My EC2 instance was hacked recently. It doesn't really matter as I'm just starting my website and there was no sensitive information on my server yet, but I do plan for there to be in the future. I am going to terminate the compromised server and set up another one in order to secure my website.
My issue is that I want to make sure this never happens again, and the only way I can convince myself that my new server is secure is by knowing how the first server was compromised and making sure that the new server cannot be compromised by the same method. However I am having trouble identifying/understanding how the first server was hacked.
The stack used is Rails 4.2.4 + PostgreSQL 9.3 + Puma + Nginx 1.4.6. The server I'm running is Ubuntu 14.04.2 LTS on an AWS EC2 t2.micro instance. My AWS access keys have not been published anywhere, and I am the only one who should have SSH access to my server.
Now I'm no hacker, or even a good sysadmin for that matter (though I'm learning), so I have to keep an open mind about how the server was infiltrated, but since the only way I access my server is by SSH, I'm assuming that is how the hackers got in too. I had erroneously left an inbound security group rule for the SSH port 22 with a source of 0.0.0.0/0, which also makes me think it is likely this is how the hackers got in.
I access my server by SSH using a private key with a command similar to:
ssh -vi "/home/me/.ssh/my_private_key.pem" ubuntu@my_aws_instance.com
I was notified of the compromise by an ec2-abuse@amazon.com email saying that my server had been making DDoS attacks. Although I couldn't verify this by looking around my logs, I did find some hidden PHP scripts in /var/tmp which looked as if they were designed to send out phishing emails, which convinced me that the server had indeed been hacked.
There is no password set up for SSH, which was confirmed by hydra when I tried to attack my own server. This implies to me that the attacker must have guessed my RSA private key... except I understand this is not realistically possible.
I don't know of any other possible ways that the server could have been compromised. Does anyone have any ideas? Are any of my assumptions or steps wrong?
Inbound Security Group Rules (at the time of being hacked):
HTTP TCP 80 0.0.0.0/0
PostgreSQL TCP 5432 0.0.0.0/0
SSH TCP 22 0.0.0.0/0
Custom TCP Rule TCP 9200 91.216.55.150/32
Thanks in advance for your help. I'm sure that I have left out a lot of useful information so if there is anything more you'd like to know just ask.
EDIT:
The website does contain some fairly standard Rails data input functionality, mainly through HTML forms, and I also allow image upload there using a gem called CarrierWave.
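As an added example (not part of the question or any answer), here is a small audit script that takes a security group in the shape returned by the EC2 `describe-security-groups` API (`IpPermissions` with `FromPort`/`ToPort`/`IpRanges`) and flags sensitive ports reachable from the whole internet. The sample group is constructed to reproduce the four inbound rules listed in the question; `SENSITIVE_PORTS` is an assumed policy list, and `sg-EXAMPLE` is a placeholder id.

```python
"""Flag EC2 security-group inbound rules that expose sensitive ports to 0.0.0.0/0 or ::/0."""
import ipaddress

# Assumed policy: ports that should never have a world-open source. 9200 is the
# Elasticsearch default; the question only calls it a "Custom TCP Rule".
SENSITIVE_PORTS = {22: "SSH", 5432: "PostgreSQL", 9200: "Elasticsearch", 3306: "MySQL"}

# Constructed sample in describe-security-groups form, mirroring the question's rules.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200, "IpRanges": [{"CidrIp": "91.216.55.150/32"}]},
    ],
}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (a prefix length of zero matches every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_sources(perm):
    """Yield every IPv4 and IPv6 CIDR source attached to one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_group(group):
    """Return sorted (port, service, cidr) tuples for sensitive ports open to the world."""
    findings = set()
    for perm in group.get("IpPermissions", []):
        all_traffic = perm.get("IpProtocol") == "-1"  # "-1" means every protocol and port
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        for cidr in rule_sources(perm):
            if not is_world_open(cidr):
                continue
            for port, name in SENSITIVE_PORTS.items():
                if all_traffic or (lo is not None and lo <= port <= hi):
                    findings.add((port, name, cidr))
    return sorted(findings)


if __name__ == "__main__":
    for port, name, cidr in audit_group(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']}: {name} (tcp/{port}) reachable from {cidr}")
```

Run against the sample it reports SSH and PostgreSQL as world-reachable, while the 9200 rule (limited to a single /32) and HTTP (intentionally public) produce no finding.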