
(See update below) I received notification from Amazon that my instance tried to hack another server. There was no additional information besides a log dump:

Original report:

  • Destination IPs:
  • Destination Ports:
  • Destination URLs:
  • Abuse Time: Sun May 16 10:13:00 UTC 2010
  • NTP: N
  • Log Extract:

External 184.xxx.yyy.zzz, 11.842.000 packets/300s (39.473 packets/s), 5 flows/300s (0 flows/s), 0,320 GByte/300s (8 MBit/s)

(184.xxx.yyy.zzz is my instance ip)

How can I tell whether someone has penetrated my instance? What are the steps I should take to make sure my instance is clean and safe to use? Is there some intrusion detection technique or log that I can use?

Any information is highly appreciated.

UPDATE: I received further log files from Amazon. It seems like our server is scanning consecutive IP addresses for port 22. I ran rkhunter and chkrootkit without success. What can I do?

Niro

2 Answers


You could look for signs of intrusion with chkrootkit, but you should install trusted binaries to use with it or your results are suspect. If you're not already, you should make sure you patch it constantly; I'd suggest cron updates at least daily. There are plenty of host-based intrusion detection (HIDS) packages available; you'll need to research them to determine which is appropriate for your needs.

One last thing to consider, where did you get your AMI from? I've always wondered who uses some of the seemingly innocuous instances up there... that you really have no clue where they come from. These can easily be tampered with by the original uploader. Just some food for thought.

obfuscurity
  • The AMI is from Scalr, which I believe to be reliable. I ran chkrootkit and rkhunter. It didn't reveal anything. What's the next step? – Niro May 17 '10 at 07:53

I just installed an AMI from Scalr, and found a hacking process trying to scan other servers' phpMyAdmin. It's scary.
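Neither the question's update (a sweep of consecutive addresses on port 22) nor the two answers show how to find the process on the instance that owns that traffic. As an added example, not written by any poster here, the script below parses an `ss -ntp`-style socket listing and flags any process holding connections to many consecutive hosts on port 22; the sample listing, process names and PIDs are constructed for the demonstration.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample in the shape of `ss -ntp` output (not real data): one inbound
# ssh session, one ordinary outbound HTTPS connection, and one process with
# half-open connections to consecutive hosts on port 22.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port    Process
ESTAB     0      0      10.0.0.5:22         198.51.100.7:51022   users:(("sshd",pid=812,fd=4))
ESTAB     0      0      10.0.0.5:48120      203.0.113.80:443     users:(("python",pid=900,fd=5))
SYN-SENT  0      1      10.0.0.5:41230      203.0.113.10:22      users:(("httpd",pid=4321,fd=3))
SYN-SENT  0      1      10.0.0.5:41231      203.0.113.11:22      users:(("httpd",pid=4321,fd=4))
SYN-SENT  0      1      10.0.0.5:41232      203.0.113.12:22      users:(("httpd",pid=4321,fd=5))
SYN-SENT  0      1      10.0.0.5:41233      203.0.113.13:22      users:(("httpd",pid=4321,fd=6))
SYN-SENT  0      1      10.0.0.5:41234      203.0.113.14:22      users:(("httpd",pid=4321,fd=7))
"""

CONN_RE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+\S+:\d+\s+(?P<raddr>[\d.]+):(?P<rport>\d+)\s+(?P<proc>.*)$")
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

def parse_ss(text):
    """Yield (state, remote_ip, remote_port, process_name, pid) for each socket line."""
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:               # header line and anything in an unexpected shape
            continue
        p = PROC_RE.search(m.group("proc"))
        name, pid = (p.group("name"), int(p.group("pid"))) if p else ("?", -1)
        yield m.group("state"), m.group("raddr"), int(m.group("rport")), name, pid

def find_port_scanners(text, target_port=22, min_targets=4):
    """Map (process_name, pid) -> {'targets': [...], 'consecutive': bool} for every
    process with sockets to at least min_targets distinct hosts on target_port;
    'consecutive' is True when the targets form an unbroken address run (a sweep)."""
    targets = defaultdict(set)
    for state, raddr, rport, name, pid in parse_ss(text):
        # Inbound sshd sessions have *local* port 22; only the remote port matters here.
        if rport == target_port and state != "LISTEN":
            targets[(name, pid)].add(ipaddress.ip_address(raddr))
    findings = {}
    for key, ips in targets.items():
        if len(ips) < min_targets:
            continue
        ordered = sorted(ips)
        run = all(int(b) - int(a) == 1 for a, b in zip(ordered, ordered[1:]))
        findings[key] = {"targets": [str(ip) for ip in ordered], "consecutive": run}
    return findings
```

Feed it the live output of `ss -ntp` (run as root so the process column is filled in) and the flagged PID is the one to inspect with `ls -l /proc/<pid>/exe` and `cwd`. A rootkit can hide sockets from `ss`, so if the host looks clean while Amazon's flow counts keep climbing, capture the traffic from outside the instance instead of trusting the host's own tools.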