
I inherited an app with an AWS backend. I hadn't had time to update and make sure best practices were being used on the AWS backend before it was compromised.

Each server is listed as having had DDOS attacks coming from the web (port 80).

PREFERABLY I'd just spin up a new instance of the servers and that would be that, but apparently no instance lifecycle was set up by the previous developers.

Is there some limited timeframe that Amazon has a past instance, or am I/my client completely screwed?

Otherwise I'll likely have to manually clean the server (or literally create the exact or a similar configuration), and obviously either is far from ideal.

EDIT:

To clarify, the servers in question were compromised and used to send high volumes of traffic. Amazon determined that they were implicated in a DDOS attack and blocked them from the internet.

EDIT 2: I feel a downvote is unfair - how am I supposed to know without asking?

Andrew Alexander

  • Hang on, were they compromised, or DDOSed? Those are vastly different things. – ceejayoz Jun 13 '19 at 14:27
  • They were compromised and implicated in a DDOS attack. I.e. the hackers got access to the server and used it to send high volumes of traffic out. Personally my goal is to nuke the server from orbit if possible. Recreating or cleaning it sounds like an exercise in pain. – Andrew Alexander Jun 13 '19 at 14:29
  • Possible duplicate of [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – ceejayoz Jun 13 '19 at 14:30
  • This isn't a duplicate of how to deal with a compromised server. The ideal protocol is to roll a new one from a backup. I am asking if there is any way to do this via AWS without having snapshots - i.e. does AWS have any sort of "emergency" short term snapshots. I have already implemented several additional security measures to try to prevent this from happening again, and intend to install several on the servers when I have them back, un-malwared. – Andrew Alexander Jun 13 '19 at 14:31
  • Andrew, first of all, please be bold in deleting the parts of your own question that seem to confuse others. Append-only is suboptimal for future readers. Secondly, you presently cannot determine whether the "short term snapshot" is compromised or clean. The fact that it maybe won't immediately show any suspicious activity doesn't mean it's clean. This is why I am also voting it a duplicate. – kubanczyk Jun 15 '19 at 11:05

1 Answer

EC2 instances and EBS volumes do not have any backup mechanism other than the snapshots made by and visible to you in the console or via the SDK/CLI/API.

There is no system-provided rollback/flashback or similar emergency functionality in EC2/EBS.

The one thing to check is the source AMI used to create the machines. If it still exists, you might get lucky and find that it has a working baseline system with the application installed, pre-malware, and you can launch more machines from that... but from the description, the machines sound like they may be snowflakes that were built by hand from AMIs containing only the operating system.

Michael - sqlbot
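A quick way to check what the answer and the comments point at (does the source AMI still exist, and which of your own EBS snapshots predate the compromise), as an added example that is not part of the original answer. It assumes the dict shapes boto3's `describe_instances`, `describe_images` and `describe_snapshots` return, and all IDs below are constructed sample data.

```python
from datetime import datetime, timezone


def assess_recovery(instance, images, snapshots, compromised_at):
    """Report which artifacts AWS still holds to rebuild `instance` cleanly.

    instance/images/snapshots use the dict shapes boto3 returns for
    describe_instances, describe_images and describe_snapshots.
    Snapshots started at or after `compromised_at` are kept separate:
    they may already contain the attacker's changes and are not a clean base.
    """
    ami = next((i for i in images if i["ImageId"] == instance["ImageId"]), None)
    volume_ids = {m["Ebs"]["VolumeId"]
                  for m in instance.get("BlockDeviceMappings", []) if "Ebs" in m}
    pre, post = {}, {}
    # Newest first, so the first ID per volume is the most recent candidate.
    for snap in sorted(snapshots, key=lambda s: s["StartTime"], reverse=True):
        if snap["VolumeId"] not in volume_ids or snap.get("State") != "completed":
            continue
        bucket = pre if snap["StartTime"] < compromised_at else post
        bucket.setdefault(snap["VolumeId"], []).append(snap["SnapshotId"])
    return {
        "source_ami_exists": ami is not None,
        "source_ami_name": ami.get("Name") if ami else None,
        "pre_compromise_snapshots": pre,
        "post_compromise_snapshots": post,
        "can_rebuild": ami is not None or bool(pre),
    }


# Constructed sample data (hypothetical IDs), shaped like the EC2 API responses.
COMPROMISED_AT = datetime(2019, 6, 10, tzinfo=timezone.utc)
SAMPLE_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0", "ImageId": "ami-0aaa111122223333a",
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                             "Ebs": {"VolumeId": "vol-0bbb111122223333b"}}],
}
SAMPLE_IMAGES = [{"ImageId": "ami-0aaa111122223333a", "Name": "app-baseline-2018-11"}]
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0ccc1", "VolumeId": "vol-0bbb111122223333b",
     "State": "completed", "StartTime": datetime(2019, 5, 1, tzinfo=timezone.utc)},
    {"SnapshotId": "snap-0ccc2", "VolumeId": "vol-0bbb111122223333b",
     "State": "completed", "StartTime": datetime(2019, 6, 12, tzinfo=timezone.utc)},
    {"SnapshotId": "snap-0ccc3", "VolumeId": "vol-0ddd1",  # another instance's volume
     "State": "completed", "StartTime": datetime(2019, 5, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    # With boto3 and credentials, feed the live describe_* results to the same function.
    print(assess_recovery(SAMPLE_INSTANCE, SAMPLE_IMAGES, SAMPLE_SNAPSHOTS, COMPROMISED_AT))
```

If neither the AMI nor a pre-compromise snapshot exists, `can_rebuild` is false and the only options left are the ones the question already names: clean by hand or rebuild from a fresh OS image.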