rich z's picture

in the last few days I got a message from amazon that seems to indicate my turnkey wordpress site was compromised.  It was a site I was building so I just shut it down.  I did notice when quickly checking the   turnkey gui there was a  spike in traffic over the prior few days.  (one day had 900 megs of downoad which could be the whole server as far as I know)

*Is there any way to figure out when I got compromised? I have not changed the site in at least 90 days so was thinking I could maybe look at the backup history to see what files changed recently or maybe some amazon log for imcoming data?  
*Is there any faq for how to secure these boxes better?  I assume I have three things I need to think about   1)General securing amazon deployments - things like firewalls etc. 2) Securing the turnkey linux in general terms.  3)Securing wordpress itself

My preferred plan of attack would be to fire up a backup for 90 days or so ago and then secure it better.   But I think if I cant find the bot files then I would fire up a new instance and migrate my code...

Message from Amazona...


The abuse comes in the form of DDoS using SYN Flood attack towards port
80 of IP and it started at approximately 11:50 CET (+0100).

Jeremy Davis's picture

My suspicion is that your WP site became part of this botnet. Note the link in that post to the Sucuri blog. (As per the article) Sucuri also have a scanner to see if your site was used in the DDoS attack. I also thought that some of the comments were worth reading.

Let us know how you go. I'd be interested to hear how things go and perhaps we can harden up the default TKL appliance...?

Add new comment