Lucas Taulealeausumai

So I've been running the standard moodle setup as per your settings on a medium moodle setup/instance.


I got an email from Amazon last month saying that the server was hacked and used in a DDoS attack. They closed the port in question (port 80) and I didn't really see how it was possible based on your security etc. So I left the server open and monitored it (since we needed Moodle).


But then I got a bill for $2500 (AUD) for the server hosting last Friday. I stopped the instance immediately.


Figuring that since port 80 had been shut, and knowing that we needed the server to run, I reinstated the instance through TurnKey. Only to find out this morning that in doing so, it must have reopened port 80.


So now I'm likely to get another $2500 bill or thereabouts.





Jeremy Davis

Amazon VPS are commonly targeted by bots trying to brute force entry, so you need to use a strong password. My guess is that is what happened. A passphrase (rather than a password) is much better. Actually best of all, use SSH keys and disable password login altogether.

Having a poor password is a little like leaving the keys to your house under the front mat. It doesn't matter how good the deadbolts on your doors and windows are if the bad guys find the keys...

If you haven't done too much since the initial hack, then you may be able to go back through your bash history and see what was done to your server (and undo it). Otherwise there are a number of Linux server "anti-malware" tools you can use to clean up (e.g. Chkrootkit, Rootkit Hunter). Although personally, unless I can be 100% sure on what has been done, then I can never 100% trust a server that has been compromised (even if it seems ok).

If you have a backup (e.g. TKLBAM) that predates the hack (and you won't lose much work/data/etc) then restoring to a new clean server would be advised. Even just restoring a current (cleaned) backup to a new server (using a good password, or better still keys) would be a reasonable idea IMO. At least that would eliminate the possibility of apt installed binaries being compromised. Obviously though your backup may well still include malware (which might also be reinstalled)...

Also if you contact Amazon and explain the situation perhaps they will give you a refund (or at least a partial refund)? Although seeing as they shut your server down and you restarted it (without resolving the issue), then maybe they will not.
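The "use SSH keys and disable password login" advice above boils down to a handful of sshd_config directives, and it is easy to believe a server is key-only when it is not (sshd honours only the first occurrence of a directive, directives left out fall back to their documented defaults, and keyboard-interactive authentication can still accept a password even when PasswordAuthentication is off). The script below is an added example, not code from the thread or from TurnKey: it reads a config file the way sshd does and reports whether key-only login is actually in effect. The two sample configs are constructed here for illustration and are not any real server's files.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for key-only login.
# Checks the directives behind "use SSH keys and disable password login":
#   PasswordAuthentication no, KbdInteractiveAuthentication no
#   (older name: ChallengeResponseAuthentication), PubkeyAuthentication yes,
#   and PermitRootLogin not set to "yes".

# Print the effective value of one directive: sshd uses the FIRST match,
# ignores comments, and anything after a "Match" line is conditional, so
# stop there. Directive names are case-insensitive in sshd_config.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/        { next }
        tolower($1) == "match"  { exit }
        tolower($1) == key      { print tolower($2); exit }
    ' "$1"
}

# Print "hardened" (exit 0) or "weak: <offending directives>" (exit 1).
audit_sshd_config() {
    cfg="$1"
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
    [ -z "$kbd" ] && kbd=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    pk=$(sshd_effective "$cfg" PubkeyAuthentication)
    root=$(sshd_effective "$cfg" PermitRootLogin)

    # OpenSSH defaults when a directive is absent from the file.
    [ -z "$pw" ]   && pw=yes
    [ -z "$kbd" ]  && kbd=yes
    [ -z "$pk" ]   && pk=yes
    [ -z "$root" ] && root=prohibit-password

    findings=""
    [ "$pw" = "no" ]    || findings="$findings PasswordAuthentication=$pw"
    [ "$kbd" = "no" ]   || findings="$findings KbdInteractiveAuthentication=$kbd"
    [ "$pk" = "yes" ]   || findings="$findings PubkeyAuthentication=$pk"
    [ "$root" = "yes" ] && findings="$findings PermitRootLogin=$root"

    if [ -z "$findings" ]; then
        echo hardened
        return 0
    fi
    echo "weak:$findings"
    return 1
}

# Constructed sample 1: password logins still allowed (typical untouched state).
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample config - passwords still accepted
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample 2: keys only. The Match block at the end re-enables
# passwords for one user only; the global audit correctly ignores it.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# constructed sample config - keys only
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

# Demo run; "|| true" keeps the script going under "set -e".
audit_sshd_config "$WEAK_CFG" || true
audit_sshd_config "$HARD_CFG"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config` (it only reads the file); `sshd -T` prints the same effective values from the running daemon and is the authoritative check once you have restarted sshd after editing. Make sure your key actually works in a second session before turning PasswordAuthentication off in the first.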
