Site in AWS getting compromised

Keywords: WordPress - AWS - Technical issue - Secure Connections (SSL/HTTPS)

bnsupport ID: 9806c9b7-56b0-4b2c-8fde-710661226445

bndiagnostic output:

? Apache: Found possible issues
? Resources: Found possible issues
? Php: Found possible issues
https://docs.bitnami.com/general/apps/wordpress/administration/use-pagespeed/#disable-pagespeed
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-errors-apache/
https://docs.bitnami.com/bch/apps/moodle/troubleshooting/deny-connections-bots-apache/
https://docs.bitnami.com/general/apps/wordpress/configuration/configure-phpfpm-processes/

bndiagnostic failure reason: The suggested guides are not related with my issue

Description:
The AWS instance was already attacked earlier this week, and the same things that happened before are starting to take place again now.

  • The instance's memory usage climbs until it times out and not even SSH access is possible; this has just happened and the instance had to be restarted.

  • The instance then works fine again, but the timeout may recur so that not even SSH is possible. Output from some indicators taken just now is below:

```
free -m
              total        used        free      shared  buff/cache   available
Mem:            987         367         335          73         284         403
Swap:           634         160         474

ps aux --sort -rss
USER       PID %CPU %MEM     VSZ    RSS TTY      STAT START   TIME COMMAND
mysql      987  0.6 22.4 1180592 227344 ?        Sl   22:53   0:03 /opt/bitnami/mysql/bin/mysqld.bin --defaults-file=/o
daemon    1950  3.0  7.1  351400  72520 ?        S    23:02   0:00 php-fpm: pool www
daemon    1952  2.3  6.0  275720  61224 ?        S    23:02   0:00 php-fpm: pool www
daemon    1268  0.0  4.1 1303224  42272 ?        Sl   22:54   0:00 /opt/bitnami/apache2/bin/httpd.bin -f /opt/bitnami/a
root      1057  0.0  3.1  194076  31608 ?        Ss   22:53   0:00 /opt/bitnami/apache2/bin/httpd.bin -f /opt/bitnami/a
daemon    1062  0.0  1.8 1259688  18796 ?        Sl   22:53   0:00 /opt/bitnami/apache2/bin/httpd.bin -f /opt/bitnami/a
daemon    1063  0.0  1.7 1259688  17976 ?        Sl   22:53   0:00 /opt/bitnami/apache2/bin/httpd.bin -f /opt/bitnami/a
root      1050  0.0  1.1  267788  11768 ?        Ss   22:53   0:00 php-fpm: master process (/opt/bitnami/php/etc/php-fp
root      1243  0.0  1.0  628464  11048 ?        Ssl  22:53   0:00 /usr/bin/gonit

date
Thu 15 Jul 2021 10:59:57 PM UTC
```

The instance is up and running now, and steps have been taken to tighten up security, but performance is starting to play up again, which may mean another attack.

  • Firewall rules are in place on the AWS instance and only SSH, HTTP and HTTPS are allowed.
  • Security has also been tightened up in WordPress: 2FA, hidden login page, etc.
  • Monitoring is in place for both the site and the instance.

Need a second pair of glasses just to see what may be there to consider in order to avoid a new attack.

Thanks.

Hi @cguanaja,

It seems a large number of requests come from the same IP, which could indicate a DDoS attack. You can check the top requesting IPs with:

```
sudo tail -n 100000 /opt/bitnami/apache2/logs/access_log | awk '{print $1}' | sort | uniq -c | sort -nr | head -n 10
```

Could you try blocking the IP address following the steps in this guide?

https://docs.bitnami.com/bch/apps/moodle/troubleshooting/deny-connections-bots-apache/

Regards,
Michiel

Thanks @michiel.

IP that has the biggest number of hits is the one that I’m using to monitor the site so all good with that.

The instance seems to be stable, although I had to restart it last week when I wasn't even able to access it via SSH.

The guide that you provided is helpful. Is there anything else that can be considered to enhance security on Bitnami's stacks?

Thanks.

Hi @cguanaja,

As @michiel mentioned, you can take a look at the number of requests the different IPs made to the instance but you can also open that access_log file and review what those IPs were requesting. If you see something weird, you should block them.

Obviously, to maintain the security levels, you should always have updated versions of the different components the stack has (Apache, PHP, WordPress, …) and use security plugins like Wordfence to ensure your site is safe.

Happy to help!
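The two replies above suggest first counting requests per IP and then reviewing what each IP actually requested. The following script, added here as an example and not code from Bitnami or from the posters, does both over a few constructed access_log lines in Apache's combined format (the IPs, paths and user agents are made up for the illustration). It reuses the `awk | sort | uniq -c | sort -nr` pipeline from the thread, reading from stdin instead of the live log file, and adds a second view that groups one IP's requests by method and path so that a monitoring probe (repeated `GET /`) can be told apart from repeated `POST /wp-login.php` attempts, which is what the poster's own monitoring IP at the top of the list looked like.

```shell
#!/bin/sh
# Constructed sample access_log lines (combined format). Not taken from the poster's server.
SAMPLE_LOG='203.0.113.10 - - [15/Jul/2021:22:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jul/2021:22:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jul/2021:22:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2021:22:55:04 +0000] "GET / HTTP/1.1" 200 10240 "-" "UptimeMonitor/1.0"
198.51.100.7 - - [15/Jul/2021:22:56:04 +0000] "GET / HTTP/1.1" 200 10240 "-" "UptimeMonitor/1.0"
192.0.2.44 - - [15/Jul/2021:22:56:10 +0000] "GET /about/ HTTP/1.1" 200 8200 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Jul/2021:22:56:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"'

# Requests per client IP (field 1), busiest first. Same pipeline as in the thread,
# but reading from stdin; pipe "sudo tail -n 100000 .../access_log" into it on a real box.
top_ips() {
    awk '{print $1}' | sort | uniq -c | sort -nr | head -n "${1:-10}"
}

# For one IP, summarise method and path (fields 6 and 7 of the combined format) so a
# reviewer can see whether the volume is a monitor, a crawler, or login hammering.
requests_for_ip() {
    awk -v ip="$1" '$1 == ip { gsub(/"/, "", $6); print $6, $7 }' | sort | uniq -c | sort -nr
}

# Helpers over the sample so the results can be checked programmatically.
busiest_ip() {
    printf '%s\n' "$SAMPLE_LOG" | top_ips 1 | awk '{print $2}'
}

count_for_ip() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v ip="$1" '$1 == ip { n++ } END { print n + 0 }'
}

# Most frequently requested path for an IP (third column of the uniq -c output: count, method, path).
top_path_for_ip() {
    printf '%s\n' "$SAMPLE_LOG" | requests_for_ip "$1" | head -n 1 | awk '{print $3}'
}

# Demonstration over the constructed sample.
echo "Top IPs:"
printf '%s\n' "$SAMPLE_LOG" | top_ips 3
echo "Requests from $(busiest_ip):"
printf '%s\n' "$SAMPLE_LOG" | requests_for_ip "$(busiest_ip)"
```

On the sample the busiest address is 203.0.113.10 with four requests, three of them `POST /wp-login.php`, whereas 198.51.100.7 only fetches `/` once a minute with a monitoring user agent; the second view is what separates the two cases before deciding which address, if any, to deny in Apache following the guide linked above.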
