TLDR: My EC2 instance got hacked, I think it is related to the Docker Hub hack. I left some clues and a list of what I did to tighten security.
A few years ago, I finally upgraded from GoDaddy to AWS EC2. In fact, everything has now been moved away from GoDaddy (thank goodness). Route 53 isn't completely user friendly, but it works fine.
Regardless, I noticed that I was getting a bunch of Jetpack notices that my website was down. This was not characteristic of AWS. So I ssh'ed into the server and checked with the "top" command. I should have taken a screenshot, but my server was being maxed out at 99% by numerous "dockerd" (Docker daemon) processes. This load was making my server crash, clogging its computing power, etc.
This was a little unnerving, but I do remember installing Docker and then abandoning the project. Anyway, what was definitely clear is that dockerd was trashing my server.
Not exactly sure what was accomplished by taking over my server. The instance is a t1.nano, so it doesn’t offer much in the way of crypto mining. My site doesn’t get enough hits, so I doubt it was advertising malware. My only thought is that they might have used it for some kind of SEO / traffic bounce scheme?
Here is what I did immediately to tighten up security. If anybody has any more suggestions, please put them in the comments.
- Got a new pair of Amazon keys
- Cleaned up the Amazon security group IP table
- Changed the database password
- Cleared all Docker apps and content off the server.
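As an added example (not part of the original post), here is a small audit for the "clean up the security group" step: it walks security-group ingress rules in the shape boto3's describe_security_groups() returns and flags sensitive ports that are open to the whole internet. The port list and the sample group are constructed for illustration; the post does not say how dockerd was reached, so the Docker API ports are included only as something worth checking on any Docker host.

```python
# Added example (not from the original post): audit EC2 security-group ingress
# rules in the shape returned by boto3's describe_security_groups(), flagging
# rules that expose sensitive ports to the whole internet. The port list and
# the sample group below are constructed for illustration.
from typing import Dict, List

# Ports worth a second look when open to 0.0.0.0/0 on a single web host:
# SSH, the Docker daemon's plain and TLS TCP API ports, MySQL/MariaDB.
SENSITIVE_PORTS = {22: "ssh", 2375: "docker-api", 2376: "docker-api-tls", 3306: "mysql"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

def open_to_world(rule: Dict) -> bool:
    """True if any IPv4/IPv6 range on this rule is the whole internet."""
    ranges = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    ranges += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in ranges)

def risky_rules(group: Dict) -> List[str]:
    """Return human-readable findings for a single security group."""
    findings = []
    for rule in group.get("IpPermissions", []):
        if not open_to_world(rule):
            continue
        proto = rule.get("IpProtocol")
        if proto == "-1":  # "-1" means all protocols, all ports
            findings.append(f"{group['GroupId']}: ALL traffic open to the world")
            continue
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        for port, name in SENSITIVE_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"{group['GroupId']}: {proto}/{port} ({name}) open to the world")
    return findings

# Constructed sample resembling one describe_security_groups() entry: the web
# ports are fine, but SSH and the Docker API range are reachable from anywhere,
# while MySQL is correctly limited to a private range.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 2375, "ToPort": 2376, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

if __name__ == "__main__":
    for line in risky_rules(SAMPLE_GROUP):
        print(line)
```

Against a real account, feed each entry of `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to risky_rules() instead of SAMPLE_GROUP.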
Here is just some of the code I found on the server, if anybody is interested.
root:/var/www/html/stocks# docker rmi $(docker images -q)
Untagged: [email protected]:3d9c62b0b614fb7e21afa752b4e84ff83cbbde5b84ea0b533799cc4c44ea3789
and in /etc/docker I found the following.
I will be reporting this to the FBI, as soon as they are done with the Mueller report and/or the fallout.