
Backdoor in the Ubuntu image for Amazon EC2, check yours!

In November, Habr user karohos shared an excellent recipe for setting up a free personal VPN in the Amazon cloud (Free VPN from Amazon). In short, for those who missed it: launching a micro instance running Ubuntu Server 10.04 with OpenVPN configured, and keeping it up around the clock, fits within Amazon's free quota (it is granted only for a year, but still). Many people took advantage of this, myself included.

Today I received a letter from Amazon titled “Your Action Required”. Summary of the letter:
Hey.

We recently noticed that a publicly available AMI image contains a public SSH key that allows the author of the image to log in as root. Also, according to our logs, you have (or had) instances running from this AMI.
AMI compromised: ami-c2a255ab
Your account ID: xxxxxxx
Instance ID (s): xxxxxxx

Blah blah blah, immediately migrate everything to other instances and do not launch any more instances from this AMI. Also block access to your instances with this key: find and delete the line with the following content from '/root/.ssh/authorized_keys' and '/home/ubuntu/.ssh/authorized_keys':

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCU8QRvONa/Rv4mXSDMVFX7EnIiJd2nuQ0mUHPTGNUCq0PjyNemjXTLztxfbA9q8+S9T7q1UJG3dp49EzE1Gq8KAQm6vmSn80pPrm3hTHAmiBboIZzoqv6PSedkUvZyqqBn1NK0VZxGH7JvsagW95R2AfTdEwdXRjorxtPzi/MpYdoOzM41yzysyjmIZYdeOcZLliLfv9B31lTaFY2RfxpJ4TWlKh1Fo4/IyUyd3uyih17ucbKiSdJ2G5iYS01wL18o9Ett8cyjtrYXDewEsGtrL0taQMuPpiD66+HE37k4GWwNho6vsMSO1qbeTY431EQSaIrr/SKn8ToqnnLBy6On guru

Blah blah blah, sorry for the inconvenience,
Amazon EC2 security team.

ami-c2a255ab is the very image that karohos linked to in his post. Google helpfully revealed that I was not the only one to receive such a letter; some kind soul had already posted it on PasteBin. (Funny, PasteBin is starting to compete with Twitter :)

I went to my cozy little VPN box and checked. It turned out that I had deleted this key for ubuntu earlier, but not for root. I began to think back and recalled that I had seen these keys when setting up the instance; I was surprised they were there, but assumed Amazon itself needed them. At the time it was my first encounter with Amazon EC2 and with setting up an Ubuntu server. In short, I left them alone out of fear that I would otherwise be unable to log in to the server.

I saw no foreign logins in the logs. With the default rotation settings, my logs are kept for about a month. If it weren't for the constant hammering of the SSH port by bots, more would probably have been preserved.

Commands for checking:
  # keys for ubuntu
  sudo cat /home/ubuntu/.ssh/authorized_keys
  # keys for root
  sudo cat /root/.ssh/authorized_keys
  # SSH log entries
  grep Accept /var/log/auth.log*
  zcat /var/log/auth.log.?.gz | grep Accept

There should be only one key in authorized_keys: the one Amazon gave you when you created the instance. If there are other keys (not yours), delete them.
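The two checks above (unexpected entries in authorized_keys, and which logins sshd actually accepted) can be scripted so they are repeatable on every instance. The following is an added example written for this post, not code from the original article or from Amazon: it compares each authorized_keys file against an allowlist of the keys you expect, matching on key type plus base64 blob only (the trailing comment is free text and proves nothing), and reduces sshd "Accepted" lines from plain and rotated auth.log files to "user source-ip method". The file paths, key blobs and log lines are constructed for the demonstration; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit authorized_keys against an
# allowlist of expected keys, and summarise accepted SSH logins from auth.log.
# All paths and sample data below are constructed for the demonstration.

# _filter_keys MODE KEYS_FILE ALLOW_FILE
# MODE=unexpected prints key lines whose "type blob" pair is absent from the allowlist;
# MODE=allowed prints the file with those lines removed (comments and blanks kept),
# i.e. the cleaned content you would write back to authorized_keys.
_filter_keys() {
    awk -v mode="$1" '
        FILENAME == ARGV[1] { allow[$1 " " $2] = 1; next }   # first file: allowlist
        /^[ \t]*(#|$)/ { if (mode == "allowed") print; next }  # comments / blank lines
        {
            # a line may start with options such as command="...", so locate the key type
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    known = (($i " " $(i + 1)) in allow)
                    if (known && mode == "allowed") print
                    if (!known && mode == "unexpected") print
                    break
                }
            }
        }
    ' "$3" "$2"
}

unexpected_keys()      { _filter_keys unexpected "$1" "$2"; }
allowed_keys()         { _filter_keys allowed    "$1" "$2"; }
unexpected_key_count() { unexpected_keys "$1" "$2" | wc -l | tr -d ' '; }

# accepted_logins reads sshd log lines on stdin and prints "user ip method"
# for every "Accepted <method> for <user> from <ip> port <n> ssh2" line.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) if ($i == "Accepted") break
        print $(i + 3), $(i + 5), $(i + 1)
    }'
}

# accepted_logins_all FILE... also handles rotated .gz logs (the zcat step above).
accepted_logins_all() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc "$f" ;;
            *)    cat "$f" ;;
        esac
    done | accepted_logins
}

# ---- constructed demo data ------------------------------------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Constructed allowlist: the single key pair you created in the EC2 console.
cat > "$DEMO_DIR/allowlist" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYFROMYOUREC2KEYPAIR00000000 my-ec2-keypair
EOF

# Constructed authorized_keys as found on the instance: your key plus a leftover one.
cat > "$DEMO_DIR/authorized_keys" <<'EOF'
# authorized_keys (constructed sample)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEYFROMYOUREC2KEYPAIR00000000 my-ec2-keypair
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLELEFTOVERKEYFROMIMAGEAUTHOR000 image-author
EOF

# Constructed auth.log excerpt: one login with your key, one root login from an unfamiliar address.
cat > "$DEMO_DIR/auth.log" <<'EOF'
Mar  5 10:12:01 ip-10-0-0-5 sshd[1234]: Accepted publickey for ubuntu from 198.51.100.7 port 50022 ssh2
Mar  5 10:12:05 ip-10-0-0-5 sshd[1301]: Invalid user admin from 192.0.2.44
Mar  6 03:41:17 ip-10-0-0-5 sshd[2210]: Accepted publickey for root from 203.0.113.9 port 41822 ssh2
EOF
gzip -c "$DEMO_DIR/auth.log" > "$DEMO_DIR/auth.log.1.gz"   # a rotated copy

echo "== keys not on the allowlist in $DEMO_DIR/authorized_keys =="
unexpected_keys "$DEMO_DIR/authorized_keys" "$DEMO_DIR/allowlist"
echo "== accepted logins (count user ip method) =="
accepted_logins_all "$DEMO_DIR/auth.log" "$DEMO_DIR/auth.log.1.gz" | sort | uniq -c
```

On a real instance you would put the public key of your own EC2 key pair in the allowlist and run `sudo` versions of these calls against /root/.ssh/authorized_keys and /home/ubuntu/.ssh/authorized_keys. When cleaning, write the output of allowed_keys to a temporary file and move it into place rather than redirecting straight onto authorized_keys (that would truncate the file while awk is still reading it). Removing a key only stops new logins; it does not end a session that is already open, which is why the letter's advice to migrate to instances launched from a clean image still stands.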

I don't know whether this can be called a backdoor in the full sense, because the ability to log in is not disguised in any way. Most likely the key simply remained from the author of this image, who had no evil intent. A more interesting question is what exactly Amazon's security people reacted to. Probably a complaint from one of the customers whose instance someone had logged into. (Although the letter does not say this explicitly.) But only the owner of the private key, that is, the author of the image, could have done that.

In any case, their customer care (and their reputation) deserves respect. A good example for our cloud services.

UPD.
As SilenceAndy points out, Ubuntu has pages listing official AMIs that can be used without worry: 8.04, 9.10, 10.04, 10.10, 11.04 b1

UPD2
The author of this image, Paulo Fisch (guru), has replied in his blog:
The image ami-c2a255ab will be removed, since I foolishly left my public SSH key there, which would allow me to log in to any instance launched from this AMI.
I apologize for the inconvenience and assure you that this happened only out of inexperience, not malicious intent.
After all, this was pointed out to me in the comments, but at the time I did not appreciate all the consequences. My fault!

Source: https://habr.com/ru/post/117101/
