Monday, December 5, 2016

Tearing apart a modern infected host. My first hacked OpenStack instance.

Recently I had noticed a whopping 600MB a second of HTTP requests to China. Not good. It flooded our little 100mb line and killed the firewalls, creating 3k new states a second.

The new states were coming from one of the instances in my OpenStack environment! Aww man, what did I screw up? The answer is nothing: the user never changed anything on his default instance, and it was, I believe, auto-hacked by a botnet exploiting web apps running a default configuration.

What did I do? Luckily it's OpenStack. I shut off the instance, detached the volume, and rebuilt using a clean image. I also altered the rules to discourage this from happening again.
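The steps above (contain, stop, detach, rebuild, tighten the rules) as a runbook script. This is an added example, not the original post's own commands; it uses the python-openstackclient CLI ("openstack") with credentials already in the environment, and hypothetical names: server web1, volume web1-data, clean image ubuntu-clean, the instance's existing security group "default", a quarantine group "quarantine", and an assumed internal resolver at 10.0.0.2. Two steps go beyond what the post describes and are the practitioner's additions: snapshotting the volume before the instance is stopped, so the evidence is preserved even if the detach goes wrong, and replacing the allow-all egress rules with only what the workload needs, so a re-compromised box cannot flood arbitrary hosts. With DRY_RUN=1 the script only prints the commands it would run (steps that must read state back from the API are skipped), so it can be reviewed before it touches the cloud.

```shell
#!/bin/sh
# Added example (not from the original post): an incident-response runbook for
# a compromised OpenStack instance, built on the python-openstackclient CLI
# ("openstack") with credentials already loaded in the environment.
# Hypothetical names: server web1, volume web1-data, clean image ubuntu-clean,
# the instance's existing security group "default".
set -eu

QUARANTINE=${QUARANTINE:-quarantine}   # name of the no-rules security group
DNS_SERVER=${DNS_SERVER:-10.0.0.2}     # assumed internal resolver for egress rules

# run CMD...: execute the command, or only print it when DRY_RUN=1 so the
# runbook can be reviewed without touching the cloud.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# live: true unless in dry-run mode (for steps that must read state back
# from the API, which a dry run cannot do).
live() { [ "${DRY_RUN:-0}" != "1" ]; }

# make_quarantine_group: a security group with no rules at all. Neutron gives
# every new group allow-all egress rules, so strip them; an instance carrying
# only this group can neither accept nor open connections.
make_quarantine_group() {
    run openstack security group create --description ir-quarantine "$QUARANTINE"
    if live; then
        for rule in $(openstack security group rule list -f value -c ID "$QUARANTINE"); do
            openstack security group rule delete "$rule"
        done
    fi
}

# contain SERVER OLDGROUP: swap the instance onto the quarantine group first.
# The outbound flood stops immediately while the VM stays up, which keeps the
# option of a memory capture open before anything is powered off.
contain() {
    server=$1 old=$2
    run openstack server add security group "$server" "$QUARANTINE"
    run openstack server remove security group "$server" "$old"
}

# preserve_evidence SERVER VOLUME SNAPNAME: snapshot the volume while it is
# still attached (hence --force), then stop the server and detach the volume
# so it can be mounted read-only elsewhere for analysis.
preserve_evidence() {
    server=$1 volume=$2 snap=$3
    run openstack volume snapshot create --volume "$volume" --force "$snap"
    run openstack server stop "$server"
    run openstack server remove volume "$server" "$volume"
}

# rebuild_clean SERVER IMAGE: reinstall the root disk from a known-good image.
rebuild_clean() {
    run openstack server rebuild --image "$2" "$1"
}

# restrict_egress GROUP: replace allow-all egress with only what the workload
# needs (assumed here: HTTPS anywhere, DNS to the internal resolver).
restrict_egress() {
    group=$1
    if live; then
        for rule in $(openstack security group rule list --egress -f value -c ID "$group"); do
            openstack security group rule delete "$rule"
        done
    fi
    run openstack security group rule create --egress --protocol tcp --dst-port 443 --remote-ip 0.0.0.0/0 "$group"
    run openstack security group rule create --egress --protocol udp --dst-port 53 --remote-ip "$DNS_SERVER/32" "$group"
}

# respond SERVER VOLUME IMAGE SNAPNAME OLDGROUP: the whole sequence.
respond() {
    server=$1 volume=$2 image=$3 snap=$4 old=$5
    make_quarantine_group
    contain "$server" "$old"
    preserve_evidence "$server" "$volume" "$snap"
    rebuild_clean "$server" "$image"
    restrict_egress "$old"
    # hand the rebuilt instance back its (now tightened) group
    run openstack server add security group "$server" "$old"
    run openstack server remove security group "$server" "$QUARANTINE"
}

# Usage: DRY_RUN=1 sh ir.sh web1 web1-data ubuntu-clean ir-web1-snap default
if [ $# -eq 5 ]; then
    respond "$@"
fi
```

Order matters here: the quarantine group goes on before anything else because the flood is what is hurting the firewall, the snapshot is taken before the stop because a detach or rebuild mistake can otherwise destroy the only copy of the evidence, and the rebuilt instance gets its original group back only after that group's egress has been cut down.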

When I get time, I will open this volume and look at what is going on.