My AWS Account Got Hacked. How to Remove the Lightsail Instances?

Lance Watanabe
Don’t Leave Me Out in the Code
3 min read · Mar 28, 2022


Over the weekend my AWS account got hacked. The hacker created 2,000 Lightsail instances. AWS suspended my account after an hour when it recognized the suspicious activity. However, after my account was reinstated was where I ran into the biggest problems. AWS claims they do not have the authority to remove the Lightsail instances. Therefore, I need to do it myself. To do so, they sent me the following link: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/delete-an-amazon-lightsail-instance. Since it is impractical to delete each instance individually, I needed to write a script to remove the instances. First, stop the bleeding by doing the following:

Here’s what I did to remove the malicious Lightsail instances:

1. Configure your AWS CLI

aws configure
AWS Access Key ID [None]: accesskey
AWS Secret Access Key [None]: secretkey
Default region name [None]: us-west-2
Default output format [None]:

2. Obtain a list of all the Lightsail instance names. Create a file called LightsailWriteToFile.sh. In the same directory, create a file called lightsail.txt. We are going to write a bash script that saves the output from the AWS CLI. Since the output of the AWS CLI is a JSON object, we need to save it to a file so we can read the output in a language that understands objects (i.e. JavaScript). I’m sure there’s a better way to do this. If you know of a way, please comment.

#!/bin/bash
aws lightsail get-instances > lightsail.txt
echo "finished"

3. Open lightsail.txt and copy the “instances” array. It should look something like this.

{
  "instances": [
    {
      "name": "xxxx",
      "arn": "xxxxx",
      "supportCode": "xxxxxx",
      "createdAt": "xxxx",
      "location": {
        "availabilityZone": "xxxxx",
        "regionName": "us-west-2"
      },
      "resourceType": "Instance",
      "tags": [],
      "blueprintId": "ubuntu_18_04",
      "blueprintName": "Ubuntu",
      "bundleId": "medium_2_0",
      "isStaticIp": false,

4. We need to create a list of instance names. We will use JavaScript to access the properties of the object returned from the AWS CLI. Create a file called lightsail.js. Copy and paste the instances from lightsail.txt. In your Documents folder, create a file called lightsail2.txt.

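const fs = require("fs");

// Replace the placeholder with the "instances" array copied from lightsail.txt.
const instances = <paste instances from lightsail.txt>;

// Build a space-separated list of instance names.
let instanceString = "";
for (let i = 0; i < instances.length; i++) {
  instanceString += `${instances[i].name} `;
}

// Write the list where the next step can pick it up.
fs.writeFile("/Users/YourName/Documents/lightsail2.txt", instanceString, (err) => {
  if (err) {
    console.error(err);
    return;
  }
});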

5. Create another file called lightsail2.sh. Paste the list of instance names inside the parentheses to create a bash array. Bash arrays look like this: (1 5 9 4 55 11). Now iterate over the array, running aws lightsail delete-instance --instance-name for each element to delete that instance.

#!/bin/bash
# Replace the placeholder with the names from lightsail2.txt.
INSTANCES=(<paste instanceString>)
for t in "${INSTANCES[@]}"; do
  aws lightsail delete-instance --instance-name "$t"
done

For each instance that is deleted, you should see a “succeeded” response in your terminal.
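
The steps above delete every instance that get-instances returns for the configured region. As an added example that is not the author's code, this Node.js script keeps only instances created at or after a cutoff time, honours a keep list, and prints the delete commands (with each instance's own region) for review before anything runs. The instance names, dates, cutoff, keep list and the name-character check are constructed assumptions; Lightsail instances are regional, so get-instances has to be run once per region to collect the input.

```javascript
// createdAt may arrive as epoch seconds (number) or an ISO 8601 string,
// depending on the CLI's timestamp format (assumption); accept both.
function createdMs(value) {
  const ms = typeof value === "number" ? value * 1000 : Date.parse(value);
  if (Number.isNaN(ms)) throw new Error(`unparseable createdAt: ${value}`);
  return ms;
}

// Pick instances created at or after `since`, skipping names on the keep list.
function selectForDeletion(output, since, keep = []) {
  const cutoff = Date.parse(since);
  if (Number.isNaN(cutoff)) throw new Error(`bad cutoff: ${since}`);
  const keepSet = new Set(keep);
  return (output.instances || [])
    .filter((i) => createdMs(i.createdAt) >= cutoff && !keepSet.has(i.name))
    .map((i) => ({ name: i.name, region: i.location.regionName }));
}

// Render one CLI command per target. Names are checked against a conservative
// character set (assumption) so a pasted value can never inject shell syntax.
function deleteCommands(targets) {
  const safe = /^[A-Za-z0-9._-]+$/;
  return targets.map(({ name, region }) => {
    if (!safe.test(name) || !safe.test(region)) {
      throw new Error(`refusing unexpected name/region: ${name} ${region}`);
    }
    return `aws lightsail delete-instance --instance-name ${name} --region ${region}`;
  });
}

// Constructed sample in the shape of `aws lightsail get-instances` output.
const SAMPLE = {
  instances: [
    { name: "blog-prod", createdAt: "2021-06-01T10:00:00Z",
      location: { regionName: "us-west-2" } },
    { name: "node-0001", createdAt: "2022-03-26T03:14:07Z",
      location: { regionName: "us-west-2" } },
    { name: "node-0002", createdAt: 1648264500.12,
      location: { regionName: "eu-central-1" } },
    { name: "ci-runner", createdAt: "2022-03-27T09:00:00Z",
      location: { regionName: "us-west-2" } },
  ],
};

// Dry run: print the plan for review instead of executing it.
const plan = deleteCommands(
  selectForDeletion(SAMPLE, "2022-03-26T00:00:00Z", ["ci-runner"]));
console.log(plan.join("\n"));
```

Once the printed list matches what you expect, the commands can be run as they are; anything created before the cutoff or named in the keep list is left alone.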
