My AWS Account Got Hacked. How to Remove the Lightsail Instances?

Over the weekend my AWS account got hacked. The hacker created 2,000 Lightsail instances. AWS suspended my account after an hour when it recognized the suspicious activity. However, I ran into the biggest problems after my account was reinstated. AWS claims they do not have the authority to remove the Lightsail instances. Therefore, I needed to do it myself. To do so, they sent me the following link: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/delete-an-amazon-lightsail-instance. Since it is impractical to delete each instance individually, I needed to write a script to remove the instances. First, stop the bleeding by doing the following:

Here’s what I did to remove the malicious lightsail instances:

1. Configure your AWS CLI
aws configure
AWS Access Key ID [None]: accesskey
AWS Secret Access Key [None]: secretkey
Default region name [None]: us-west-2
Default output format [None]:

2. Obtain a list of all the Lightsail instance names. Create a file called LightsailWriteToFile.sh. In the same directory, create a file called lightsail.txt. We are going to write a bash script that saves the output from the AWS CLI. Since the output of the AWS CLI is an object, we need to save it to a file so we can read the output in a language that understands objects (i.e. JavaScript). I’m sure there’s a better way to do this. If you know of a way, please comment.

#!/bin/bash
aws lightsail get-instances > lightsail.txt
echo "finished"

3. Open lightsail.txt and copy the “instances” array. It should look something like this.

{
"instances": [
{
"name": "xxxx",
"arn": "xxxxx",
"supportCode": "xxxxxx",
"createdAt": "xxxx",
"location": {
"availabilityZone": "xxxxx",
"regionName": "us-west-2"
},
"resourceType": "Instance",
"tags": [],
"blueprintId": "ubuntu_18_04",
"blueprintName": "Ubuntu",
"bundleId": "medium_2_0",
"isStaticIp": false,

4. We need to create a list of instance names. We will use JavaScript to access the properties in the object returned from the AWS CLI. Create a file called lightsail.js. Copy and paste the instances from lightsail.txt. In your Documents folder, create a file called lightsail2.txt.

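const fs = require("fs");

// Paste the "instances" array copied from lightsail.txt here.
const instances = <paste instances from lightsail.txt>;

// Build a space-separated list of instance names.
let instanceString = "";
for (let i = 0; i < instances.length; i++) {
  instanceString += `${instances[i].name} `;
}

// Write the list to lightsail2.txt.
fs.writeFile("/Users/YourName/Documents/lightsail2.txt", instanceString, (err) => {
  if (err) {
    console.error(err);
    return;
  }
});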

5. Create another file called lightsail2.sh. Paste the list of instance names inside the parentheses to create a bash array. Bash arrays look like this: (1 5 9 4 55 11). Now iterate over the array, running aws lightsail delete-instance --instance-name on each entry to delete it.

#!/bin/bash
# Paste the space-separated names from lightsail2.txt between the parentheses.
INSTANCES=(<paste instanceString>)
for t in "${INSTANCES[@]}"; do
  aws lightsail delete-instance --instance-name "$t"
done

For each instance that is deleted, you should see a “succeeded” response in your terminal.
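
Steps 2 to 5 can be collapsed into one script. The following is an added example, not the author's code: it uses the AWS CLI's --query option to pull the instance names directly, walks every Lightsail region rather than only us-west-2, and defaults to a dry run. The KEEP and DRY_RUN variables and the file name purge.sh are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: bulk-delete Lightsail instances without the copy/paste steps.
# KEEP and DRY_RUN are assumptions of this sketch, not from the original post.
KEEP="${KEEP:-}"        # space-separated names of legitimate instances to spare
DRY_RUN="${DRY_RUN:-1}" # 1 = only print what would be deleted

# Every region Lightsail is offered in; the post only looked at us-west-2.
list_regions() {
  aws lightsail get-regions --query 'regions[].name' --output text
}

# Instance names in one region. --query extracts the "name" fields with
# JMESPath, so no intermediate file or JavaScript is needed.
list_instances() {
  aws lightsail get-instances --region "$1" \
    --query 'instances[].name' --output text
}

# Print the names from "$@" that are not on the KEEP list, one per line.
# "None" is what the CLI prints in text mode for a null query result.
filter_keep() {
  for name in "$@"; do
    case " $KEEP None " in
      *" $name "*) ;;               # legitimate or placeholder: skip
      *) printf '%s\n' "$name" ;;
    esac
  done
}

# Delete (or, in dry-run mode, list) everything not on the KEEP list.
purge_region() {
  region=$1
  for name in $(filter_keep $(list_instances "$region")); do
    if [ "$DRY_RUN" = "1" ]; then
      echo "would delete $name ($region)"
    else
      aws lightsail delete-instance --region "$region" --instance-name "$name"
    fi
  done
}

# Runs only when called with an argument: "all" or a list of regions.
if [ "$#" -gt 0 ]; then
  [ "$1" = "all" ] && set -- $(list_regions)
  for r in "$@"; do purge_region "$r"; done
fi
```

Run `sh purge.sh all` first and read the dry-run list, then repeat with `DRY_RUN=0` once it contains only instances you did not create.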

Lance Watanabe
