从 EC2 实例存储中恢复数据

slo*_*aut 3 linux ssh hacking amazon-ec2

所以上周,EC2 上的一个实例停止响应,我仍然不知道确切的原因,因为我无法再通过 SSH 进入,我怀疑安装到另一个驱动器的 /tmp/ 目录由于某种未知原因不再可访问。

我有一些非常重要的文件需要离开这台服务器...

我仍然能够在 AWS 控制台中提取日志,这里有一些非常相关的行(我仍然能够重新启动服务器):

        Welcome to  CentOS release 5.4 (Final)
        Press 'I' to enter interactive startup.
Cannot access the Hardware Clock via any known method.
Use the --debug option to see the details of our search for an access method.
Setting clock : Thu Dec 29 13:52:43 EST 2011 [  OK  ]

Starting udev: [  OK  ]

Setting hostname localhost.localdomain:  [  OK  ]

No devices found
Setting up Logical Volume Management: File descriptor 7 (/sys/kernel/hotplug) leaked on lvm.static invocation. Parent PID 232: /bin/bash
[  OK  ]

Checking filesystems
Checking all file systems.
[/sbin/fsck.ext3 (1) -- /] fsck.ext3 -a /dev/sda1 
/dev/sda1: clean, 202786/1310720 files, 1428718/2621440 blocks
[  OK  ]

Remounting root filesystem in read-write mode:  [  OK  ]

Mounting local filesystems:  [  OK  ]

Enabling local filesystem quotas:  [  OK  ]

chown: cannot access `/tmp/.ICE-unix': No such file or directory
Enabling /etc/fstab swaps:  [  OK  ]

INIT: Entering runlevel: 4

Entering non-interactive startup
Starting background readahead: [  OK  ]

Bringing up loopback interface:  [  OK  ]

Bringing up interface eth0:  
Determining IP information for eth0...mktemp: cannot create temp file /tmp/wnt890: No such file or directory
/sbin/dhclient-script: line 57: $rscf: ambiguous redirect
/sbin/dhclient-script: line 62: $rscf: ambiguous redirect
/sbin/dhclient-script: line 69: $rscf: ambiguous redirect
 done.
[  OK  ]

Starting getsshkey:  /etc/rc4.d/S11getsshkey: line 12: /tmp/my-key: No such file or directory
getting ssh-key...
/etc/rc4.d/S11getsshkey: line 17: /tmp/my-key: No such file or directory
getting ssh-key...
Run Code Online (Sandbox Code Playgroud)

我确定它不是防火墙问题。这是 nmap 的输出

[root@ip-xxxxxxxxx ~]# nmap -sS -P0 xxxxxxxxxxx

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-12-29 16:32 EST
Interesting ports on xxxxxx (xxxxxxxxx):
Not shown: 1675 filtered ports
PORT     STATE  SERVICE
22/tcp   closed ssh
25/tcp   closed smtp
80/tcp   closed http
443/tcp  closed https
8000/tcp closed http-alt
Run Code Online (Sandbox Code Playgroud)

Tom*_*nor 6

我不认为请这里的任何人帮助您“入侵服务器”特别有利于回答。

  1. 创建正在运行的 EC2 实例的快照
  2. 创建一个新实例。
  3. 将快照挂载为实例上的新 EBS 卷。
  4. 从快照复制数据
  5. 杀死以前的和新的虚拟机实例。

哒哒!您刚刚恢复了数据,不涉及黑客攻击。

这里的一些工具可能会有所帮助。

  • 这都是关于上下文的。 (2认同)