This topic provides answers to some commonly asked questions about the threat detection feature of Security Center.

How do I determine whether my assets contain mining programs?

If the CPU utilization of your server increases significantly, for example, to 80% or higher, and an unknown process keeps transmitting packets, a mining program is running on your server.

If Security Center detects mining programs on your assets, it sends alerts to you by text message or email. You can log on to the Security Center console and choose Detection > Alerts. On the page that appears, you can handle mining alerts. If other alerts are related to the mining programs, such as communication with mining pools or visits to malicious domains, we recommend that you also handle those alerts. For more information about how to view and handle these alerts, see View exceptions related to an alert.


What do I do if anti-virus is not enabled and my server is under a mining attack?

On the Alerts page of the Security Center console, find the alert, and click Processing in the Actions column. Then, select Anti-Virus, Isolate the source file of the process, and End the running of the process, and click Fix Now. On the Settings page, turn on Anti-Virus.

What do I do if I accidentally add a mining alert to a whitelist?

On the Alerts page of the Security Center console, set the status filter condition to Handled. Security Center displays all the alerts that are handled. Find the alert and click Cancel whitelist in the Actions column.

How do I view the defense items that I have enabled?

Security Center provides an overview of the defense items that are On or Off.

On the Alerts page of the Security Center console, you can view the defense items that are On and Off.
By default, enabled defense items are not displayed. You can click the Hide/Show icon on the Alerts page to view the enabled defense items.
By default, all supported defense items of the current Security Center edition are enabled. However, these do not include the Application Whitelist or Webpage Tampering defense item.
Note
  • To enable the Webpage Tampering defense item, you must upgrade Security Center to the Basic Anti-Virus, Advanced, or Enterprise edition and purchase the web tamper proofing feature. For more information about how to enable the Webpage Tampering defense item and about web tamper proofing, see Enable tamper protection.
  • The Application Whitelist defense item is in the public preview phase. In the left-side navigation pane of the Security Center console, choose Operation > Extensions to apply for a trial. For more information about an application whitelist, see Application whitelist.
  • Cloud threat detection is supported and automatically enabled only for the Enterprise edition of Security Center. To use cloud threat detection, you must upgrade Security Center to the Enterprise edition.

How do I confirm that automatic virus blocking takes effect?

Log on to the Security Center console, go to the Settings page, and turn on Anti-Virus. On the Alerts page, change the filter conditions to Precise Defense and Processed. If the defense status is Successful Interception, automatic virus blocking takes effect.

How does Security Center detect intrusions?

Security Center detects intrusions in two ways: it scans your assets, and Alibaba Cloud security engineers analyze and verify user traffic data.

What are the common intrusions?

The alerts that are provided by Security Center cover common intrusions. These intrusions include webshell, brute-force cracking, and mining. For more information, see Alert types.

Why does the call of the phpinfo function generate an alert? Is the alert a false alert?

The alert is not a false one.

The phpinfo output contains a large amount of sensitive information, such as the absolute path of a website. If the phpinfo function can be called on an asset, attackers may use the information it exposes to attack the asset; most attackers call phpinfo first to gather information for further penetration. If the file is a normal file required for your business, you can log on to the Security Center console, go to the Alerts page, and select Add to Whitelist when you handle the alert.

Can Security Center automatically quarantine webshell files?

No, Security Center cannot automatically quarantine webshell files. You must identify the webshell files that contain your business information and then manually quarantine the files. Quarantined files are listed in Quarantine files and can be restored within 30 days.

How does Security Center provide webshell detection?

Security Center detects website script files, such as PHP, ASP, and JSP files, on both hosts and networks. The two detection mechanisms work as follows:
  • Host-based detection: The changes of web directories on hosts are monitored in real time.
  • Network-based detection: Networks capture webshell files and identify network protocols to detect webshells.
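The host-based mechanism above amounts to watching a web root for script files that appear or change. The following added example, which is not Security Center's own detection code, shows that idea in miniature: it baselines the script files in a directory, takes a later snapshot, and reports added, modified, and removed files. The directory layout, the file contents, and the watched extensions (`WATCHED_EXTENSIONS`) are assumptions made for this example.

```python
"""Host-based change monitoring for a web directory.

Added example, not Security Center's own detection code. It baselines the
script files in a web root, takes another snapshot later, and reports files
that were added or modified. The directory layout, the file contents and the
watched extensions are assumptions made for this example.
"""
import hashlib
import tempfile
from pathlib import Path

WATCHED_EXTENSIONS = {".php", ".asp", ".aspx", ".jsp"}  # assumed watch list


def snapshot(web_root):
    """Map each watched script file (POSIX-style relative path) to its SHA-256."""
    root = Path(web_root)
    result = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WATCHED_EXTENSIONS:
            result[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()
            ).hexdigest()
    return result


def diff_snapshots(before, after):
    """Classify paths as added, modified or removed between two snapshots.

    Script files that appear or change outside a deployment window are the
    events a host-based webshell detector raises for review.
    """
    return {
        "added": sorted(p for p in after if p not in before),
        "modified": sorted(p for p in after if p in before and after[p] != before[p]),
        "removed": sorted(p for p in before if p not in after),
    }


def demo():
    """Build a constructed web root, baseline it, then simulate two changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "app" / "login.php").write_text("<?php // login ?>\n")
        (root / "style.css").write_text("body {}\n")  # not a script, ignored
        baseline = snapshot(root)
        # Later scan: one existing script edited, one new script dropped in.
        (root / "app" / "login.php").write_text("<?php // login v2 ?>\n")
        (root / "app" / "upload.php").write_text("<?php // new file ?>\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Running the module prints the diff for the constructed web root: `app/upload.php` is reported as added and `app/login.php` as modified, while the stylesheet is ignored because it is not a script file. In a real deployment the baseline would be stored after each legitimate release and the comparison run on a schedule or from a file-change notification.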

Why do alerts involve files that are commonly used on my server? Are these alerts false alerts?

These alerts are not false alerts. If files that are commonly used on your server are modified or the files contain obvious webshell statements, Security Center generates alerts. You can handle these alerts based on the actual situation.

What alerts can I add to whitelists?

You can add the alerts that are generated for malicious processes to whitelists. If you add an alert that is generated for a malicious process to a whitelist, only the access source is added to the whitelist. The following table describes the alert types that you can add to a whitelist.

| Alert type | Description |
| --- | --- |
| Malicious processes | Adds the MD5 hash value to the whitelist. |
| Unusual logons | Adds the IP addresses that are used in unusual logons to the whitelist. |
| Access to malicious IP addresses or communication activities with mine pools | Adds the related IP addresses to the whitelist. |
| Visiting malicious domains | Adds the domains to the whitelist. |
| Access or connection to malicious download sources | Adds the source URLs to the whitelist. |
| Webshell | Adds the web directory configurations to the whitelist. |
| Malicious scripts | Adds the MD5 hash value and path to the whitelist. |
| Cloud threat detection | Configures whitelist rules in the Security Center console. |
| Unusual process activities | Adds the command lines to the whitelist. |
| Persistent webshells | Adds the MD5 hash and characteristic values to the whitelist. |
| Sensitive file tampering | Adds the file path to the whitelist. |
| Application intrusion | Adds the command lines to the whitelist. |
| Detection of threats to web applications | Adds the domains or URLs to the whitelist. |
| Unusual network connections | Adds the command lines, destination IP addresses, and destination ports to the whitelist. If some fields are missing, only the existing fields are added to the whitelist. |

How do I manage common alerts?

You can perform the following operations to manage common alerts:
  • Manage an unusual process activity
    View the alert and check whether the process activity is a normal workload activity. If it is, click Processing in the Actions column, and select Whitelist. If it is not, check and manage other relevant alerts. After the alerts are managed, click Processing in the Actions column, and select Ignore.
  • Manage a webshell
    Check whether the source file is a normal workload file. If it is, click Processing and select Whitelist. If it is not, click Processing and select Isolation.
  • Manage a malicious process
    We recommend that you use the anti-virus feature to terminate a malicious process and isolate the source file. Alternatively, you can log on to the server and manually manage the malicious process. A malicious process may delete itself or disguise itself as a system process to bypass detection. If no source file exists, check for an unusual process, a scheduled task, or a startup program.
  • Manage an unusual network connection
    If the network connections are established by trusted workloads, click Processing and select Whitelist. If they are not, use Cloud Firewall or Web Application Firewall (WAF) to block the requests based on the alert. After the alert is managed, select Ignore to move the alert to the Handled list.

How do I avoid the situation where I properly log on to a server but Security Center prompts that the logon is unusual?

You can log on to the Security Center console. Select Alerts and click Settings. On the page that appears, configure common logon IP addresses, common logon time, and common logon accounts that are used to generate alerts on unusual logons. You can manually add common logon locations or configure Security Center to automatically update common logon locations. You can also specify assets on which alerts are triggered if uncommon logon locations are detected.

What do I do if Security Center still displays an unusual logon after I configure common logon IP addresses, common logon time, and common logon accounts and properly log on to a server?

In this case, you must first check whether the alert indicates a logon from an invalid IP address, an unusual location, or an unusual account. Logon IP addresses, locations, accounts, and time are the factors that may trigger an alert, and these factors do not have priorities. An alert is triggered if any of the factors is abnormal.

Is the logon successful or blocked if an alert that indicates an unusual logon is triggered?

An unusual logon alert means that the logon succeeded, but Security Center considers the logon behavior suspicious. Therefore, Security Center generates an alert for the unusual logon.

What do I do if an alert that indicates an unusual logon is identified as an alert that indicates a logon from an attacker?

You can log on to the Security Center console and select Alerts. Find the alert and click Processing in the Actions column. On the page that appears, select to block for 12 hours, and click Process Now. We recommend that you change your account password in a timely manner and check whether other unknown accounts and unknown public keys exist on the server. This is to prevent SSH password-free logons.

If Security Center generates an alert about a suspicious command after an SSH logon to an ECS instance, was the command actually run?

Yes, the command was run. We recommend that you update the server logon password in a timely manner, and check whether the ECS instance shows other abnormal behavior, such as an unknown process being started.

What logs can I view on the server when an alert about an unusual logon is generated?

You can view the logs in the /var/log/secure file on the server. For example, you can run the grep 10.80.22.22 /var/log/secure command to view the log entries for the IP address 10.80.22.22.

How do I view the number of brute-force attacks or the blocking situation of my server?

You can log on to the Security Center console and choose Detection > Attack Awareness. On the page that is displayed, view information about successful blocking of SSH brute-force cracking.

How can I prevent servers from being cracked?

You can configure common logon IP addresses or use certificates for logons. For information about how to configure common logon IP addresses, see Configure security alerts.

What do I do if a misoperation causes an anti-brute force cracking rule to take effect and block my logons?

If the number of logon failures is large, your configured rule of anti-brute force cracking takes effect. As a result, you cannot log on to the server. You can perform the following operations to allow logons:

Log on to the Security Center console. Go to the Alerts page and click the number under IP blocking / All. On the IP Policy Library page, find the blocking rule and set Policy Status of the rule to Disabled.

How do I enable protection against brute-force attacks?

You can perform the following operations to enable protection against brute-force attacks. For more information, see Add a defense rule against brute-force attacks.
  1. On the Security Risk page, click Process Now on the right side to go to the Settings > Anti-brute Force Cracking tab.
  2. Optional. Perform the following steps to authorize Security Center.
    Note If you configure a defense rule against brute-force attacks for the first time, you must authorize Security Center. If you have added a defense rule before, skip this step.
    1. In the Anti-brute Force Cracking section, move the pointer over Management, and click Authorize now.
    2. Click Confirm Authorization Policy.

    After you authorize Security Center, choose Settings > Anti-brute Force Cracking. Then, you can add a defense rule against brute-force attacks.

  3. In the Anti-brute Force Cracking section, click Management on the right.
  4. On the Add page, configure a defense rule.

    Security Center provides the default defense rule Alibaba Cloud best practices against brute-force attacks. The default rule defines that if the number of failed logon attempts exceeds 80 within 10 minutes, the IP address is blocked for six hours. You can use the default rule and select servers to which the default rule applies. You can also configure a custom defense rule. The following table describes the parameters.

    | Parameter | Description |
    | --- | --- |
    | Defense Rule Name | The name of the defense rule. |
    | Defense Rule | Specifies the defense rule conditions, including the maximum number of failed logon attempts from a specific IP address and the time period during which requests from the IP address are blocked. The maximum number of failed logon attempts can be 2, 3, 4, 5, 10, 50, 80, or 100. The time period during which failed logon attempts are counted can be 1, 2, 5, 10, or 15 minutes. The time period for blocking the IP address can be 5 minutes, 15 minutes, 30 minutes, 1 hour, 2 hours, 6 hours, 12 hours, 24 hours, or 7 days. If you select Permanent, Security Center does not block the IP address. For example, you can configure a custom rule that has the following conditions: If the number of failed logon attempts exceeds three within one minute, the specific IP address is blocked for 30 minutes. |
    | Select Server(s) | The servers to which the defense rule applies. You can select servers from the server list, or filter servers by server name or server IP address. |
    | Set As Default Policy | Specifies whether to set the defense rule as the default rule. By default, servers that have no defense rule attached use the default defense rule. |

    Note If you select Set As Default Policy, the defense rule takes effect on all the servers that have no defense rule attached, regardless of whether you select the servers in the Select Server(s) section.
  5. Click OK.
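Two earlier passages are tied together by the following added example, which is not Security Center's own code: the grep over /var/log/secure in the answer about viewing logon logs, and the "failed attempts within a time window, then block" semantics of the defense rule configured above (the default 80 attempts in 10 minutes blocking for six hours, and the custom 3 attempts in 1 minute blocking for 30 minutes). The sample sshd log lines are constructed for this example (10.80.22.22 is the address used in the FAQ; the other addresses are documentation ranges), the year attached to the syslog timestamps (`ASSUMED_YEAR`) is assumed because syslog lines carry none, and the sliding-window evaluation in `evaluate_rule` is this example's own reading of the rule, not Security Center's implementation.

```python
"""Parsing /var/log/secure and applying a brute-force defense rule.

Added example, not part of Security Center or its agent. The log lines, the
year attached to the timestamps and the rule evaluation are assumptions made
here to illustrate the FAQ answers.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in the /var/log/secure format.
SAMPLE_SECURE_LOG = """\
Mar  3 10:01:02 web01 sshd[2345]: Failed password for root from 10.80.22.22 port 51234 ssh2
Mar  3 10:01:05 web01 sshd[2346]: Failed password for invalid user admin from 10.80.22.22 port 51240 ssh2
Mar  3 10:01:09 web01 sshd[2347]: Failed password for root from 10.80.22.22 port 51250 ssh2
Mar  3 10:01:12 web01 sshd[2348]: Failed password for root from 198.51.100.7 port 60000 ssh2
Mar  3 10:01:30 web01 sshd[2349]: Failed password for root from 10.80.22.22 port 51262 ssh2
Mar  3 10:02:15 web01 sshd[2350]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
Mar  3 10:02:15 web01 sshd[2350]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
"""

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumed for parsing

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_secure_log(text):
    """Return one dict per Accepted/Failed sshd line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append({
            "time": ts.replace(year=ASSUMED_YEAR),
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def logons_from(text, ip):
    """Equivalent of `grep <ip> /var/log/secure`, but returning parsed events."""
    return [e for e in parse_secure_log(text) if e["ip"] == ip]


def evaluate_rule(events, max_failures, window_minutes, block_minutes):
    """Apply "more than max_failures failures within window_minutes" per IP.

    Returns {ip: (block_start, block_end)} for every IP that trips the rule.
    Failures are kept in a sliding window per source IP; accepted logons do
    not reset the count.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    blocked = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev["ip"]
        if ev["result"] != "Failed" or ip in blocked:
            continue
        q = recent[ip]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) > max_failures:
            blocked[ip] = (ev["time"], ev["time"] + timedelta(minutes=block_minutes))
    return blocked


if __name__ == "__main__":
    events = parse_secure_log(SAMPLE_SECURE_LOG)
    for e in logons_from(SAMPLE_SECURE_LOG, "10.80.22.22"):
        print(e["time"], e["result"], e["user"])
    print("default rule (80 / 10 min):", evaluate_rule(events, 80, 10, 360))
    print("custom rule (3 / 1 min):", evaluate_rule(events, 3, 1, 30))
```

With the constructed lines, the default rule blocks nothing, while the custom rule blocks 10.80.22.22 at its fourth failure (10:01:30) for 30 minutes; 198.51.100.7 stays under the threshold and the accepted public-key logon from 192.0.2.10 is never counted. The same parser is what you would use to confirm, after an unusual logon alert, whether the logon for the reported address was a password or public-key authentication.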

What do I do if my server passwords are cracked?

If your server passwords are cracked, the attacker may have intruded into your servers and implanted malicious programs. You can log on to the Security Center console and choose Detection > Alerts. On the Alerts page, check whether your server passwords are cracked.

If your assets contain alerts such as ECS was successfully brute-forced, your server passwords are cracked. We recommend that you perform the following steps to reinforce the security of your assets:
  • Handle relevant alerts

    Log on to the Security Center console and choose Detection > Alerts. On the Alerts page, click Processing in the Actions column. On the page that appears, select Block and click Process Now. Security Center generates defense rules for the security group to block access requests from malicious IP addresses. For more information, see View and handle alert events.

  • Reset server passwords

    Reset the cracked passwords at the earliest opportunity. We recommend that you use complex passwords.

  • Run baseline checks to detect risks
    Use the baseline check feature of Security Center to detect risks on your servers, and manage the detected risks based on the suggestions that are provided by Security Center.
    Note Baseline check is supported only for the Enterprise edition of Security Center.
  • Reset your servers and reinforce the security of your servers

    For information about how to reinforce the security of your servers, see ECS security deployment method.

Why do I still receive brute-force attack alerts after I change the default port of the SSH service?

After you change the default port of the Secure Shell (SSH) service on a server that runs a Linux operating system from port 22 to another port, you may still receive brute-force attack alerts from Security Center.

Security Center identifies brute-force attacks based on the frequency of SSH logon attempts. Security Center does not identify brute-force attacks based on the default port of the SSH service. Therefore, even if you changed the default port of the SSH service, Security Center still sends you alerts that are triggered by brute-force attacks on the SSH service.

If your server passwords are cracked by brute-force attacks, we recommend that you reinforce the security of your servers. For more information, see What do I do if my server passwords are cracked?.

Why are there records on RDP brute-force attacks even after RDP requests on port 3389 are blocked by security group rules or firewall rules?

Due to the special logon audit mechanism in Windows operating systems, the audit activities of logons based on Inter-Process Communication (IPC), Remote Desktop Protocol (RDP), and Samba are recorded in the same log without the need to specify the logon methods. If records on RDP brute-force attacks are found after the requests to the RDP service port are blocked, check whether IPC or Samba is activated.

Check whether the Elastic Compute Service (ECS) instance has enabled port 135, port 139, or port 445 and whether these ports can be accessed from public IP addresses. Check whether the Windows security logs contain logon records within the attack time period.

Does Security Center detect only weak passwords of RDP and SSH services?

Security Center detects weak passwords of RDP and SSH services and weak passwords that are used by administrators to log on to content management systems (CMS).

How do I handle an SSH or RDP remote logon failure?

If the current IP address cannot remotely log on to a cloud server by using SSH or RDP, log on to the Alibaba Cloud Security Control console to add this IP address to the whitelist.

To add an IP address to the whitelist, perform the following steps:
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Settings. On the General tab, find the Security Control section, and click Configuration to go to the Security Control console.
    Note Alternatively, move the pointer over the profile picture in the upper-right corner of the Alibaba Cloud console, and select Security Console to go to the Security Control console.
  3. In the Security Control console, choose Whitelist > Access Whitelist in the left-side navigation pane and then click Add.
  4. Enter an IP address in the Source IP field, and select the servers to which logons from the IP address are allowed. Select one or more servers from the box on the left, and click the right arrow to add the selected servers to the Selected box on the right.
  5. Click OK.

Handle sensitive information leakage

When enterprises or individuals use GitHub, Gitee, or other platforms to manage source code, the source code contains or may contain the following sensitive information: AccessKey pairs of Alibaba Cloud accounts, accounts and passwords of ApsaraDB for RDS databases, accounts and passwords of emails, and accounts and passwords of user-created databases based on ECS. If the preceding account information is leaked, attackers may use the information to access Alibaba Cloud resources and data of enterprises or individual users.

After an enterprise creates a database on an ECS instance, developers may write sensitive information in the database connection configuration file. Sensitive information includes the database connection password and email password. Attackers may obtain the leaked passwords from GitHub and obtain the data of the enterprise. This may cause major security risks for the enterprise.

Solutions:
  • We recommend that you use a private GitHub code base or build an internal code management system to prevent source code or sensitive information leakage.
  • If you find that sensitive information such as an Alibaba Cloud AccessKey pair is leaked, log on to the Alibaba Cloud console, disable and reset the leaked AccessKey pair, or delete it. In addition, delete the hosting code in GitHub at the earliest opportunity.
  • Regularly log on to the Log Service console to view the server access logs. Check whether data leakage has occurred. For example, open the web access log, and specify the URI field to locate the paths that contain files related to AccessKey pairs.
  • Configure internal standards on security operations and management, and restricted development operations. Provide training for IT administrators to improve information security.
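The third solution above (open the web access log and use the URI field to find requests for files related to AccessKey pairs) can be scripted. The following added example is not part of Security Center or Log Service: it parses common-log-format lines, matches the request path against a watch list of configuration and credential file names, and separates requests the server actually served (2xx) from probes it refused. The log lines are constructed for this example, and the watch list (`SENSITIVE_URI_RE`) and the "served" heuristic are assumptions; extend the list with the configuration files your own application uses.

```python
"""Scanning web access logs for requests that target credential files.

Added example, not part of Security Center or Log Service. The log lines,
the path patterns and the "served" heuristic are assumptions made here.
"""
import re
from collections import defaultdict

# Constructed lines in the common log format (documentation IP ranges).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [03/Mar/2024:10:15:01 +0800] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [03/Mar/2024:10:15:07 +0800] "GET /.env HTTP/1.1" 404 153
203.0.113.9 - - [03/Mar/2024:10:15:08 +0800] "GET /config/database.yml HTTP/1.1" 200 512
203.0.113.9 - - [03/Mar/2024:10:15:09 +0800] "GET /static/app.js HTTP/1.1" 200 2048
203.0.113.5 - - [03/Mar/2024:10:15:11 +0800] "POST /api/login HTTP/1.1" 200 64
203.0.113.9 - - [03/Mar/2024:10:15:12 +0800] "GET /conf/accesskey.properties HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed watch list: file names that commonly hold connection strings,
# passwords or AccessKey pairs. Extend it for your own deployment.
SENSITIVE_URI_RE = re.compile(
    r"(?i)(/\.env$|accesskey|access_key|credentials|"
    r"\.(ya?ml|properties|ini)$|/config\.(php|json)$)"
)


def find_sensitive_requests(log_text):
    """Return the parsed requests whose URI matches the watch list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m["uri"].split("?", 1)[0]  # ignore the query string
        if SENSITIVE_URI_RE.search(uri):
            status = int(m["status"])
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "uri": uri,
                "status": status,
                # A 2xx status means the server actually returned the file;
                # anything else was a probe that the server refused.
                "served": 200 <= status < 300,
            })
    return hits


def summarize(hits):
    """Group hits by client IP: which paths were probed and which were served."""
    per_ip = defaultdict(lambda: {"probed": [], "served": []})
    for h in hits:
        bucket = "served" if h["served"] else "probed"
        per_ip[h["ip"]][bucket].append(h["uri"])
    return dict(per_ip)


if __name__ == "__main__":
    for ip, info in summarize(find_sensitive_requests(SAMPLE_ACCESS_LOG)).items():
        print(ip, "served:", info["served"], "probed:", info["probed"])
```

On the constructed log, 203.0.113.9 probed /.env and /conf/accesskey.properties without success but was served /config/database.yml; a served hit is the case to treat as a possible leak and to follow with the AccessKey reset and code removal steps listed above, while a string of refused probes from one address is the signal to block that source.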