This topic describes trojan attacks, how to find and delete trojan files, and how to defend against trojan attacks.
When a user visits an attacked web page, the injected malicious code exploits vulnerabilities of the browser, third-party ActiveX controls, and plug-ins, such as Flash and PDF plug-ins, to secretly download and execute the trojan virus.
Hazards of trojan attacks
If a trojan attack occurs, the attacker intrudes into your website and can obtain sensitive user data, such accounts, passwords, and business data. If a user visits the attacked website, the computer of the user may be implanted with a trojan virus. The virus can steal data such as bank accounts, social network accounts, and passwords. The trojan virus can also damage data on disks of the computer. This can cause huge losses of information assets for the user. Therefore, trojan attacks may affect the reputation of your website, damage the computer systems of your users, and cause data leaks of the users.
Find and clear a trojan file
If a trojan attack occurs on your website, the attacker intrudes into the website by exploiting vulnerabilities and implants malicious code into the file system or code of your web server. You can find and clear the trojan file by using the following methods:
If the malicious code is already detected by Security Center, find the trojan file based on the URL directory and delete the file.
Use Security Center to automatically detect and remove the trojan file. The number of code files for an operating system or application is large, so it is difficult to manually identify trojan files.
Defend against trojan attacks
Fix the vulnerabilities in your website system and on your web servers in a timely manner to prevent your website from being attacked. Trojan attacks bring severe damage to websites. Attackers can exploit vulnerabilities in tampered web pages, browsers, and operating systems as well as download and execute trojan viruses and malicious programs to expand the scope of attacks. You must protect your website against trojan attacks at all levels. The following figure shows the architecture of a general website system.
We recommend that you defend against trojan attacks at the following levels:
Network security level
Host system level
Use Bastionhost to manage methods to log on to ECS instances and grant O&M personnel only necessary permissions.
Configure a strong password for your Alibaba Cloud account. The password is at least eight characters in length and must contain uppercase letters, lowercase letters, digits, and special characters. Change your password every few months to ensure security. We recommend that you use multi-factor authentication (MFA) or SSH key credentials to log on to ECS instances.
Obtain security vulnerability information, for example, from the security vulnerability notice on the Alibaba Cloud official website. Regularly detect and fix vulnerabilities on your website and web servers. Install patches to operating systems and application software in a timely manner.
Activate Security Center to detect and handle security risks, insecure configuration items, operating system vulnerabilities, and middleware vulnerabilities on your servers.
Strictly control file access permissions. Restrict permissions to access sensitive directories and permissions to execute scripts that modify these directories. Grant only necessary permissions to access and modify the file system.
Do not use web-based management tools to manage databases and do not open your web management system directly to the Internet.
Configure access control policies to allow only application servers to access database services. Do not open database service ports to the Internet.
Configure strong passwords for the database services. For more information, see Database service security hardening.
Application security level
Enhance security of web application middleware. For more information, see Web application security hardening.
Perform code security tests and white-box tests. Fix detected vulnerabilities before you bring the service code online. This prevents attackers from exploiting the vulnerabilities to intrude into your service system.
Use Cloud Security Scanner to regularly scan for vulnerabilities of your website and web system. Fix these vulnerabilities before you bring the service system online.
Check for program vulnerabilities and fix them in a timely manner. You can use Emergency Response Service to identify vulnerabilities and causes of intrusions. You can use Web Application Firewall (WAF) to protect your web applications against external attacks.