If your website is attacked after Security Center is activated, you can check the following items to locate the cause of the intrusion:
- A name that does not conform to English grammar conventions:
- A name that contains digits only:
- A name that seems to be a random character string:
- A name that contains Chinese elements. For example,
Check whether the system shows persistently high CPU usage.
If you use Linux, check whether the /usr/bin/dpkgd directory contains the following files: ps, ss, lsof, or netstat.
If any of the preceding conditions is met, attackers have intruded into your server and have uploaded trojans.
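The `/usr/bin/dpkgd` check above, written as a script. This is an added example, not part of the Security Center documentation. The optional root argument, which lets you inspect a mounted copy of the disk instead of the live system, is an assumption of this example.

```shell
#!/bin/sh
# Added example: checks the Linux indicator described above.
#
# check_dpkgd [ROOT]
#   ROOT is an assumed, optional path prefix (for example a mounted disk
#   snapshot). Empty means the live filesystem.
#   Prints each matching file with `ls -ld` details for triage.
#   Returns 0 if any listed file exists in ROOT/usr/bin/dpkgd, 1 if none do.
check_dpkgd() {
    root="${1:-}"
    dir="${root%/}/usr/bin/dpkgd"
    hits=0
    for name in ps ss lsof netstat; do
        path="$dir/$name"
        # -e follows symlinks; -L also catches dangling symlinks
        if [ -e "$path" ] || [ -L "$path" ]; then
            ls -ld "$path"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

if check_dpkgd "${1:-}"; then
    echo "MATCH: files found in /usr/bin/dpkgd" >&2
else
    echo "no match: /usr/bin/dpkgd does not contain ps, ss, lsof or netstat" >&2
fi
```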
If you receive an email or text message that reports a webshell on your server, your server has been attacked and a webshell has been uploaded. The attacker can access and tamper with your website or database.
You can quarantine the webshell file in the Security Center console. To prevent later intrusions, you must take further actions to locate the vulnerability.
3. Whether your website is blocked or has hidden links or illicit pages
If Alibaba Content Moderation Service has detected pages with illicit content on your website and these pages have been blocked, or your webpages have errors or unauthorized pop-up windows, check your website code. Locate the webpage files of the suspicious URLs. Check whether you wrote or generated the code in these files yourself.
4. Source IP address of the logon server
If Security Center alerts you to an unusual logon, check whether the source IP address is normal. Normal source IP addresses include the outbound IP addresses of the region with internal engineers, external IP addresses temporarily used to log on to your server from another region, and the IP addresses used to log on to the server by using VPN and VPS.
If the source IP address is abnormal, change the logon password. Ensure that the password contains at least 10 characters, including upper-case letters, lower-case letters, and special characters. Check whether Security Center still alerts you to unusual logons.
If the cause of the intrusion into your server is not mentioned in this topic, submit a ticket. Describe the event details and attach the relevant screenshots in the ticket.