If your website is attacked after Security Center is activated, check the following items to locate the cause of the intrusion:

1. Trojans

If you use Windows, check for suspicious processes in Windows Task Manager. A suspicious process typically has a name that does not read like an English word, does not follow the usual naming conventions for programs, or looks like a random character string. The following are examples of suspicious process names:
  • A name that does not read like an English word: eeosec.exe
  • A name that contains digits only: 117466363.exe
  • A name that looks like a random character string: lkdhpec.exe
  • A name that contains Chinese elements: changcheng.exe and beijing.exe

Check whether the system shows sustained high CPU usage.

If you use Linux, check whether the /usr/bin/dpkgd directory exists and contains any of the following files: ps, ss, lsof, or netstat.

If any of the preceding conditions is met, attackers have intruded into your server and have uploaded trojans.

Note: Snapshot rollback does not eliminate the problem. After a snapshot rollback, the vulnerabilities remain exploitable by attackers.
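The two trojan indicators above (odd Windows process names, and replaced tools under /usr/bin/dpkgd on Linux) can be turned into a small triage script. The following is an added example, not code from Security Center or this topic: the name heuristics (digit-only names, unusual vowel ratio, long consonant runs, and the two flagged terms) are assumptions derived from the topic's examples, and the KNOWN_GOOD baseline and SAMPLE_PROCESSES lists are constructed. Heuristics like these produce false positives (svchost.exe trips them), which is why the script first excludes names from a baseline taken on a clean host.

```python
import os
import re
import subprocess
import sys

# Constructed allowlist of process names that are normal on this host; build
# yours from a clean baseline so benign names such as svchost.exe are not
# reported by the heuristics below.
KNOWN_GOOD = {"explorer.exe", "svchost.exe", "system", "sshd", "bash"}
# Terms the topic lists as "Chinese elements" in a process name; extend as needed.
FLAGGED_TERMS = ("changcheng", "beijing")
# Tools that should not exist under /usr/bin/dpkgd on a clean Linux host.
DPKGD_TOOLS = ("ps", "ss", "lsof", "netstat")
VOWELS = set("aeiouy")


def suspicious_reasons(process_name):
    """Return the heuristic reasons a process name looks suspicious ([] if none)."""
    base = process_name.lower()
    if base.endswith(".exe"):
        base = base[:-4]
    reasons = []
    letters = [c for c in base if c.isalpha()]
    if base.isdigit():
        reasons.append("digits only")                       # e.g. 117466363.exe
    elif letters:
        vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
        if vowel_ratio == 0:
            reasons.append("no vowels")
        elif vowel_ratio < 0.2 or vowel_ratio > 0.6:
            reasons.append("unusual vowel ratio")           # eeosec, lkdhpec
        if re.search(r"[bcdfghjklmnpqrstvwxz]{4,}", base):
            reasons.append("long consonant run")            # lkdhpec
    for term in FLAGGED_TERMS:
        if term in base:
            reasons.append("contains flagged term " + term)
    return reasons


def triage_processes(names, known_good=KNOWN_GOOD):
    """Map each name that is outside the baseline and trips a heuristic to its reasons."""
    findings = {}
    for name in names:
        if name.lower() in known_good:
            continue
        reasons = suspicious_reasons(name)
        if reasons:
            findings[name] = reasons
    return findings


def rogue_dpkgd_tools(entries):
    """Return which of DPKGD_TOOLS appear in a directory listing of /usr/bin/dpkgd."""
    present = set(entries)
    return [tool for tool in DPKGD_TOOLS if tool in present]


def scan_dpkgd(dpkgd_dir="/usr/bin/dpkgd"):
    """Live version of rogue_dpkgd_tools; [] when the directory does not exist."""
    if not os.path.isdir(dpkgd_dir):
        return []
    return rogue_dpkgd_tools(os.listdir(dpkgd_dir))


def list_running_processes():
    """Names of running processes: tasklist on Windows, ps on Linux."""
    if sys.platform.startswith("win"):
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                             capture_output=True, text=True).stdout
        return [line.split('","')[0].strip('"') for line in out.splitlines() if line]
    out = subprocess.run(["ps", "-eo", "comm="], capture_output=True, text=True).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


# Constructed sample built from the names the topic gives, plus two benign ones.
SAMPLE_PROCESSES = ["explorer.exe", "svchost.exe", "eeosec.exe", "117466363.exe",
                    "lkdhpec.exe", "changcheng.exe", "beijing.exe"]

if __name__ == "__main__":
    # Replace SAMPLE_PROCESSES with list_running_processes() on the host under review.
    for name, reasons in triage_processes(SAMPLE_PROCESSES).items():
        print(f"{name}: {', '.join(reasons)}")
    print("rogue tools in /usr/bin/dpkgd:", scan_dpkgd())
```

Run it on the suspect host with list_running_processes() in place of the sample list; any reported name or any non-empty result from scan_dpkgd() is worth a closer look, and the CPU-usage check from the topic remains a separate manual step.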

2. Webshells

If you receive an email or text message that reports a webshell on your server, your server has been attacked and a webshell has been uploaded. The attacker can access and tamper with your website or database.

You can quarantine the webshell file in the Security Center console. To prevent further intrusions, you must also take further action to locate the vulnerability that was exploited.

3. Whether your website is blocked or has hidden links or illicit pages

If Alibaba Content Moderation Service has detected pages with illicit content on your website and these pages have been blocked, or your webpages have errors or unauthorized pop-up windows, check your website code. Locate the webpage files that correspond to the suspicious URLs, and check whether the code in these files was written or generated by you.

If you do not recognize the code, an attacker has intruded into your server and uploaded illicit webpages or code. You can manually delete these pages or code.

Note: Attackers launch such intrusions by exploiting vulnerabilities in your business system, code logic, or databases, or other vulnerabilities that are not related to server security. Snapshot rollback or server resetting does not prevent further intrusions.
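Deciding whether a file "was written or generated by you" is much easier when you keep a hash manifest of the release you actually deployed. The following is an added example, not code from Security Center or this topic, and it generalizes the topic's per-URL check to the whole web root: it builds a SHA-256 manifest from a known-good release and reports files that are unknown, modified, or missing in the live tree. RELEASE and LIVE are constructed sample trees (the "hidden link" and the extra PHP file are placeholders, not real attacker content); read_tree() is the hook for running it against a real directory.

```python
import hashlib
import os


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files maps a relative path to its bytes; returns {path: sha256 hex digest}."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_to_manifest(manifest, current_files):
    """Return (unknown, modified, missing) paths of current_files versus the manifest."""
    current = build_manifest(current_files)
    unknown = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    return unknown, modified, missing


def read_tree(root):
    """Read every file under root into {relative path: bytes} for a live comparison."""
    files = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return files


# Constructed known-good release (the files you deployed) ...
RELEASE = {
    "index.php": b"<?php include 'header.php'; echo 'Welcome'; ?>",
    "css/site.css": b"body { margin: 0; }",
    "js/app.js": b"console.log('app');",
}
# ... and a constructed snapshot of the live web root after an intrusion:
# index.php gained a hidden link, images/promo.php is not from the release,
# and css/site.css is gone.
LIVE = {
    "index.php": RELEASE["index.php"]
                 + b'<a href="http://example.invalid/" style="display:none">x</a>',
    "js/app.js": RELEASE["js/app.js"],
    "images/promo.php": b"<?php /* placeholder: file not present in the release */ ?>",
}

if __name__ == "__main__":
    # For a real check: compare_to_manifest(saved_manifest, read_tree("/var/www/html"))
    unknown, modified, missing = compare_to_manifest(build_manifest(RELEASE), LIVE)
    print("unknown:", unknown)
    print("modified:", modified)
    print("missing:", missing)
```

Store the manifest outside the web root (ideally off the server, generated from your release pipeline) so an intruder who can write to the web root cannot also rewrite the baseline. Anything in the unknown or modified lists is what the topic tells you to inspect and, if you do not recognize it, remove.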

4. Source IP address of the logon to your server

If Security Center alerts you to an unusual logon, check whether the source IP address is normal. Normal source IP addresses include the outbound IP addresses of the region where your internal engineers work, external IP addresses that are temporarily used to log on to your server from another region, and the IP addresses used to log on to the server through a VPN or VPS.

If the source IP address is abnormal, change the logon password. Ensure that the password contains at least 10 characters, including upper-case letters, lower-case letters, and special characters. Then check whether Security Center still alerts you to unusual logons.
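Both checks in this section (is the source address one of ours, and does the new password meet the stated rule) are easy to automate once the normal sources are written down as an allowlist. The following is an added example, not code from Security Center or this topic: EXPECTED_SOURCES and SAMPLE_ALERTS are constructed (documentation address ranges standing in for office egress, a VPN/VPS address, and a temporarily approved address), the (time, user, source_ip) alert shape is an assumption, and password_meets_policy() implements exactly the rule the topic states (length 10, upper, lower, special; it does not require digits because the topic does not).

```python
import ipaddress
import string

# Constructed allowlist of the sources the topic calls normal: an office egress
# range, a single VPN/VPS address, and a temporarily approved range. Replace with yours.
EXPECTED_SOURCES = ["203.0.113.0/24", "198.51.100.7", "192.0.2.0/24"]


def is_expected_source(ip, allowlist=EXPECTED_SOURCES):
    """True when ip falls inside one of the allowlisted addresses or networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowlist)


def unexpected_logons(alerts, allowlist=EXPECTED_SOURCES):
    """Filter (time, user, source_ip) alerts down to those from unexpected sources."""
    return [alert for alert in alerts if not is_expected_source(alert[2], allowlist)]


def password_meets_policy(password):
    """Topic's rule: at least 10 characters with upper, lower and special characters."""
    return (len(password) >= 10
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c in string.punctuation for c in password))


# Constructed sample alerts in the assumed shape (time, user, source_ip).
SAMPLE_ALERTS = [
    ("2024-01-01T08:02:11Z", "admin", "203.0.113.45"),    # office egress
    ("2024-01-01T08:15:37Z", "admin", "198.51.100.7"),    # VPN/VPS address
    ("2024-01-01T23:41:05Z", "root", "198.51.100.200"),   # not on the allowlist
]

if __name__ == "__main__":
    for when, user, src in unexpected_logons(SAMPLE_ALERTS):
        print(f"abnormal logon: {when} user={user} from {src}")
    for candidate in ("Correct-Horse-9", "password123"):
        print(candidate, "meets policy:", password_meets_policy(candidate))
```

Keep the allowlist as narrow as the topic's description allows (specific egress ranges and VPN addresses rather than whole providers), and treat every alert that unexpected_logons() returns as the trigger for the password change the topic prescribes.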

If the cause of the intrusion into your server is not mentioned in this topic, submit a ticket. Describe the event details and attach the relevant screenshots in the ticket.