All Products
Document Center

:Abnormal account in ECS instance

Last Updated:May 31, 2022

Problem description

When you log on to the ECS instance, an abnormal account is detected in the ECS instance.


An account may be created abnormally. An ECS instance may be vulnerable to intrusion.


Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • You can modify the configurations and data of instances including but not limited to Elastic Compute Service (ECS) and Relational Database Service (RDS) instances. Before the modification, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted sensitive information such as the logon account and password in the Alibaba Cloud Management Console, we recommend that you modify such information in a timely manner.

Verify that the account is not created by anyone else. In this case, verify that the account is created properly. If an application is not created abnormally, check the name of the account. Application-related accounts include mysql and tcpdump accounts. If the name of the administrator account is irrelevant to applications and similar to that of an administrator account (such as Administrators), the ECS instance may be at risk of intrusion. Perform the following operations to rectify the vulnerability:

Abnormal account deleted from the system

Follow these steps to check for abnormal accounts in ECS instances:

  • Linux instance
    1. Log on to the ECS instance. For more information, see connection method overview.
    2. Run the VI /etc/passwd command to check whether account exception exists. If an abnormal account exists, run the usermod-l#user] command to disable the abnormal account, or run the userdel-r%user] command to delete the abnormal account.
      Note:[$User] is the abnormal account name.
  • Windows instance
    Note: This section has been verified in windows2012.
    1. Delete accounts that contain $at the end of their account names. Generally, the account names created by hackers contain $at the end.
      1. Log on to the ECS instance. For more information, see connection method overview.
      2. Press the Win key in the lower left corner, select the control panel, and click the user account>Manage other accounts.
      3. Locate the account name that contains the dollar sign ($) at the end of the account name and delete it.
    2. Hackers may create hidden accounts in your ECS instance. Local accounts cannot view hidden accounts. You can modify the registry and modify the permissions of the Administrator account. We recommend that you back up data before modifying the registry, avoid operation errors.
      1. Log on to the ECS instance. For more information, see connection method overview.
      2. Find the program and enter regedt32.exe.
      3. Select hkey_local_machineuncsam. By default, the content is not visible.
      4. Click SAM, right-click and select permissions, select Administrators, allow the column check box, select full control for permissions, and then click OK.
      5. Select start>Run. Enter regedit.
      6. Select HKEY_LOCAL_MACHINE.>SAM>SAM>Domains>Account>Users>Names. The information of all accounts in the current ECS instance is displayed. You can delete a hidden account by deleting an account that does not exist in the local account.

Fix the vulnerability by using security center

  1. Log on to the security center console, and select threat detection.>Security alerts: you can check ECS instances for intrusions. For more information, see Security Alert Overview.
  2. If you are using the paid edition, you can upgrade security center to provide the cloud virus detection feature. Alternatively, you can install third-party security software on the servers and try to remove all viruses. And delete the new abnormal account, and then enhance the security.
    Note:If the abnormal account continues to fail to be deleted and the cost of environment rebuilding is low, you can back up data and initialize the system disk to completely restore the problem. Make sure that you have backed up the system disk before you perform the operation. For more information, see reinitialize a system disk.

Application scope

  • Elastic Compute Service