
What do I do if abnormal accounts exist in an ECS instance?

Last Updated: May 31, 2024

Problem description

When you log on to an Elastic Compute Service (ECS) instance, abnormal accounts exist in the instance.

Cause

The accounts may be abnormally created and the ECS instance may be compromised.

Solution

Note
  • Before you perform high-risk operations such as modifying the configurations or data of Alibaba Cloud instances, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.

  • Before you modify the configurations or data of an instance, such as an ECS instance or an ApsaraDB RDS instance, we recommend that you create snapshots or enable backup for the instance. For example, you can enable log backup for an ApsaraDB RDS instance.

  • If you have granted permissions on sensitive information or submitted sensitive information in the Alibaba Cloud Management Console, we recommend that you modify the sensitive information at the earliest opportunity. Sensitive information includes usernames and passwords.

First check whether the account was created by another legitimate user of the instance. If so, it is a normal account. Otherwise, check the account name. If the account was created for an application, such as MySQL or tcpdump, its name is related to the application and the account is considered normal. If the account name is not related to any application and resembles an administrator account name, such as Administrators, the ECS instance may be compromised. Perform the following steps to resolve the issue based on the actual situation:

Delete the abnormal accounts from the system

Perform the following steps to check whether abnormal accounts exist in the ECS instance:

  • Linux instance

    1. Log on to the ECS instance. For more information, see Connection method overview.

    2. Run the vi /etc/passwd command to view the account list and check whether abnormal accounts exist. If an abnormal account exists, run the usermod -L [$User] command to lock the account or run the userdel -r [$User] command to delete the account together with its home directory.

      Note

      [$User] specifies the name of the abnormal account.

  • Windows instance

    Note

    In this example, an ECS instance that runs Windows Server 2012 is used.

    1. Delete accounts whose names end with a dollar sign ($). In most cases, the names of the accounts created by hackers end with a dollar sign ($).

      1. Log on to the ECS instance. For more information, see Connection method overview.

      2. Press the left Windows key, and choose Control Panel > User Accounts > Manage another account.

      3. Find the accounts whose names end with a dollar sign ($) and delete the accounts.

    2. Hackers may create hidden accounts in your ECS instance. Hidden accounts do not appear in the list of local accounts. To view them, modify the registry to grant the Administrators group full control of the SAM key. To prevent operation errors, we recommend that you back up data before you modify the registry.

      1. Log on to the ECS instance. For more information, see Connection method overview.

      2. Open the Run dialog box, enter regedt32.exe, and then click OK.

      3. Expand HKEY_LOCAL_MACHINE > SAM. By default, the subkeys are not visible.

      4. Right-click SAM, click Permissions, select Administrators, select the Full Control check box in the Allow column, and then click OK.

      5. Click the Start icon, select Run, and then enter regedit.

      6. Expand HKEY_LOCAL_MACHINE > SAM > SAM > Domains > Account > Users > Names. All account names in the ECS instance are displayed. Accounts that appear here but not in the list of local user accounts are hidden accounts. Delete these accounts.
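The Linux step above asks you to read /etc/passwd by eye. The following script is an added example (not part of this article or of Alibaba Cloud's tooling) that applies the article's criteria to a passwd file and reports suspicious entries with a reason, without deleting anything. The list of known accounts and the three heuristics are assumptions to adjust per instance; the sample passwd content is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Audits a passwd-format file
# and reports accounts that the article's checklist would treat as abnormal.
# Heuristics (assumptions, not from the page):
#   UID0  - an account other than root with UID 0 (a second superuser)
#   SHELL - UID >= 1000 with an interactive shell, not in the known list
#   ADMIN - a name that resembles an administrator account

# Accounts known to have been created on purpose (assumed; edit per instance).
KNOWN_USERS="root ecs-user"

audit_passwd() {
  # $1: path to a passwd-format file. Prints one tab-separated line per finding.
  awk -F: -v known="$KNOWN_USERS" '
    BEGIN { split(known, k, " "); for (i in k) ok[k[i]] = 1 }
    /^#/ || NF < 7 { next }            # skip comments and malformed lines
    {
      name = $1; uid = $3 + 0; shell = $7
      if (uid == 0 && name != "root")
        print "UID0\t" name "\t" $0
      else if (uid >= 1000 && shell !~ /(nologin|false)$/ && !(name in ok))
        print "SHELL\t" name "\tuid=" uid " shell=" shell
      if (tolower(name) ~ /^(administrator|sysadmin)/ && !(name in ok))
        print "ADMIN\t" name "\tname resembles an administrator account"
    }' "$1"
}

# Constructed sample passwd content for demonstration (not real system data).
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:112:118:MySQL Server:/nonexistent:/bin/false
tcpdump:x:113:119::/nonexistent:/usr/sbin/nologin
ecs-user:x:1000:1000::/home/ecs-user:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
administrators:x:1001:1001::/home/administrators:/bin/bash
EOF
}

# Run against the constructed sample; on a real instance use: audit_passwd /etc/passwd
tmp=$(mktemp) && sample_passwd > "$tmp" && audit_passwd "$tmp"; rm -f "$tmp"
```

The mysql and tcpdump entries are not reported because they have no login shell, which matches the article's treatment of application accounts as normal.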

Use Security Center to resolve the issue

  1. Log on to the Security Center console. Choose Detection and Response > Alerts to check whether the ECS instance is compromised. For information about alerts, see Overview.

  2. You can upgrade to the paid Security Center Enterprise Edition to use the cloud threat detection and fixing features, or install third-party security software on the instance to perform a full scan and removal. Delete the abnormal accounts and perform necessary security hardening.

    Note

    If the abnormal accounts still cannot be deleted and the cost of rebuilding the environment is not high, you can back up data and initialize the system disk to resolve the issue. Before initialization, make sure that you have backed up data. For more information, see Re-initialize a system disk.

Applicable scope

  • ECS