All Products
Document Center

:Handle the problem that the port is locked due to ECS instance distributed denial of service attack

Last Updated:Dec 17, 2020

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.


When your ECS instance is in the locked state in the ECS console and you receive an official SMS or notification email to shut down the ECS instance, it indicates that your ECS instance has been locked for security. This is because Alibaba Cloud detects that your ECS instance is distributed denial of service attack to the outside world, which affects the network stability of the cloud platform. Therefore, the ECS instance is locked by the security system. This article describes how to fix the problem that an ECS instance is locked due to distributed denial of service attack.


Once the security of your ECS instance is locked, the virus has intruded. Please create a snapshot to back up disk data in a timely manner. For detailed steps, see create a snapshot, and then perform the following steps to fix the problem.

Check ECS instances for viruses or vulnerabilities

Seesolutions to Trojans infected with ECS instances, check whether there is a virus or vulnerability in your ECS instances, and then fix it.

Initialize an ECS instance

If the issue persists, perform the following steps to initialize the ECS instance.

  1. Log on to the ECS console.
  2. Create a snapshot for the faulty ECS instance, including the system disk and data disk. For more information, see creating snapshots.
  3. Reinitialize the system disk and data disks. For more information, see reinitialize a system disk and reinitialize a data disk.
  4. Redeploy the application, upload the antivirus data, and run the ECS instance again.

Access Security Center

If the problem is solved, you can connect to security center to avoid your ECS instance from being attacked again.

  • Security Center is a unified security management system that recognizes, analyzes, and warns of security threats in real-time. With security capabilities such as ransomware protection, anti-virus protection, web tamper protection, and compliance assessments, users can automate security operations, responses, and threat tracing to secure cloud and local servers and meet regulatory compliance requirements.
  • The Basic edition of Security Center is available by default. Basic edition only provides the detection of unusual logons, vulnerability detection, and security configuration items of cloud products. For more information about advanced threat detection, vulnerability fixing, and virus detection,


You can also read more about defending against attacks on an ECS instance by using the following documents:


The following commands are common Trojan clearing commands in Linux. Use them with caution based on the actual on-site environment.

  • chattr -i /usr/bin/.sshd
  • rm -f /usr/bin/.sshd
  • rm -f -r /usr/bin/bsd-port
  • rm -r -f /root/.ssh
  • rm -r -f /usr/bin/bsd-port
  • cp /usr/bin/dpkgd/ps /bin/ps
  • cp /usr/bin/dpkgd/netstat /bin/netstat
  • cp /usr/bin/dpkgd/lsof /usr/sbin/lsof
  • cp /usr/bin/dpkgd/ss /usr/sbin/ss
  • find /proc/ -name exe | xargs ls -l | grep -v task |grep deleted| awk '{print $11}' | awk -F/ '{print $NF}' | xargs killall -9

Application scope

  • Elastic Compute Service