
Solution to Trojans infecting ECS instances

Last Updated: Dec 15, 2020

Overview

When an ECS instance is infected with a Trojan, data may be lost and the security of the instance is at risk. This article describes how to remove viruses from ECS instances and how to improve ECS instance security.

Details

If your ECS instance is infected with a Trojan virus, promptly create a snapshot to back up disk data. For detailed steps, see creating snapshots.

Solution to ECS instance infected with viruses

Linux instance

  1. Change the password of an ECS instance. For more information, see reset instance logon password.
    Note: we recommend that the password be at least eight characters in length and contain the following character types: lowercase letters, uppercase letters, digits, and special characters.
  2. Modify the port for remote logon. For more information, see modify the default remote port.
  3. Enable the firewall to control which IP addresses can access the ECS instance. Open only specific service ports, and only to those IP addresses. For more information, see how to configure the default Firewall for ECS instances.
    Note: we recommend that you restrict access by source IP address for services that do not need to be available to all users, such as FTP and databases.
  4. Check whether any unauthorized port is open. If so, close the unauthorized port. For more information, see use the netstat command in the Linux ECS instance to view and check the system port information, and use the netstat command to process port usage.
  5. Check whether abnormal processes are running. Run the ps -ef or top command to view the processes. If an abnormal process is running, close it.
    Note: confirm with the server administrator whether the files used by the abnormal process can be deleted.
  6. Install an anti-malware program and perform full scanning and removal.
    Description
    • We recommend that you use Alibaba Cloud security center.
    • If Web services are installed on the ECS instance, restrict Web accounts from accessing the file system, and only grant these accounts read-only permissions.
    • To delete an unknown account in the system, see abnormal accounts in ECS instances.
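
The port check in step 4 can be scripted so that unexpected listeners stand out from the normal ones. This is an added example, not part of the original document; the allowlist (22, 80, 443), the function names, and the sample netstat output are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets whose port is not on an allowlist.
# ALLOWED_PORTS is an assumption; set it to the ports your instance should expose.
ALLOWED_PORTS="${ALLOWED_PORTS:-22 80 443}"

# Reads `netstat -tlnp` output on stdin and prints "port address pid/program"
# for every LISTEN socket whose port is not in the space-separated list $1.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            port = addr
            sub(/^.*:/, "", port)   # keep the text after the last colon (IPv4 and IPv6)
            if (!(port in ok)) print port, addr, $7
        }'
}

# Constructed sample of `netstat -tlnp` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1033/nginx
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4471/kworkerd
tcp6       0      0 :::3306                 :::*                    LISTEN      950/mysqld
EOF
}

# Demo on the constructed sample. On a live instance, run as root:
#   netstat -tlnp | unexpected_listeners "$ALLOWED_PORTS"
sample_netstat | unexpected_listeners "$ALLOWED_PORTS"
```

Each PID reported in the last column can then be looked up with ps -ef, as in step 5, before deciding whether to close the process or the port.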

Windows instance

  1. Change the password of an ECS instance. For more information, see reset instance logon password.
    Note: we recommend that the password be at least eight characters in length and contain the following character types: lowercase letters, uppercase letters, digits, and special characters.
  2. Modify the remote logon port. For more information, see how to view and modify the default port of remote desktop for Windows instances.
  3. Enable the firewall to restrict the IP addresses that can access a Windows instance. Open only specific service ports, and only to those IP addresses. For more information, see how to configure a firewall for remote connection to a Windows instance.
    Note: we recommend that you control the source IP addresses for services that do not need to be available to all users, such as FTP and databases.
  4. Check whether any unauthorized port is open. If so, close the unauthorized port.
    Select Start > Run. Enter cmd to open the command line tool and run the netstat -ano command to check the ports.
  5. Check whether abnormal processes are running. If so, close them.
    Select Start > Run, enter msinfo32, double-click Software Environment, select Running Tasks, and check the listed processes.
    Note: confirm with the server administrator whether the files used by the abnormal process can be deleted.

  6. Install an anti-malware program and perform full scanning and removal.
    Description

Improve ECS instance security

If no security protection is configured for an ECS instance, the instance may be adversely affected. After you fix the vulnerabilities that led to the virus infection on your ECS instances, you can harden the instances against viruses to strengthen their security. For more information, see improve ECS instance security.

Reference

You can also refer to the following documents to read more information about why an ECS instance has been attacked or how to defend against the attacks:

Application scope

  • Elastic Compute Service