
Security Center: Best practices for defense against trojan attacks

Last Updated: Feb 19, 2024

Trojan attacks may cause websites to experience data leaks and asset losses. You must take security measures to defend against attacks that target networks, operating systems, databases, and applications. This topic describes how to defend against trojan attacks and remove trojan files.

Introduction

A trojan attack, also known as a horse attack, uses a malicious program that disguises itself as legitimate software. Attackers use trojans to gain access to servers or websites by tricking users into downloading or executing malicious code. Attackers may inject malicious code by using an iframe, JavaScript, an HTML body, CSS, or another method that is hard to detect.

Attackers may exploit system vulnerabilities, SQL injection vulnerabilities, and file upload vulnerabilities to initiate trojan attacks.

Hazards of trojan attacks

If a trojan attack occurs, the attacker gains access to your website and can obtain sensitive user data, such as accounts, passwords, and business data. If a user visits the attacked website, the computer of the user may be infected with trojans. The trojans can steal data such as bank accounts, social network accounts, and passwords.

The trojans can also damage data on the disks of the computer. This can cause the user to lose a large amount of information assets. Trojan attacks may affect the reputation of your website, damage the computer systems of your users, and leak user data.

Defend against trojan attacks

To prevent your website from being attacked, fix the vulnerabilities on your website system and web servers at the earliest opportunity. Trojan attacks cause severe damage to websites. Attackers can exploit vulnerabilities on tampered web pages, browsers, and operating systems. Attackers can also download and run trojans and malicious programs to expand the scope of attacks.

Therefore, you must protect your website against trojan attacks at all levels. The following figure shows the architecture of a general website system.

[Figure: architecture of a general website system]

We recommend that you defend against trojan attacks at the following levels:

  • Network security level

  • Host system level

    • Use Bastionhost to manage the methods that are used to log on to ECS instances and grant O&M personnel only necessary permissions.

    • Configure a strong password for your Alibaba Cloud account. The password must be at least eight characters in length and contain uppercase letters, lowercase letters, digits, and special characters. We recommend that you change your password every few months to ensure security. We recommend that you use multi-factor authentication (MFA) or SSH key credentials to log on to ECS instances.

    • Obtain security vulnerability information and regularly detect and fix vulnerabilities on your website and web servers. Install patches to operating systems and application software at the earliest opportunity.

    • Activate Security Center to detect and handle security risks, configuration risks, operating system vulnerabilities, and middleware vulnerabilities on your servers.

    • Strictly control file access permissions. Restrict permissions to access sensitive directories and permissions to execute scripts that modify the directories. Grant only necessary permissions to access and modify the file system.

  • Database level

    • Do not use web-based management tools to manage databases and do not directly open your web management system to the Internet.

    • Configure access control policies to allow only application servers to access database services. Do not open database service ports to the Internet.

    • Configure strong passwords for the database services.

  • Application security level

    • Enhance the security of web application middleware.

    • Perform code security tests and white-box tests. Fix detected vulnerabilities before you bring the service code online. This helps prevent attackers from exploiting the vulnerabilities and gaining access to your service system.

    • Use the vulnerability management feature of Security Center to regularly scan for vulnerabilities in your website and web system. Fix the vulnerabilities before you bring the service system online.

    • Check for program vulnerabilities and fix the vulnerabilities at the earliest opportunity. You can use Web Application Firewall (WAF) to protect your web applications against external attacks.
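The host-level recommendation to strictly control file access permissions can be checked with a short audit of the web root. The following is an added example, not part of the original page or of Security Center: it walks a directory tree and reports world-writable entries and executable files that sit in directories writable by group or others. The directory layout and file names are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for risky modes under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # A directory writable by group or others lets other accounts drop files in it.
        parent_writable = os.stat(dirpath).st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # link permissions are not meaningful; skip
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                kind = "directory" if stat.S_ISDIR(mode) else "file"
                findings.append((rel, f"world-writable {kind}"))
            if stat.S_ISREG(mode) and mode & 0o111 and parent_writable:
                findings.append((rel, "executable file in a shared-writable directory"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed layout: a read-only page and an over-permissive uploads directory."""
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    page = os.path.join(root, "index.html")
    script = os.path.join(uploads, "resize.sh")
    for path in (page, script):
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    os.chmod(page, 0o644)
    os.chmod(script, 0o755)
    os.chmod(uploads, 0o777)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, finding in audit_tree(tmp):
            print(f"{finding}: {rel}")
```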

Detect and remove a trojan file

Use Security Center to automatically detect and remove the trojan file. The number of code files of an operating system or application software is large. Therefore, manually identifying trojan files is difficult.

You can use the following methods to remove the trojan file.

References

  • You can use Security Center to detect security risks, configuration risks, operating system vulnerabilities, and middleware vulnerabilities on your servers. You can also use Security Center to fix vulnerabilities. For more information, see Purchase Security Center.

  • We recommend that you regularly scan for vulnerabilities and fix vulnerabilities at the earliest opportunity. For more information, see Vulnerability management overview.