This topic provides answers to some frequently asked questions about the threat detection feature of Security Center.

How do I check whether mining programs exist in my assets?

If the CPU utilization of your server increases significantly, for example, to 80% or higher, and an unknown process continuously transmits packets, a mining program may be running on your server. Confirm the finding by checking the process that consumes the CPU and the remote addresses to which it connects before you treat the server as compromised.

If Security Center detects mining programs on your assets, Security Center sends you alert notifications by text message or email. You can log on to the Security Center console and choose Detection > Alerts to handle the alerts on mining programs. If mining programs are related to other alerts, such as alerts on communication with mining pools and access to malicious domain names, we recommend that you handle the related alerts. For more information about how to view and handle related alerts, see View exceptions related to an alert.


What do I do if antivirus is not enabled and my server is under a mining attack?

On the Alerts page of the Security Center console, find the alert and click Process in the Actions column. In the dialog box that appears, set Process Method to Anti-Virus, select Isolate the source file of the process and End the running of the process, and then click Process Now. Then, go to the Settings page and turn on the switch for Anti-Virus so that subsequent malicious processes are handled automatically instead of only generating alerts.

What do I do if I accidentally add a mining alert to a whitelist?

On the Alerts page of the Security Center console, set the status filter condition to Handled. Security Center displays all the alerts that are handled. Find the mining alert that you added to the whitelist and click Cancel whitelist in the Actions column. The alert is displayed in the alert list.

How do I view the protection features that are enabled?

Security Center provides an overview of the protection features that are enabled or disabled.

On the Alerts page of the Security Center console, you can view the protection features that are enabled or disabled.
By default, enabled protection features are not displayed. Click the Hide/Show icon on the Alerts page to view the enabled protection features.
By default, all protection features that are supported by the current Security Center edition are enabled, except the web tamper proofing feature.
Note
  • If you want to enable web tamper proofing, you must upgrade Security Center to the Anti-virus, Advanced, Enterprise, or Ultimate edition and purchase web tamper proofing. For more information about how to enable web tamper proofing, see Enable web tamper proofing. For more information about how to use web tamper proofing, see Enable the web tamper proofing feature.
  • The cloud threat detection feature is supported only by the Enterprise and Ultimate editions and is automatically enabled in those editions. If you use the Basic, Anti-virus, or Advanced edition, you must upgrade Security Center to the Enterprise or Ultimate edition before the feature can be enabled.

How do I check whether automatic virus blocking takes effect?

Log on to the Security Center console, go to the Settings page, and turn on the switch for Anti-Virus. Then, on the Alerts page, set the filter conditions to Precise defense and Handled. If the search result shows that the defense status is Interception successful, automatic virus blocking takes effect.

How does Security Center detect intrusions?

Security Center scans your assets, and Alibaba Cloud security engineers analyze and verify user traffic data to detect intrusions.

What are the common intrusions?

Common intrusions include webshells, brute-force attacks, and mining attacks. Security Center generates alerts for these intrusions. For more information, see Alert types.

Why is an alert generated when I call the phpinfo function? Is the alert a false positive?

No, the alert is not a false positive.

The output of the phpinfo function discloses a large amount of sensitive information, such as the absolute path of the website, the PHP version, the loaded extensions, and environment variables. If a phpinfo file is reachable from the Internet, attackers can use this information to attack your asset, and attackers commonly upload a phpinfo file first to gather information for further penetration. If the file is required for your business, log on to the Security Center console, go to the Alerts page, and select Add to Whitelist when you handle the alert on the phpinfo function. Otherwise, remove the file from the web root.

Can Security Center automatically quarantine webshell files?

No, Security Center cannot automatically quarantine webshell files. Webshell files may contain your business information. You must identify and manually quarantine webshell files. You can find quarantined files in the Quarantine panel. You can also restore quarantined files within 30 days after you quarantine the files. For more information, see Use the quarantine feature.

How does Security Center detect webshells?

Security Center inspects website script files, such as PHP, ASP, and JSP files, on both the server side and the network side. The following list describes the detection methods:
  • Server-based detection: monitors changes to website directories on servers in real time.
  • Network-based detection: restores webshell files from network traffic and identifies the network protocols that are used.

Why do alerts involve files that are commonly used on my server? Are these alerts false positives?

No, the alerts are not false positives. Security Center generates an alert if the creation time of a file that is commonly used on your server is changed or if the file contains obvious webshell statements. Inspect the flagged file and handle the alert based on the actual situation.

What alerts can I add to the whitelist?

You can add the alerts that are generated for malicious processes to the whitelist. If you add an alert that is generated for a malicious process to the whitelist, only the source file of the malicious process is added to the whitelist. The following list describes, for each type of alert that you can add to the whitelist, what Security Center adds to the whitelist:
  • Malicious process (cloud threat detection): the MD5 hash value of the source file.
  • Unusual logon: the IP addresses that are used for the unusual logons.
  • Access to malicious IP addresses or communication with mining pools: the related IP addresses.
  • Access to malicious domain names: the related domain names.
  • Access or connection to malicious download sources: the source URLs.
  • Webshells: the web directories, based on the configurations of the directories.
  • Malicious script: the MD5 hash value and the path of the script.
  • Cloud threat detection: the whitelist rules that you configure in the Security Center console.
  • Suspicious process: the command lines.
  • Persistent webshells: the MD5 hash and the characteristic values.
  • Tampering of sensitive files: the file path.
  • Intrusion into applications: the command lines.
  • Threat to web applications: the related domain names or URLs.
  • Suspicious network connection: the command lines, destination IP addresses, and destination ports. If some fields are missing, only the existing fields are added to the whitelist.

How do I handle common alerts?

You can handle the following common alerts in the Security Center console:
  • Alert on suspicious processes
    View the alert and check whether the activity of the process is normal in your workload. If it is, click Process in the Actions column. In the dialog box that appears, select Add To Whitelist and click Process Now. If the process is abnormal in your workload, check and handle the related security events based on the other alerts. After the security events are handled, click Process in the Actions column. In the dialog box that appears, select Ignore and click Process Now.
  • Alert on webshells
    Check whether the file is a normal workload file. If it is, click Process in the Actions column. In the dialog box that appears, select Add To Whitelist and click Process Now. If the file is not a normal workload file, click Process in the Actions column. In the dialog box that appears, select Isolation and click Process Now.
  • Alert on malicious processes
    We recommend that you use the antivirus feature to terminate the malicious processes and isolate their source files. You can also log on to the server and handle the malicious processes manually. A malicious process may delete itself or disguise itself as a system process to evade detection. If no source file exists, check whether suspicious processes, scheduled tasks, or startup programs exist, because these are the usual ways in which the process is restarted.
  • Alert on a suspicious network connection
    If the network connection is established by trusted workloads, click Process in the Actions column. In the dialog box that appears, select Add To Whitelist and click Process Now. If the network connection is not established by trusted workloads, use Cloud Firewall or Web Application Firewall (WAF) to block the requests based on the details in the alert. After the alert is handled, select Ignore in the dialog box to move the alert to the handled alert list.

Why are some alerts in the Expired state?

Security Center changes the status of the alerts that are generated 30 days ago to Expired. If the alerts are generated again in the subsequent detections, Security Center updates the alert generation time and changes the alert status to Unhandled.

How do I avoid the situation in which I properly log on to a server but Security Center prompts that the logon is unusual?

You can log on to the Security Center console and go to the Alerts page. On the Alerts page, click Settings. In the panel that appears, specify approved logon IP addresses, an approved logon time range, and approved logon accounts. After you configure the settings, Security Center generates unusual logon alerts only for logons that do not match the approved IP addresses, time range, or accounts. You can manually add approved logon locations or configure Security Center to update the approved logon locations automatically. You can also specify the assets for which alerts are generated when logons from unapproved locations are detected.

I enter incorrect passwords multiple times and an alert is triggered before I log on to an ECS instance. What do I do?

The password that is used to log on to an Elastic Compute Service (ECS) instance is usually complex, so you may mistype it several times before you log on. In this case, Security Center identifies your logon attempts as a brute-force attack and generates an alert. If you confirm that the attempts were your own and the alert is a false positive, you can ignore the alert.

Security Center prompts that an unusual logon occurs after I specify approved logon IP addresses, approved logon time range, and approved logon accounts and properly log on to a server. What do I do?

In this case, you must first check whether the alert is triggered by a logon from an unapproved IP address, location, or account. Logon IP addresses, locations, accounts, and time are the factors that may trigger an alert. These factors do not have priorities. If a factor is abnormal, an alert is triggered.

An alert that indicates an unusual logon is triggered. Is the logon successful or blocked?

If an alert is triggered by an unusual logon, the logon is still successful. However, the logon behavior is considered suspicious by Security Center. Therefore, Security Center generates an alert for the unusual logon.

A logon triggers an alert that indicates an unusual logon and is identified as a logon from an attacker. What do I do?

You can log on to the Security Center console and go to the Alerts page. In the alert list, find the alert and click Process in the Actions column. In the dialog box that appears, set Process Method to Block, set Rule validity period to 12 hours, and then click Process Now. This blocks further access from the source IP address for the validity period. We recommend that you change the account password at the earliest opportunity and check whether unknown accounts or unknown public keys (for example, entries in ~/.ssh/authorized_keys) exist on the server, because an attacker who has planted a key can still log on over SSH without a password after the password is changed.
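The account and key checks recommended above, as an added example that is not part of Security Center or of this page: it lists UID 0 accounts, accounts with an interactive shell, and every entry in the authorized_keys files under the given home directories. The passwd file and key files are constructed in a temporary directory for the demo (the "toor" account and the key restricted to a foreign address are the planted artifacts); on a live server pass /etc/passwd and /home or /root instead.

```shell
#!/bin/sh
# Added example: audit a Linux server for unknown accounts and unknown SSH public
# keys after an unusual-logon alert. Not Security Center tooling. Functions take
# paths so they also work against a copied passwd file or a mounted disk image.

count() { awk 'END { print NR }'; }   # portable line count without wc padding

# Accounts with UID 0: anything other than root is a backdoor until proven otherwise.
list_uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Accounts that can log on interactively (shell is not nologin/false), as name:uid:shell.
list_login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $3 ":" $7 }' "$1"
}

# Every key in */.ssh/authorized_keys under the given home roots, printed as
# "file|key-type|comment" so that keys with no recognisable comment stand out.
list_authorized_keys() {
    for root in "$@"; do
        for f in "$root"/*/.ssh/authorized_keys "$root"/.ssh/authorized_keys; do
            [ -f "$f" ] || continue
            awk -v file="$f" '
                /^[[:space:]]*#/ || NF == 0 { next }
                {
                    # the key may be preceded by options such as from="..."; locate the type field
                    for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
                    comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    print file "|" $i "|" comment
                }' "$f"
        done
    done
}

# --- constructed sample data (not from a real server) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:74:74:sshd:/var/empty/sshd:/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
toor:x:0:0:support:/root:/bin/bash
EOF
mkdir -p "$WORK/home/admin/.ssh" "$WORK/home/toor/.ssh"
cat > "$WORK/home/admin/.ssh/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnlyNotReal admin@laptop
EOF
cat > "$WORK/home/toor/.ssh/authorized_keys" <<'EOF'
# planted by the attacker: no comment, usable only from a foreign address
from="203.0.113.7" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyDataNotReal
EOF

echo "== UID 0 accounts ==";        list_uid0_accounts "$PASSWD"
echo "== interactive accounts =="; list_login_accounts "$PASSWD"
echo "== authorized keys ==";      list_authorized_keys "$WORK/home"
```

Compare the key comments with the keys your team actually distributes; a key without a comment, or with a from= restriction you did not set, should be removed before the password is rotated.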

I receive an alert that indicates a suspicious command sequence is executed after ECS logons over SSH. Is the command sequence executed?

The command sequence is executed. We recommend that you update the server logon password at the earliest opportunity and check whether other abnormal activities exist on the ECS instance. The abnormal activities include startups of unknown processes.

What logs can I view on the server after an alert is triggered by an unusual logon?

You can view the logs in the /var/log/secure file on the server (on Debian and Ubuntu systems, the equivalent file is /var/log/auth.log). For example, run the grep 10.80.22.22 /var/log/secure command to view the entries for a specific source IP address, replacing 10.80.22.22 with the address that is shown in the alert.
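The same log check carried a step further, as an added example that is not part of the page: besides pulling the entries for one address, it summarizes, per source IP address, how many password failures preceded a successful logon, which is the pattern of a cracked password. The sshd log lines are constructed for the demo in /var/log/secure format; on a real server pass the log file path instead of "$LOG".

```shell
#!/bin/sh
# Added example: triage sshd entries from /var/log/secure (or /var/log/auth.log)
# after an unusual-logon alert. Not Security Center code; the log is constructed.

count() { awk 'END { print NR }'; }

# All sshd lines that mention a given source IP address. Fixed-string matching so
# the dots are not regex wildcards, and a trailing space so 10.80.22.2 does not
# match 10.80.22.22.
logons_from_ip() {
    grep -F "sshd" "$1" | grep -F "from $2 "
}

# Per source IP: count of failed password attempts and of accepted logons.
# Prints "ip failures successes" only for addresses that failed and then got in.
suspicious_sources() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            ip = ""; for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            ok[ip]++
        }
        END {
            for (ip in fails)
                if (ip in ok) print ip, fails[ip], ok[ip]
        }' "$1"
}

# --- constructed sample log (not from a real server) ---
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Mar  3 10:15:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:03 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:05 web1 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:15:09 web1 sshd[2218]: Accepted password for root from 203.0.113.7 port 51044 ssh2
Mar  3 10:15:09 web1 sshd[2218]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  3 10:20:11 web1 sshd[2301]: Accepted publickey for admin from 10.80.22.22 port 40012 ssh2: ED25519 SHA256:ExampleFingerprintNotReal
Mar  3 10:25:40 web1 sshd[2350]: Failed password for invalid user test from 198.51.100.9 port 60000 ssh2
EOF

echo "== entries for 10.80.22.22 ==";        logons_from_ip "$LOG" 10.80.22.22
echo "== failed-then-accepted sources =="; suspicious_sources "$LOG"
```

In the sample, 203.0.113.7 fails three times and is then accepted with a password, which is the case to treat as a compromise; 10.80.22.22 is a single key-based logon and 198.51.100.9 only failed.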

How do I view the number of brute-force attacks to my server or the attack blocking details on my server?

You can log on to the Security Center console and choose Detection > Attack Awareness. On the page that appears, you can view the information about successful blocking of SSH brute-force attacks.

How do I protect servers from brute-force attacks?

You can specify approved logon IP addresses, or disable password logons and use SSH key pairs or certificates instead, so that a guessed password is useless. Where possible, also restrict the SSH and RDP ports to trusted source addresses in your security group rules. For information about how to specify approved logon IP addresses, see Configure alert settings.
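The sshd side of the advice above, as an added example that is not part of the page: a weak sshd_config beside its hardened counterpart, and a small audit function that reports the settings that leave password brute force possible. Both config files are constructed for the demo; on a live server run sshd_config_findings /etc/ssh/sshd_config, edit, and validate with sshd -t before restarting the service. The set of checked options and the thresholds are this example's choices, not Security Center rules.

```shell
#!/bin/sh
# Added example: audit sshd_config for brute-force exposure. Not Security Center code.

count() { awk 'END { print NR }'; }

# Prints one finding per weak setting in the global section of an sshd_config.
# Only the global section is checked: a Match block may legitimately re-enable
# passwords for a trusted address range, as the hardened sample below does.
sshd_config_findings() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }            # END still runs after exit
        { opt[tolower($1)] = tolower($2) }
        END {
            if (!("passwordauthentication" in opt) || opt["passwordauthentication"] == "yes")
                print "PasswordAuthentication is yes (the default): passwords can be brute-forced"
            if (opt["permitrootlogin"] == "yes")
                print "PermitRootLogin yes: root can log on with a password"
            if (opt["permitemptypasswords"] == "yes")
                print "PermitEmptyPasswords yes: empty passwords are accepted"
            if (!("allowusers" in opt) && !("allowgroups" in opt))
                print "no AllowUsers/AllowGroups: every local account is a valid target"
            if (!("maxauthtries" in opt) || opt["maxauthtries"] + 0 > 4)
                print "MaxAuthTries missing or above 4: many guesses per connection"
        }' "$1"
}

# --- constructed sample configs ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK="$WORK/sshd_config.weak"
HARDENED="$WORK/sshd_config.hardened"

cat > "$WEAK" <<'EOF'
# typical default-ish config that brute-force tools rely on
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM yes
EOF

cat > "$HARDENED" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
MaxAuthTries 3
AllowUsers admin
# passwords only from the management network (assumed address range)
Match Address 10.80.22.0/24
    PasswordAuthentication yes
EOF

echo "== weak ==";     sshd_config_findings "$WEAK"
echo "== hardened =="; sshd_config_findings "$HARDENED"
```

Keep the Match block narrow: the audit deliberately stops at the first Match line, so anything you allow there is trusted by construction.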

What do I do if a misoperation causes the brute-force attack protection to take effect?

If the number of logon attempts exceeds the upper limit specified in a defense rule against brute-force attacks, the rule takes effect, and you cannot log on to your server. In this case, you can perform the following operations:

Log on to the Security Center console. Go to the Alerts page and click the number below IP blocking / All. In the IP Policy Library panel, find the blocking rule and set Policy Status of the rule to Disabled.

Can Security Center protect web applications and websites from brute-force attacks?

No, Security Center cannot protect web applications or websites from brute-force attacks.

Security Center protects only logons to servers over Remote Desktop Protocol (RDP) or SSH. Logon forms of web applications are outside its scope.

What do I do if my server passwords are cracked?

If your server passwords are cracked, attackers may have intruded into your servers and installed malicious programs. You can log on to the Security Center console and choose Detection > Alerts. On the Alerts page, check whether alerts that are generated for brute-force attacks are displayed.
If alerts that indicate ECS instance logons by using brute-force attacks are generated on your assets, your server passwords are cracked. We recommend that you perform the following steps to reinforce the security of your server:
  • Handle the related alerts

    Log on to the Security Center console and choose Detection > Alerts. On the Alerts page, find the alert and click Process in the Actions column. In the dialog box that appears, set Process Method to Block and click Process Now. Security Center generates defense rules for the security group to block access requests from malicious IP addresses.

  • Reset server passwords

    Reset the server passwords that are cracked at the earliest opportunity. We recommend that you use complex passwords.

  • Run baseline checks to detect risks
    Use the baseline check feature of Security Center to detect risks on your servers, and handle the detected risks based on the suggestions that are provided by Security Center.
    Note Only the Advanced, Enterprise, and Ultimate editions of Security Center support the baseline check feature.

I still receive alert notifications about brute-force attacks after I change the default port of the SSH service. Why?

After you change the default port of the SSH service on a Linux server from port 22 to another port, you may still receive alert notifications about brute-force attacks from Security Center.

Security Center identifies brute-force attacks based on the frequency of failed SSH logon attempts, not on the port number. Changing the port only removes noise from untargeted scanners; attackers who scan your server find the new port, so Security Center still sends you alert notifications about brute-force attacks on the SSH service.

If your server passwords are cracked, we recommend that you reinforce the security of your servers at the earliest opportunity. For more information, see What do I do if my server passwords are cracked?.

Records on RDP brute-force attacks are generated even after RDP requests on port 3389 are blocked by security group rules or firewall rules. Why?

Windows records logons over Inter-Process Communication (IPC), RDP, and Samba (SMB) in the same security log, and a logon event does not always reveal which service was used: a failed logon is recorded as Event ID 4625, and with Network Level Authentication enabled, failed RDP attempts are logged with Logon Type 3 (network), the same type that SMB and IPC logons use. If you still see records on RDP brute-force attacks after requests to the RDP service port are blocked, check whether IPC or Samba is reachable instead.

Check whether port 135, port 139, or port 445 is open on your ECS instance and whether public IP addresses can reach these ports. Then check whether the Windows security log contains logon records (Event ID 4624 for successful logons and 4625 for failed logons) within the attack period, and compare the source IP addresses in those events with the alert.

Does Security Center detect only weak passwords of RDP and SSH services?

Security Center detects weak passwords of RDP and SSH services. Security Center also detects weak passwords that are used by administrators to log on to content management systems (CMSs).

How do I handle an SSH or RDP remote logon failure?

If you cannot remotely log on to a cloud server over SSH or RDP from your current IP address, the address may have been blocked by brute-force protection. You can log on to the Alibaba Cloud Security Control console and add the IP address to the whitelist so that logons from the address are no longer blocked.

To add an IP address to the whitelist, perform the following steps:
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings. On the General tab, find the Security Control section and click Configuration to go to the Security Control console.
    Note You can also move the pointer over the profile picture in the upper-right corner of the Alibaba Cloud Management Console and click Security Console to go to the Security Control console.
  3. In the left-side navigation pane of the Security Control console, choose Whitelist > Access Whitelist. On the page that appears, click Add.
  4. Enter an IP address in the Source IP field and specify the servers that allow logons from the IP address. Select one or more servers in the left-side section and click the right arrow to move them to the Selected section on the right.
  5. After the configuration is complete, click OK.

What do I do if sensitive information is leaked?

When enterprises or individuals use GitHub, Gitee, or other platforms to manage source code, the source code contains or may contain the following sensitive information: AccessKey pairs of Alibaba Cloud accounts, accounts and passwords of ApsaraDB RDS databases, email accounts and passwords, and accounts and passwords of self-managed databases that are hosted on ECS instances. If the preceding account information is leaked, attackers may use the information to access Alibaba Cloud resources and data of enterprises or individual users.

After an enterprise creates a database on an ECS instance, developers may write sensitive information to the configuration file that is used to connect to the database. Sensitive information includes database connection passwords and email passwords. After attackers obtain the leaked passwords from GitHub and pass authentication, the attackers can obtain the data of the enterprise. This causes major security risks for the enterprise.

Solutions
  • We recommend that you use private repositories or build an internal code management system to prevent leaks of source code and sensitive information, and keep credentials out of source code altogether by reading them from environment variables or from a configuration file that is never committed.
  • If sensitive information such as an Alibaba Cloud AccessKey pair is leaked, log on to the RAM console, disable and reset the leaked AccessKey pair, or delete it. Then, delete the hosted code from GitHub at the earliest opportunity. Deleting the code does not revoke the credential: anyone who already cloned the repository still has it, so the AccessKey pair must be rotated regardless.
  • Regularly log on to the Log Service console to view the server access logs and check whether a data leak occurred. For example, search the web access logs on the URI field to identify requests for paths that contain files related to AccessKey pairs.
  • Develop internal standards on security O&M and red lines for development operations. Provide training sessions for IT administrators to improve information security.
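A pre-push check for the kinds of secrets listed above, as an added example that is not part of the page or of Security Center: it scans a source tree for hard-coded AccessKey IDs, quoted password or secret literals, and user:password@ pairs embedded in connection URLs. The "LTAI" prefix used for Alibaba Cloud AccessKey IDs, the other patterns, and the sample files are assumptions made for this demo; extend the patterns to match your own credential formats. On a real checkout run scan_for_secrets ./repo, for example from a pre-commit hook.

```shell
#!/bin/sh
# Added example: scan a source tree for embedded credentials before it is pushed.
# Not Security Center code. Patterns are heuristics (assumed formats), not a
# complete secret detector; treat every hit as something to move out of the code.

count() { awk 'END { print NR }'; }

# Prints "file:line:content" for every line that looks like an embedded credential:
#  1. an Alibaba Cloud AccessKey ID (assumed LTAI prefix followed by 12+ alphanumerics)
#  2. a quoted literal of 6+ characters assigned to password/passwd/secret
#  3. user:password@ embedded in a connection URL
scan_for_secrets() {
    grep -rnEi \
        -e 'LTAI[0-9A-Za-z]{12,}' \
        -e "(password|passwd|secret)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{6,}[\"']" \
        -e '://[^/[:space:]]+:[^@/[:space:]]+@' \
        "$1" | sort
}

# --- constructed sample repository (no real credentials) ---
REPO=$(mktemp -d)
trap 'rm -rf "$REPO"' EXIT
mkdir -p "$REPO/app"
cat > "$REPO/app/config.py" <<'EOF'
# constructed sample: credentials hard-coded in source
ALIYUN_ACCESS_KEY_ID = "LTAI4GExampleKeyId01"
ALIYUN_ACCESS_KEY_SECRET = "x9ExampleSecretNotReal"
REGION = "cn-hangzhou"
EOF
cat > "$REPO/app/db.yml" <<'EOF'
host: rm-example.mysql.rds.aliyuncs.com
user: app
password: "Rds#Passw0rd"
EOF
cat > "$REPO/app/settings.env" <<'EOF'
DATABASE_URL=mysql://app:Rds#Passw0rd@rm-example.mysql.rds.aliyuncs.com:3306/app
MAIL_PASSWORD=${MAIL_PASSWORD}
EOF
cat > "$REPO/README.md" <<'EOF'
Set the database password through the MAIL_PASSWORD and DATABASE_URL environment variables.
EOF

scan_for_secrets "$REPO"
```

The MAIL_PASSWORD=${MAIL_PASSWORD} line and the README sentence are the negative cases: a reference to an environment variable is exactly what the source code should contain instead of the value.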

What is the source of the statistics that are displayed on the Attack Awareness page?

The statistics displayed on the Attack Awareness page are attack data that is collected after Security Center automatically identifies and blocks basic attacks. The statistics involve the assets that are protected by Security Center. You can view the assets on the Assets page.