This topic describes trojan attacks, how to find and delete trojan files, and how to defend against trojan attacks.
Introduction
In a trojan attack, an attacker obtains the control of your website and injects malicious code into web pages. The attacker may inject malicious code to the web pages by using an iframe, JavaScript, an HTML body, CSS, or a method hard to detect.
When a user visits an attacked web page, the injected malicious code exploits vulnerabilities of the browser, third-party ActiveX controls, and plug-ins, such as Flash and PDF plug-ins, to secretly download and run trojans.
Hazards of trojan attacks
If a trojan attack occurs, the attacker intrudes into your website and can obtain sensitive user data, such as accounts, passwords, and business data. If a user visits the attacked website, the computer of the user may be implanted with trojans. The trojans can steal data such as bank accounts, social network accounts, and passwords. The trojans can also damage data on disks of the computer. This can cause huge losses of information assets for the user. Therefore, trojan attacks may affect the reputation of your website, damage the computer systems of your users, and cause data leaks of the users.
Find and clear a trojan file
If a trojan attack occurs on your website, the attacker intrudes into the website by exploiting vulnerabilities and implants malicious code into the file system or code of your web server. You can find and clear the trojan file by using the following methods:
If the malicious code is already detected by Security Center, find the trojan file based on the URL directory and delete the file.
Use Security Center to automatically detect and remove the trojan file. The number of code files for an operating system or application software is large, so it is difficult to manually identify trojan files.
Defend against trojan attacks
Fix the vulnerabilities on your website system and on your web servers in a timely manner to prevent your website from being attacked. Trojan attacks bring severe damage to websites. Attackers can exploit vulnerabilities on tampered web pages, browsers, and operating systems as well as download and run trojans and malicious programs to expand the scope of attacks. You must protect your website against trojan attacks at all levels. We recommend that you defend against trojan attacks at the following levels:
Network security level
Use services or features such as ECS security groups, SLB whitelists, and Cloud Firewall to reduce the number of service ports that are exposed to the Internet. The exposed ports are vulnerable to attacks.
Host system level
Use Bastionhost to manage methods to log on to ECS instances and grant O&M personnel only necessary permissions.
Configure a strong password for your Alibaba Cloud account. The password must be at least eight characters in length and contain uppercase letters, lowercase letters, digits, and special characters. Change your password every few months to ensure security. We recommend that you use multi-factor authentication (MFA) or SSH key credentials to log on to ECS instances.
Obtain security vulnerability information, for example, from the security vulnerability notice on the Alibaba Cloud official website. Regularly detect and fix vulnerabilities on your website and web servers. Install patches to operating systems and application software in a timely manner.
Activate Security Center to detect and handle security risks, configuration items that are not secure, operating system vulnerabilities, and middleware vulnerabilities on your servers.
Strictly control file access permissions. Restrict permissions to access sensitive directories and permissions to execute scripts that modify these directories. Grant only necessary permissions to access and modify the file system.
Database level
Do not use web-based management tools to manage databases and do not open your web management system directly to the Internet.
Configure access control policies to allow only application servers to access database services. Do not open database service ports to the Internet.
Configure strong passwords for the database services.
Application security level
Enhance the security of web application middleware.
Perform code security tests and white-box tests. Fix detected vulnerabilities before you bring the service code online. This prevents attackers from exploiting the vulnerabilities to intrude into your service system.
Use Cloud Security Scanner to regularly scan for vulnerabilities of your website and web system. Fix these vulnerabilities before you bring the service system online.
Check for program vulnerabilities and fix them in a timely manner. You can use Incident Response Service to identify vulnerabilities and causes of intrusions. You can use Web Application Firewall (WAF) to protect your web applications against external attacks.