This topic describes how to handle intrusions into Elastic Compute Service (ECS) instances for which Web Application Firewall (WAF) protection is enabled. The following table describes possible causes and solutions for the intrusions.
| No. | Possible cause | Solution |
| --- | --- | --- |
| 1 | The ECS instance suffers an intrusion before WAF protection is enabled. | Clean up the ECS instance. |
| 2 | After WAF protection is enabled, the related Domain Name System (DNS) records are not updated, and access traffic is still routed directly to the ECS instance, which is therefore not actually protected. | Update the DNS records to make sure that access traffic passes through WAF. For more information, see Modify a DNS record. |
| 3 | Before WAF protection is enabled, the IP address of the ECS instance is exposed and no security groups are configured for the instance. As a result, the instance is attacked directly. | Configure a security group to prevent attackers from bypassing WAF. For more information, see Configure protection for an origin server. |
| 4 | The ECS instance hosts multiple websites, but only some of them are protected by WAF. As a result, a side-injection attack is possible: the instance is compromised through an unprotected website hosted on the same server. | Make sure that all HTTP services on the ECS instance are protected by WAF. |
| 5 | The ECS instance suffers an intrusion after a non-web attack, such as a brute-force attack on SSH passwords. | Make sure that the ECS instance and the related databases use strong passwords. |
Before you remove trojans and viruses from the ECS instance, we recommend that you create a snapshot to back up data. This helps prevent data loss caused by misoperations. For more information, see Create a snapshot.
Detect and remove trojans and viruses
Use netstat to check network connections and look for suspicious outbound traffic. If you find any, stop the server.
Use antivirus software to detect and remove viruses.
The following Linux commands are commonly used to remove trojans:
# Clear the immutable attribute that the trojan sets on its binaries, then delete them.
chattr -i /usr/bin/.sshd
rm -f /usr/bin/.sshd
chattr -i /usr/bin/.swhd
rm -f /usr/bin/.swhd
rm -f -r /usr/bin/bsd-port
# Restore ps, netstat, lsof, and ss from the copies in /usr/bin/dpkgd, replacing the versions the trojan tampered with.
cp /usr/bin/dpkgd/ps /bin/ps
cp /usr/bin/dpkgd/netstat /bin/netstat
cp /usr/bin/dpkgd/lsof /usr/sbin/lsof
cp /usr/bin/dpkgd/ss /usr/sbin/ss
# Remove the SSH keys planted for root. Note that this also removes legitimate keys in /root/.ssh.
rm -r -f /root/.ssh
rm -r -f /usr/bin/bsd-port
# Kill every process whose executable has been deleted from disk, which is typical of a trojan that removes its own binary after starting.
find /proc/ -name exe | xargs ls -l | grep -v task | grep deleted | awk '{print $11}' | awk -F/ '{print $NF}' | xargs killall -9
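A report-only counterpart to the last pipeline, added here as an example and not part of the original page: it prints the PID and binary name of every process whose executable has been deleted from disk, so the list can be reviewed before anything is killed. The sample listing is constructed; the live scan reads the real /proc.

```shell
#!/bin/sh
# Added example (not from the original page). Report-only check for processes
# whose on-disk executable has been removed, the same condition the
# "find /proc ... | xargs killall -9" pipeline acts on.

# Read "ls -l /proc/*/exe" style lines from stdin and print "PID NAME" for
# every entry whose link target is marked "(deleted)". Thread entries under
# /proc/<pid>/task/ are skipped so each process is reported once.
deleted_exe_from_listing() {
    grep -v '/task/' | grep ' (deleted)$' |
    awk '{
        # field 9 is the link /proc/<pid>/exe, field 11 is the target path
        split($9, p, "/"); n = split($11, t, "/")
        print p[3], t[n]
    }'
}

# Live scan of the running system (run as root to read every /proc/<pid>/exe).
deleted_exe_live() {
    find /proc -maxdepth 2 -name exe -exec ls -l {} + 2>/dev/null |
    deleted_exe_from_listing
}

# Constructed sample listing in the format "ls -l" produces, for an offline run.
SAMPLE_LISTING='lrwxrwxrwx 1 root root 0 Jan  1 00:00 /proc/1/exe -> /usr/lib/systemd/systemd
lrwxrwxrwx 1 root root 0 Jan  1 00:00 /proc/2310/exe -> /usr/bin/.sshd (deleted)
lrwxrwxrwx 1 root root 0 Jan  1 00:00 /proc/2310/task/2311/exe -> /usr/bin/.sshd (deleted)
lrwxrwxrwx 1 root root 0 Jan  1 00:00 /proc/4471/exe -> /usr/bin/.swhd (deleted)'

# Runs the check against the constructed sample; replace with deleted_exe_live
# on a real host.
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | deleted_exe_from_listing
}
```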
Detect and fix vulnerabilities
Check whether suspicious accounts exist on the server. If yes, stop the server and remove the accounts.
Check whether suspicious remote logons to the server exist. If yes, change the logon password to a strong password. A strong password must be at least 10 characters in length and contain uppercase letters, lowercase letters, digits, and special characters.
Check the administrator passwords for services such as Jenkins, Tomcat, phpMyAdmin, WDCP, and WebLogic to ensure that strong passwords are used. For unused services, disable the management port 8080.
Check whether vulnerabilities exist in web applications such as Struts and Elasticsearch. Make sure that your website is protected by WAF. You can also use Threat Detection Service to detect and remove trojans and viruses and to install security patches.
Check whether a Jenkins vulnerability exists that allows commands to be executed remotely with administrator privileges without a password. If yes, configure a password or disable the management port 8080.
Check whether a Redis vulnerability exists that allows files to be written remotely without a password. Check whether the /root/ directory contains SSH key files created by attackers. If yes, delete the files. Then, configure a strong password for Redis. If access over the public network is not required, set bind 127.0.0.1 in the Redis configuration to allow local access only.
Check the password settings for MySQL, SQL Server, FTP, and web management consoles. Make sure that strong passwords are used.
Enable Alibaba Cloud Security services
Make sure that WAF protection is enabled for all websites hosted on your ECS instance.
Use Threat Detection Service of Alibaba Cloud Security to scan for risks and vulnerabilities, detect and remove trojans, and fix vulnerabilities.
Re-initialize cloud disks
If issues persist after you remove viruses and trojans, fix vulnerabilities on your ECS instance, and enable Alibaba Cloud Security services, we recommend that you re-initialize the cloud disks that are used as system disks and data disks to their initial state.
For more information, see Re-initialize a cloud disk.
Before you re-initialize your cloud disks, download the full data of the system disks and data disks to your computer and create backups. After the re-initialization, remove viruses from the backup data and then upload the data.
After the re-initialization, perform the preceding operations again. Detect and remove trojans and viruses, detect and fix vulnerabilities, and then enable Alibaba Cloud Security services.