
What should I do if my ECS is hacked

Last Updated: Mar 06, 2018

Instant actions

  1. Change the password of your administrator account.

    Note: We recommend that you use a password that consists of eight or more uppercase or lowercase letters, digits, and special characters.

  2. Modify the remote logon port, and enable the firewall to restrict or specify IP addresses.

  3. Open specific service ports for the firewall.

    Note: We recommend that you restrict access to services like FTP and databases that do not need to be open to all users.

  4. Check whether any unauthorized ports are open.

    • For Windows instance:
      • Run netstat /ano in CMD to view the ports.
      • Check port processes by PID:
        1. Click Start > Run.
        2. Run msinfo32.
        3. Open Software Environment > Running Tasks.
        4. Delete files in the corresponding directory.
    • For Linux instance: Run the netstat -anp command to view the ports.
  5. Install anti-virus and anti-Trojan software to scan for and remove viruses on the ECS instance.

    • If you want to delete an unknown account on Windows, you must check the SAM key-value in the registry for any hidden accounts.
    • If you have installed a web service, limit the file access permissions for the associated account on the file system and only grant the read-only permission.
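
One way to carry out the Linux check in step 4, as an added example that is not part of the original page: the function reads netstat -anp output and lists TCP listeners that are reachable from the network and whose port is not on an allowlist. The allowlist (22, 80, 443), the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets whose port is not on an allowlist.
# On a live host, run: netstat -anp | unexpected_listeners

ALLOWED_PORTS="22 80 443"   # hypothetical allowlist; adjust per instance

# Constructed sample of `netstat -anp` output (not taken from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1044/nginx
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      990/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1201/vsftpd
tcp6       0      0 :::8899                 :::*                    LISTEN      4521/update
tcp        0     36 10.0.0.5:22             203.0.113.7:51234       ESTABLISHED 2210/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
EOF
}

# Print "port local-address pid/program" for each unexpected listener.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)      # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)  # text before the last colon
            # Loopback-only listeners are not reachable from the network.
            if (host == "127.0.0.1" || host == "::1") next
            if (!(port in ok)) print port, addr, $7
        }'
}

sample_netstat | unexpected_listeners
```

On the sample input this reports the FTP listener on port 21 and the unknown listener on port 8899, and skips the database bound to 127.0.0.1. Each reported PID can then be traced to its executable before deciding whether the port should be closed.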


  1. Enable all the Alibaba Cloud Security services to safeguard ECS, especially the following items:

    • WAF. The WAF service protects you from intrusion through web service vulnerabilities. WAF has a professional security team that keeps a close watch on local security breach events. Once a new vulnerability is revealed, the team updates the protection rules immediately to stop hackers from using it to break into the website.
    • Webshell Detection. Webshell Detection detects backdoor programs on ECS instances in real time.
    • Host Password Cracking Defense.
  2. Change the following passwords:

    • ECS Instance logon password
    • Database connection password
    • Website background password
    • FTP password
    • Other server manager password

      Note: We recommend that you use a password that consists of eight or more uppercase and lowercase letters, digits, and special characters.

  3. Reinforce the system.

    • Hide the website background. Use a long, multi-character name for the website background directory, and make sure the website still operates normally. For example: /mothersaidthesafestpasswordisthelongestandthemostintricateone/.
    • Apply Windows system patches promptly.