
How to handle ECS intrusion?

Last Updated: Jan 30, 2018

Symptoms

An ECS instance can still be compromised even after it is protected by WAF. This can happen for the following reasons:

  • The ECS instance was compromised before it was connected to WAF. In this case, you must first clean up the ECS instance.
  • DNS resolution is not updated after WAF is configured, so traffic still flows directly to the ECS instance without passing through WAF.
  • Before WAF is used, the IP address of the ECS instance is disclosed and no security group is configured. As a result, hackers attack the ECS instance directly through its IP address.
  • Other sites that are not protected by WAF exist on the ECS instance, so the ECS instance is affected by attacks targeting those sites.
  • The ECS instance suffers non-Web intrusions, such as brute-force cracking of the SSH password.

Resolution

  • Perform the Server cleanup described in the following section.
  • Make sure that DNS resolution is updated so that the website is under the protection of WAF. For more information, see CNAME access guide.
  • Configure a security group to prevent attacks that bypass WAF. For more information, see Protect origins.
  • Make sure that all HTTP services on the ECS instance are protected by WAF.
  • Make sure that the ECS instance and the database use strong passwords.

Note: Before clearing Trojans and viruses, first Create a snapshot to back up data to avoid data loss arising from operation mistakes.

Server cleanup

Clear Trojans and viruses

Follow these steps to detect and clear Trojans and viruses in your ECS instance.

  1. Check the network connections by using netstat and analyze whether any suspicious connections exist. If yes, stop the ECS instance.

  2. Use antivirus software to scan and clear viruses.

  3. Run the following commands to clear Trojans in Linux.

    1. chattr -i /usr/bin/.sshd
    2. rm -f /usr/bin/.sshd
    3. chattr -i /usr/bin/.swhd
    4. rm -f /usr/bin/.swhd
    5. rm -f -r /usr/bin/bsd-port
    6. cp /usr/bin/dpkgd/ps /bin/ps
    7. cp /usr/bin/dpkgd/netstat /bin/netstat
    8. cp /usr/bin/dpkgd/lsof /usr/sbin/lsof
    9. cp /usr/bin/dpkgd/ss /usr/sbin/ss
    10. rm -r -f /root/.ssh
    11. rm -r -f /usr/bin/bsd-port
    12. find /proc/ -name exe | xargs ls -l | grep -v task |grep deleted| awk '{print $11}' | awk -F/ '{print $NF}' | xargs killall -9

Fix vulnerabilities

Follow these steps to check and fix vulnerabilities for your ECS instance.

  1. Check whether the server accounts are normal. If an abnormal account exists, stop the ECS instance and delete the abnormal account.

  2. Check whether remote logon to the ECS instance is enabled. If yes, set a strong logon password of more than 10 characters that includes uppercase and lowercase letters, digits, and special characters.

  3. Confirm that the backend passwords of Jenkins, Tomcat, phpMyAdmin, WDCP, and WebLogic are strong passwords. You can disable the management port 8080 if the services are not in use.

  4. Check for vulnerabilities in Web applications, such as Struts and Elasticsearch. Make sure that the website is protected by WAF. We recommend that you use Server Guard for clearing Trojans and viruses and installing patches.

  5. Check whether the following vulnerability exists: the Jenkins administrator can run commands remotely without a password. If yes, set a password or close the management page on port 8080.

  6. Check whether the following vulnerability exists: files can be written to Redis without a password. Check whether SSH logon key files created by hackers exist under /root/. If such files exist, delete them. Modify Redis so that users must authenticate with a password, and configure a strong password. If access from public networks is not required, use bind 127.0.0.1 to allow local access only.

  7. Check that passwords are set for MySQL, SQL Server, FTP, and the Web management backend, and make sure that the passwords are strong.
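
As an added example (not part of the original article), the following read-only audit script reports the indicators that the Linux cleanup commands above act on and the weak Redis settings described in step 6, without deleting or killing anything: the planted Trojan paths, processes whose executable has been deleted from disk, and a Redis config with no requirepass or a non-loopback bind. The staged demo tree and the /etc/redis/redis.conf path used in live mode are assumptions.

```shell
#!/bin/sh
# Read-only audit of the indicators the cleanup and hardening steps above act on.
# Each check takes a path argument so it runs against a staged tree or the live host.
# Indicator files/directories from the Linux cleanup commands. Prints those present
# under root prefix $1 ("" for the real filesystem).
check_trojan_paths() {
    for p in /usr/bin/.sshd /usr/bin/.swhd /usr/bin/bsd-port /usr/bin/dpkgd; do
        if [ -e "$1$p" ]; then echo "$p"; fi
    done
}

# PIDs whose executable was deleted from disk (what cleanup command 12 kills).
# $1 is the proc directory; only <pid>/exe links are read, not <pid>/task/*/exe.
check_deleted_exes() {
    for exe in "$1"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        case "$(readlink "$exe" 2>/dev/null)" in
            *" (deleted)") d=${exe%/exe}; echo "${d##*/}" ;;
        esac
    done
}

# Weak settings in the redis.conf given as $1: no password, or bound beyond loopback.
check_redis_conf() {
    grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' "$1" || echo "no requirepass"
    grep -Eq '^[[:space:]]*bind[[:space:]]+127\.0\.0\.1' "$1" || echo "bind not local-only"
}

# Constructed demo tree (not a real host): one planted indicator directory, a fake
# /proc entry whose binary was deleted, and a Redis config open to the network.
stage_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin/bsd-port" "$root/proc/1" "$root/proc/4242"
    ln -s /bin/sh "$root/proc/1/exe"
    ln -s "/usr/bin/.sshd (deleted)" "$root/proc/4242/exe"
    printf 'bind 0.0.0.0\nport 6379\n' > "$root/redis.conf"
    echo "$root"
}

# With --live, audit this host (the redis.conf path is an assumption); otherwise run the demo.
if [ "${1:-}" = "--live" ]; then
    check_trojan_paths ""; check_deleted_exes /proc; check_redis_conf /etc/redis/redis.conf
else
    ROOT=$(stage_demo)
    echo "trojan paths:";  check_trojan_paths "$ROOT"
    echo "deleted exes:";  check_deleted_exes "$ROOT/proc"
    echo "redis config:";  check_redis_conf "$ROOT/redis.conf"
    rm -rf "$ROOT"
fi
```

Run it with no arguments to see the demo findings, or with --live (as root, so that /proc/*/exe links are readable) to audit the host before you run the destructive cleanup commands.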

Enable Alibaba Cloud Security services

  • Make sure that WAF is enabled for all websites on the ECS instance.
  • Use Alibaba Cloud Security Server Guard for host scanning, Trojans scanning and clearing, and fixing vulnerabilities.

Re-initialize the disk

If the problem still exists after viruses and Trojans are cleared and the Alibaba Cloud Security services are enabled, we recommend that you re-initialize the disk. For more information, see Re-initialize a disk.

Note: Before re-initializing the disk, download and back up the data on the system disk and data disks to a local disk. After the disk is re-initialized, re-deploy your applications, and then re-upload the data to the disk once the virus is cleared.

After completing this procedure, we recommend that you Clear Trojans and viruses, Fix vulnerabilities, and Enable Alibaba Cloud Security services for the ECS instance.
