What are the solutions for the Aliyun server after unlocking the external attack?

ECS Cloud Server Unlock solution after external attack

Note: Before troubleshooting, create a snapshot backup to avoid incorrect operation that can cause data loss to be restored.

November 10, 2015, we detected a large-scale use of hackers redis vulnerability attacks, implanted Trojans, please be sure to focus attention.

If you have security technical support requirements, such as troubleshooting server WEB applications hacked, web site black chain, Web site modified, horse cleanup in the server, vulnerability detection and repair, security incident Quick Response, you can purchase our paid cloud hosting service Http://www.aliyun.com/product/mss.

Troubleshooting Virus Trojan

Use Netstat to view network connections, analyze for suspicious send behavior, and stop if there are any.

Use antivirus software for virus killing.

Linux Common Trojan Cleanup command:

Chattr-i/usr/bin/.sshd

Rm-f/usr/bin/.sshd

Chattr-i/USR/BIN/.SWHD

Rm-f/USR/BIN/.SWHD

Rm-f-r/usr/bin/bsd-port

Cp/usr/bin/dpkgd/ps/bin/ps

Cp/usr/bin/dpkgd/netstat/bin/netstat

Cp/usr/bin/dpkgd/lsof/usr/sbin/lsof

Cp/usr/bin/dpkgd/ss/usr/sbin/ss

Rm-r-f/root/.ssh

Rm-r-f/usr/bin/bsd-port

find/proc/-name exe | Xargs Ls-l | Grep-v Task |grep deleted| awk ' {print $11} ' | awk-f/' {print $NF} ' | Xargs killall-9

Troubleshoot and repair server vulnerabilities

Check that the server account has an exception, and if so, stop deleting it.

See if the server has remote login, if there is a strong password to modify the password (Word per + number + special symbol) case, 10 digits and above.

View Jenkins, Tomcat, phpMyAdmin, WDCP, Weblogic background password, improve password strength (Word per + number + special symbol) case, 10-bit and above, do not use the recommendation to close the 8080 management port.

See if there are any vulnerabilities to Web applications, such as struts, elasticsearch, etc., please upgrade if available.

Jenkins Administrator to remotely execute a command vulnerability without a password, such as a password to set or close the 8080 Port Administration page.

View Redis No password can remotely write file vulnerabilities, check/root/the hacker created by the SSH login key file, delete, modify Redis for password access and use a strong password, do not need to access the public network best bind 127.0.0.1 local access.

View MySQL, SQL Server, FTP, WEB admin and other settings where there is a password, improve the password strength (Word per + number + special symbol) case, 10 digits and above.

If you have Third-party software installed, please follow the official website guidelines for repair.

Open Cloud Shield Service

Open the Cloud Shield service and turn on all cloud shield security features to protect your host against malicious attacks.

Implement the Security Defense program, please open the Knight service as soon as possible, but also recommends that you configure the Cloud Shield service.

If the problem is still unresolved

The above processing does not solve the problem, we strongly recommend that you do the following:

Completely download the system disk and data disk Backup to local save.

Reset overall. Log on to the Cloud server ECS console.

Click the instance that you want to initialize, and back up the server data.

Closes the instance.

Click the reset disk and select the system disk and the data disk reset to your actual situation. 6. Redeploy the application and upload the data after anti-virus, and restart the 3 steps mentioned above.

If the problem has not been resolved, please contact the After-sale technical support.