How to deal with the lock-up caused by external DDoS attacks of ECS instances

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

The editor shares here how to deal with an ECS instance being locked because of outbound DDoS attacks. Most people do not know much about this, so this article is offered for your reference; I hope you learn a lot from it.

How to deal with an ECS instance being locked because of outbound DDoS attacks

When your ECS instance shows as locked in the ECS console and you receive an official SMS or email notification that the Aliyun instance has been shut down, the instance has been placed under a security lock. Aliyun detected outbound DDoS traffic from your ECS instance that was affecting the network stability of the cloud platform, so the security system locked it.

A security lock indicates that the instance has been compromised by malware. Create a snapshot promptly to back up the disk data before you change anything.

Troubleshoot malware on the ECS instance

Check the network connection state of the ECS instance and look for suspicious outbound traffic; if you find any, stop the process responsible.

Linux instance: run netstat -a to view the network connections.

Windows instance: run netstat -a -n -o in PowerShell to view the network connections.
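The check described above, automated: an added example (not code from the article or from Aliyun) that parses the output of the two netstat commands and reports any process holding many sockets to a single remote host, the footprint of an instance being used as a DDoS source. The two samples are constructed to mimic the Linux and Windows layouts; the process names and addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of `netstat -anp` on Linux (not a real capture).
LINUX_SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*           LISTEN      812/sshd
tcp        0      0 10.0.0.5:22       198.51.100.9:51022  ESTABLISHED 1407/sshd
tcp        0      1 10.0.0.5:41234    203.0.113.7:80      SYN_SENT    2291/.sshd
tcp        0      1 10.0.0.5:41235    203.0.113.7:80      SYN_SENT    2291/.sshd
tcp        0      1 10.0.0.5:41236    203.0.113.7:80      SYN_SENT    2291/.sshd
udp        0      0 10.0.0.5:53211    203.0.113.7:53      -           2291/.sshd
"""
# Constructed sample in the layout of `netstat -a -n -o` on Windows.
WINDOWS_SAMPLE = """\
  TCP    0.0.0.0:135       0.0.0.0:0           LISTENING       900
  TCP    10.0.0.5:49771    203.0.113.7:80      SYN_SENT        4120
  TCP    10.0.0.5:49772    203.0.113.7:80      SYN_SENT        4120
  TCP    10.0.0.5:49773    203.0.113.7:80      SYN_SENT        4120
"""

ADDR = re.compile(r"^(\S+):(\S+)$")          # a host:port column
NO_PEER = {"0.0.0.0", "*", "::", "[::]"}      # foreign side of a listening socket

def parse_connections(text):
    """Yield (remote_host, state, owner) for every socket line that has a real peer."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        # Both layouts put local then foreign host:port before the state column
        # and the PID (Windows) or PID/program (Linux) in the last column.
        addrs = [ADDR.match(t) for t in tokens if ADDR.match(t)]
        if len(addrs) < 2 or addrs[1].group(1) in NO_PEER:
            continue
        after = tokens[tokens.index(addrs[1].group(0)) + 1:]
        state = after[0] if after and after[0].isupper() else "-"
        yield addrs[1].group(1), state, tokens[-1]

def flag_flooders(text, min_connections=3):
    """Return {owner: (remote_host, count)} for owners with at least min_connections
    sockets to one remote host; half-open SYN_SENT sockets count as well."""
    per_owner = defaultdict(Counter)
    for host, _state, owner in parse_connections(text):
        per_owner[owner][host] += 1
    flagged = {}
    for owner, hosts in per_owner.items():
        host, count = hosts.most_common(1)[0]
        if count >= min_connections:
            flagged[owner] = (host, count)
    return flagged
```

On a real host, feed the function the captured netstat output and raise the threshold to suit the server's normal traffic; a legitimate busy web server also holds many sockets, but to many different peers.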

Scan the instance with antivirus software. Aliyun's Anknight (Server Guard) is recommended for a full scan.

Common Trojan cleaning commands for Linux. The sequence removes the fake .sshd binary and the bsd-port directory, copies ps, netstat, lsof and ss from /usr/bin/dpkgd back into their normal locations, and kills every process whose executable has been deleted from disk. Note that rm -r -f /root/.ssh also removes root's own authorized_keys, so re-add your keys afterwards:

chattr -i /usr/bin/.sshd
rm -f /usr/bin/.sshd
rm -f -r /usr/bin/bsd-port
rm -r -f /root/.ssh
rm -r -f /usr/bin/bsd-port
cp /usr/bin/dpkgd/ps /bin/ps
cp /usr/bin/dpkgd/netstat /bin/netstat
cp /usr/bin/dpkgd/lsof /usr/sbin/lsof
cp /usr/bin/dpkgd/ss /usr/sbin/ss
find /proc/ -name exe | xargs ls -l | grep -v task | grep deleted | awk '{print $11}' | awk -F/ '{print $NF}' | xargs killall -9

Troubleshoot ECS instance vulnerabilities

Check whether any accounts on the ECS instance are abnormal.

Windows instance

Delete any account whose name ends with a dollar sign ($). Attackers commonly create accounts whose names end in $.

Attackers may also create hidden users on your ECS instance that do not appear in the local user list. You can reveal them by granting the Administrators group permissions on the SAM registry key. Back up your data before modifying the registry to guard against mistakes:

Connect remotely and log in to the instance.

Click start > run, and enter regedt32.exe.

Select HKEY_LOCAL_MACHINE\SAM\SAM; by default its contents are not visible.

Right-click SAM, select Permissions, select Administrators, tick Full Control, and click OK.

Click Start > Run and enter regedit.

Select HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account to display all user names on the ECS instance. Any name that appears here but not in the local user list is a hidden user; delete it.

Linux instance

Run the command last, or inspect /var/log/secure, to review recent logins to the ECS instance.

Run vi /etc/passwd and check for abnormal accounts. If you find one, run usermod -L username to disable the user, or userdel -r username to delete the user.
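An added example (not from the article or Aliyun) that performs the /etc/passwd review from this step automatically: it flags a second UID 0 account, a UID shared by two names, and a system account given an interactive shell, and maps each finding to the usermod -L command the text recommends. The passwd content below is constructed for the demonstration.

```python
# Constructed /etc/passwd content for demonstration (not taken from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
toor:x:0:0::/root:/bin/bash
games:x:5:60:games:/usr/games:/bin/sh
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}

def audit_passwd(text):
    """Return [(username, reason)] for entries that deserve a closer look: a second
    UID 0 account, a UID shared between two names, and a system account (UID below
    1000) that has an interactive shell. Findings keep file order."""
    findings = []
    seen_uid = {}  # first name seen for each UID
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # blank, comment or malformed line
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        elif uid in seen_uid:
            findings.append((name, f"shares UID {uid} with {seen_uid[uid]}"))
        elif uid < 1000 and name != "root" and shell not in NOLOGIN_SHELLS:
            findings.append((name, f"system account with shell {shell}"))
        seen_uid.setdefault(uid, name)
    return findings

def lock_commands(findings):
    """Map each finding to the disable command from the text (usermod -L), so the
    account is locked for review before any deletion with userdel -r."""
    return [f"usermod -L {name}" for name, _reason in findings]
```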

Check whether the ECS instance has been logged into remotely by anyone unexpected. If so, change the password to a strong one of 10 or more characters mixing uppercase and lowercase letters, digits and special symbols.

Check whether the web services have vulnerabilities, such as in Struts or ElasticSearch, and upgrade them if so. You can also log in to the Cloud Shield security console to check whether the web services have vulnerabilities.

Check whether the passwords of the instance's internal accounts are too simple, such as the MySQL account, SQL Server account, FTP account, web management backend account, or any other password; reset any simple password to a complex one of 10 or more characters mixing uppercase and lowercase letters, digits and special symbols.

Apply fixes according to the instructions on the official website of the relevant third-party software.

Activate Cloud Shield service

Enable all Cloud Shield security protection features to protect your ECS instance against malicious attacks.

Initialize ECS instance

If the problem is not resolved after the steps above, it is recommended that you reinitialize the ECS instance.

Log in to the ECS Management console.

Create a snapshot of the failed ECS instance, including the system disk and the data disk.

After stopping the failed ECS instance, click More > Reinitialize Disk in the Actions column, and choose to reinitialize both the system disk and the data disk.

Redeploy the application, upload only data that has been scanned for malware, and start the ECS instance again.

Enable all Cloud Shield security features.

The above covers the methods for dealing with an ECS instance being locked because of outbound DDoS attacks. Thank you for reading! I hope this content has been helpful; if you want to learn more, follow the industry information channel.
