Alibaba Cloud ECS servers are used by many website customers, and they can run different systems: Windows 2008, Windows 2012 and Linux are all available on Alibaba Cloud servers. Some time ago, SINE Security received a security request from a customer who had got a text message alert from Alibaba Cloud saying that a mining process had been found on their server and had to be dealt with immediately. The customer's website would no longer open, and even an SSH remote connection to the server could not be established, which had a serious impact on the customer.

Our SINE Security engineer then carried out a full security check of the customer's server. After logging in to the Alibaba Cloud control console, we found that the server's CPU was at 100%, whereas the CPU monitoring history showed it normally fluctuating between 20% and 35%. Looking at the process list in top and tracking which processes were consuming CPU, we found one process that was occupying the CPU continuously. From this we could determine that a mining program had been implanted on the customer's server and the server had been compromised, which is what triggered the Alibaba Cloud Security warning about a mining process. The customer's server had been infected with a mining Trojan. Here is the screenshot of the top process:

Searching by the ID of the offending process, we found that its file was in the tmp directory of the Linux system. We forcibly deleted the file and killed the process with a command, and the CPU dropped to 10% instantly. That was the direct cause of the mining, but how did the attacker get into the server and implant the mining Trojan? Based on SINE Security's years of experience, we judged that the customer's website might have been tampered with, so we immediately launched a comprehensive security test of the website.
The customer's site was built on the dedecms website building system, an open source PHP + MySQL architecture. We security-tested all of the code, images and the database and, as expected, found the problem: a webshell Trojan file had been uploaded to the root directory of the website. When asked, the customer said that they had previously received a webshell backdoor alert from Alibaba Cloud but had not paid attention to it at the time. The root cause of the mining Trojan being implanted on the server was therefore a vulnerability in the website itself.

We manually repaired the dedecms code vulnerabilities, including the remote code execution and SQL injection vulnerabilities that had existed in the code, deployed secure permissions on the website's folders, changed the default dede admin backend for the customer, added secondary password protection to the website backend, and removed the Trojan backdoor.

In the server's scheduled tasks we found the task the attacker had added: on every server restart and every hour, the mining Trojan was executed automatically. We deleted that scheduled task and checked the Linux system users for any additional root-level administrator accounts; none had been added. We checked the server's outbound connections, including whether any malicious ports had connections to other IPs, reviewing the security state of all ports with netstat -an, and found that no remote Trojan backdoor had been implanted. Finally we hardened the customer's ports, using iptables to restrict inbound and outbound traffic. At this point the mining Trojan problem on the customer's server was completely resolved. Let us summarize how to protect against and deal with mining Trojans.
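The checks described above (CPU-hogging process running from tmp, the reboot and hourly cron entries, extra root-level users, netstat -an for unexpected connections) as a small set of shell helpers. This is an added example, not the original author's tooling; the process, cron, passwd and netstat samples are constructed, and each function reads its listing from stdin so it can be fed live command output instead.

```shell
# Added triage helpers that mirror the steps in the write-up (not the original
# author's tooling). Each function reads a listing on stdin, so it can be fed
# either live command output or the constructed samples below.

# 1. Processes whose executable lives in a world-writable scratch directory.
#    Input: "<pid> <cpu%> <command...>"  (e.g. ps -eo pid,pcpu,args --no-headers)
scratch_dir_procs() {
  awk '$3 ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\// { print $1 }'
}

# 2. Persistence: cron entries that run something from a scratch directory
#    (the write-up found an @reboot plus an hourly entry). Input: crontab -l
scratch_dir_cron() {
  grep -E '(/tmp|/var/tmp|/dev/shm)/' | grep -vE '^[[:space:]]*#'
}

# 3. Extra uid-0 accounts besides root. Input: /etc/passwd
extra_root_users() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# 4. Established connections whose local port is not one of the services we
#    expect (80, 443, 22): an outbound miner-to-pool session shows up here.
#    Input: netstat -an style lines "proto recvq sendq local foreign state"
unexpected_established() {
  awk '$6 == "ESTABLISHED" { n = split($4, l, ":"); p = l[n];
        if (p != "80" && p != "443" && p != "22") print $5 }'
}

# Constructed samples (not real data) standing in for the live listings.
SAMPLE_PS='1 0.0 /sbin/init
812 0.3 /usr/sbin/sshd -D
2310 98.7 /tmp/.hidden/miner -o pool.example:3333
2400 1.1 /usr/sbin/httpd'
SAMPLE_CRON='# m h dom mon dow command
@reboot /tmp/.hidden/miner
0 * * * * /tmp/.hidden/miner
30 2 * * * /usr/local/bin/backup.sh'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
sysadm:x:0:0::/tmp:/bin/sh'
SAMPLE_NETSTAT='tcp 0 0 10.0.0.5:80 203.0.113.9:51234 ESTABLISHED
tcp 0 0 10.0.0.5:22 198.51.100.7:40001 ESTABLISHED
tcp 0 0 10.0.0.5:49822 192.0.2.77:3333 ESTABLISHED
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN'
echo "scratch-dir pids:";   printf '%s\n' "$SAMPLE_PS"      | scratch_dir_procs
echo "scratch-dir cron:";   printf '%s\n' "$SAMPLE_CRON"    | scratch_dir_cron
echo "extra uid-0 users:";  printf '%s\n' "$SAMPLE_PASSWD"  | extra_root_users
echo "unexpected estab:";   printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_established
```

On a live host, replace the sample variables with the output of ps, crontab -l (for root and the web user), /etc/passwd and netstat -an; a hit in any of the four lists is the starting point for the cleanup described in the text, not the end of it.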
In summary: regularly audit the website's program code for webshell backdoors; regularly upgrade the website system and fix the vulnerabilities in its version; add secondary password verification to the website backend login, so that an SQL injection vulnerability in the site cannot be used to obtain the administrator's account password and log in to the backend. Use Alibaba Cloud's port security policy to open only ports 80 and 443 and to restrict the SSH port to released IPs; when you need to log in to the server, add your IP to the release list in the Alibaba Cloud console, to prevent malicious logins to the server as far as possible. If you too find your server flagged by Alibaba Cloud for a mining program, you can turn to a professional server security company; in China, SINESAFE, NSFOCUS, Venusstar and other security companies are relatively good. We hope that this account of solving the problem can help more people.
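The port policy recommended above (80 and 443 open, SSH only from a released IP, inbound and outbound traffic limited with iptables as in the cleanup) written out as host-level iptables rules. This is an added example, not the original author's configuration; ADMIN_IP and SSH_PORT are assumed placeholders, and the functions emit the rules instead of applying them so they can be reviewed first.

```shell
# Added example (not the original author's configuration): a host-level
# iptables equivalent of the port policy recommended above. Ports 80/443 are
# open to everyone, SSH only to the released admin address, and outbound
# traffic is limited so a miner cannot reach a pool on an arbitrary port.
# ADMIN_IP and SSH_PORT are assumed placeholders; adjust before use.
ADMIN_IP="${ADMIN_IP:-203.0.113.10/32}"   # constructed: the one IP released for SSH
SSH_PORT="${SSH_PORT:-22}"

# Emit the rules rather than applying them, so they can be reviewed first
# (then: inbound_rules | sh). ACCEPT rules are added before the DROP policy
# so an existing admin session is not cut off half-way.
inbound_rules() {
  cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s $ADMIN_IP --dport $SSH_PORT -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Outbound: only DNS, HTTP/HTTPS and replies to established sessions leave
# the host; everything else is logged (rate-limited) and dropped, which also
# gives you a log line to alert on if a miner tries to connect out.
outbound_rules() {
  cat <<EOF
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTBOUND-DROP: "
iptables -P OUTPUT DROP
EOF
}

inbound_rules
outbound_rules
```

Apply the rules from the cloud console session, or with a timed rollback, so that a wrong ADMIN_IP cannot lock you out; if the site needs other outbound destinations (package mirrors, mail, a remote database), add them to the OUTPUT chain before the DROP policy.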