Resolve the issue of abnormal accounts in an ECS instance -

Problem description

When you log on to an Elastic Compute Service (ECS) instance, abnormal accounts exist in the instance.

Cause

The accounts may be abnormally created and the ECS instance may be compromised.

Solution

Check whether an abnormal account is created by another user. If so, the account is a normal account. If an account is abnormally created, check the name of the account. If the account is created for an application, such as MySQL or tcpdump, the account name is related to the application and is considered normal. If the account name is not related to an application and is similar to that of an administrator account, such as Administrators, the ECS instance may be compromised. You can perform the following steps to resolve the issue based on the actual situation:

Delete the abnormal accounts from the system

Perform the following steps to check whether abnormal accounts exist in the ECS instance:

Linux instance
1. Log on to the ECS instance. For more information, see Connect to a Linux instance by using a password or key.
2. Run the vi /etc/passwd command to check whether abnormal accounts exist. If an abnormal account exists, run the usermod -L [$User] command to disable the abnormal account or run the userdel -r [$User] command to delete the abnormal account.
  Note
  [$User] specifies the name of the abnormal account.
Windows instance
Note
In this example, an ECS instance that runs Windows Server 2012 is used.
1. Delete accounts whose names end with a dollar sign ($). In most cases, the names of the accounts created by hackers end with a dollar sign ($).
  1. Log on to the ECS instance. For more information, see Connect to a Linux instance by using a password or key.
  2. Press the left Windows key, and choose Control Panel > User Accounts > Manage another account.
  3. Find the accounts whose names end with a dollar sign ($) and delete the accounts.
2. Hackers may create hidden accounts in your ECS instance. Local accounts cannot view the hidden accounts. You can modify the registry to modify the permissions of the Administrators account. To prevent operation errors, we recommend that you back up data before you modify the registry.
  1. Log on to the ECS instance. For more information, see Connect to a Linux instance by using a password or key.
  2. Open the Run dialog box, enter regedt32.exe, and then click OK.
  3. Choose HKEY_LOCAL_MACHINE > SAM. You cannot view the subdirectories by default.
  4. Click SAM, right-click Permissions, select Administrators, select Full Control in the Allow column, and then click OK. Close the Registry Editor.
  5. Click the Start icon, select Run, and then enter regedit.
  6. Choose HKEY_LOCAL_MACHINE > SAM > SAM > Domains > Account > Users > Names. All account names in the ECS instance are displayed. Non-local accounts are hidden accounts. Delete the accounts.

Use Security Center to resolve the issue

Log on to the Security Center console. Choose Detection and Response > Alerts to check whether the ECS instance is compromised. For information about alerts, see Overview.
You can upgrade to the paid Security Center Enterprise Edition to use the cloud threat detection and fixing features, or install third-party security software on the instance to perform a full scan and removal. Delete the abnormal accounts and perform necessary security hardening.
Note
If the abnormal accounts still cannot be deleted and the cost of rebuilding the environment is not high, you can back up data and initialize the system disk to resolve the issue. Before initialization, make sure that you have backed up data. For more information, see Re-initialize a system disk.