Security Center generates different types of alerts for threats detected on assets in real time, including alerts for web tampering, suspicious processes, webshells, unusual logons, and malicious processes. Security Center detects threats based on threat detection models. This allows you to monitor the security posture of assets in real time and handle threats at the earliest opportunity.
Background information
Security Center generates alert events when threats are detected on your servers or cloud services. For example, when Security Center detects attacks that are initiated from a malicious IP address or detects exceptions on assets, alert events are generated.
To view the alerts that are generated on your assets, you can go to the Detection and Response > Alerts page. If you have enabled the Cloud Threat Detection and Response (CTDR) feature, you can perform the following operations to view the alerts: Go to the CTDR > Alert page. In the upper-right corner of the Alert page, click Alerts on Host and Container to go to the Alerts page.
Web tamper proofing is a value-added feature that is provided by Security Center. To use the feature, you must purchase and enable the feature. For more information, see Use the feature of web tamper proofing.
Limits on threat detection
Security Center sends alerts in real time when risks are detected. You can manage security alerts, scan for and fix vulnerabilities, analyze attacks, and perform configuration assessment in the Security Center console. Security Center can analyze alerts and trace attacks. This reinforces the security of your assets. To protect your assets against attacks, we recommend that you regularly install the latest security patches on your server, and use other security services together with Security Center, such as Cloud Firewall and Web Application Firewall (WAF).
After you install the Security Center agent on a server, the defense process of Security Center requires a specific period of time to take effect on the server. During this period of time, Security Center cannot block threats such as ransomware and DDoS trojans.
Attacks and viruses are always changing, and actual workloads run in different environments. Therefore, Security Center cannot ensure that all unknown threats are detected in real time. We recommend that you use Security Center features such as alerting, vulnerability detection, baseline check, and configuration assessment to enhance security and prevent intrusions, data thefts, and data damage.
Threat detection models
Security Center provides more than 250 threat detection models to detect threats in a comprehensive manner. You can click the icon in the upper-left corner of the Alerts page to view the models. The models are used to detect threats on your cloud assets from end to end during the 10 stages of a network attack. The stages include Attack Portal, Load Delivery, Privilege Escalation, and Escape Detection.
Risk levels of alerts
The alerts that are generated by Security Center are classified into the following risk levels.
Risk level | Description |
Urgent | Urgent alerts are triggered by behavior that causes damages or imposes persistent impacts on your assets. This type of behavior is similar to common attacks such as reverse shells. Urgent alerts indicate that your assets are probably under attack. We recommend that you view the details of the alerts and handle the alerts at the earliest opportunity. |
Suspicious | Suspicious alerts are triggered by behavior that causes damages or imposes persistent impacts on your assets. This type of behavior is similar to some O&M behavior such as suspicious addition of users. This type of behavior may also be involved in an attack path but is unnecessary. Your assets can be attacked even if this type of behavior is missing. For example, the deletion of the traces that are left by attacks is unnecessary in an attack path. Suspicious alerts indicate that your assets have a certain probability of being attacked. We recommend that you view the details of the alerts and check whether risks exist. If risks exist, handle the risks. |
Reminder | Reminder alerts are triggered by behavior that is unnecessary in an attack path. Your assets can be attacked even if this type of behavior is missing. This type of behavior is similar to some O&M behavior such as suspicious port listening. If you have high security requirements for your assets, pay attention to Reminder alerts. |
Alert statistics
Security Center provides statistics based on the alert types that are enabled. This allows you to obtain up-to-date information about the alerts on your assets and on the enabled and disabled alert types. On the Alerts page of the Security Center console, you can view the statistics about alerts and the enabled alert types.
The following table describes the parameters in the upper part of the Alerts page.
Parameter | Description | Operation |
Alerting Servers | The number of servers on which alerts are generated. | Click the number below Alerting Servers to go to the Server tab of the Host page. The Server tab displays the details of servers on which alerts are generated. |
Urgent Alerts | The number of unhandled Urgent alerts. | Click the number below Urgent Alerts. The system displays the urgent alerts on the Alerts page. You can view and handle the Urgent alerts. Note We recommend that you handle the Urgent alerts at the earliest opportunity. |
Total Unhandled Alerts | The total number of unhandled alerts. | View the details of all Unhandled alerts on the Alerts page. For more information, see View and handle alerts. |
Precise Defense | The number of alerts generated for viruses that are automatically quarantined by the malicious host behavior prevention feature. | Click the number below Precise Defense. The system displays the related alerts on the Alerts page. You can view all viruses that are automatically quarantined by the malicious host behavior prevention feature.Malicious Host Behavior Prevention Note You can ignore the viruses that are quarantined by Security Center. |
Enabled IP Address Blocking Policies/All Policies |
| Click a number below Enabled IP Address Blocking Policies/All Policies. In the IP Policy Library panel, you can view the IP address blocking policies that are enabled or all IP address blocking policies that are created. For more information about IP address blocking policies, see Configure alert settings. |
Quarantined Files | The number of files that are quarantined by Security Center based on handled alerts. | Click the number below Quarantined Files. In the Quarantined Files panel, you can view the details of quarantined files. The quarantined files cannot affect your servers. For more information, see View and restore quarantined files. |
Alert types
For more information about the check items of each type of alert in Security Center and the check principles, see Alerts. The types of alerts that Security Center can generate vary based on the Security Center edition. For more information, see Functions and features.
The following table describes all the types of alerts that Security Center can generate.
Alert | Description |
Web tamper proofing | Security Center monitors web directories in real time and restores tampered files or directories by using the backup files. This protects websites from malicious modifications, trojans, hidden links, and uploads of violent or illicit content. Security Center can detect the following suspicious activities:
Note Web tamper proofing is a value-added feature that is provided by Security Center. To use the feature, you must purchase and enable the feature. Security Center Anti-virus, Advanced, Enterprise, and Ultimate support web tamper proofing. Security Center Basic does not support web tamper proofing. For more information, see Use the feature of web tamper proofing. |
Suspicious Process | Security Center can detect suspicious processes, including processes that perform the following operations:
|
Webshell | Security Center uses engines developed by Alibaba Cloud to scan for common webshell files. Security Center supports scheduled scan tasks, provides real-time protection, and quarantines webshell files.
Note Security Center Basic detects only some types of webshells. If you want to detect all types of webshells, we recommend that you upgrade Security Center Basic to the Anti-virus, Advanced, Enterprise, or Ultimate edition. For more information, see Upgrade and downgrade Security Center. |
Unusual Login | Security Center detects unusual logons to your servers. You can configure approved logon IP addresses, time periods, and accounts. Logons from unapproved IP addresses, accounts, or time periods trigger alerts. You can manually add approved logon locations or configure the system to automatically update approved logon locations. You can also specify the assets on which alerts are triggered when unusual logon locations are detected. Security Center can detect the following suspicious activities:
For more information, see How does Security Center detect unusual logons and generate alerts for unusual logons? |
Suspicious Event | Security Center detects suspicious activities during application runtime. |
Sensitive File Tampering | Security Center checks whether the sensitive files on your servers are tampered with. The sensitive files include pre-loaded configuration files in the shared libraries of Linux. |
Malware | Security Center uses an agent to scan your servers in real time. If viruses are detected, Security Center generates alerts. You can log on to the Security Center console to handle the detected viruses. Security Center can detect the following suspicious activities:
|
Unusual Network Connection | Security Center detects unusual network connections and disconnections. Security Center can detect the following suspicious activities:
|
Other | Security Center detects unusual disconnections of the Security Center agent. |
Suspicious Account | Security Center detects unapproved accounts that attempt to log on to your assets. |
Application intrusion event | Security Center detects intrusions that use system application components. |
Cloud threat detection | Security Center checks whether threats exist in the other Alibaba Cloud services that you have purchased. For example, Security Center can detect suspicious deletion of ECS security group rules. |
Precise Defense | Security Center provides the Malicious Host Behavior Prevention feature for precise protection against common ransomware, DDoS trojans, mining programs, trojans, malicious processes, webshells, and computer worms. For more information about how to enable the feature, see Proactive Defense. |
Application Whitelist | You can create a whitelist policy for applications on servers that require reinforced protection. If the suspicious or malicious processes that are identified by the policy are not added to the whitelist, Security Center generates alerts. |
Persistence | Security Center detects suspicious scheduled tasks on servers. If persistent threats against the servers are detected, Security Center generates alerts. |
Web Application Threat Detection | Security Center detects intrusions that use web applications. |
Malicious scripts | Security Center check whether the system services of your assets are attacked or modified by malicious scripts. If potential script attacks are detected, Security Center generates alerts. Malicious scripts are classified into file-based scripts and fileless scripts. After an attacker gains control over a server, the attacker uses scripts for additional attacks. For example, the attacker may insert mining programs and webshells, and add administrator accounts to your system. Programming languages of malicious scripts include Bash, Python, Perl, PowerShell, Batch, and VBScript. |
Threat intelligence | Security Center uses the threat intelligence library developed by Alibaba Cloud to perform correlation analysis on access traffic and logs. Security Center also detects threat events, including access to malicious domains, malicious download sources, and malicious IP addresses. |
K8s Abnormal Behavior | Security Center monitors the security status of running containers in a Kubernetes cluster. This allows you to detect security risks and intrusions in a cluster at the earliest opportunity. To detect threats to a cluster, you must enable the feature of threat detection on Kubernetes containers. For more information, see Enable features on the Container Protection Settings tab. |
Alerts
The following list describes all the alerts that Security Center can generate. The alerts are classified based on operating systems, detection items, and attack methods. Based on the threat intelligence of Alibaba Cloud and the latest disclosed vulnerabilities, Security Center analyzes the threats on your server by using an intrusion prevention system (IPS) and generates different types of alerts. This topic describes the alerts that Security Center can generate and the types of the alerts.
Alerts for Linux servers
Alert type | Alert name | Description |
Persistence | Tampering of the kernel configuration file | The threat detection model detected that the configuration file of the kernel module on your server was tampered with. In most cases, the tampering is detected when a rootkit program modifies the configuration file to achieve self-starting. |
Malicious startup item script | The threat detection model detected that some files of self-startup items on your server were suspicious. The files may be scheduled tasks or self-startup scripts that are inserted by malware or attackers to achieve persistence. | |
Backdoor process | The threat detection model detected a suspicious backdoor process on your server. The backdoor process may be persistent behavior that is left by attackers who attempt to maintain permissions. | |
Abnormal code in memory | The threat detection model detected malicious instructions in the memory of a process on your server. The process may be malware that is left by attackers or a process into which malicious code is injected. | |
Abnormal process | The threat detection model detected that abnormal processes exist in the running programs on your server. The processes may be malicious processes or processes that loaded malicious code. | |
Abnormal self-startup item | The threat detection model detected abnormal self-startup items on your server. The self-startup items may be added by attackers or malware to achieve persistence. | |
Hidden kernel module | The threat detection model detected hidden kernel modules on your server. The kernel modules may be rootkit backdoors that are inserted by attackers or malware, which are used to maintain system permissions and hide other malicious behavior. | |
Suspicious scheduled task in Linux | The threat detection model detected a suspicious scheduled task on your server. The task may be persistent behavior that is left by attackers in your server. | |
SSH public key backdoor | The threat detection model detected an abnormal SSH public key for logons on your server. The SSH public key was added to the attacked server by a worm or attacker to maintain permissions. | |
Malicious scripts | Execution of malicious script code | The threat detection model detected that malicious script code, such as Bash, PowerShell, and Python, was executed on your server. |
Detection of a malicious script file | The threat detection model detected a malicious script file on your server. The file may be inserted by attackers who intruded into your server. We recommend that you perform the following operations: Check whether the file content is legitimate based on the tag of the malicious script. Then, handle the file. | |
Malware | Tainted basic software | The threat detection model detected tainted basic software on your server. In most cases, tainted basic software is a system program into which malicious code is injected. Although the tainted basic software offers basic features, it covertly conducts malicious behavior. |
Malicious program | The threat detection model detected that a malicious program was running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage. | |
Access to a malicious IP address | The threat detection model detected that a process on your server was attempting to connect to a malicious IP address. This IP address may be the IP address of a C&C server or the IP address of a mining pool that is exploited by attackers, which has high risks. The process may be a malicious file that is inserted by attackers. | |
Infectious virus | The threat detection model detected that an infectious virus was running on your server. An infectious virus is a type of advanced malicious program. The virus itself writes malicious code into normal program files for execution. Therefore, a large number of normal programs are often infected and then detected as virus hosts. | |
Attacker tool | The threat detection model detected attacker tools on your server. Attacker tools are the tools that are exploited by attackers to escalate privileges and steal sensitive data during the intrusion process, the programs that are used to uninstall security software, or the backdoor programs that are inserted in the system after the attackers intrude into your server. | |
Backdoor program | The threat detection model detected that a backdoor program was running on your server. A backdoor program is a persistent program that is inserted in the system and exploited by attackers to continuously intrude into the server. | |
Suspicious program | The threat detection model detected that a suspicious program was running on your server. In most cases, a suspicious program has the characteristics of malicious code or has the characteristics of a program that is highly suspicious and needs to be classified. You must determine suspicious programs based on the code or program details. | |
Ransomware | The threat detection model detected that ransomware was running on your server. Ransomware is a malicious program that encrypts and locks all key data files on the server to gain ransom. | |
Exploit | The threat detection model detected that an exploit was running on your server. An exploit takes advantage of known vulnerabilities in operating systems and applications to escalate privileges, implement escapes, and execute arbitrary code. | |
Trojan | The threat detection model detected a trojan on your server. A trojan is a special program that is used to intrude into your server. After a trojan is inserted in the system in disguise, the trojan downloads and releases malicious programs. | |
Worm | The threat detection model detected that a worm was running on your server. A worm is a type of program that replicates itself to spread from a compromised server to another server. A worm can exploit vulnerabilities and launch brute-force attacks. | |
Mining program | The threat detection model detected that a mining program was running on your server. A mining program is a type of program that consumes the computing resources of the server and mines cryptocurrency. This type of program causes extremely high CPU utilization and brings malicious programs. | |
Self-mutating trojan | The threat detection model detected that a self-mutating trojan was running on your server. A self-mutating trojan changes its file hash or replicates itself to a large number of paths and runs in the background. This way, it avoids being cleaned by the system. | |
DDoS trojan | The threat detection model detected that a DDoS trojan was running on your server. A DDoS trojan is a malicious program that is used to receive instructions from a compromised server to launch DDoS attacks against a specific server. | |
Rootkit | The threat detection model detected a rootkit on your server. A rootkit is a malicious module that is inserted in the underlying system. A rootkit is used to hide the traces of itself or other malicious programs. | |
Rootkit kernel module | The threat detection model detected a rootkit on your server. A rootkit is a malicious module that is inserted in the underlying system. A rootkit is used to hide the traces of itself or other malicious programs. | |
Suspicious Process | Tampering of file time | The threat detection model detected that a process on your server attempted to modify the file time. The process may be triggered by attackers who imitate the actual file time to forge the actual creation, access, or modification time of abnormal files to evade detection. |
Call of risk tools | The threat detection model detected a suspicious call of risk tools on your server. The risk tools can be used as proxies, tunnels, or scanning tools that are exploited by attackers to intrude into the server. | |
Reverse shell | The threat detection model detected that your server has run a reverse shell command. Attackers run reverse shell commands to establish a reverse network connection between your server and the server of attackers. Arbitrary commands can be run on your server based on the reverse network connection. For more information, see Detect reverse shells from multiple dimensions. | |
Connection to a malicious download source | The threat detection model detected that your server was attempting to connect to a malicious download source. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. | |
Access to sensitive files | The threat detection model automatically analyzed the historical behavior of a process on your server and detected that the process suspiciously read or modified important system files. | |
Suspicious command run by a process | The threat detection model automatically analyzed the historical behavior of a process on your server and detected that the process ran a suspicious command. A potential cause is that attackers have exploited the Remote Code Execution (RCE) vulnerability of the service to run the command. | |
Suspicious command run by a high-risk application | The threat detection model detected that a high-risk application on your server ran a suspicious command. A high-risk application can be a web service, database service, script, scheduled task, or self-starting item. These applications may have been compromised and used by attackers to run malicious commands. | |
Suspicious encoded command | The threat detection model detected that the command line data of a process on your server was highly suspicious. This may be related to trojans, viruses, or attackers. | |
Suspicious port listening | The threat detection model detected suspicious port listening on your server. After attackers intrude into a server, attackers use software, such as nc, for port listening. This way, attackers establish a hidden communication channel to steal information from the server. | |
Suspicious path | The threat detection model detected a suspicious file name extension on your server. The file is executable, and the format of the file does not match the format represented by the extension. A potential cause is that attackers have changed the file name extension of an executable file during the intrusion process to evade detection. | |
Execution of suspicious files | The threat detection model detected that a file on your server was written and executed in a suspicious manner. The file may be a malicious tool downloaded from external sources and executed by attackers. | |
Suspicious behavior | The threat detection model automatically analyzed the historical behavior of a process on your server and detected a suspicious command. | |
Potential data breach by using HTTP tunnels | The threat detection model detected that an HTTP channel was used to send command execution results on your server to an external server. A potential cause is that attackers have exploited RCE vulnerabilities to send the command execution results on the compromised server to the server that the attackers use. | |
Suspicious SSH tunneling | The threat detection model detected that your server was attempting to establish a suspicious SSH tunnel. | |
Suspicious webshell injection | The threat detection model detected that a suspicious process was attempting to inject a webshell file into your server. | |
Suspicious privilege escalation | The threat detection model detected that some processes on your server were exploiting system vulnerabilities and application vulnerabilities to obtain high system permissions. A potential cause is that attackers have implemented privilege escalation during the intrusion process. | |
Suspicious rootkit behavior | The threat detection model detected that a rootkit backdoor on your server was running suspicious commands. A potential cause is that attackers have inserted a rootkit backdoor and have sent malicious instructions to the backdoor to achieve remote control. | |
Suspicious call of database export tools | The threat detection model analyzed the historical behavior of a process on your server and detected suspicious calls of database export tools. A potential cause is that attackers have stolen data from your server after the server has been compromised. | |
Abnormal behavior sequence | The threat detection model detected the combination of multiple abnormal behavior sequences on your server. The combination is usually caused by the spreading of a family of worms. Your services may also have been infected by worms. | |
Suspicious command run by Apache CouchDB | The threat detection model detected that Apache CouchDB on your server ran a suspicious command. | |
Suspicious command run by FTP applications | The threat detection model detected that an FTP application on your server ran a suspicious command. A potential cause is that attackers have exploited the weak passwords in FTP applications and have used FTP to run batch files. | |
Suspicious command run by Java applications | The threat detection model detected that the Java process on your server performed high-risk operations, such as malicious program download and backdoor addition. A potential cause is that you have used vulnerable web frameworks or middleware. | |
Linux crontab file tampering | The threat detection model detected that a process on your server was attempting to modify files for scheduled tasks on a Linux server. A potential cause is that malicious programs or rootkit programs were attempting to write persistent backdoor code into your server. | |
Suspicious command run by scheduled tasks in Linux | The threat detection model detected that a scheduled task on your server ran a suspicious command. A potential cause is that attackers have written malicious commands in the scheduled tasks to maintain permissions after the server has been compromised. | |
Suspicious command sequence in Linux | The threat detection model detected that a process on your server ran a sequence of suspicious commands. These commands are similar to the sequence of commands that are usually run by attackers after a server has been compromised. We recommend that you check the parent process of the suspicious commands. The parent process may be a remote control trojan, vulnerable web service, or process into which malicious code is injected. | |
Execution of suspicious commands in Linux | The threat detection model detected that the command line data of a process on your server was highly suspicious. This may be related to trojans, viruses, or attackers. | |
Suspicious file writing by using the MySQL EXPORT function | The threat detection model detected that the MySQL application on your server was attempting to write files to sensitive directories. A potential cause is that attackers have executed malicious SQL statements by cracking weak passwords or by using web applications. | |
Suspicious command run by MySQL | The threat detection model detected that the MySQL service on your server ran a suspicious command. Potential causes include weak passwords in the MySQL service and web services into which the SQL statements have been injected. | |
Suspicious command run by Oracle | The threat detection model detected that the Oracle database on your server ran a suspicious command. A potential cause is that attackers have run remote commands after the password of the Oracle database is leaked. | |
Suspicious UDF library file writing by using the Postgres EXPORT function | The threat detection model detected that the Postgres application on your server was attempting to write a suspicious .so file to a disk. A potential cause is that attackers have executed malicious SQL statements in the Postgres application after attackers have cracked the weak password of the Postgres application and have logged on to the Postgres application. Attackers may have used the .so file to obtain control permissions on your server. | |
Suspicious command run by PostgreSQL applications | The threat detection model detected that a PostgreSQL application on your server ran a suspicious command. Potential causes include weak passwords in the PostgreSQL service and web services into which malicious SQL statements have been injected. | |
Execution of suspicious commands by Python applications | The threat detection model detected that a Python application on your server ran a suspicious command. A potential cause is that the Python-based web application on your server has RCE vulnerabilities and has been compromised. | |
Crontab file modified by Redis | The threat detection model detected that the Redis application on your server wrote a suspicious file to a disk. A potential cause is that attackers have used a blank password or have cracked the weak password of the Redis application to execute malicious SQL statements and obtain system permissions. | |
Suspicious command run by Tomcat | The threat detection model detected that the Tomcat container on your server ran a suspicious command. A potential cause is that attackers have exploited webshells or RCE vulnerabilities in the Java applications of Tomcat containers to run malicious commands. | |
Sensitive File Tampering | System file tampering | The threat detection model detected that a process on your server was attempting to modify or replace system files. A potential cause is that attackers were attempting to replace system files to evade detection and hide backdoors. We recommend that you check whether the system files for which the alerts are generated are actual system files. |
System file moving | The threat detection model detected that an upstream process was attempting to move system files on your server. A potential cause is that attackers have moved the system files that have been monitored by security software during the intrusion process to evade detection. | |
Tampering of configuration files used to preload Linux shared library files | The threat detection model detected that the configuration files used to preload Linux shared library files were being tampered with. | |
Other | Abnormal disconnection of the Security Center agent | The threat detection model detected that the main process AliYunDun of the Security Center agent on your server exceptionally stopped and the agent was disconnected from Alibaba Cloud. The disconnection may be caused by network instability and last for a short period of time. Another potential cause is that the Security Center agent has been uninstalled from your server after the server has been compromised. In this case, you must log on to your server and check whether the Security Center agent is running. If the agent is not running, start the agent. |
Webshell | Webshell file | The threat detection model detected a suspicious webshell file on your server. A webshell file may be a backdoor file that is inserted and used by attackers to maintain permissions after attackers intrude into a website. |
Unusual Logon | Logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to your Elastic Compute Service (ECS) instance. |
FTP logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to the FTP application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the FTP application. | |
MySQL logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to the MySQL application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the MySQL application. | |
Server logon by using a backdoor account | The threat detection model detected that an attacker inserted a backdoor account into your server and logged on to your server by using the backdoor account. If you did not perform this operation, we recommend that you immediately delete the backdoor account. | |
Server logon by using an account with a weak password | The threat detection model detected that an account with a weak password was used to log on to your server. This logon may be performed by yourself or attackers. In most cases, attackers crack weak passwords to intrude into a server. We recommend that you immediately configure a strong password. | |
Suspicious external logon scanning | The threat detection model detected that your server frequently initiated brute-force attacks on protocols, such as SSH, RDP, and SMB. A potential cause is that your server has been attacked and has been used by attackers to attack other servers. | |
Logon from an unusual location | The threat detection model detected that your server was logged on from two locations that are far from each other within a short period of time. One of the locations is your usual logon location. The logons from different locations indicate that one of the logon requests is initiated from an unusual location rather than the usual location. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the server. | |
Logon by using an unusual account | The threat detection model detected that you added an unusual account to the administrator group and the account was used to log on to your server. If you did not perform this operation, we recommend that you immediately delete the account. | |
ECS instance compromised due to brute-force attacks initiated by multiple invalid users | The threat detection model detected that multiple invalid users logged on to your server by using the same IP address. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to your ECS instance. | |
ECS instance compromised due to brute-force attacks on RDP | The threat detection model detected that your server was under brute-force attacks on RDP. Attackers cracked the RDP service password and logged on to the server after several times of attempts. | |
ECS instance logon over SSH before suspicious command sequence execution | The threat detection model detected that some malicious commands ran on your server after an IP address was used to log on to the server. A potential cause is that the password used to log on to your server is weak or is leaked. | |
Logon to an ECS instance within an unusual time range | The time when the server is logged on is not within the logon time range that you specify. We recommend that you check whether the logon is valid. | |
Logon to an ECS instance by using an unusual account | The account that is used to log on to the server does not match the condition of a legitimate account. We recommend that you check whether the logon is valid. | |
Logon to an ECS instance by using an unusual IP address | The IP address that is used to log on to the server is not within the IP addresses that you specify. We recommend that you check whether the logon is valid. | |
Logon to an ECS instance from an unusual location | The location from which the server is logged on is not within the logon locations that you specify. We recommend that you check whether the logon is valid. | |
Unusual Network Connection | Port forwarding | The threat detection model detected that a process on your server was attempting to set up a tunnel for port forwarding. A potential cause is that attackers have used your compromised server to attack other servers that are deployed on the same internal network. |
Access to a malicious domain name | The threat detection model analyzed DNS traffic and detected that your server resolved a high-risk domain name. The domain name may be a malicious domain name, such as a domain name of a remote control, domain name of a botnet organization, or mining pool address. In this case, attackers may have intruded into your server and exploited the server. | |
Suspicious outbound connection | The threat detection model detected that your server was attempting to access a website. The website may be related to a mining pool address, a C&C backdoor, and the domain name of a botnet organization. | |
Reverse shell connection by using Meterpreter | The threat detection model detected a suspicious process on your server. The process was attempting to establish a reverse shell connection for the server of the attacker to perform more operations on your server by using Meterpreter. For more information, see Detect reverse shells from multiple dimensions. | |
Communication with mining pools | The threat detection model detected that your server communicated with the IP addresses of mining pools. A potential cause is that your server has been intruded by an attacker and used for mining. | |
Internal network scan | The threat detection model detected that a process on your server initiated scans against the specified ports of multiple internal IP addresses in a short period of time. A potential cause is that attackers have attempted to launch lateral movement attacks after the server has been compromised. | |
Suspicious lateral movement attack on an internal network | The threat detection model detected an abnormal internal network connection on your server. A potential cause is that attackers have launched lateral movement attacks on an internal network after the server has been compromised. | |
Abnormal traffic | The threat detection model analyzed the traffic on your server and detected abnormal traffic. Abnormal traffic can be caused by exploits, malware communications, sensitive data breaches, and suspicious proxies and tunnels. We recommend that you handle the traffic based on the details of the alert. | |
Proactive connection to malicious download sources | The threat detection model detected that your server was attempting to connect to a malicious download source by using HTTP. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. | |
Suspicious command run by Redis | The threat detection model detected that the Redis service on your server executed malicious SQL statements after attackers connected to the Redis service. In this case, the attackers may have controlled your server. | |
Suspicious Account | System logon by using a suspicious account | The threat detection model detected that a user was attempting to log on to the system by using an unauthorized account, a system built-in account, or an attacker account. The logon may be performed by an attacker. |
Alerts for Windows servers
Alert type | Alert name | Description |
Persistence | Suspicious self-startup item | The threat detection model detected that some self-startup items on your server were suspicious. The items may have been added by malware or attackers to achieve persistence. |
Suspicious backdoor | The threat detection model detected a WMI or bitsadmin backdoor on your server. Such a backdoor may have been left by attackers to maintain system permissions after your server has been compromised. | |
Abnormal code in memory | The threat detection model detected malicious instructions in the memory of a process on your server. The process may be malware that is left by attackers or a process into which malicious code is injected. | |
Abnormal process | The threat detection model detected that abnormal processes exist in the running programs on your server. The processes may be malicious processes or processes that loaded malicious code. | |
Abnormal registry configuration | The threat detection model detected a suspicious registry configuration on your server. In most cases, some key registry configurations may be modified by malware to achieve persistence or conduct sabotage behavior. | |
Abnormal self-startup item | The threat detection model detected abnormal self-startup items on your server. The self-startup items may have been added by malware or attackers to achieve persistence. | |
Cobalt Strike RAT | The threat detection model detected malicious code of Cobalt Strike RAT in the memory of a process on your server. The process may be a malicious process or a process into which malicious code has been injected. | |
Malicious scripts | Execution of malicious script code | The threat detection model detected that malicious script code, such as Bash, PowerShell, and Python, was executed on your server. |
Detection of a malicious script file | The threat detection model detected a malicious script file on your server. The file may be inserted by attackers who intruded into your server. We recommend that you perform the following operations: Check whether the file content is legitimate based on the tag of the malicious script. Then, handle the file. | |
Malware | Malicious program | The threat detection model detected that a malicious program was running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage. |
Access to a malicious IP address | The threat detection model detected that a process on your server was attempting to connect to a malicious IP address. This IP address may be the IP address of a C&C server or the IP address of a mining pool that is exploited by attackers, which has high risks. The process may be a malicious file that is inserted by attackers. | |
Infectious virus | The threat detection model detected that an infectious virus was running on your server. An infectious virus is a type of advanced malicious program. The virus itself writes malicious code into normal program files for execution. Therefore, a large number of normal programs are often infected and then detected as virus hosts. | |
Attacker tool | The threat detection model detected attacker tools on your server. Attacker tools are the tools that are exploited by attackers to escalate privileges and steal sensitive data during the intrusion process, the programs that are used to uninstall security software, or the backdoor programs that are inserted in the system after the attackers intrude into your server. | |
Backdoor program | The threat detection model detected that a backdoor program was running on your server. A backdoor program is a persistent program that is inserted in the system and exploited by attackers to continuously intrude into the server. | |
Suspicious program | The threat detection model detected that a suspicious program was running on your server. In most cases, a suspicious program has the characteristics of malicious code or has the characteristics of a program that is highly suspicious and needs to be classified. You must determine suspicious programs based on the code or program details. | |
Ransomware | The threat detection model detected that ransomware was running on your server. Ransomware is a malicious program that encrypts and locks all key data files on the server to gain ransom. | |
Exploit | The threat detection model detected that an exploit was running on your server. An exploit takes advantage of known vulnerabilities in operating systems and applications to escalate privileges, implement escapes, and execute arbitrary code. | |
Trojan | The threat detection model detected a trojan on your server. A trojan is a special program that is used to intrude into your server. After a trojan is inserted in the system in disguise, the trojan downloads and releases malicious programs. | |
Worm | The threat detection model detected that a worm was running on your server. A worm is a type of program that replicates itself to spread from a compromised server to another server. A worm can exploit vulnerabilities and launch brute-force attacks. | |
Mining program | The threat detection model detected that a mining program was running on your server. A mining program is a type of program that consumes the computing resources of the server and mines cryptocurrency. This type of program causes extremely high CPU utilization and brings malicious programs. | |
Self-mutating trojan | The threat detection model detected that a self-mutating trojan was running on your server. A self-mutating trojan changes its file hash or replicates itself to a large number of paths and runs in the background. This way, it avoids being cleaned by the system. | |
DDoS trojan | The threat detection model detected that a DDoS trojan was running on your server. A DDoS trojan is a malicious program that is used to receive instructions from a compromised server to launch DDoS attacks against a specific server. | |
Hashdump running | The threat detection model detected that malware, such as Windows Credentials Editor (WCE) and minikazi, was running on your server. Such malware can steal the hash value of the system account, which causes password leaks. | |
Suspicious Process | Creation of suspicious scheduled tasks in Windows | The threat detection model detected that a suspicious scheduled task was created on your server. A potential cause is that malware or attackers have created the task to maintain permissions during the intrusion process. |
Call of risk tools | The threat detection model detected a suspicious call of risk tools on your server. The risk tools can be used as proxies, tunnels, or scanning tools that are exploited by attackers to intrude into the server. | |
Suspicious process running by using WMIC | The threat detection model detected that your server was attempting to use WMIC to create and run programs. A potential cause is that attackers have created WMIC tasks to maintain system permissions after the server has been compromised. | |
Connection to a malicious download source | The threat detection model detected that your server was attempting to connect to a malicious download source. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. | |
Suspicious command run by a high-risk application | The threat detection model detected that a high-risk application on your server ran a suspicious command. A high-risk application can be a web service, database service, script, scheduled task, or self-startup item. These applications may have been compromised and used by attackers to run malicious commands. | |
Creation of suspicious files in high-risk applications | The threat detection model detected that sensitive services, such as web applications, created executable files or scripts on your server. A potential cause is that attackers have exploited vulnerabilities to implant viruses or trojans into your server. | |
Suspicious script operation | The threat detection model detected that some commands that are related to scripts running on your server are highly suspicious. The detected threat may be caused by malware or attackers. | |
Suspicious process path | The threat detection model detected that a process on your server was started from an unusual path in which normal software is not installed. The process may be a virus, a trojan, or a tool that is brought in when attackers intrude into your server. | |
Process with a suspicious file name | The threat detection model detected that the file of a process on your server had a suspicious file name extension or the file name imitated the name of the system file. The process may be a virus, a trojan, or a tool that is brought in when attackers intrude into your server. | |
Suspicious port listening | The threat detection model detected suspicious port listening on your server. After attackers intrude into a server, attackers use software, such as nc, for port listening. This way, attackers establish a hidden communication channel to steal information from the server. | |
Suspicious command | The threat detection model detected that the information collection command on your server was suspicious or the calls among running processes were suspicious. This may be related to trojans, viruses, or attackers. | |
Execution of suspicious files | The threat detection model detected that a file on your server was written and executed in a suspicious manner. The file may be a malicious tool downloaded from external sources and executed by attackers. | |
Suspicious modification to registry configurations | The threat detection model detected that a process was attempting to modify the registry configurations on your server. A potential cause is that attackers have written backdoor code into your server or have modified the sensitive configurations after attackers have obtained system permissions. | |
Suspicious command sequence | The threat detection model detected that a process on your server ran a sequence of suspicious commands. These commands are similar to the sequence of commands that are usually run by attackers after a server has been compromised. We recommend that you check the parent process of the suspicious commands. The parent process may be a remote control trojan, vulnerable web service, or process into which malicious code is injected. | |
ProcDump for data dumps | The threat detection model detected that the ProcDump process was saving sensitive data that is stored in the process memory to the disks on your server. This saving operation may cause sensitive data breaches. | |
Suspicious process startup by using BITSAdmin | The threat detection model detected that the BITSAdmin tool was being used to start a suspicious process on your server. A potential cause is that attackers have used the BITSAdmin tool to implant malicious programs into your server and run malicious commands. | |
Malicious code loading by using Windows system files | The threat detection model detected that a malicious command was running on your server. A potential cause is that attackers have used Windows system files to execute malicious code and evade the detection of security software. | |
Suspicious modification to self-startup items | The threat detection model detected that a process was attempting to modify a self-startup item on your server. The modification may be performed by attackers or trojans to maintain system permissions. | |
Modification to read-only and hidden attributes of files by using attrib.exe | The threat detection model detected that a process was attempting to use attrib.exe to modify the read-only and hidden attributes of the files on your server. | |
Self-startup item addition in the system registry | The threat detection model detected that a program was adding self-startup items to the registry on your server. The program may be malware, promotion software into which backdoors have been injected, or a persistent task that has been inserted by attackers after the server has been compromised. The program may also have been used by normal software to achieve self-starting. We recommend that you check whether the program is a trusted program. | |
Suspicious file download from a remote server to a disk by using FTP | The threat detection model detected that a process was attempting to download suspicious files from a remote server by using FTP on your server. | |
Suspicious file copy to a disk by using RDP | The threat detection model detected that an attacker was attempting to copy suspicious files to your server by using RDP. A potential cause is that attackers have stolen or cracked the RDP password that is used to log on to your server. | |
Abnormal deletion of system backup files | The threat detection model detected that a process was attempting to delete the system backup files from your server. A potential cause is that ransomware has deleted your system backup files to prevent file restoration and extort ransom. | |
Abnormal deletion of system logs | The threat detection model detected that a process was attempting to delete the system logs. A potential cause is that malware or attackers have deleted the system logs to evade detection. | |
Suspicious attacker tool | The threat detection model detected that some commands running on your server are very similar to the tools that are usually used by attackers. The commands may be run by attackers during the intrusion process. | |
Suspicious privilege escalation in Windows | The threat detection model detected that some commands that were running on your server were very suspicious. A potential cause is that attackers have exploited the Windows system vulnerabilities or application vulnerabilities to escalate privileges. | |
Abnormal registry operation | The threat detection model detected that some commands that were used to manage the Windows registry were highly suspicious. A potential cause is that malware or attackers have modified some registry configurations after the server has been compromised. | |
Suspicious call of database export tools | The threat detection model analyzed the historical behavior of a process on your server and detected suspicious calls of database export tools. A potential cause is that attackers have stolen data from your server after the server has been compromised. | |
Suspicious calls of system tools | The threat detection model detected that a process on your server was calling system tools in a suspicious manner. A potential cause is that trojans or attackers have called the tools to perform some malicious operations, such as malicious file download, malicious code execution, encryption, and decryption, to evade the detection of common security software. | |
Suspicious modification to system security configurations | The threat detection model detected that a process on your server was modifying the security configurations of the system. A potential cause is that malware or attackers have modified the configurations of the firewall and antivirus software to evade detection. | |
Execution of malicious commands | The threat detection model detected that the command line data of a process on your server was highly suspicious. This may be related to trojans, viruses, or attackers. | |
Malicious commands run by Cobalt Strike | The threat detection model detected that a Cobalt Strike agent was installed on your server and the Cobalt Strike agent was running malicious commands. | |
Suspicious command run by FTP applications | The threat detection model detected that an FTP application on your server ran a suspicious command. A potential cause is that attackers have exploited the weak passwords in FTP applications and have used FTP to run batch files. | |
Suspicious command run by Java applications | The threat detection model detected that the Java process on your server performed high-risk operations, such as malicious program download and backdoor addition. A potential cause is that you have used vulnerable web frameworks or middleware. | |
Suspicious process run by LSASS | The threat detection model detected that the lsass.exe process ran a suspicious command on your server. The lsass.exe process is a security authorization process in the Windows operating system. The process authenticates users and generates tokens. Multiple system vulnerabilities are exploited by attackers to initiate buffer overflow attacks against this process so that the attackers can obtain the complete control permissions of the target process. | |
Suspicious command run by MySQL | The threat detection model detected that the MySQL service on your server ran a suspicious command. Potential causes include weak passwords in the MySQL service and web services into which the SQL statements have been injected. | |
Suspicious command run by PostgreSQL applications | The threat detection model detected that a PostgreSQL application on your server ran a suspicious command. Potential causes include weak passwords in the PostgreSQL service and web services into which malicious SQL statements have been injected. | |
Execution of suspicious commands by Python applications | The threat detection model detected that a Python application on your server ran a suspicious command. A potential cause is that the Python-based web application on your server has RCE vulnerabilities and has been compromised. | |
Suspicious command run by regsvr32 | The threat detection model detected that regsvr32.exe was running a suspicious command on your server. A potential cause is that attackers have injected malicious code into the Windows OCX files to evade detection and have used regsvr32.exe to execute the code in the memory of your server. | |
Suspicious command run by rundll32 | The threat detection model detected that rundll32.exe was running a suspicious command on your server. A potential cause is that attackers have injected malicious code into the Windows DLL files to evade detection and have used rundll32.exe to execute the code in the memory of your server. | |
Suspicious file writes to disks by SQL Server | The threat detection model detected that the SQL Server application on your server was attempting to write a suspicious file to a disk. A potential cause is that attackers have cracked the weak password of the Redis application to execute malicious SQL statements in the SQL Server application. | |
Suspicious command run by SQL Server applications | The threat detection model detected that the SQL Server application on your server ran a suspicious command. A potential cause is that attackers have cracked the weak password of the SQL Server application and have used the command execution component of the SQL Server application to run malicious commands. | |
Suspicious command run by Tomcat | The threat detection model detected that the Tomcat container on your server ran a suspicious command. A potential cause is that attackers have exploited webshells or RCE vulnerabilities in the Java applications of Tomcat containers to run malicious commands. | |
Modification to Windows Defender configurations | The threat detection model detected that your server was modifying the registry to disable some features of Windows Defender. The modification operation may have been performed by attackers who have attempted to evade detection and prevention after the server has been compromised. | |
Modification to Windows RDP configurations for port 3389 | The threat detection model detected that the RDP configurations of your server were being modified. A potential cause is that attackers have modified the RDP configurations to maintain permissions after the server has been compromised. | |
Creation of scheduled tasks in Windows | The threat detection model detected that suspicious scheduled tasks were being created on your server. A potential cause is that attackers have inserted backdoors in your server to maintain permissions after the server has been compromised. | |
Creation of suspicious service startup items in Windows | The threat detection model detected that an upstream process was attempting to create suspicious service startup items on your server. A potential cause is that attackers have inserted malicious programs in your server. If a malicious program is running, service startup items are created to maintain permissions. | |
Logon credential breaches in Windows | The threat detection model detected that some programs on your server modified the WDigest item in the registry. A potential cause is that attackers have changed the value of UseLogonCredential to allow logon credentials to be stored in plaintext. This way, attackers can steal the logon credentials from the memory of the server. | |
Execution of HTML scripts by using mshta on Windows | The threat detection model detected that a process on your server was attempting to call mshta to execute scripts embedded in HTML pages. This way, attackers can implant malicious programs into the server. | |
Suspicious port forwarding in Windows | The threat detection model detected that a command was running for port forwarding on an internal network. A potential cause is that attackers were launching lateral movement attacks on the internal network. | |
Modification of Windows Firewall configurations | The threat detection model detected that a process was attempting to modify the configurations of Windows Firewall. | |
Self-startup item addition in Windows | The threat detection model detected that abnormal self-startup items were added to your server. A potential cause is that attackers have added malicious programs to the self-startup items to maintain permissions after the server has been compromised. | |
Abnormal operation on a Windows account | The threat detection model detected that the Windows account was used to perform operations on your server and the running command was suspicious. A potential cause is that malware or attackers have used the Windows account to perform operations on the server. | |
Other | Abnormal disconnection of the Security Center agent | The threat detection model detected that the main process AliYunDun of the Security Center agent on your server exceptionally stopped and the agent was disconnected from Alibaba Cloud. The disconnection may be caused by network instability and last for a short period of time. Another potential cause is that the Security Center agent has been uninstalled from your server after the server has been compromised. In this case, you must log on to your server and check whether the Security Center agent is running. If the agent is not running, start the agent. |
Webshell | Webshell file | The threat detection model detected a suspicious webshell file on your server. A webshell file may be a backdoor file that is inserted and used by attackers to maintain permissions after attackers intrude into a website. |
Unusual Logon | Logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to your ECS instance. |
FTP logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to the FTP application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the FTP application. | |
MySQL logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to the MySQL application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the MySQL application. | |
SQL Server logon by using a malicious IP address | The threat detection model detected that a malicious IP address was used to log on to the SQL Server application on your server. The IP address was used to initiate attacks. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the SQL Server application. | |
Server logon by using a backdoor account | The threat detection model detected that an attacker inserted a backdoor account into your server and logged on to your server by using the backdoor account. If you did not perform this operation, we recommend that you immediately delete the backdoor account. | |
Server logon by using an account with a weak password | The threat detection model detected that an account with a weak password was used to log on to your server. This logon may be performed by yourself or attackers. In most cases, attackers crack weak passwords to intrude into a server. We recommend that you immediately configure a strong password. | |
Suspicious external logon scanning | The threat detection model detected that your server frequently initiated brute-force attacks on protocols, such as SSH, RDP, and SMB. A potential cause is that your server has been attacked and has been used by attackers to attack other servers. | |
Logon from an unusual location | The threat detection model detected that your server was logged on from two locations that are far from each other within a short period of time. One of the locations is your usual logon location. The logons from different locations indicate that one of the logon requests is initiated from an unusual location rather than the usual location. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to the server. | |
Logon by using an unusual account | The threat detection model detected that you added an unusual account to the administrator group and the account was used to log on to your server. If you did not perform this operation, we recommend that you immediately delete the account. | |
ECS instance compromised due to brute-force attacks initiated by multiple invalid users | The threat detection model detected that multiple invalid users logged on to your server by using the same IP address. If you did not perform this operation, we recommend that you immediately change the password that is used to log on to your ECS instance. | |
ECS instance compromised due to brute-force attacks on SSH | The threat detection model detected that your server was under brute-force attacks on SSH. Attackers cracked the SSH service password and logged on to the server after several times of attempts. | |
ECS instance logon over SSH before suspicious command sequence execution | The threat detection model detected that some malicious commands ran on your server after an IP address was used to log on to the server. A potential cause is that the password used to log on to your server is weak or is leaked. | |
Logon to an ECS instance within an unusual time range | The time when the server is logged on is not within the logon time range that you specify. We recommend that you check whether the logon is valid. | |
Logon to an ECS instance by using an unusual account | The account that is used to log on to the server does not match the condition of a legitimate account. We recommend that you check whether the logon is valid. | |
Logon to an ECS instance by using an unusual IP address | The IP address that is used to log on to the server is not within the IP addresses that you specify. We recommend that you check whether the logon is valid. | |
Logon to an ECS instance from an unusual location | The location from which the server is logged on is not within the logon locations that you specify. We recommend that you check whether the logon is valid. | |
Unusual Network Connection | Port forwarding | The threat detection model detected that a process on your server was attempting to set up a tunnel for port forwarding. A potential cause is that attackers have used your compromised server to attack other servers that are deployed on the same internal network. |
Access to a malicious domain name | The threat detection model analyzed DNS traffic and detected that your server resolved a high-risk domain name. The domain name may be a malicious domain name, such as a domain name of a remote control, domain name of a botnet organization, or mining pool address. In this case, attackers may have intruded into your server and exploited the server. | |
Reverse shell connection by using Meterpreter | The threat detection model detected a suspicious process on your server. The process was attempting to establish a reverse shell connection for the server of the attacker to perform more operations on your server by using Meterpreter. For more information, see Detect reverse shells from multiple dimensions. | |
Communication with mining pools | The threat detection model detected that your server communicated with the IP addresses of mining pools. A potential cause is that your server has been intruded by an attacker and used for mining. | |
Internal network scan | The threat detection model detected that a process on your server initiated scans against the specified ports of multiple internal IP addresses in a short period of time. A potential cause is that attackers have attempted to launch lateral movement attacks after the server has been compromised. | |
Suspicious sensitive port scanning | The threat detection model detected that a process on your server sent a large number of network requests to sensitive ports in a short period of time. The behavior may be port scanning behavior. | |
Abnormal traffic | The threat detection model analyzed the traffic on your server and detected abnormal traffic. Abnormal traffic can be caused by exploits, malware communications, sensitive data breaches, and suspicious proxies and tunnels. We recommend that you handle the traffic based on the details of the alert. | |
Proactive connection to malicious download sources | The threat detection model detected that your server was attempting to connect to a malicious download source by using HTTP. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. | |
Abnormal network connections in Windows | The threat detection model detected that the connection of a process on your server was unusual. This may be related to trojans, viruses, or attackers. | |
Suspicious Account | System logon by using a suspicious account | The threat detection model detected that a user was attempting to log on to the system by using an unauthorized account, a system built-in account, or an attacker account. The logon may be performed by an attacker. |
Alerts for containers
Alert type | Alert name | Description |
Malware | Malicious program | The threat detection model detected that a malicious program was running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage. |
Access to a malicious IP address | The threat detection model detected that a process on your server was attempting to connect to a malicious IP address. This IP address may be the IP address of a C&C server or the IP address of a mining pool that is exploited by attackers, which has high risks. The process may be a malicious file that is inserted by attackers. | |
Infectious virus | The threat detection model detected that an infectious virus was running on your server. An infectious virus is a type of advanced malicious program. The virus itself writes malicious code into normal program files for execution. Therefore, a large number of normal programs are often infected and then detected as virus hosts. | |
Attacker tool | The threat detection model detected attacker tools on your server. Attacker tools are the tools that are exploited by attackers to escalate privileges and steal sensitive data during the intrusion process, the programs that are used to uninstall security software, or the backdoor programs that are inserted in the system after the attackers intrude into your server. | |
Backdoor program | The threat detection model detected that a backdoor program was running on your server. A backdoor program is a persistent program that is inserted in the system and exploited by attackers to continuously intrude into the server. | |
Suspicious program | The threat detection model detected that a suspicious program was running on your server. In most cases, a suspicious program has the characteristics of malicious code or has the characteristics of a program that is highly suspicious and needs to be classified. You must determine suspicious programs based on the code or program details. | |
Ransomware | The threat detection model detected that ransomware was running on your server. Ransomware is a malicious program that encrypts and locks all key data files on the server to gain ransom. | |
Trojan | The threat detection model detected a trojan on your server. A trojan is a special program that is used to intrude into your server. After a trojan is inserted in the system in disguise, the trojan downloads and releases malicious programs. | |
Worm | The threat detection model detected that a worm was running on your server. A worm is a type of program that replicates itself to spread from a compromised server to another server. A worm can exploit vulnerabilities and launch brute-force attacks. | |
Mining program | The threat detection model detected that a mining program was running on your server. A mining program is a type of program that consumes the computing resources of the server and mines cryptocurrency. This type of program causes extremely high CPU utilization and brings malicious programs. | |
Self-mutating trojan | The threat detection model detected that a self-mutating trojan was running on your server. A self-mutating trojan changes its file hash or replicates itself to a large number of paths and runs in the background. This way, it avoids being cleaned by the system. | |
DDoS trojan | The threat detection model detected that a DDoS trojan was running on your server. A DDoS trojan is a malicious program that is used to receive instructions from a compromised server to launch DDoS attacks against a specific server. | |
Suspicious Process | Tampering of file time | The threat detection model detected that a process on your server attempted to modify the file time. The process may be triggered by attackers who imitate the actual file time to forge the actual creation, access, or modification time of abnormal files to evade detection. |
Remote API debugging in Docker that may pose security risks | The threat detection model detected that the Docker remote debugging interface was open to 0.0.0.0 on your server. The interface exposed on the Internet will be quickly intruded by worms. Make sure that the interface is exposed only on a trusted network. | |
Connection to a malicious download source | The threat detection model detected that your server was attempting to connect to a malicious download source. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. | |
Suspicious command run by a process | The threat detection model automatically analyzed the historical behavior of a process on your server and detected that the process ran a suspicious command. A potential cause is that attackers have exploited the RCE vulnerability of the service to run the command. | |
Suspicious encoded command | The threat detection model detected that the command line data of a process on your server was highly suspicious. This may be related to trojans, viruses, or attackers. | |
Suspicious starting of a privileged container. | The threat detection model detected that a suspicious privileged container was started on your server, which affected container security. If the container is compromised, containers and assets on the server will be affected. Make sure that the privileged container uses trusted image sources and the service that is running in the container is protected against intrusion. | |
Execution of suspicious files | The threat detection model detected that a file on your server was written and executed in a suspicious manner. The file may be a malicious tool downloaded from external sources and executed by attackers. | |
Suspicious behavior | The threat detection model automatically analyzed the historical behavior of a process on your server and detected a suspicious command. | |
Container network scanning behavior | The threat detection model detected that a container on your server was proactively performing a suspicious network scan. The scan may be performed by attackers to compromise your server and move from the compromised server to other servers. | |
High-risk container-related operation | The threat detection model detected that high-risk container-related operations were being performed on your server. The high-risk operations include container startup by using high-risk permissions and mapping of sensitive directories, files, and ports to containers. | |
Execution of suspicious commands inside a container | The threat detection model detected that suspicious commands were being executed inside your container, which indicates potential intrusion. | |
Collection of credentials inside containers | The threat detection model detected access to sensitive information and files within a container. The information and files include the configuration files of Docker/Swarm/Kubernetes, database connection configurations, logon credentials, AccessKey pairs, certificates, and private key files. We recommend that you check whether the container has been compromised and data has been leaked. | |
Privilege escalation in containers or container escapes | The threat detection model detected suspicious scripts or instructions that were used to escalate privileges or vulnerabilities in your containers. A potential cause is that your containers have been compromised. | |
Collection of container information | The threat detection model detected that suspicious commands were run inside the containers on your server. These commands are usually used by attackers to collect information inside a container after the container is compromised. If the operation is not a trusted operation, we recommend that you immediately reset the container. Trusted operations include the operations of security software and O&M operations of administrators. | |
Running of malicious container images | The threat detection model detected that a malicious container image was running on your server. This image may contain backdoors, mining programs, viruses, or known severe vulnerabilities. We recommend that you perform troubleshooting and use trusted image resources. | |
Abnormal operation on files of Docker | The threat detection model detected that the Docker process on your server was modifying the core service configurations or sensitive files of the system. A potential cause is that attackers have exploited the vulnerabilities in the Docker services to hijack some Docker services and have used the services to initiate container escape attacks, such as CVE-2019-5736 Docker runC and CVE-2019-14271 Docker CP. We recommend that you check whether the Docker container of the current version has such vulnerabilities. | |
Suspicious command run by FTP applications | The threat detection model detected that an FTP application on your server ran a suspicious command. A potential cause is that attackers have exploited the weak passwords in FTP applications and have used FTP to run batch files. | |
Suspicious command run by Java applications | The threat detection model detected that the Java process on your server performed high-risk operations, such as malicious program download and backdoor addition. A potential cause is that you have used vulnerable web frameworks or middleware. | |
Abnormal behavior of Kubernetes service accounts | The threat detection model detected an abnormal instruction inside your container. The instruction attempted to connect to the Kubernetes API server by using a Kubernetes service account. We recommend that you check whether the operation is a trusted operation. Trusted operations include the operations of security software and O&M operations of administrators. Make sure that the account is granted permissions based on the principle of least privilege. This avoids an attacker moving from a compromised container to other containers by using the Kubernetes API after the container is compromised. | |
Suspicious command sequence in Linux | The threat detection model detected that a process on your server ran a sequence of suspicious commands. These commands are similar to the sequence of commands that are usually run by attackers after a server has been compromised. We recommend that you check the parent process of the suspicious commands. The parent process may be a remote control trojan, vulnerable web service, or process into which malicious code is injected. | |
Execution of suspicious commands in Linux | The threat detection model detected that the command line data of a process on your server was highly suspicious. This may be related to trojans, viruses, or attackers. | |
Suspicious command run by Oracle | The threat detection model detected that the Oracle database on your server ran a suspicious command. A potential cause is that attackers have run remote commands after the password of the Oracle database is leaked. | |
Suspicious command run by Tomcat | The threat detection model detected that the Tomcat container on your server ran a suspicious command. A potential cause is that attackers have exploited webshells or RCE vulnerabilities in the Java applications of Tomcat containers to run malicious commands. | |
K8s Abnormal Behavior | Startup of a pod based on a malicious image | The threat detection model detected that a pod that contained a malicious image was started in your Kubernetes cluster. We recommend that you check whether the image is from a trusted image source and the process inside the pod has malicious programs, such as backdoors and mining programs. |
Suspicious instruction run on a Kubernetes API server | The threat detection model detected that suspicious instructions were run on your Kubernetes API server. A potential cause is that attackers have obtained and used the credentials of your API server. We recommend that you check whether the server has been compromised. | |
Abnormal access to Secrets in a Kubernetes cluster | The threat detection model detected that Secrets were being enumerated inside your Kubernetes cluster. A potential cause is that attackers were stealing sensitive information of the Secrets in the Kubernetes cluster after the cluster has been compromised. We recommend that you check whether the operation was performed by a trusted program or the administrator. | |
Transfer of Kubernetes service accounts from one application to another | The threat detection model detected that one of your service accounts requested permissions outside of the historical baseline or failed authentication several times. A potential cause is that attackers have intruded into a pod and have used the credentials of the service account that was obtained from your server to attack an API server. We recommend that you immediately perform troubleshooting. | |
Successful authentication of an anonymous user in Kubernetes API logs | The threat detection model analyzed your Kubernetes API logs and detected that an anonymous user logged on to your Kubernetes cluster. In most cases, anonymous users cannot be used for Kubernetes cluster O&M. If an anonymous user logs on to a cluster and the cluster is exposed to the Internet, the cluster is at high risk. We recommend that you check whether the operation is performed by a trusted administrator and immediately revoke the access permissions of the anonymous user. | |
Mounting of sensitive node directories | The threat detection model detected that sensitive directories or files were mounted when your pod was starting. A potential cause is that attackers have mounted sensitive files to escape from the pod layer to the node layer to achieve persistence. We recommend that you check whether the operation is trusted. | |
Webshell | Webshell file | The threat detection model detected a suspicious webshell file on your server. A webshell file may be a backdoor file that is inserted and used by attackers to maintain permissions after attackers intrude into a website. |
Unusual Network Connection | Suspicious outbound connection | The threat detection model detected that your server was attempting to access a website. The website may be related to a mining pool address, a C&C backdoor, and the domain name of a botnet organization. |
Communication with mining pools | The threat detection model detected that your server communicated with the IP addresses of mining pools. A potential cause is that your server has been intruded by an attacker and used for mining. | |
Internal network scan | The threat detection model detected that a process on your server initiated scans against the specified ports of multiple internal IP addresses in a short period of time. A potential cause is that attackers have attempted to launch lateral movement attacks after the server has been compromised. | |
Suspicious command run by Redis | The threat detection model detected that the Redis service on your server executed malicious SQL statements after attackers connected to the Redis service. In this case, the attackers may have controlled your server. |
Alerts for the Alibaba Cloud platform
Alert type | Alert name | Description |
Cloud threat detection | Suspicious changing of user passwords | The threat detection model detected that your Alibaba Cloud account changed the password of a specific user by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. |
Suspicious enumeration of security group rules | The threat detection model detected that your Alibaba Cloud account enumerated the security group policies by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. | |
Suspicious enumeration of users | The threat detection model detected that your Alibaba Cloud account enumerated all users by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. | |
Suspicious enumeration of specific roles | The threat detection model detected that your Alibaba Cloud account enumerated specific roles by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. | |
Suspicious deletion of security group rules | The threat detection model detected that your Alibaba Cloud account deleted security group rules by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. | |
Suspicious modification to security group rules | The threat detection model detected that your Alibaba Cloud account modified security group rules by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. | |
Suspicious behavior of changing an ECS password | The threat detection model detected that your Alibaba Cloud account changed the password that was used to log on to your ECS instance by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. | |
Suspicious addition of security group rules | The threat detection model detected that your Alibaba Cloud account added security group rules by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. | |
Suspicious addition of SSH keys to an ECS instance | The threat detection model detected that your Alibaba Cloud account added SSH keys by using APIs, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. | |
Abnormal commands of Cloud Assistant | The threat detection model detected that your Alibaba Cloud account ran malicious commands by using the Cloud Assistant API, which was not high-frequency behavior. A potential cause is that attackers have obtained your AccessKey pair to perform malicious operations. | |
ActionTrail disabled | The threat detection model detected that your Alibaba Cloud account disabled ActionTrail by using APIs. A potential cause is that attackers have disabled ActionTrail to prevent the malicious behavior from being recorded. We recommend that you keep ActionTrail enabled in consideration of security. | |
Log delivery from ActionTrail to OSS disabled | The threat detection model detected that your Alibaba Cloud account disabled ActionTrail by using APIs. A potential cause is that attackers have disabled ActionTrail to prevent the malicious behavior from being recorded. We recommend that you enable the feature of log delivery from ActionTrail to Simple Log Service in consideration of security. | |
Log delivery from ActionTrail to Simple Log Service disabled | The threat detection model detected that your Alibaba Cloud account disabled ActionTrail by using APIs. A potential cause is that attackers have disabled ActionTrail to prevent the malicious behavior from being recorded. We recommend that you enable the feature of log delivery from ActionTrail to Simple Log Service in consideration of security. |
Alerts generated by analyzing traffic
Alert type | Alert name | Description |
Unusual Network Connection | Access to a malicious domain name | The threat detection model analyzed DNS traffic and detected that your server resolved a high-risk domain name. The domain name may be a malicious domain name, such as a domain name of a remote control, domain name of a botnet organization, or mining pool address. In this case, attackers may have intruded into your server and exploited the server. |
Reverse shell connection by using Meterpreter | The threat detection model detected a suspicious process on your server. The process was attempting to establish a reverse shell connection for the server of the attacker to perform more operations on your server by using Meterpreter. | |
Communication with mining pools | The threat detection model detected that your server communicated with the IP addresses of mining pools. A potential cause is that your server has been intruded by an attacker and used for mining. | |
Abnormal traffic | The threat detection model analyzed the traffic on your server and detected abnormal traffic. Abnormal traffic can be caused by exploits, malware communications, sensitive data breaches, and suspicious proxies and tunnels. We recommend that you handle the traffic based on the details of the alert. | |
Proactive connection to malicious download sources | The threat detection model detected that your server was attempting to connect to a malicious download source by using HTTP. A potential cause is that attackers have exploited weak passwords or command execution vulnerabilities to download malicious files from a remote server. | |
Suspicious command run by Redis | The threat detection model detected that the Redis service on your server executed malicious SQL statements after attackers connected to the Redis service. In this case, the attackers may have controlled your server. | |
Web Application Threat Detection | SQL injection | The threat detection model analyzed HTTP traffic and detected that the Web service on your server was suspected of having SQL injection vulnerabilities and had been exploited by attackers. |
Successful exploitation of high-risk vulnerabilities | The threat detection model analyzed HTTP traffic and detected that your server had high-risk web vulnerabilities, which have been exploited by attackers. | |
Sensitive file leaks | The threat detection model analyzed HTTP traffic and detected that sensitive files on your server were accessed by external IP addresses over HTTP. This may cause data breaches. | |
Suspected attacks against web services | The threat detection model detected that the HTTP request logs generated on your server included command lines and the HTTP response logs included command outputs. A potential cause is that command execution vulnerabilities have been detected on your web services and have been exploited by attackers. |
Alerts generated by analyzing file content
Alert type | Alert name | Description |
Persistence | Suspicious scheduled task in Linux | The threat detection model detected a suspicious scheduled task on your server. The task may be persistent behavior that is left by attackers in your server. |
Malicious scripts | Detection of a malicious script file | The threat detection model detected a malicious script file on your server. The file may be inserted by attackers who intruded into your server. We recommend that you perform the following operations: Check whether the file content is legitimate based on the tag of the malicious script. Then, handle the file. |
Malware | Tainted basic software | The threat detection model detected tainted basic software on your server. In most cases, tainted basic software is a system program into which malicious code is injected. Although the tainted basic software offers basic features, it covertly conducts malicious behavior. |
Malicious program | The threat detection model detected that a malicious program was running on your server. A malicious program is a program that has a variety of malicious behavior characteristics, or a third-party program that causes disruption or damage. | |
Infectious virus | The threat detection model detected that an infectious virus was running on your server. An infectious virus is a type of advanced malicious program. The virus itself writes malicious code into normal program files for execution. Therefore, a large number of normal programs are often infected and then detected as virus hosts. | |
Attacker tool | The threat detection model detected attacker tools on your server. Attacker tools are the tools that are exploited by attackers to escalate privileges and steal sensitive data during the intrusion process, the programs that are used to uninstall security software, or the backdoor programs that are inserted in the system after the attackers intrude into your server. | |
Backdoor program | The threat detection model detected that a backdoor program was running on your server. A backdoor program is a persistent program that is inserted in the system and exploited by attackers to continuously intrude into the server. | |
Suspicious program | The threat detection model detected that a suspicious program was running on your server. In most cases, a suspicious program has the characteristics of malicious code or has the characteristics of a program that is highly suspicious and needs to be classified. You must determine suspicious programs based on the code or program details. | |
Ransomware | The threat detection model detected that ransomware was running on your server. Ransomware is a malicious program that encrypts and locks all key data files on the server to gain ransom. | |
Trojan | The threat detection model detected a trojan on your server. A trojan is a special program that is used to intrude into your server. After a trojan is inserted in the system in disguise, the trojan downloads and releases malicious programs. | |
Worm | The threat detection model detected that a worm was running on your server. A worm is a type of program that replicates itself to spread from a compromised server to another server. A worm can exploit vulnerabilities and launch brute-force attacks. | |
Mining program | The threat detection model detected that a mining program was running on your server. A mining program is a type of program that consumes the computing resources of the server and mines cryptocurrency. This type of program causes extremely high CPU utilization and brings malicious programs. | |
Self-mutating trojan | The threat detection model detected that a self-mutating trojan was running on your server. A self-mutating trojan changes its file hash or replicates itself to a large number of paths and runs in the background. This way, it avoids being cleaned by the system. | |
DDoS trojan | The threat detection model detected that a DDoS trojan was running on your server. A DDoS trojan is a malicious program that is used to receive instructions from a compromised server to launch DDoS attacks against a specific server. | |
Rootkit | The threat detection model detected a rootkit on your server. A rootkit is a malicious module that is inserted in the underlying system. A rootkit is used to hide the traces of itself or other malicious programs. | |
Webshell | Webshell file | The threat detection model detected a suspicious webshell file on your server. A webshell file may be a backdoor file that is inserted and used by attackers to maintain permissions after attackers intrude into a website. |
Alerts related to fileless malware
Alert type | Alert name | Description |
Persistence | Suspicious backdoor | The threat detection model detected a WMI or bitsadmin backdoor on your server. Such a backdoor may have been left by attackers to maintain system permissions after your server has been compromised. |
Abnormal code in memory | The threat detection model detected malicious instructions in the memory of a process on your server. The process may be malware that is left by attackers or a process into which malicious code is injected. | |
Abnormal registry configuration | The threat detection model detected a suspicious registry configuration on your server. In most cases, some key registry configurations may be modified by malware to achieve persistence or conduct sabotage behavior. | |
Cobalt Strike RAT | The threat detection model detected malicious code of Cobalt Strike RAT in the memory of a process on your server. The process may be a malicious process or a process into which malicious code has been injected. | |
Malicious scripts | Execution of malicious script code | The threat detection model detected that malicious script code, such as Bash, PowerShell, and Python, was executed on your server. |
Suspicious Process | Suspicious command run by a process | The threat detection model automatically analyzed the historical behavior of a process on your server and detected that the process ran a suspicious command. A potential cause is that attackers have exploited the RCE vulnerability of the service to run the command. |
Suspicious modification to registry configurations | The threat detection model detected that a process was attempting to modify the registry configurations on your server. A potential cause is that attackers have written backdoor code into your server or have modified the sensitive configurations after attackers have obtained system permissions. | |
Suspicious command run by Java applications | The threat detection model detected that the Java process on your server performed high-risk operations, such as malicious program download and backdoor addition. A potential cause is that you have used vulnerable web frameworks or middleware. | |
Suspicious command run by scheduled tasks in Linux | The threat detection model detected that a scheduled task on your server ran a suspicious command. A potential cause is that attackers have written malicious commands in the scheduled tasks to maintain permissions after the server has been compromised. | |
Execution of suspicious commands by Python applications | The threat detection model detected that a Python application on your server ran a suspicious command. A potential cause is that the Python-based web application on your server has RCE vulnerabilities and has been compromised. | |
Suspicious command run by Tomcat | The threat detection model detected that the Tomcat container on your server ran a suspicious command. A potential cause is that attackers have exploited webshells or RCE vulnerabilities in the Java applications of Tomcat containers to run malicious commands. |