Suspected Infection with Virus

CVMs may be intruded by hackers due to weak passwords and vulnerabilities of open-source components. This document describes how to determine whether a CVM has been infected with a virus and how to fix it.
Troubleshooting the Issue
 Use SSH or VNC to log in to the instance and check whether it has been infected with a virus in the following ways:
Malicious commands were added to rc.local
Run the following command to view the rc.local file.
cat /etc/rc.local 
If the output information contains a command not added by the business team or public image, such as wget xx and /tmp/xx, the CVM has probably been infected with a virus.
Malicious tasks were added to crontab
Run the following command to list the current schedule.
crontab -l
If the output information contains a command not added by the business team or public image, such as wget xx and /tmp/xx, the CVM has probably been infected with a virus.
Dynamic library hijacking was added to ld.so.preload
Run the following command to view the /etc/ld.so.preload file.
cat /etc/ld.so.preload
If the output information contains a dynamic library not added by the business team, the CVM has probably been infected with a virus.
Huge page memory was configured in sysctl.conf
Run the following command to check the usage of huge page memory.
sysctl -a | grep "nr_hugepages "
If the output is not 0, and the business program does not use huge page memory, the CVM has probably been infected with a virus.
Troubleshooting Procedure
1. Back up the system data as instructed in Creating Snapshots.
2. Reinstall the instance system as instructed in Reinstalling System and take the following security hardening measures:
Change the CVM password to a stronger password containing 12-16 characters, including uppercase letters, lowercase letters, special characters, and numbers. For more information, see Resetting Instance Password.
Delete unused CVM login accounts.
Change the default sshd port 22 to a less common port between 1024-65525. For more information, see Modifying the Default Remote Port of CVM.
Manage the associated security group rules to open only ports and protocols required by your business. For more information, see Adding Security Group Rules.
Close the port for internet access for core applications such as MySQL and Redis databases.
Install security software (such as CWPP agent), and configure real-time alarms to get noticed about suspicious logins instantly.

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

tencent cloud

Sign Up

Log in

Compute

Microservice

Data Migration

Database SaaS Tool

Data Security

Application Security

Big Data

Voice Technology

Internet of Things

Stream Services

Cloud Real-time Rendering

Management and Audit Tools

Edge Computing

Serverless

Relational Database

Networking

Business Security

Domains & Websites

Face Recognition

AI Platform Service

Middleware

Media On-Demand

Game Services

Developer Tools

Container

Essential Storage Service

Enterprise Distributed DBMS

CDN and Acceleration

Security Services

Enterprise Applications

Tencent Big Model

Natural Language Processing

Communication

Media Process Services

Education Sevices

Monitor and Operation

Distributed cloud

Data Process and Analysis

NoSQL Database

Network Security

Cloud Security

Office Collaboration

Image Creation

Optical Character Recognition

Interactive Video Services

Media SDK

Cloud Resource Management

More

Troubleshooting the Issue

Troubleshooting Procedure