Release Notes and Announcements

Release Notes

Public Image Release Notes

Official End of Support Plan for the Operating System

Announcements

Product Introduction

CVM Overview

Strengths

Basic Concepts

Regions and Zones

Tutorial

Service Regions and Service Providers

Billing

Billing Overview

Billing Modes

Billing Items

Billing Mode Conversion Overview

Purchasing Instances

Configuration Adjustment Billing Guide

Overdue Payments

Getting Started

Purchasing a Customized Linux Instance

Purchasing a Customized Windows Instance

User Guide

Operation Guide Overview

Use Limits

Instances

Spot Instances

Reserved Instances

Images

Storage

Backup and Restoration

Network

Security

Passwords/Keys

Monitoring and Alarms

Ops Management

Convenience Features

Migrating a Server

Online Migration

Migration Consultation

Troubleshooting

CVM Login Failures

Windows Instance Login Failures

Linux Instance Login Failures

Other Login Failures

Instance Running Failures

Linux Instance Memory Failures

Network Failures

Use Cases

Suggestions on CVM Model Selection

Environment Building

Website Building

Application Building

Visual GUI Building

Uploading Local Files to CVM

Network Performance Test

Suspected Compromise

PDF

Focus Mode

Font Size

Last updated: 2024-01-06 17:32:18

CVMs may be intruded by hackers due to weak passwords and vulnerabilities of open-source components. This document describes how to determine whether a CVM has been infected with a virus and how to fix it.
Troubleshooting the Issue
 Use SSH or VNC to log in to the instance and check whether it has been infected with a virus in the following ways:
Malicious commands were added to rc.local
Run the following command to view the rc.local file.
cat /etc/rc.local 
If the output information contains a command not added by the business team or public image, such as wget xx and /tmp/xx, the CVM has probably been infected with a virus.
Malicious tasks were added to crontab
Run the following command to list the current schedule.
crontab -l
If the output information contains a command not added by the business team or public image, such as wget xx and /tmp/xx, the CVM has probably been infected with a virus.
Dynamic library hijacking was added to ld.so.preload
Run the following command to view the /etc/ld.so.preload file.
cat /etc/ld.so.preload
If the output information contains a dynamic library not added by the business team, the CVM has probably been infected with a virus.
Huge page memory was configured in sysctl.conf
Run the following command to check the usage of huge page memory.
sysctl -a | grep "nr_hugepages "
If the output is not 0, and the business program does not use huge page memory, the CVM has probably been infected with a virus.
Troubleshooting Procedure
1. Back up the system data as instructed in Creating Snapshots.
2. Reinstall the instance system as instructed in Reinstalling System and take the following security hardening measures:
Change the CVM password to a stronger password containing 12-16 characters, including uppercase letters, lowercase letters, special characters, and numbers. For more information, see Resetting Instance Password.
Delete unused CVM login accounts.
Change the default sshd port 22 to a less common port between 1024-65525. For more information, see Modifying the Default Remote Port of CVM.
Manage the associated security group rules to open only ports and protocols required by your business. For more information, see Adding Security Group Rules.
Close the port for internet access for core applications such as MySQL and Redis databases.
Install security software (such as CWPP agent), and configure real-time alarms to get noticed about suspicious logins instantly.

Help and Support

Was this page helpful?

You can also Contact sales or Submit a Ticket for help.

Help us improve! Rate your documentation experience in 5 mins.

Feedback

tencent cloud

Cloud Virtual Machine

Suspected Compromise

Troubleshooting the Issue

Troubleshooting Procedure

Help and Support