How a Compromised Alibaba Cloud Server Was Recovered: Key Security Lessons

A server on Alibaba Cloud suddenly stopped because the cloud’s monitoring detected that the server was repeatedly launching attacks against other servers, so it was blocked. It was clearly compromised and used as a bot.

Remediation steps:

Check logged‑in users – who showed only my account, but last revealed unknown IP logins.

Install Alibaba Cloud’s security service (Aliyun Anqi).

Change the SSH port and password, restrict login to specific IPs.

Inspect startup programs – none abnormal.

Examine cron jobs – found malicious entries containing a Redis key and an SSH public key, indicating password‑less SSH was enabled via a weak Redis configuration. The Redis config lacked a bind address and used a weak password; it was corrected and Redis restarted. The malicious cron entries were removed and the cron service restarted.

Enable all Cloud Shield monitoring alerts and update the notification phone number.

Configure iptables to tightly restrict ports.

Specific malicious content found:

REDIS0006?crackitA?

ssh-rsa AAAAB3NzaC1y......bVMcIVHPyiP3/y/bliZ6JZC7jnZLk6kMvGw== [email protected]

Lesson: The root cause was weak security awareness – neglecting basic hardening such as securing Redis, changing the default SSH port, and using the built‑in Alibaba Cloud security settings and alerts. Improving security fundamentals can prevent most incidents. This experience is shared with other server administrators lacking strong security practices.