Server Alarms

Updated on 2025-02-12 GMT+08:00

HSS generates alarms on a range of intrusion events, including brute-force attacks, abnormal process behaviors, web shells, abnormal logins, and malicious processes. You can view all of these events on the console and eliminate the security risks in your assets in a timely manner.

NOTE:

Alarms generated by AV detection and HIPS detection are displayed under different types of events.

  • Alarms generated by AV detection are displayed only under Malware events.
  • Alarms generated by HIPS detection are displayed in the subcategories of all event types.

Constraints

Servers that are not protected by HSS do not support alarm-related operations.

Server Security Alarms

For details about server security alarm types and alarm items, see Table 1. Alarms vary by HSS edition. For details, see Features.

Table 1 Server security alarms (columns: Alarm Type, Alarm Type Description, Alarm, Alarm Description)

Malware

Malicious software includes viruses, worms, Trojans, and web shells implanted by hackers to steal your data or control your servers.

For example, hackers may use your servers as miners or DDoS zombies. This consumes large amounts of CPU and network resources and affects service stability.

Unclassified malware

Check for malware such as web shells, Trojan horses, mining software, worms, and other viruses and their variants, and remove them with one click. Malware is identified and removed based on analysis of program characteristics and behaviors, AI image fingerprint algorithms, and cloud-based scanning and removal.

Supported OSs: Linux and Windows.

Isolation and removal: automated or manual

Viruses

Detect viruses in server assets, report alarms, and isolate and remove virus files.

Supported OSs: Linux and Windows.

Isolation and removal: automated or manual

Worms

Detect and kill worms on servers and report alarms.

Supported OSs: Linux and Windows.

Isolation and removal: automated or manual

Trojans

Detect and remove Trojans and viruses on servers and report alarms.

Supported OSs: Linux and Windows.

Isolation and removal: automated or manual

Botnets

Detect and kill botnets on servers and report alarms.

Supported OSs: Linux and Windows.

Isolation and removal: automated or manual

Backdoors

Detect backdoors on servers and report alarms.

Supported OSs: Linux and Windows.

Isolation and removal: automated or manual

Rootkits

Detect server assets and report alarms for suspicious kernel modules, files, and folders.

Supported OSs: Linux.

Ransomware

Check for ransomware in web pages, software, emails, and storage media.

Ransomware encrypts and takes control of your data assets, such as documents, emails, databases, source code, images, and compressed files, and then extorts the victim.

Supported OSs: Linux and Windows.

Isolation and removal: automated or manual. Some ransomware can be detected, isolated, and removed automatically; the rest must be handled manually.

Hacker tools

Detect and kill hacker tools on servers and report alarms.

Supported OSs: Linux and Windows.

Isolation and removal: manual

Web shells

Check whether the files (often PHP and JSP files) detected by HSS in your web directories are web shells.

You can configure the web shell detection rule in the Web Shell Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands.

You need to add a protected directory in policy management. For details, see Web Shell Detection.

Supported OSs: Linux and Windows.

Isolation and removal: manual
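A minimal illustration of the kind of check a web shell scan performs over a protected web directory, as an added example (this is not HSS code and does not reproduce the Web Shell Detection rule). It walks a directory, looks only at PHP/JSP-style files, and flags the classic indicators: `eval`/`system` fed from request parameters, dynamic calls through `$_GET[...]()`, and `Runtime.exec`/`ProcessBuilder` fed from `request.getParameter`. The patterns, extensions, and the sample web root it creates in a temporary directory are all constructed assumptions for the example.

```python
"""Heuristic web shell scan over a web directory (added example, not HSS code)."""
import os
import re
import tempfile

# Indicators commonly seen in PHP/JSP web shells. These patterns are illustrative
# assumptions for this example, not HSS's detection rules.
PATTERNS = {
    "php_eval_input": re.compile(
        r"\beval\s*\(\s*(\$_(GET|POST|REQUEST|COOKIE)|base64_decode)", re.I),
    "php_cmd_from_request": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "php_dynamic_call": re.compile(r"\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\(", re.I),
    "jsp_runtime_exec": re.compile(
        r"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I),
    "jsp_process_builder": re.compile(
        r"new\s+ProcessBuilder\s*\([^)]*request\.getParameter", re.I),
}
WEB_EXTENSIONS = {".php", ".phtml", ".php5", ".jsp", ".jspx"}


def scan_file(path):
    """Return the names of all indicators that match in one file."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            content = f.read()
    except OSError:
        return []
    return [name for name, rx in PATTERNS.items() if rx.search(content)]


def scan_directory(root):
    """Walk a protected web directory; return {relative_path: [indicators]} for hits only."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in WEB_EXTENSIONS:
                continue  # only script files that the web server would execute
            full = os.path.join(dirpath, fn)
            found = scan_file(full)
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits


def build_sample_webroot():
    """Create a temporary web root holding constructed benign and malicious files."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.php": "<?php echo 'hello'; ?>",                     # benign
        "uploads/c.php": "<?php @eval($_POST['cmd']); ?>",          # one-line PHP shell
        "admin/run.jsp": '<% Runtime.getRuntime().exec(request.getParameter("c")); %>',
        "notes.txt": "eval($_POST['x'])",  # not a web extension, must be ignored
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for rel_path, indicators in sorted(scan_directory(webroot).items()):
        print(f"ALARM web shell suspected: {rel_path} -> {', '.join(indicators)}")
```

Pattern matching of this kind is cheap but noisy; a production scanner also weighs file age and owner, recent modification, and whether the file sits in an upload directory, and it treats a hit as a reason to isolate the file for manual review rather than delete it outright.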

Mining software

Detect, scan, and remove mining software on servers, and report alarms.

Supported OSs: Linux and Windows.

Isolation and removal: automated or manual

Vulnerability Exploits

Exploitation of vulnerabilities in the server system, software, or network to obtain unauthorized access, steal data, or damage the target system.

Exploits can be performed remotely or locally. In a remote vulnerability exploit, an attacker connects to the target system through the network and discovers system vulnerabilities to launch attacks. In a local vulnerability exploit, an attacker obtains low access permissions on the target system and exploits vulnerabilities to escalate permissions or perform other malicious operations.

Remote code executions

Detect and report alarms on server intrusions that exploit vulnerabilities in real time.

Supported OSs: Linux and Windows.

Redis vulnerability exploits

Detect the modifications made by the Redis process on key directories in real time and report alarms.

Supported OSs: Linux.

Hadoop vulnerability exploits

Detect the modifications made by the Hadoop process on key directories in real time and report alarms.

Supported OSs: Linux.

MySQL vulnerability exploits

Detect the modifications made by the MySQL process on key directories in real time and report alarms.

Supported OSs: Linux.

Abnormal System Behaviors

Abnormal system behaviors occur while servers are running, and are usually caused by system faults, malicious attacks, or security vulnerabilities. Abnormal system behaviors may cause data loss or system breakdown. To protect server system and data security, it is important to detect and handle abnormal system behaviors in a timely manner.

Reverse shells

Monitor user process behaviors in real time to report alarms on and block reverse shells caused by invalid connections.

Reverse shells can be detected for protocols including TCP, UDP, and ICMP.

You can configure the reverse shell detection rule in the Malicious File Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands.

To enable automatic reverse shell blocking, enable Auto Blocking in the HIPS Detection policy on the Policies page.

Currently, the following types of reverse shells can be blocked: exec reverse shell, Perl reverse shell, AWK reverse shell, Python reverse shell.b, Python reverse shell.a, Lua reverse shell, mkfifo/openssl reverse shell, PHP reverse shell, Ruby reverse shell, rssocks reverse proxy, Bash reverse shell, Ncat reverse shell, exec redirection reverse shell, Node reverse shell, Telnet dual-port reverse shell, nc reverse shell, Socat reverse shell, rm/mkfifo/sh/nc reverse shell, and socket/tchsh reverse shell.

NOTE:

Before you enable auto blocking of reverse shells, ensure you have enabled the function of isolating and killing malicious programs.

Supported OSs: Linux.

File privilege escalations

Detect file privilege escalation behaviors and generate alarms.

Supported OSs: Linux.

Process privilege escalations

Detect the privilege escalation operations of the following processes and generate alarms:
  • Root privilege escalation by exploiting SUID program vulnerabilities
  • Root privilege escalation by exploiting kernel vulnerabilities

Supported OSs: Linux.

Important file changes

Monitor important system files (such as ls, ps, login, and top) in real time and generate alarms if these files are modified. For details about the monitored paths, see Monitored Important File Paths.

HSS reports all the changes on important files, regardless of whether the changes are performed manually or by processes.

Supported OSs: Linux.

File/Directory changes

Monitor system files and directories in real time and generate alarms if such files are created, deleted, moved, or if their attributes or content are modified.

Supported OSs: Linux and Windows.

Abnormal process behaviors

Check the processes on servers, including their IDs, command lines, process paths, and behavior.

Send alarms on unauthorized process operations and intrusions.

The following abnormal process behavior can be detected:

  • Abnormal CPU usage
  • Processes accessing malicious IP addresses
  • Abnormal increase in concurrent process connections

Supported OSs: Linux and Windows.

Isolation and killing: Some abnormal processes can be manually isolated and killed.

High-risk command executions

You can configure what commands will trigger alarms in the High-risk Command Scan rule on the Policies page.

HSS checks executed commands in real time and generates alarms if high-risk commands are detected.

Supported OSs: Linux and Windows.

Abnormal shells

Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.

You can configure the abnormal shell detection rule in the Malicious File Detection rule on the Policies page. HSS will check for suspicious or remotely executed commands.

Supported OSs: Linux.

Sensitive file access detection

Detect the unauthorized access to or modifications of sensitive files.

Supported OSs: Linux and Windows.

Suspicious crontab tasks

Check and list auto-started services, scheduled tasks, pre-loaded dynamic libraries, run registry keys, and startup folders.

You are notified immediately when abnormal auto-start items are detected, so you can quickly locate Trojans.

Supported OSs: Linux and Windows.

System protection disabling

Detect preparation for ransomware encryption, such as disabling Windows Defender real-time protection through the registry. An alarm is reported as soon as the function is disabled.

Supported OSs: Windows.

Backup deletion

Detect the operations performed by ransomware before it encrypts your data. Once HSS detects that backup files or files in the Backup folder are deleted, an alarm is reported.

Supported OSs: Windows.

Suspicious registry operations

Detect operations such as disabling the system firewall through the registry, or the Stop ransomware modifying the registry and writing specific strings to it. An alarm is reported immediately when such operations are detected.

Supported OSs: Windows.

System log deletion

An alarm is generated when a command or tool is used to clear system logs.

Supported OSs: Windows.

Suspicious command executions

  • Check whether a scheduled task or an automated startup task is created or deleted by running commands or tools.
  • Detect suspicious remote command execution.

Supported OSs: Windows.

Suspicious process executions

If application process control is enabled, HSS checks for application processes that are not authenticated or authorized based on the whitelist policy, and reports an alarm if such a process is detected.

For more information, see Application Process Control Overview.

Supported OSs: Linux and Windows.

Suspicious process file access

If application process control is enabled, HSS checks for application processes that access specified directories but are not authenticated or authorized based on the whitelist policy, and reports an alarm if such a process is detected.

For more information, see Application Process Control Overview.

Supported OSs: Linux and Windows.

Abnormal User Behaviors

Abnormal user behaviors are unexpected user actions in a specific environment or system, sometimes concentrated in a short period, such as abnormal logins or unauthorized access. Detecting and identifying them requires checking and analyzing user operations.

Brute-force attacks

If hackers log in to your servers through brute-force attacks, they gain control of the servers and can perform malicious operations such as stealing user data; implanting ransomware, miners, or Trojans; encrypting data; or using your servers as zombies in DDoS attacks.

HSS can detect brute-force attacks on the following service accounts:

  • Windows: RDP, SQL Server
  • Linux: MySQL, vsftpd, SSH

If the number of consecutive incorrect password attempts from a source IP address reaches 5 within 30 seconds or 15 within 1 hour, HSS blocks that login source IP address. By default, the IP address is blocked for 12 hours to prevent server intrusions caused by brute-force attacks.

You can check whether a login IP address can be trusted based on its brute-force attack alarm details, including the attack source IP address, attack type, and how many times it has been blocked. You can manually unblock trusted IP addresses.

Supported OSs: Linux and Windows.
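The blocking rule above (5 consecutive failures within 30 seconds or 15 within 1 hour, block for 12 hours), applied to SSH authentication log lines, as an added example. This is not HSS code and does not reproduce how HSS counts attempts; it is the rule as stated on this page implemented over syslog-format `sshd` "Failed password" lines. The log lines are constructed, the year is an assumption (syslog timestamps carry none), and a successful login is taken to end a "consecutive" run of failures.

```python
"""Sliding-window brute-force rule from this page over sshd log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds stated on this page: 5 consecutive failures within 30 s or 15 within
# 1 h trigger a block; the block lasts 12 h.
SHORT_WINDOW, SHORT_LIMIT = timedelta(seconds=30), 5
LONG_WINDOW, LONG_LIMIT = timedelta(hours=1), 15
BLOCK_DURATION = timedelta(hours=12)

# Traditional syslog-format sshd lines. The timestamp carries no year, so the
# detector is given one (an assumption for the constructed sample below).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (?P<ip>\S+) port")


class BruteForceDetector:
    def __init__(self, year=2025):
        self.year = year
        self.failures = defaultdict(deque)  # ip -> timestamps of the current failure run
        self.blocked = {}                   # ip -> (blocked_until, reason)

    def parse_ts(self, raw):
        return datetime.strptime(f"{self.year} {raw}", "%Y %b %d %H:%M:%S")

    def is_blocked(self, ip, now):
        until = self.blocked.get(ip, (None, None))[0]
        return until is not None and now < until

    def feed(self, line):
        """Consume one log line. Returns (ip, reason) when a new block is created."""
        accepted = ACCEPTED_RE.search(line)
        if accepted:
            self.failures.pop(accepted.group("ip"), None)  # success ends the consecutive run
            return None
        m = FAILED_RE.match(line)
        if not m:
            return None
        now, ip = self.parse_ts(m.group("ts")), m.group("ip")
        if self.is_blocked(ip, now):
            return None  # already blocked; the firewall should be dropping these
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > LONG_WINDOW:  # forget failures older than 1 h
            q.popleft()
        in_short_window = sum(1 for t in q if now - t <= SHORT_WINDOW)
        reason = None
        if in_short_window >= SHORT_LIMIT:
            reason = f"{in_short_window} failures in 30s"
        elif len(q) >= LONG_LIMIT:
            reason = f"{len(q)} failures in 1h"
        if reason is None:
            return None
        self.blocked[ip] = (now + BLOCK_DURATION, reason)
        q.clear()
        return ip, reason


def build_sample_log():
    """Constructed sshd lines: one fast burst, one slow-and-steady attacker, one user typo."""
    lines = [f"Feb 12 10:00:{i:02d} host sshd[100]: Failed password for root "
             f"from 203.0.113.10 port 5000 ssh2" for i in range(5)]
    for i in range(15):  # one failure every 3 minutes: 15 in 45 min, never 5 in 30 s
        lines.append(f"Feb 12 11:{i * 3:02d}:00 host sshd[200]: Failed password for "
                     f"invalid user admin from 198.51.100.7 port 6000 ssh2")
    lines.append("Feb 12 12:00:00 host sshd[300]: Failed password for alice from 192.0.2.5 port 7000 ssh2")
    lines.append("Feb 12 12:00:10 host sshd[300]: Accepted publickey for alice from 192.0.2.5 port 7000 ssh2")
    return lines


def run_detector(lines, year=2025):
    """Feed every line; return the detector and the list of (ip, reason) blocks in order."""
    det = BruteForceDetector(year)
    blocks = [b for b in (det.feed(line) for line in lines) if b]
    return det, blocks


if __name__ == "__main__":
    det, blocks = run_detector(build_sample_log())
    for ip, reason in blocks:
        print(f"BLOCK {ip} for 12h: {reason} (until {det.blocked[ip][0]})")
```

The slow attacker in the sample never trips the 30-second window, which is why the 1-hour window exists; a detector with only the short window would let 15 attempts spread over 45 minutes go unnoticed. When tuning such a rule, remember that the attacker's rate is chosen to sit just under whatever threshold you publish.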

Abnormal logins

Detect abnormal login behavior, such as remote login and brute-force attacks. If abnormal logins are reported, your servers may have been intruded by hackers.

  • Check and handle remote logins.

    You can check the blocked login IP addresses, and who used them to log in to which server at what time.

    If a user's login location is not any common login location, an alarm will be triggered.

  • Trigger an alarm if a user logs in to the server by a brute-force attack.

Supported OSs: Linux and Windows.

Invalid accounts

Hackers may crack unsafe accounts on your servers and take control of the servers.

HSS checks suspicious hidden accounts and cloned accounts and generates alarms on them.

Supported OSs: Linux and Windows.

User account added

Detect the commands used to create hidden accounts. Hidden accounts are not shown in the user interface and are not returned by account query commands.

Supported OSs: Windows.

Password thefts

Detect abnormal dumping of the password hashes of system accounts on servers and report alarms.

Supported OSs: Windows.

Abnormal Network Access

Abnormal network access refers to exceptions that occur during network connection or data transmission and differ from normal usage, including abnormal resource usage, unauthorized access, and abnormal connections. Abnormal network access on a server may be the prelude to an attack.

Cloud honeypots

An alarm is reported if a connection to the honeypot port of a server is detected.

Supported OSs: Linux and Windows.

Suspicious download requests

An alarm is generated when a suspicious HTTP request that uses system tools to download programs is detected.

Supported OSs: Windows.

Suspicious HTTP requests

An alarm is generated when a suspicious HTTP request that uses a system tool or process to execute a remotely hosted script is detected.

Supported OSs: Windows.

Abnormal outbound connections

Report alarms on suspicious IP addresses that initiate outbound connections.

Supported OSs: Linux (kernel 5.10 or later).

Port forwarding

Report alarms on port forwarding using suspicious tools.

Supported OSs: Linux.

Reconnaissance

Reconnaissance is the act of gathering information about a target network before launching an attack.

Port scan

Detect scanning or sniffing on specified ports and report alarms.

Supported OSs: Linux.

Host scan

Detect the network scan activities based on server rules (including ICMP, ARP, and nbtscan) and report alarms.

Supported OSs: Linux.

Fileless Attacks

A fileless attack does not release malicious executable files. Instead, it writes malicious code into the system memory or registry. Because there are no malicious files used, such an attack is difficult to detect.

Fileless attacks are classified into the following types based on disk file activities:

  • No file activities.

    That is, no files are written to or operated on disk. Such attacks are generally launched from the hardware, firmware, or a software layer outside the OS rather than from the OS itself.

  • Indirect activities through files.

    That is, no files are stored on disk, but activities are performed indirectly through files. Malicious code is usually loaded into memory indirectly through trusted (whitelisted) files. Most such malicious code is carried by scripts, which are executed through program commands or specific mechanisms such as disk boot records.

  • File activities required.

    Generally, malicious code is converted into data. Attackers exploit file-related program vulnerabilities or features to convert malicious data into malicious code for execution.

Process injection

Scan for malicious code injection into running processes and report alarms.

Supported OSs: Linux.

Dynamic library injection

Scan for payloads injected by hijacking functions in dynamically linked (shared) libraries and report alarms.

Supported OSs: Linux.

Memory file process

Scan for the behaviors of creating an anonymous malicious file that exists only in the RAM through the memfd_create system call and executing the file, and report alarms on such behaviors.

Supported OSs: Linux.
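Two of the Linux process-level signals described on this page, reverse shells (under Abnormal System Behaviors) and memfd-backed executables (Memory file process), can both be read straight out of procfs. The added example below scans a procfs tree for (a) a shell or interpreter whose stdin, stdout, and stderr are all sockets, which is what a reverse shell looks like once it has redirected its standard streams, and (b) a process whose `/proc/<pid>/exe` link points at `/memfd:...`, which is how an anonymous file created with `memfd_create` and then executed appears. This is not HSS code; the set of shell and interpreter names is an assumption, and the fake procfs tree it builds for the demonstration is constructed. Against a real host, run `scan_proc("/proc")` as root.

```python
"""Scan procfs for reverse shells (socket stdio) and memfd-backed executables (added example)."""
import os
import tempfile

# Shells and the script interpreters named in the reverse shell list above.
# Assumption for this example: these, with socket-backed stdio, are suspicious.
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "ksh", "perl", "python", "python3",
              "php", "ruby", "node", "lua"}


def read_link(path):
    try:
        return os.readlink(path)
    except OSError:
        return None  # process exited, or no permission (run as root on a real host)


def read_comm(pid_dir):
    try:
        with open(os.path.join(pid_dir, "comm"), encoding="utf-8") as f:
            return f.read().strip()
    except OSError:
        return None


def stdio_all_sockets(pid_dir):
    """True when fds 0, 1 and 2 are all sockets (what `sh -i >&/dev/tcp/..` leaves behind)."""
    targets = [read_link(os.path.join(pid_dir, "fd", str(n))) for n in (0, 1, 2)]
    return all(t is not None and t.startswith("socket:[") for t in targets)


def inspect_process(pid_dir):
    """Return a list of (finding, detail) for one /proc/<pid> directory."""
    findings = []
    exe = read_link(os.path.join(pid_dir, "exe"))
    if exe and exe.startswith("/memfd:"):
        # memfd_create() + execve() shows up as "/memfd:<name> (deleted)"
        findings.append(("memfd_exec", exe))
    comm = read_comm(pid_dir)
    if comm in SHELL_LIKE and stdio_all_sockets(pid_dir):
        findings.append(("reverse_shell", comm))
    return findings


def scan_proc(proc_root="/proc"):
    """Inspect every numeric entry under proc_root; return {pid: findings} for hits only."""
    results = {}
    for name in os.listdir(proc_root):
        if name.isdigit():
            found = inspect_process(os.path.join(proc_root, name))
            if found:
                results[int(name)] = found
    return results


def build_fake_proc():
    """Constructed procfs tree: an interactive bash, a reverse shell, nginx, and a memfd payload."""
    root = tempfile.mkdtemp(prefix="proc_")

    def add(pid, comm, exe, fds):
        d = os.path.join(root, str(pid))
        os.makedirs(os.path.join(d, "fd"))
        with open(os.path.join(d, "comm"), "w", encoding="utf-8") as f:
            f.write(comm + "\n")
        os.symlink(exe, os.path.join(d, "exe"))          # dangling links are fine here
        for n, target in fds.items():
            os.symlink(target, os.path.join(d, "fd", str(n)))

    tty = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"}
    null = {0: "/dev/null", 1: "/dev/null", 2: "/dev/null"}
    add(101, "bash", "/usr/bin/bash", tty)
    add(202, "bash", "/usr/bin/bash", {0: "socket:[4711]", 1: "socket:[4711]", 2: "socket:[4711]"})
    add(303, "nginx", "/usr/sbin/nginx", {**null, 3: "socket:[99]"})  # a socket on fd 3 is normal
    add(404, "kworker", "/memfd:payload (deleted)", null)
    open(os.path.join(root, "cpuinfo"), "w").close()     # non-numeric entries are skipped
    return root


if __name__ == "__main__":
    for pid, findings in sorted(scan_proc(build_fake_proc()).items()):
        for kind, detail in findings:
            print(f"ALARM pid={pid} {kind}: {detail}")
```

Both checks are point-in-time snapshots; the `Auto Blocking` behaviour described above needs the equivalent hooked at process creation, which is why HSS implements it in its HIPS policy rather than by polling. Note also that a reverse shell spawned by `nc -e` or `socat` gives the shell socket stdio exactly as above, which is what makes the fd check robust across the tool list on this page.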

Security Alarm Severities

HSS alarm severities indicate alarm impact on service systems. It can be Critical, High, Medium, or Low. For details, see Table 2.

Table 2 Security alarm severities

Alarm Severity

Description

Critical

A critical alarm indicates that the system is severely attacked, which may cause data loss, system breakdown, or long service interruption. For example, such alarms are generated if ransomware encryption behaviors or malicious programs are detected. You are advised to handle the alarms immediately to avoid severe system damage.

High

A high-risk alarm indicates that the system may be under an attack that has not caused serious damage. For example, such alarms are generated if unauthorized login attempts are detected or unsafe commands (for deleting critical system files or modifying system settings) are executed. You are advised to investigate and take measures in a timely manner to prevent attacks from spreading.

Medium

A medium-risk alarm indicates that the system has potential security threats, but there are no obvious signs of being attacked. For example, if abnormal modifications of a file or directory are detected, there may be potential attack paths or configuration errors in the system. You are advised to further analyze and take proper preventive measures to enhance system security.

Low

A low-risk alarm indicates that a minor security threat exists in the system but does not have significant impact on your system. For example, such alarms are generated if port scans are detected, indicating that there may be attackers trying to find system vulnerabilities. These alarms do not require immediate emergency measures. If you have high requirements on asset security, pay attention to the security alarms of this level.

Monitored Important File Paths

Type    Linux
bin     /bin/ls, /bin/ps, /bin/bash, /bin/login
usr     /usr/bin/ls, /usr/bin/ps, /usr/bin/bash, /usr/bin/login, /usr/bin/passwd, /usr/bin/top, /usr/bin/killall, /usr/bin/ssh, /usr/bin/wget, /usr/bin/curl
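The "Important file changes" alarm described above is, at its core, an integrity baseline over the paths in this table. The added example below (not HSS code) fingerprints each monitored path by content hash, mode, owner, and inode, so that it catches a replaced binary, a setuid bit added by a rootkit, a deleted tool, and a path re-pointed at a different inode, then diffs a later snapshot against the baseline. The `root` parameter lets it run against a constructed temporary tree for the demonstration; on a real host call `build_baseline(MONITORED_PATHS)` as root and store the result somewhere the host cannot rewrite.

```python
"""Integrity baseline over the monitored important file paths (added example, not HSS code)."""
import hashlib
import os
import stat
import tempfile

# Paths from the "Monitored Important File Paths" table on this page.
MONITORED_PATHS = [
    "/bin/ls", "/bin/ps", "/bin/bash", "/bin/login",
    "/usr/bin/ls", "/usr/bin/ps", "/usr/bin/bash", "/usr/bin/login",
    "/usr/bin/passwd", "/usr/bin/top", "/usr/bin/killall", "/usr/bin/ssh",
    "/usr/bin/wget", "/usr/bin/curl",
]


def fingerprint(path):
    """Describe one file, or return None if it is absent.
    Content hash plus mode/owner/inode cover the tricks used on these binaries:
    swapping the file, chmod/chown (e.g. adding setuid), or re-linking the path."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid,
             "inode": st.st_ino, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        entry["link"] = os.readlink(path)      # e.g. /bin/ls may be a symlink into /usr
    else:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def build_baseline(paths, root=""):
    """Fingerprint every monitored path; `root` prefixes a chroot or a test tree."""
    return {p: fingerprint(root + p) for p in paths}


def compare(baseline, current):
    """Return {path: change} for every difference between two snapshots."""
    changes = {}
    for p, old in baseline.items():
        new = current.get(p)
        if old is None and new is None:
            continue                      # absent on this host both times
        if old is None:
            changes[p] = "created"
        elif new is None:
            changes[p] = "deleted"
        else:
            diff = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            if diff:
                changes[p] = "modified:" + ",".join(diff)
    return changes


def build_sample_tree():
    """Constructed tree with fake /bin/ls, /bin/ps and /usr/bin/curl under a temp root."""
    root = tempfile.mkdtemp(prefix="fsroot_")
    for rel, body in {"/bin/ls": b"ELF-ls", "/bin/ps": b"ELF-ps", "/usr/bin/curl": b"ELF-curl"}.items():
        full = root + rel
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(body)
        os.chmod(full, 0o755)
    return root


def simulate_tampering(root):
    """Trojanise ps in place, add setuid to ls, delete curl (constructed scenario)."""
    with open(root + "/bin/ps", "wb") as f:
        f.write(b"ELF-ps-backdoored")
    os.chmod(root + "/bin/ls", 0o4755)
    os.remove(root + "/usr/bin/curl")


def demo():
    """Baseline the sample tree, tamper with it, and return the detected changes."""
    root = build_sample_tree()
    before = build_baseline(MONITORED_PATHS, root)
    simulate_tampering(root)
    return compare(before, build_baseline(MONITORED_PATHS, root))


if __name__ == "__main__":
    for path, change in sorted(demo().items()):
        print(f"ALARM important file change: {path} {change}")
```

A baseline is only as trustworthy as its storage: an attacker who can modify `/bin/ps` can also rewrite a baseline kept on the same disk, so keep it off-host (or have the agent report to a service, as HSS does) and re-baseline deliberately after package upgrades, which legitimately change these files.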
