Alarm Events
HSS generates alarms on 13 types of intrusion events, including brute-force attacks, abnormal process behavior, web shells, abnormal logins, and malicious processes. You can review all these events on the HSS console and eliminate security risks in your assets in a timely manner.
Alarm Events
Alarm Name | Description | Basic | Enterprise | Premium | WTP |
---|---|---|---|---|---|
Brute-force attack | If hackers log in to your servers through brute-force attacks, they can obtain control of the servers and perform malicious operations, such as stealing user data; implanting ransomware, miners, or Trojans; encrypting data; or using your servers as zombies in DDoS attacks. HSS detects brute-force attacks against SSH, RDP, FTP, SQL Server, and MySQL accounts. | √ | √ | √ | √ |
Abnormal login | HSS detects abnormal login behavior, such as remote logins and brute-force attacks. If abnormal logins are reported, your servers may have been compromised. | √ | √ | √ | √ |
Malicious program (cloud scan) | Malicious programs include Trojans and web shells implanted by hackers to steal your data or control your servers. For example, hackers may use your servers as miners or DDoS zombies, which consumes a large amount of CPU and network resources and affects service stability. HSS checks for malware such as web shells, Trojan horses, mining software, worms, and other viruses and their variants, and lets you kill them in one click. Malware is identified and removed by analyzing program characteristics and behavior, by AI image fingerprint algorithms, and by cloud scanning and killing. | × | √ (Isolate and kill) | √ (Isolate and kill) | √ (Isolate and kill) |
Abnormal process behavior | HSS checks the processes on servers, including their IDs, command lines, process paths, and behavior, and sends alarms on unauthorized process operations and intrusions. The following abnormal process behavior can be detected: | × | √ | √ | √ |
Critical file change | If hackers intrude into your system, they are likely to tamper with important system files to forge identities or prepare for further attacks. HSS only checks whether directories or files have been modified, not whether they were modified manually or by a process. | × | √ | √ | √ |
Web shell | A web shell is a command execution environment in the form of web page files, such as PHP and JSP files. After hacking a website, a hacker usually places a web shell among the normal web page files in the web directory of the website server and then accesses it through a browser to control the server. HSS checks whether the files (often PHP and JSP files) in your web directories are web shells. | × | √ | √ | √ |
Reverse shell | HSS monitors user process behavior in real time to detect reverse shells caused by invalid connections. Reverse shells can be detected over TCP, UDP, and ICMP. You can configure the reverse shell detection rule on the Policies page. HSS checks for suspicious or remotely executed commands. | × | × | √ | √ |
Abnormal shell | HSS detects actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of those files. You can configure the reverse shell detection rule on the Policies page. HSS checks for suspicious or remotely executed commands. | × | × | √ | √ |
High-risk command execution | You can configure which commands trigger alarms in the High-risk command detection rule on the Policies page. HSS checks executed commands in real time and generates alarms if high-risk commands are detected. | × | × | √ | √ |
Auto-startup check | Trojans usually gain a foothold on servers by creating auto-started services, scheduled tasks, or preloaded dynamic libraries. The auto-startup check collects information about all auto-started items, including their names, types, and the number of affected servers. HSS checks and lists auto-started services, scheduled tasks, preloaded dynamic libraries, run registry keys, and startup folders. | × | × | √ | √ |
Unsafe account | Hackers may crack unsafe accounts on your servers and take control of the servers. HSS checks for suspicious hidden accounts and cloned accounts and generates alarms on them. | × | √ | √ | √ |
Privilege escalation | After hackers intrude servers, they try to exploit vulnerabilities to grant themselves root permissions or add permissions to files. In this way, they can illegally create system accounts, modify account permissions, and tamper with files. HSS detects privilege escalation for processes and files in the current system. The following abnormal privilege escalation operations can be detected: | × | × | √ | √ |
Rootkit | HSS detects suspicious rootkit installation in a timely manner by checking: | × | × | √ | √ |
Monitored Important File Paths
Type | Linux |
---|---|
bin | /bin/ls, /bin/ps, /bin/bash, /bin/netstat, /bin/login, /bin/find, /bin/lsmod, /bin/pidof, /bin/lsof, /bin/ss |
usr | /usr/bin/ls, /usr/bin/ps, /usr/sbin/ps, /usr/bin/bash, /usr/bin/netstat, /usr/sbin/netstat, /usr/sbin/rsyslogd, /usr/sbin/ifconfig, /usr/bin/login, /usr/bin/find, /usr/sbin/lsmod, /usr/sbin/pidof, /usr/bin/lsof, /usr/sbin/lsof, /usr/sbin/tcpd, /usr/bin/passwd, /usr/bin/top, /usr/bin/du, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/killall, /usr/bin/ss, /usr/sbin/ss, /usr/bin/ssh, /usr/bin/scp |
sbin | /sbin/syslog-ng, /sbin/rsyslogd, /sbin/ifconfig, /sbin/lsmod, /sbin/pidof |
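As an added example (not HSS's own code), the script below mirrors the Critical file change check over the paths listed in the table above: it baselines each monitored binary (SHA-256 digest, mode bits, size) and, on a later run, reports which ones were modified, removed, or newly appeared. Like HSS, it reports that a file changed, not whether a person or a process changed it; paths that do not exist on a given distribution are recorded as absent rather than treated as errors.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Paths copied from the "Monitored Important File Paths" table on this page.
MONITORED_PATHS = [
    "/bin/ls", "/bin/ps", "/bin/bash", "/bin/netstat", "/bin/login",
    "/bin/find", "/bin/lsmod", "/bin/pidof", "/bin/lsof", "/bin/ss",
    "/usr/bin/ls", "/usr/bin/ps", "/usr/sbin/ps", "/usr/bin/bash", "/usr/bin/netstat",
    "/usr/sbin/netstat", "/usr/sbin/rsyslogd", "/usr/sbin/ifconfig", "/usr/bin/login",
    "/usr/bin/find", "/usr/sbin/lsmod", "/usr/sbin/pidof", "/usr/bin/lsof", "/usr/sbin/lsof",
    "/usr/sbin/tcpd", "/usr/bin/passwd", "/usr/bin/top", "/usr/bin/du", "/usr/bin/chfn",
    "/usr/bin/chsh", "/usr/bin/killall", "/usr/bin/ss", "/usr/sbin/ss", "/usr/bin/ssh",
    "/usr/bin/scp", "/sbin/syslog-ng", "/sbin/rsyslogd", "/sbin/ifconfig", "/sbin/lsmod",
    "/sbin/pidof",
]

# (sha256 hex, mode bits, size); None when the path does not exist on this host.
Fingerprint = Optional[Tuple[str, int, int]]

def fingerprint(path: str) -> Fingerprint:
    """Hash the file's contents and record its mode and size."""
    try:
        st = os.stat(path)
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        return digest.hexdigest(), st.st_mode, st.st_size
    except OSError:  # absent (not every distro ships every path) or unreadable
        return None

def build_baseline(paths: List[str] = MONITORED_PATHS) -> Dict[str, Fingerprint]:
    """Snapshot every path; absent ones stay None so a later appearance is an event."""
    return {p: fingerprint(p) for p in paths}

def compare(baseline: Dict[str, Fingerprint]) -> List[Tuple[str, str]]:
    """Re-fingerprint and return (path, event) pairs; unchanged paths are omitted."""
    events = []
    for path, old in baseline.items():
        new = fingerprint(path)
        if old == new:
            continue
        event = "new" if old is None else "missing" if new is None else "modified"
        events.append((path, event))
    return sorted(events)

if __name__ == "__main__":
    base = build_baseline()  # persist this off-host (e.g. as JSON) and compare later
    for path, event in compare(base):
        print(f"{event:9s}{path}")
```

Store the baseline somewhere the monitored host cannot rewrite it; a baseline kept on the same disk can be updated by the same tampering it is meant to catch.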