This article is concerned with the resilient tracking control of a networked control system under cyber attacks. The attacker is an active adversary whose aim is to severely degrade the tracking performance of the system by launching deception attacks on the sensor-to-controller communication channels and denial-of-service attacks on the controller-to-plant channels, respectively. First, a concept of resilient set-membership tracking control is presented, through which the system's true state is guaranteed to reside in a bounding ellipsoidal set of the reference state regardless of the existence of attacks and unknown-but-bounded (UBB) noises. Second, in the case that full information of the system's state is not implicitly trusted in the presence of attacks, a resilient set-membership estimation strategy is provided to secure the state estimates against the deception attacks. Furthermore, based on a recursive computation of a reference state ellipsoid and confidence state estimation ellipsoids, a convex optimization algorithm in terms of recursive linear matrix inequalities is proposed to obtain the gain parameters for both the desired resilient state estimator and the tracking controller. Finally, the effectiveness of the proposed method is illustrated through an Internet-based three-tank system.