Attackers Targeting Poorly Managed Linux SSH Servers
In recent times, Linux SSH servers have become a prime target for attackers aiming to compromise security and exploit vulnerabilities for malicious activities. This article delves into the growing concern surrounding poorly secured Linux SSH servers, the techniques employed by threat actors, and crucial steps to fortify your server against potential attacks.
Linux SSH Servers Attack Details
A growing number of malicious actors are using poorly secured Linux SSH servers as entry points to install port scanners and deploy dictionary attack tools. The ultimate objective is to compromise vulnerable servers and incorporate them into a network so that distributed denial-of-service (DDoS) attacks and crypto mining can be carried out.
Adversaries utilize dictionary attacks, attempting to guess SSH credentials by systematically testing commonly used username and password combinations. After being successful, the threat actors escalate their attack by deploying additional malware, including sophisticated scanners made to identify other vulnerable systems.
Those scanners identify systems with an active port 22 (SSH service). Then the threat actors carry out SSH dictionary attacks to install malware. Some commonly used malwares include ShellBot, Tsunami, ChinaZ DDoS Bot, XMRig CoinMiner, and Gafgyt.
According to the analysis report, attackers first use this command to check the total number of CPU cores after successful login.
grep -c ^processor /proc/cpuinfo
This indicates that the malicious actor has successfully acquired the account credentials. Subsequently, they logged in again using the same credentials to download a compressed file, which contained both a port scanner and an SSH dictionary attack tool.
Server administrators can greatly lower the risk of compromise by being aware of the strategies used by threat actors and putting preventive measures in place. Users are strongly advised to adopt robust and proactive security measures to protect Linux SSH servers from these evolving threats. Essential practices such as using complex and difficult-to-guess passwords, frequently changing them, and keeping systems up-to-date should be implemented.
The sources for this article include a story from TheHackerNews.