WhatIsTheNews.press

2025 Oct 27, 03:04

"Shielding Linux SSH Servers: Uncovering the Loopholes that Entice Hackers" Dec 28, 2023

In recent news, cybersecurity researchers at AhnLab Security Emergency Response Center (ASEC) have discovered that hackers are actively targeting Linux SSH servers to deploy malware scanners. These hackers specifically go after poorly managed servers in order to obtain IP addresses and SSH credentials for the purpose of launching DDoS and CoinMiner malware attacks. The attackers begin by conducting IP scans to identify active SSH ports, which are then subjected to brute-force attacks. This ultimately leads to the installation of more CoinMiners, resulting in increased cryptocurrency mining. In addition to DDoS bots and CoinMiners, the threat actors also seek target information that would allow them to install more malware and carry out other malicious activities.

For instance, scanners may be installed, and any breached information is subsequently sold on the dark web. The most common malware installed on these poorly managed Linux SSH servers includes scanners, DDoS bots, and CoinMiners. To gain unauthorized access to Linux servers, the hackers log in using stolen SSH credentials and proceed to install malware. They then scan for other active SSH servers using the stolen credentials and install malware on those accordingly. A CPU core check command is used to verify that the login succeeded.

Furthermore, the attackers utilize various scripts such as "go" for port scanning, banner grabbing, and SSH dictionary attacks. Other scripts, like "gob" and "rand", are employed for IP class customization. The results of the scans are saved in "bios.txt", while banners are stored in "banner.log". The "prg" tool is then used to extract IPs with the "SSH-2.0-OpenSSH" identifier from "bios.txt" for use in dictionary attacks. Any successful logins are stored in "ssh_vuln". Additionally, the actors check the total number of CPU cores using the command "grep -c ^processor /proc/cpuinfo" to gain more information about the target system. To help defenders, the researchers have provided several recommendations for mitigating these types of attacks.
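The attack chain described above starts with SSH dictionary attacks against exposed servers, which leave a characteristic trail in the sshd authentication log: a burst of "Failed password" lines from one source, sometimes followed by an "Accepted" line from the same source once a credential works. The following detector is an added example, not code from the article or from ASEC's report; the log lines are constructed samples, and the five-failures-in-sixty-seconds threshold is an assumed tuning value a defender would adjust for their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines in syslog format (no year), used only to exercise the detector.
SAMPLE_LOG = """\
Dec 28 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Dec 28 10:00:02 host sshd[1202]: Failed password for root from 203.0.113.5 port 40123 ssh2
Dec 28 10:00:03 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 40124 ssh2
Dec 28 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.5 port 40125 ssh2
Dec 28 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.5 port 40126 ssh2
Dec 28 10:00:09 host sshd[1206]: Accepted password for root from 203.0.113.5 port 40127 ssh2
Dec 28 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Dec 28 10:05:30 host sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n> ssh2" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2023):
    """Parse one sshd auth line into a dict, or return None for lines we do not care about.

    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Sliding-window brute-force detector over sshd auth lines.

    Returns (flagged_ips, compromised):
      flagged_ips  - sorted list of sources that reached `threshold` failures within `window_seconds`
      compromised  - (ip, user, method) tuples for logins accepted from an already-flagged source,
                     i.e. the dictionary attack appears to have succeeded."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # ip -> timestamps of failures inside the window
    flagged = set()
    compromised = []
    window = timedelta(seconds=window_seconds)
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent_failures[ip].append(ev["ts"])
            cutoff = ev["ts"] - window
            recent_failures[ip] = [t for t in recent_failures[ip] if t >= cutoff]
            if len(recent_failures[ip]) >= threshold:
                flagged.add(ip)
        elif ip in flagged:
            # A success after a burst of failures is the highest-priority signal:
            # the credential is now in the attacker's hands and the host should be triaged.
            compromised.append((ip, ev["user"], ev["method"]))
    return sorted(flagged), compromised


if __name__ == "__main__":
    ips, hits = detect_brute_force(SAMPLE_LOG)
    print("brute-force sources:", ips)
    for ip, user, method in hits:
        print(f"ALERT: {ip} logged in as {user} via {method} after reaching the failure threshold")
```

On the sample input the detector flags 203.0.113.5 and reports the subsequent root login as a likely compromise, while alice's single typo followed by a public-key login from 198.51.100.7 is not flagged. In practice the same logic runs over `/var/log/auth.log` or `journalctl -u ssh` output, and a positive result is the cue to check the host for the follow-on activity the article describes (unexpected CPU-heavy processes, unfamiliar scan scripts and output files such as those named in the report).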