Careless Monitoring of Linux SSH Servers Attracts Cryptominers and DDoS Bots


Cybercriminals are targeting poorly managed Linux SSH servers to install malware for cryptomining or to carry out distributed denial of service attacks, researchers have found.

Poor password management and lax vulnerability patches can allow hackers to exploit servers for cybercrime, according to an AhnLab report released this week.

SSH servers provide secure remote access to a computer or server over a network. Once compromised, they can allow bad actors to infiltrate even more SSH servers and install additional malware. The more servers hackers control, the more cryptocurrencies they can mine or the bigger their DDoS attacks can become.

Before installing such malware, threat actors need to obtain information about their targets, including IP address and SSH account credentials. They perform an IP scan to identify servers with SSH service, then use familiar tools to collect the credentials, the researchers said.

Those methods are dictionary attacks, in which attackers attempt to gain unauthorized access to a system by trying a large set of predefined words as passwords, and brute force attacks, in which hackers try every possible password combination until the correct one is found.
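As an added illustration of the detection side of what the researchers describe (example code, not part of the article or the AhnLab report), the script below runs over a constructed sshd auth.log excerpt, flags source addresses whose failed logins reach a threshold, and separates a dictionary run (many usernames from one source) from a brute-force run against a single account; the log lines, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd auth.log excerpt (sample data, not from the article or the AhnLab report).
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Jan 10 03:12:02 host sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 50124 ssh2
Jan 10 03:12:03 host sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 50126 ssh2
Jan 10 03:12:04 host sshd[2107]: Failed password for root from 203.0.113.7 port 50128 ssh2
Jan 10 03:12:05 host sshd[2109]: Failed password for invalid user ubuntu from 203.0.113.7 port 50130 ssh2
Jan 10 03:14:10 host sshd[2201]: Failed password for root from 198.51.100.23 port 41000 ssh2
Jan 10 03:14:11 host sshd[2203]: Failed password for root from 198.51.100.23 port 41002 ssh2
Jan 10 03:14:12 host sshd[2205]: Failed password for root from 198.51.100.23 port 41004 ssh2
Jan 10 03:14:13 host sshd[2207]: Failed password for root from 198.51.100.23 port 41006 ssh2
Jan 10 03:14:14 host sshd[2209]: Failed password for root from 198.51.100.23 port 41008 ssh2
Jan 10 03:14:15 host sshd[2211]: Accepted password for root from 198.51.100.23 port 41010 ssh2
Jan 10 03:20:00 host sshd[2301]: Failed password for alice from 192.0.2.44 port 36000 ssh2
Jan 10 03:20:30 host sshd[2303]: Accepted publickey for alice from 192.0.2.44 port 36002 ssh2
"""

# Matches the two sshd auth outcomes we care about; "invalid user" marks a name with no local account.
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def analyze(log_text, threshold=5):
    """Return {ip: finding} for every source whose failed logins reach `threshold`."""
    per_ip = defaultdict(lambda: {"failed": 0, "users": set(), "success_after_failures": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = per_ip[m["ip"]]
        if m["result"] == "Failed":
            rec["failed"] += 1
            rec["users"].add(m["user"])
        elif m["method"] == "password" and rec["failed"] >= threshold:
            # A password success following a run of failures is the event that warrants a response.
            rec["success_after_failures"] = True
    findings = {}
    for ip, rec in per_ip.items():
        if rec["failed"] < threshold:
            continue
        # Many usernames from one source looks like a dictionary run; one username is brute force on that account.
        pattern = "dictionary (many usernames)" if len(rec["users"]) > 1 else "brute force (single account)"
        findings[ip] = {"failed": rec["failed"], "users": sorted(rec["users"]),
                        "pattern": pattern, "success_after_failures": rec["success_after_failures"]}
    return findings
```

Feeding the script a real journal export in the same format gives the per-source summary an administrator would use to decide which addresses to block and which accounts to audit.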

Malware strains found by AhnLab include ShellBot, Tsunami, ChinaZ DDoS Bot and XMRig CoinMiner. Bad actors may also choose to install only scanners, instead of malware, and sell the breached IP address and account credentials on the dark web.

The researchers did not specify who was behind these attacks. However, they noted that various hacker groups have used port scanners and SSH dictionary attack tools in the past, with each group using slightly different tools and files, including lists of account credentials.

AhnLab recommends that administrators maintain strong passwords, keep their server software up to date, and add security programs such as firewalls.


Daryna Antoniuk

Daryna Antoniuk is a freelance journalist for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe, and the state of the Ukraine-Russia cyberwar. She was previously a tech journalist for Forbes Ukraine. Her work has also been published in Sifted, The Kyiv Independent and The Kyiv Post.
