Defending against SSH brute force attacks is an important task for any dedicated server or virtual private server (VPS) owner. We all know that cleaning a compromised server can be extremely difficult, requiring a full wipe and reinstall, or restore from a clean backup.
What do the attackers do after breaking into a server? Well, most of them would try to download malicious programs and use the server to do bad things. But what programs do they download?
To help answer this question, I have compiled a list that summarizes malware caught in my Kippo SSH Honeypot. The honeypot was deployed on servers at multiple locations. Attackers downloaded those malware after "breaking in", and tried to run them (usually with nohup). Therefore, they are most likely used to launch DDoS attacks, or to do all kinds of other malicious stuff.
Hosted on GitHub, the list includes each malware sample's MD5 checksum, first/last seen dates, number of occurrences and possible filenames. You may use it to check for infected files on servers. However, please note that this list is by no means complete or accurate, and may contain false positives. Use at your own risk!
Link to the list: https://gist.github.com/hwdsl2/9737420
Example steps to check files in a directory:
1 - Browse to my list above, copy all lines and save to a file, e.g. mwlist.txt. Alternatively, you can download it.
2 - Cut out and sort the MD5 checksums of the list and save to a new file:
grep '^[^#]' mwlist.txt | cut -f1 -d ' ' | sort > mwlist-md5.txt
3 - Generate MD5 checksums of all files in a directory (e.g. /etc, or change to any directory you want to check):
find /etc -type f -print0 | xargs -0 md5sum > hash-etc.txt
4 - Cut out and sort the MD5 checksums:
cut -f1 -d ' ' hash-etc.txt | sort > hash-etc-md5.txt
5 - Use comm to find common lines between the two files:
comm -12 mwlist-md5.txt hash-etc-md5.txt
6 - Output from Step 5 shows any matching checksums between my list and files in the chosen directory. If not empty, identify individual file names with the following. Replace EACH_LINE_IN_OUTPUT with those from Step 5's output:
grep "EACH_LINE_IN_OUTPUT" hash-etc.txt
7 - Proceed to terminate the infected files' processes and remove them from your system, at your discretion.
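The seven steps above folded into a single script, as an added example that is not part of the original post. It assumes GNU coreutils (md5sum, comm, cut, sort, find, xargs) and a list file in the same layout as the gist: one sample per line, the MD5 as the first space-separated field, and '#' marking comment lines. The list contents, directory names and files in the demo function are constructed sample data, not entries from the real list.

```shell
#!/bin/sh
# Added example, not code from the original post or from the gist.
# Assumes GNU coreutils; the sample list and files below are constructed.
set -eu

# Step 2: drop comment lines, keep the first field (the MD5), sort and
# de-duplicate so comm(1) gets the sorted input it requires.
extract_list_md5s() {            # $1 = path to mwlist.txt; MD5s on stdout
    grep '^[^#]' "$1" | cut -f1 -d ' ' | sort -u
}

# Steps 3 to 6: hash every regular file under a directory, intersect the
# hash column with the list, then print "md5  path" for each hit so the
# matching file is named (replaces the manual grep per hash in step 6).
find_matches() {                 # $1 = mwlist.txt, $2 = directory to scan
    list_md5=$(mktemp)
    dir_hash=$(mktemp)
    extract_list_md5s "$1" > "$list_md5"
    # -print0/-0 keep file names with spaces or newlines intact
    find "$2" -type f -print0 | xargs -0 md5sum > "$dir_hash"
    cut -f1 -d ' ' "$dir_hash" | sort -u | comm -12 "$list_md5" - |
    while read -r md5; do
        # the hash came from this file, so -F (fixed string) always hits
        grep -F "$md5" "$dir_hash"
    done
    rm -f "$list_md5" "$dir_hash"
}

# Constructed demo: a three-line list in the gist's layout and a scan
# directory where exactly one file ("hello", MD5 5d41402a...) is listed.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/scan/bin"
    cat > "$work/mwlist.txt" <<'EOF'
# constructed sample list: md5 first_seen last_seen occurrences filenames
5d41402abc4b2a76b9719d911017c592 2014-03-01 2014-03-20 3 sample.bin
900150983cd24fb0d6963f7d28e17f72 2014-03-05 2014-03-18 1 x86
EOF
    printf 'hello' > "$work/scan/bin/sample.bin"   # on the list
    printf 'The quick brown fox jumps over the lazy dog' > "$work/scan/notes.txt"
    : > "$work/scan/empty"                          # empty file, not listed
    # print "md5 basename" so the result does not depend on the temp path
    find_matches "$work/mwlist.txt" "$work/scan" |
        awk '{ n = split($2, p, "/"); print $1, p[n] }'
    rm -rf "$work"
}

demo
```

Step 7 (what to do with a hit) is deliberately left to you: the script only names files, and a match on an MD5 from a third-party list is a reason to look at the file and its process, not proof on its own.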