Check Your Server for Malware from SSH Attacks

Defending against SSH brute force attacks is an important task for any dedicated server or virtual private server (VPS) owner. We all know that cleaning a compromised server can be extremely difficult, often requiring a full wipe and reinstall, or a restore from a clean backup.


What do the attackers do after breaking into a server? Well, most of them would try to download malicious programs and use the server to do bad things. But what programs do they download?

To help answer this question, I have compiled a list that summarizes malware caught in my Kippo SSH Honeypot. The honeypot was deployed on servers at multiple locations. Attackers downloaded these samples after "breaking in" and tried to run them (usually with nohup), so they are most likely used to launch DDoS attacks or to carry out other malicious activity.

Hosted on GitHub, the list includes each sample's MD5 checksum, first/last seen dates, number of occurrences and possible filenames. You may use it to check for infected files on servers. However, please note that this list is by no means complete or accurate, and may contain false positives. Use at your own risk!

Link to the list: https://gist.github.com/hwdsl2/9737420

Example steps to check files in a directory:

1 - Browse to my list above, copy all lines and save to a file, e.g. mwlist.txt. Alternatively, you can download it.

2 - Cut out and sort the MD5 checksums of the list and save to a new file:

grep '^[^#]' mwlist.txt | cut -f1 -d ' ' | sort > mwlist-md5.txt

3 - Generate MD5 checksums of all files in a directory (e.g. /etc, or change to any directory you want to check):

find /etc -type f -print0 | xargs -0 md5sum > hash-etc.txt  

4 - Cut out and sort the MD5 checksums:

cut -f1 -d ' ' hash-etc.txt | sort > hash-etc-md5.txt  

5 - Use comm to find common lines between the two files:

comm -12 mwlist-md5.txt hash-etc-md5.txt  

6 - The output from Step 5 shows any checksums that match between my list and the files in the chosen directory. If it is not empty, identify the individual file names with the following command, replacing EACH_LINE_IN_OUTPUT with each line of Step 5's output in turn:

grep "EACH_LINE_IN_OUTPUT" hash-etc.txt  

7 - Proceed to terminate the infected files' processes and remove them from your system, at your discretion.
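Steps 2 to 6 above can be chained into one script so that the whole check runs against any directory in a single command. The following is an added example written for this post, not a script from the original article or from the gist; it assumes only what the commands above already assume, namely that lines in the list starting with '#' are comments and that the MD5 is the first whitespace-separated field. The `demo` function builds a throwaway directory and a constructed list (the hashes in it are made up or computed on the spot, not real indicators) so the script can be tried offline before pointing `scan_dir` at a real directory.

```shell
#!/bin/sh
# Added example, not part of the original post: steps 2-6 as one function.
# Assumes the list layout implied above: '#' lines are comments, MD5 is field 1.
set -eu

# scan_dir LIST DIR
# Prints "md5  path" for every regular file under DIR whose MD5 appears in LIST.
scan_dir() {
    list="$1"; dir="$2"
    tmp=$(mktemp -d)
    # Step 2: MD5 column of the list, sorted and deduplicated (comm needs sorted input)
    grep '^[^#]' "$list" | cut -f1 -d ' ' | sort -u > "$tmp/mwlist-md5.txt"
    # Step 3: hash every regular file; -exec ... + copes with odd filenames and empty dirs
    find "$dir" -type f -exec md5sum {} + > "$tmp/hash.txt"
    # Step 4: hash column only, sorted
    cut -f1 -d ' ' "$tmp/hash.txt" | sort -u > "$tmp/hash-md5.txt"
    # Step 5: common checksums; Step 6: map each one back to its filename(s)
    comm -12 "$tmp/mwlist-md5.txt" "$tmp/hash-md5.txt" | while read -r h; do
        grep "^$h " "$tmp/hash.txt"
    done
    rm -rf "$tmp"
}

# demo: constructed sample data (not real indicators). Plants one file whose
# hash is put into a constructed list and returns the scan output.
demo() {
    work=$(mktemp -d)
    mkdir "$work/scan"
    printf 'benign config\n' > "$work/scan/clean.conf"
    printf 'constructed sample payload\n' > "$work/scan/.x"
    planted=$(md5sum "$work/scan/.x" | cut -f1 -d ' ')
    # Constructed list: same shape as the gist (comment line, then MD5 first),
    # the second hash is a placeholder that matches nothing.
    cat > "$work/mwlist.txt" <<EOF
# MD5 first_seen last_seen count filenames (constructed entries)
$planted 2014-01-01 2014-03-01 3 .x,nohup.out
00000000000000000000000000000000 2014-02-01 2014-02-01 1 placeholder
EOF
    scan_dir "$work/mwlist.txt" "$work/scan"
    rm -rf "$work"
}
```

Run `scan_dir mwlist.txt /etc` to reproduce steps 2-6 for a real directory; `demo` should print exactly one line, the planted `.x` file, and nothing for `clean.conf`. Because the hidden file is found by `find -type f` rather than by name, the same call also surfaces dotfiles or oddly named files that an `ls` would hide.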

Return to Lin's Tech Blog Homepage