
Hackers infect Linux SSH servers with Tsunami botnet malware



Via Bleeping Computer:

An unknown threat actor is brute-forcing Linux SSH servers to install a wide range of malware, including the Tsunami DDoS (distributed denial of service) bot, ShellBot, log cleaners, privilege escalation tools, and an XMRig (Monero) coin miner.

SSH (Secure Socket Shell) is an encrypted network communication protocol for logging into remote machines, supporting tunneling, TCP port forwarding, file transfers, etc.

Network administrators typically use SSH to manage Linux devices remotely, performing tasks such as running commands, changing the configuration, updating software, and troubleshooting problems.

However, if those servers are poorly secured, they might be vulnerable to brute force attacks, allowing threat actors to try out many potential username-password combinations until a match is found.

See the referenced article for additional information.



Looks to be very easy to block and doesn't make it out of userspace. Basically use a strong password or disable passwords and only use keys, use fail2ban and other things.
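The "disable passwords and only use keys" advice above comes down to a handful of sshd_config directives. The following is an added example, not code from the thread or from the OpenSSH project: a small audit script that parses an sshd_config the way sshd does (first occurrence of a directive wins, parsing stops at the first Match block) and flags the settings that leave password guessing possible. The two config texts are constructed samples, and the defaults table assumes OpenSSH 8.7 or later (older releases default PermitRootLogin to yes and spell KbdInteractiveAuthentication as ChallengeResponseAuthentication).

```python
import re

# Constructed permissive sshd_config, typical of a default install
# (sample input, not from any real host or from the article).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
# A duplicate later in the file does not win: sshd uses the first value.
PasswordAuthentication no
"""

# Constructed hardened counterpart: key-only logins, no root, fewer tries.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 20
"""

# Values sshd applies when a directive is absent (assumption: OpenSSH 8.7+).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "maxauthtries": "6",
}
# Pre-8.7 spelling of the same directive.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted.
DIRECTIVE_RE = re.compile(r"^(\w+)\s*=?\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return {lowercased keyword: first value}. OpenSSH keeps the first
    occurrence of a directive, so later duplicates are ignored. Parsing
    stops at the first Match block, whose directives are conditional and
    would need the match criteria evaluated to know if they apply."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        key = ALIASES.get(key, key)
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(settings):
    """Return [(keyword, finding)] for settings that let an attacker guess
    passwords over SSH; an empty list means nothing was flagged."""
    def effective(key):
        return settings.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if effective("passwordauthentication") == "yes":
        findings.append(("PasswordAuthentication",
                         "password logins enabled; set to 'no' and use keys"))
    if effective("kbdinteractiveauthentication") == "yes":
        findings.append(("KbdInteractiveAuthentication",
                         "with UsePAM, keyboard-interactive can still prompt "
                         "for a password; set to 'no'"))
    if effective("permitrootlogin") == "yes":
        findings.append(("PermitRootLogin",
                         "root accepts passwords; use 'no' or 'prohibit-password'"))
    try:
        tries = int(effective("maxauthtries"))
    except ValueError:
        tries = None
    if tries is None or tries > 3:
        findings.append(("MaxAuthTries",
                         "more than 3 attempts per connection; lower it so "
                         "failed-login limits bite sooner"))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. /etc/ssh/sshd_config) to audit a real file;
    # with no argument the constructed weak sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    results = audit(parse_sshd_config(text))
    for key, msg in results or [("OK", "no password-guessing exposure found")]:
        print(f"{key}: {msg}")
```

Before switching PasswordAuthentication to no on a real host, confirm a key login works from a second session, then validate the file with `sshd -t` and reload the service; a typo in sshd_config otherwise locks you out along with the attacker.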



There are a number of ways to protect your SSH credentials from brute force attacks. The most common and effective way is to use a strong password. A strong password should be at least eight characters long and should include a mix of letters, numbers, and symbols. It should also be changed regularly.

Another way to protect your SSH credentials from brute force attacks is to use two-factor authentication. Two-factor authentication requires users to provide both a password and a code generated by an authenticator app or device in order to log in. This makes it much more difficult for attackers to gain access to your account, even if they have your password.


You can also protect your SSH credentials by limiting the number of failed login attempts. After a certain number of failed login attempts, the account will be locked and the user will need to contact an administrator in order to regain access.


Finally, you can use a tool like fail2ban to automatically ban IP addresses that are associated with brute force attacks. This will prevent the attacker from even attempting to log in, as their IP address will be blocked....
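The "limit failed attempts" and fail2ban points in the post above both rest on the same mechanism: count failures per source address inside a sliding time window and act once a threshold is crossed. The following is an added example, not code from the thread or from the fail2ban project: a replay of fail2ban's sshd jail logic (maxretry failures within findtime) over a constructed block of auth.log lines. Only "Failed password" lines are counted, so one login attempt counts once even though sshd also logs an "Invalid user" line for unknown accounts. The log lines, hostnames and addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not real traffic).
# 203.0.113.5 hammers the server; 198.51.100.7 is a user who mistyped once;
# 203.0.113.9 is a low-and-slow guesser spacing attempts 3 minutes apart.
SAMPLE_LOG = """\
Jun 20 10:15:01 srv sshd[1201]: Invalid user admin from 203.0.113.5 port 51200
Jun 20 10:15:01 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51200 ssh2
Jun 20 10:15:04 srv sshd[1203]: Failed password for root from 203.0.113.5 port 51202 ssh2
Jun 20 10:15:06 srv sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51204 ssh2
Jun 20 10:15:09 srv sshd[1207]: Failed password for invalid user test from 203.0.113.5 port 51206 ssh2
Jun 20 10:15:12 srv sshd[1209]: Failed password for root from 203.0.113.5 port 51208 ssh2
Jun 20 10:16:00 srv sshd[1211]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jun 20 10:16:30 srv sshd[1213]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2: ED25519 SHA256:AAAA
Jun 20 11:40:00 srv sshd[1300]: Failed password for root from 203.0.113.9 port 33000 ssh2
Jun 20 11:43:00 srv sshd[1302]: Failed password for root from 203.0.113.9 port 33002 ssh2
Jun 20 11:46:00 srv sshd[1304]: Failed password for root from 203.0.113.9 port 33004 ssh2
Jun 20 11:49:00 srv sshd[1306]: Failed password for root from 203.0.113.9 port 33006 ssh2
Jun 20 11:52:00 srv sshd[1308]: Failed password for root from 203.0.113.9 port 33008 ssh2
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Only this message is counted as a failed attempt.
FAIL_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")


def detect_bans(log_text, maxretry=5, findtime_s=600, year=2023):
    """Replay log lines (assumed chronological) and return (bans, attempts).

    bans maps an IP to the timestamp at which it reached maxretry failures
    inside one findtime_s-second window; attempts maps every failing IP to
    its total number of failed logins. Defaults match a typical fail2ban
    sshd jail (maxretry 5, findtime 10m); year is assumed, not logged."""
    window = defaultdict(deque)   # per-IP timestamps still inside findtime
    attempts = defaultdict(int)
    bans = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.match(m.group("msg"))
        if not f:
            continue  # "Invalid user", "Accepted ..." etc. are not failures
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ip = f.group("ip")
        attempts[ip] += 1
        if ip in bans:
            continue  # a real jail would have dropped this packet already
        q = window[ip]
        q.append(ts)
        # Slide the window: forget failures older than findtime.
        while (ts - q[0]).total_seconds() > findtime_s:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans, dict(attempts)


if __name__ == "__main__":
    bans, attempts = detect_bans(SAMPLE_LOG)
    for ip, count in attempts.items():
        state = f"BANNED at {bans[ip]}" if ip in bans else "not banned"
        print(f"{ip:<14} failures={count} {state}")
```

Note what the window does to the third address: five failures spread over twelve minutes never put five inside a ten-minute findtime, so with default settings it is never banned even though it made as many attempts as the fast scanner. That is the gap a slow brute-forcer relies on, and the reason the key-only and MaxAuthTries settings matter on top of fail2ban rather than instead of it; raising findtime (or lowering maxretry) closes it at the cost of more false positives on users who mistype.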




Fail2Ban is too common for those who use ssh to not implement. Basically another one of those 'poorly implemented services' attacks.

