
May 16, 2024

Persistent SSH Backdoor Infects 400,000 Linux Servers Over 15 Years and Continues to Spread

Dan Goodin – May 15, 2024 4:56 pm UTC

From 2009 to 2011, the infrastructure used to maintain and distribute the Linux kernel was infected. Sophisticated malware gained access to the /etc/shadow files, a root-only resource that stored the hashed passwords of more than 550 system users. Researchers disclosed this on Tuesday.

According to researchers from security firm ESET, the compromise was carried out by unknown attackers who infected at least four servers within kernel.org, the domain at the core of the Linux development and distribution network. Having obtained the password hashes of 551 user accounts on the network, the attackers recovered plaintext passwords for half of them, most likely through a combination of the credential-stealing features built into the malware and offline password cracking. The attackers used the servers to send spam and perform other malicious activity. The four servers are believed to have been infected and cleaned at different times, with the last two remediated by 2011.

Beyond disclosing the number of compromised user accounts, representatives of the Linux Kernel Organization have declined to share further details about the infection.

A 47-page report summarizing Ebury's 15-year history states that the infection of the kernel.org network began in 2009, two years earlier than the network was previously known to have been compromised. The report also states that since 2009 the OpenSSH-resident malware has infected more than 400,000 servers. All of the infected servers ran Linux, except for roughly 400 FreeBSD servers, a dozen running OpenBSD and SunOS, and at least one Mac.

Researcher Marc-Etienne M. Léveillé described the incident in more detail in the report:

Between 2009 and 2011, Ebury was installed on at least four servers owned by the Linux Foundation. It appears that these servers were serving as mail servers, name servers, mirrors, and source code repositories when they were compromised. The exact time when Ebury was removed from each server is unknown. However, given the discovery of Ebury in 2011, it is probable that two of the servers were compromised for approximately two years, one for one year, and the remaining one for about six months.

Hackers also managed to obtain copies of the /etc/shadow files, which contained 551 unique username and hashed password pairs in total. Surprisingly, the attackers possessed the clear text passwords for 275 of those users, which is 50% of the total. The clear text passwords were likely acquired using the installed Ebury credential stealer and by brute force.
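The passage above describes stolen /etc/shadow contents being cracked offline. As an added example, not part of the article or of ESET's report, the following script shows the check a defender runs after such a theft: parse shadow-format entries, identify the hash scheme by its crypt(3) prefix, and list accounts whose hashes are cheap to crack (DES crypt, md5crypt), empty, or unrecognised, so they can be rotated or locked. The sample entries and the strength verdicts per scheme are this example's own constructed data and assumptions.

```python
"""Audit /etc/shadow-style entries for weak or empty password hashes.

Added example, not code from the article or from ESET. The input below is
constructed sample data; the hash strings are illustrative, not real hashes.
"""

# Map the crypt(3) hash prefix to a scheme name and a rough strength verdict.
# The verdicts are this example's assumption, based on how cheap offline
# guessing is against each scheme; DES crypt and md5crypt are the cheap ones.
SCHEMES = {
    "$1$": ("md5crypt", "weak"),
    "$2a$": ("bcrypt", "ok"),
    "$2b$": ("bcrypt", "ok"),
    "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256crypt", "ok"),
    "$6$": ("sha512crypt", "ok"),
    "$7$": ("scrypt", "ok"),
    "$y$": ("yescrypt", "ok"),
    "$gy$": ("gost-yescrypt", "ok"),
}


def classify_hash(field):
    """Return (scheme, verdict) for one shadow password field."""
    if field == "":
        return ("empty", "critical")         # no password required at all
    if field.startswith(("!", "*")):
        return ("locked", "locked")          # password login disabled
    for prefix, (name, verdict) in SCHEMES.items():
        if field.startswith(prefix):
            return (name, verdict)
    if len(field) == 13 and "$" not in field:
        return ("descrypt", "weak")          # traditional DES crypt, 8-char limit
    return ("unknown", "review")


def audit_shadow(text):
    """Parse shadow-format text and return one finding dict per account."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: malformed shadow entry")
        user, pw_field = fields[0], fields[1]
        scheme, verdict = classify_hash(pw_field)
        findings.append({"user": user, "scheme": scheme, "verdict": verdict})
    return findings


def accounts_needing_action(findings):
    """Users whose passwords must be reset or whose accounts must be locked."""
    return sorted(f["user"] for f in findings
                  if f["verdict"] in ("weak", "critical", "review"))


# Constructed sample shadow file (illustrative hash strings, not real ones).
SAMPLE_SHADOW = """\
root:$6$rounds=5000$salt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ:19500:0:99999:7:::
alice:$y$j9T$saltsalt$hashhashhashhashhashhash:19500:0:99999:7:::
bob:$1$saltsalt$legacymd5hashxxxxxxxxx:19500:0:99999:7:::
carol:abJnggxhB/yWI:19500:0:99999:7:::
dave::19500:0:99999:7:::
svc-mirror:!:19500:0:99999:7:::
sshd:*:19500:0:99999:7:::
"""

if __name__ == "__main__":
    results = audit_shadow(SAMPLE_SHADOW)
    for f in results:
        print(f"{f['user']:12} {f['scheme']:14} {f['verdict']}")
    print("needs action:", accounts_needing_action(results))
```

Run it against a real shadow file with `audit_shadow(open("/etc/shadow").read())` as root. Once a shadow file is known to be stolen, even accounts with a strong scheme should have their passwords rotated; the script only prioritises which ones an attacker can crack cheaply.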

The researcher said in an email that the Ebury and Phalanx intrusions appear to be separate breaches by two unrelated threat groups. Representatives of the Linux Kernel Organization did not reply to emails asking whether they were aware of the ESET report or whether its assertions were accurate. There is no evidence that either intrusion led to tampering with the Linux kernel source code.
