The Russian anti-virus vendor Doctor Web has published an investigation into the compromise of web servers running the Linux operating system.
According to its analysts, one method used to steal passwords from Linux servers is a Trojan named Linux.Sshdkit. The malware is a dynamic library that runs on both 32-bit and 64-bit Linux distributions.
The analysts have not yet fully established the mechanism used to steal the passwords. They did determine, however, that the malware is installed on the targeted server by exploiting a critical vulnerability.
Once installed on the system, the Trojan attaches itself to the sshd process and captures authentication data. The captured credentials are then sent to a remote server controlled by the attackers. The address of that command server is regenerated every two days, and Doctor Web describes the algorithm as follows: “Linux.Sshdkit uses a special algorithm to generate two DNS names; if both resolve to the same IP address, that address is transformed into a different IP address, to which the stolen information is sent.”
Security specialists managed to intercept traffic destined for one of the Trojan's control servers using the sinkhole method, which confirmed that usernames and passwords stolen from compromised servers were being transmitted to it.
Doctor Web's specialists recommend that administrators of Linux servers check their systems. “One sign of infection can be the presence of a library /lib/libkeyutils* of 20 to 35 KB in size,” they said.
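The following Python script is an added example (not Doctor Web's own tooling) that turns the published indicator into a repeatable host check: it looks for files named libkeyutils* in the standard library directories whose size falls in the 20 to 35 KB range, and it parses /proc/<pid>/maps of running sshd processes to report any libkeyutils library mapped into them. The directory list, the sample map lines and the sample file sizes are assumptions constructed for the example; the size thresholds and the file-name pattern come from the article.

```python
import os
from pathlib import Path

# Indicator from the article: a /lib/libkeyutils* file of 20 to 35 KB.
MIN_SIZE = 20 * 1024
MAX_SIZE = 35 * 1024
NAME_PREFIX = "libkeyutils"
# Assumed search locations; extend for your distribution's layout.
LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/lib/x86_64-linux-gnu")


def is_suspicious_size(size_bytes):
    """True when the size lies within the range reported for the Trojan."""
    return MIN_SIZE <= size_bytes <= MAX_SIZE


def flag_candidates(entries):
    """entries: iterable of (path, size_bytes). Returns paths that match
    both the name pattern and the size range of the indicator."""
    flagged = []
    for path, size in entries:
        if os.path.basename(path).startswith(NAME_PREFIX) and is_suspicious_size(size):
            flagged.append(path)
    return flagged


def scan_lib_dirs(dirs=LIB_DIRS):
    """Collect every libkeyutils* file under the given directories with its
    size, then apply flag_candidates(). Symlinks are followed so that the
    size of the real object file is measured."""
    entries = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for child in base.iterdir():
            if child.name.startswith(NAME_PREFIX) and child.is_file():
                entries.append((str(child), child.stat().st_size))
    return flag_candidates(entries)


def libs_mapped_in_process(maps_text):
    """Parse the text of /proc/<pid>/maps and return the set of mapped file
    paths whose basename starts with libkeyutils."""
    found = set()
    for line in maps_text.splitlines():
        # Format: address perms offset dev inode [pathname]
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/"):
            path = parts[5].strip()
            if os.path.basename(path).startswith(NAME_PREFIX):
                found.add(path)
    return found


def sshd_pids():
    """PIDs of processes whose comm name is sshd (Linux /proc only)."""
    pids = []
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            if (entry / "comm").read_text().strip() == "sshd":
                pids.append(int(entry.name))
        except OSError:
            continue  # process exited or is not readable
    return pids


def check_sshd_processes():
    """Map each sshd PID to the libkeyutils libraries loaded into it."""
    report = {}
    for pid in sshd_pids():
        try:
            maps = Path(f"/proc/{pid}/maps").read_text()
        except OSError:
            continue
        libs = libs_mapped_in_process(maps)
        if libs:
            report[pid] = libs
    return report


# Constructed sample /proc/<pid>/maps excerpt used for the demonstration below.
SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c006000 r-xp 00000000 08:01 1234  /lib/x86_64-linux-gnu/libkeyutils.so.1.4
7f3a1c006000-7f3a1c205000 ---p 00006000 08:01 1234  /lib/x86_64-linux-gnu/libkeyutils.so.1.4
7f3a1c400000-7f3a1c5c0000 r-xp 00000000 08:01 5678  /lib/x86_64-linux-gnu/libc-2.13.so
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0     [stack]
"""

if __name__ == "__main__":
    print("size-range matches:", scan_lib_dirs())
    print("sshd processes with libkeyutils mapped:", check_sshd_processes())
    print("sample parse:", libs_mapped_in_process(SAMPLE_MAPS))
```

The size range is a weak signal on its own, because a legitimate libkeyutils is also a small library, so treat a hit as a reason to verify the file against the package manager's records (for example `dpkg -V` or `rpm -V` on the owning package) rather than as proof of infection.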