SlideShare a Scribd company logo

SSH Brute Force Attack

Download as PPTX, PDF
G
Groots Software Technologies.

The document discusses a ssh brute force attack on an AWS blockchain instance, highlighting continuous CPU utilization increases and a malware known as 'shellbot' that exploits SSH vulnerabilities for unauthorized access. It details methods for observing and mitigating the attack, including reviewing SSH logs, checking user authentication attempts, and removing unnecessary cron jobs. Recommendations include navigating suspicious directories, validating outbound connections, and terminating insecure processes.

Software
1 of 10
Download to read offline
1
2
3
4
5
Most read
6
Most read
7
8
9
Most read
10
SSH Brute Force Attack On AWS Blockchain Instance GROOTS AWS.
1. Continuously CPU utilization increased by kswap0 process. 2. It breached 100% CPU utilization. 3. Un-necessary SSH attempts get increased. Impact
One of the malware trying to penetrate the network of our customer who used aws blockchain server. That malware is known as “Shellbot”. The botnet uses brute force and SSH exploit (exploit Shellshock Flaw and vulnerability) to achieve remote access to the target systems, including blockchain server. Summary
Technical Observation In next slide attached brute attack diagram, it shows SSH brute force attack. The SSH access or auth log shows request come from different IP’s and user’s. Using this trick, brute force is able to bypass lockout login mechanism such as Fail2ban. Once instance is fully compromised, attacker installed hacking suite. All the malicious logic is managed by bash or perl scripts.
SSH Brute Attack - SSH Observation ● Check SSH auth login log file - cat /var/log/auth.log | tail cat /var/log/auth.log | egrep -i fail
Malicious directory
SSH Brute Attack - SSH Observation ● Check SSH auth login log file - $ cat /var/log/auth.log | tail $ cat /var/log/auth.log | egrep -i fail ● Get the total SSH user login attempts. $ cat /var/log/auth.log | egrep -i fail | egrep -i “invalid user” | wc -l ● Get the SSH user login name list & count. $ cat /var/log/auth.log | egrep -i fail | egrep -i “invalid user” | cut -d ‘ ‘ -f11 | sort | uniq -c | sort -nr | head
● Find out un-necessary cron jobs of all system users & remove it. $ sed 's/^([^:]*):.*$/crontab -u 1 -l 2>&1/' /etc/passwd | grep -v "no crontab for" | sh Expected output - 1 1 */2 * * /var/lib/postgresql/.configrc/a/upd>/dev/null 2>&1 @reboot /var/lib/postgresql/.configrc/a/upd>/dev/null 2>&1 5 8 * * 0 /var/lib/postgresql/.configrc/b/sync>/dev/null 2>&1 @reboot /var/lib/postgresql/.configrc/b/sync>/dev/null 2>&1 0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1 SSH Brute Attack - Observation & Action
● Navigate to the directories which are observed in unrelated cron jobs and remove unrelated executable files. ● Verify the valid outbound connections established from the server to other hosts. $netstat -tupn | grep -E "*ESTABLISHED" Expected output: 172.31.44.75:45280 212.227.140.133:22 ESTABLISHED 18631/tsm ● In case the connections are unrelated and suspicious, check the details using its PID and kill such suspected processes. $ lsof 18631 $ kill 18631 SSH Brute Attack - Observation & Action
Thank you !!! Groots Software Technologies. Would you recommend this solution? Write your review here.

More Related Content

PPTX
Cyber Security Fundamentals
Apurv Singh Gautam
 
PDF
Diagrama y algoritmo de mantenimiento preventivo de hardware
valeriaturururu
 
PPTX
Basic computer fundamentals
Saraswati yadav
 
PPTX
Manual ensamble y desensamble
POSTRE EXPRESS S.A
 
PPTX
malware
Deepak Chawla
 
DOCX
Hardware-para-sexto-de-primaria (1).docx
CynthiaSalinas18
 
PDF
Plan de mantenimiento preventivo de Software y Hardware
manuelggonzalesmacha
 
PDF
ÁREAS RESERVADAS A FAVOR DE YPFB-2018
Carlos Delgado
 
Cyber Security Fundamentals
Apurv Singh Gautam
 
Diagrama y algoritmo de mantenimiento preventivo de hardware
valeriaturururu
 
Basic computer fundamentals
Saraswati yadav
 
Manual ensamble y desensamble
POSTRE EXPRESS S.A
 
malware
Deepak Chawla
 
Hardware-para-sexto-de-primaria (1).docx
CynthiaSalinas18
 
Plan de mantenimiento preventivo de Software y Hardware
manuelggonzalesmacha
 
ÁREAS RESERVADAS A FAVOR DE YPFB-2018
Carlos Delgado
 

What's hot (12)

PDF
Cyber Security: Why your business needs protection & prevention measures
CBIZ, Inc.
 
DOCX
Disposiciones antes de entrar a la sala de computo
Renzo Cortez
 
ODT
Seguridad informatica
elkincarmonaerazo
 
PPT
Mca i-fundamental of computer-u-1-computer hardware system
Rai University
 
PPT
¿Qué es el software?
Joel Carranza
 
PPTX
Cyber security
SaurabhKaushik57
 
PPTX
Mantenimiento de la pc
Carmen Rizk
 
DOCX
Ficha técnica de equipos de computo full
Katherine Arenas Marin
 
PPT
Spyware
Babur Rahmadi
 
DOCX
Defensa de Red - Seguridad Informática
CarlosJesusKooLabrin
 
PPTX
Normas de higiene y seguridad de un centro de computo
adan95
 
PPTX
Interrupciones
jcarlosl
 
Cyber Security: Why your business needs protection & prevention measures
CBIZ, Inc.
 
Disposiciones antes de entrar a la sala de computo
Renzo Cortez
 
Seguridad informatica
elkincarmonaerazo
 
Mca i-fundamental of computer-u-1-computer hardware system
Rai University
 
¿Qué es el software?
Joel Carranza
 
Cyber security
SaurabhKaushik57
 
Mantenimiento de la pc
Carmen Rizk
 
Ficha técnica de equipos de computo full
Katherine Arenas Marin
 
Spyware
Babur Rahmadi
 
Defensa de Red - Seguridad Informática
CarlosJesusKooLabrin
 
Normas de higiene y seguridad de un centro de computo
adan95
 
Interrupciones
jcarlosl
 
Ad

Similar to SSH Brute Force Attack (20)

PDF
Linux Hardening - Made Easy
Guy Barnhart-Magen
 
PPTX
AWS SSH Bastion
Groots Software Technologies.
 
PDF
Linux security quick reference guide
Craig Cannon
 
PDF
SSH.pdf
AnisSalhi3
 
PDF
SSH: Seguranca no Acesso Remoto
Tiago Cruz
 
PPT
Presentation nix
fangjiafu
 
PPT
Presentation nix
fangjiafu
 
PDF
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
APNIC
 
PPTX
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon
 
DOCX
Cent os 5 ssh
Alejandro Besne
 
PDF
Hack the box open admin writeup
tamlaiyin
 
PPTX
Applying ML for Log Analysis
DoiT International
 
PPTX
Server hardening
Teja Babu
 
PDF
An introduction to SSH
nussbauml
 
PDF
Fail2ban - the system security for green hand -on linux os
Samina Fu (Shan Jung Fu)
 
PDF
CentOS Linux Server Hardening
MyOwn Telco
 
PDF
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
TXT
Linuxserver harden
Gregory Hanis
 
PPT
China.z / Trojan.XorDDOS - Analysis of a hack
hendrikvb
 
PPTX
Security Walls in Linux Environment: Practice, Experience, and Results
Igor Beliaiev
 
Linux Hardening - Made Easy
Guy Barnhart-Magen
 
AWS SSH Bastion
Groots Software Technologies.
 
Linux security quick reference guide
Craig Cannon
 
SSH.pdf
AnisSalhi3
 
SSH: Seguranca no Acesso Remoto
Tiago Cruz
 
Presentation nix
fangjiafu
 
Presentation nix
fangjiafu
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
APNIC
 
DevSecCon Singapore 2018 - System call auditing made effective with machine l...
DevSecCon
 
Cent os 5 ssh
Alejandro Besne
 
Hack the box open admin writeup
tamlaiyin
 
Applying ML for Log Analysis
DoiT International
 
Server hardening
Teja Babu
 
An introduction to SSH
nussbauml
 
Fail2ban - the system security for green hand -on linux os
Samina Fu (Shan Jung Fu)
 
CentOS Linux Server Hardening
MyOwn Telco
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
Linuxserver harden
Gregory Hanis
 
China.z / Trojan.XorDDOS - Analysis of a hack
hendrikvb
 
Security Walls in Linux Environment: Practice, Experience, and Results
Igor Beliaiev
 
Ad

Recently uploaded (20)

PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
PDF
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
PPTX
Weekly report ppt - harsh dattuprasad patel.pptx
bikerslovers123
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PPTX
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PPTX
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
PDF
Cost to Outsource Software Development in 2025
Omega Incorporations- Best Software Development Company
 
PPTX
Monitoring Stack: Grafana, Loki & Promtail
GhanshyamSwami3
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PDF
iTop VPN Crack Latest Version Full Key 2025
hashmianya37
 
PDF
CCleaner Pro 6.38.11537 Crack Final Latest Version 2025
itskinga12
 
PDF
AutoCAD Professional Crack 2025 With License Key
youngle786g
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
PDF
Download FL Studio Crack Latest version 2025 ?
ghrom2211g
 
PPTX
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
PPTX
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
Weekly report ppt - harsh dattuprasad patel.pptx
bikerslovers123
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
Cost to Outsource Software Development in 2025
Omega Incorporations- Best Software Development Company
 
Monitoring Stack: Grafana, Loki & Promtail
GhanshyamSwami3
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
iTop VPN Crack Latest Version Full Key 2025
hashmianya37
 
CCleaner Pro 6.38.11537 Crack Final Latest Version 2025
itskinga12
 
AutoCAD Professional Crack 2025 With License Key
youngle786g
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
Download FL Studio Crack Latest version 2025 ?
ghrom2211g
 
Oracle Fusion HCM Cloud Demo for Beginners
DharanOracleerp
 
Log360_SIEM_Solutions Overview PPT_Feb 2020.pptx
nonameist3434
 

SSH Brute Force Attack

  • 1. SSH Brute Force Attack On AWS Blockchain Instance GROOTS AWS.
  • 2. 1. Continuously CPU utilization increased by kswap0 process. 2. It breached 100% CPU utilization. 3. Un-necessary SSH attempts get increased. Impact
  • 3. One of the malware trying to penetrate the network of our customer who used aws blockchain server. That malware is known as “Shellbot”. The botnet uses brute force and SSH exploit (exploit Shellshock Flaw and vulnerability) to achieve remote access to the target systems, including blockchain server. Summary
  • 4. Technical Observation In next slide attached brute attack diagram, it shows SSH brute force attack. The SSH access or auth log shows request come from different IP’s and user’s. Using this trick, brute force is able to bypass lockout login mechanism such as Fail2ban. Once instance is fully compromised, attacker installed hacking suite. All the malicious logic is managed by bash or perl scripts.
  • 5. SSH Brute Attack - SSH Observation ● Check SSH auth login log file - cat /var/log/auth.log | tail cat /var/log/auth.log | egrep -i fail
  • 7. SSH Brute Attack - SSH Observation ● Check SSH auth login log file - $ cat /var/log/auth.log | tail $ cat /var/log/auth.log | egrep -i fail ● Get the total SSH user login attempts. $ cat /var/log/auth.log | egrep -i fail | egrep -i “invalid user” | wc -l ● Get the SSH user login name list & count. $ cat /var/log/auth.log | egrep -i fail | egrep -i “invalid user” | cut -d ‘ ‘ -f11 | sort | uniq -c | sort -nr | head
  • 8. ● Find out un-necessary cron jobs of all system users & remove it. $ sed 's/^([^:]*):.*$/crontab -u 1 -l 2>&1/' /etc/passwd | grep -v "no crontab for" | sh Expected output - 1 1 */2 * * /var/lib/postgresql/.configrc/a/upd>/dev/null 2>&1 @reboot /var/lib/postgresql/.configrc/a/upd>/dev/null 2>&1 5 8 * * 0 /var/lib/postgresql/.configrc/b/sync>/dev/null 2>&1 @reboot /var/lib/postgresql/.configrc/b/sync>/dev/null 2>&1 0 0 */3 * * /tmp/.X25-unix/.rsync/c/aptitude>/dev/null 2>&1 SSH Brute Attack - Observation & Action
  • 9. ● Navigate to the directories which are observed in unrelated cron jobs and remove unrelated executable files. ● Verify the valid outbound connections established from the server to other hosts. $netstat -tupn | grep -E "*ESTABLISHED" Expected output: 172.31.44.75:45280 212.227.140.133:22 ESTABLISHED 18631/tsm ● In case the connections are unrelated and suspicious, check the details using its PID and kill such suspected processes. $ lsof 18631 $ kill 18631 SSH Brute Attack - Observation & Action
  • 10. Thank you !!! Groots Software Technologies. Would you recommend this solution? Write your review here.