U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New ShellBot bot targets poorly managed Linux SSH Servers

New ShellBot DDoS bot malware, aka PerlBot, is targeting poorly managed Linux SSH servers, ASEC researchers warn. AhnLab Security Emergency response Center (ASEC) discovered a new variant of the ShellBot malware that was employed in a campaign that targets poorly managed Linux SSH servers. The ShellBot, also known as PerlBot, is a Perl-based DDoS bot that uses IRC […]

RAT

New ShellBot DDoS bot malware, aka PerlBot, is targeting poorly managed Linux SSH servers, ASEC researchers warn.

AhnLab Security Emergency response Center (ASEC) discovered a new variant of the ShellBot malware that was employed in a campaign that targets poorly managed Linux SSH servers.

The ShellBot, also known as PerlBot, is a Perl-based DDoS bot that uses IRC protocol for C2 communications.

The ShellBot performs SSH bruteforce attacks on servers that have port 22 open, it uses a dictionary containing a list of known SSH credentials.

“The ShellBot malware strains that are going to be covered in this post are believed to have been installed after threat actors used account credentials that have been obtained through the use of scanners and SSH BruteForce malware on target systems.” reads the ASEC’s report. “After scanning systems that have operational port 22s, threat actors search for systems where the SSH service is active and uses a list of commonly used SSH account credentials to initiate their dictionary attack.”

Below is a list of the account credentials used by ShellBot operators to compromise the target servers:

UserPassword
deploypassword
hadoophadoop
oracleoracle
root11111
rootPassw0rd
ttxttx2011
ubntubnt

The researchers categorized the ShellBot into three different groups since threat actors can create their own versions: LiGhT’s Modded perlbot v2, DDoS PBot v2.0, and PowerBots (C) GohacK.

LiGhT’s Modded perlbot v2 and DDoS PBot v2.0 supports multiple DDoS attack commands using HTTP, TCP, and UDP protocols. The PowerBots (C) GohacK supports backdoor features, including reverse shell and file downloading capabilities.

The researchers recommend using strong passwords for admin accounts and changing them periodically to protect the Linux server from brute force attacks and dictionary attacks. They also recommend keeping the servers up to date and using security programs.

“If ShellBot is installed, Linux servers can be used as DDoS Bots for DDoS attacks against specific targets after receiving a command from the threat actor. Moreover, the threat actor could use various other backdoor features to install additional malware or launch different types of attacks from the compromised server.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ShellBot)