Investigating an SSH Brute‑Force Compromise and Hidden Mining Malware on a Linux Server
A client reported unexpected outbound attack traffic from a server, prompting a step‑by‑step forensic investigation that confirms an SSH brute‑force breach, analyzes logs, identifies malicious network connections and cron jobs, uncovers hidden mining malware, and provides hardening recommendations to secure the Linux host.
1. Confirm Security Incident
The client received an alert from their telecom‑managed data center indicating outbound attack traffic from one of their servers. Communication with the server’s operations team revealed that the service, originally intended for internal‑network use only, had been exposed to the public Internet: the host answered ping and had SSH (port 22) open. Taken together with the alert, this exposure confirmed that the server had been compromised.
2. Log Analysis
Investigation focused on the possibility of an SSH brute‑force attack. Most logs under /var/log had been cleared, but the secure log remained intact. It showed a large number of failed SSH login attempts and several successful root logins after repeated failures, matching typical brute‑force behavior. Threat‑intelligence checks linked the attacking IPs to prior malicious scanning activity.
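As an added example (not part of the original investigation), the following parser flags the pattern described above, a successful SSH login preceded by repeated failures from the same source IP, over constructed sshd lines in /var/log/secure format. The sample lines, host name, IP addresses and the failure threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in /var/log/secure (sshd) format; not taken from the compromised server.
SAMPLE_SECURE_LOG = """\
Mar  3 02:11:01 srv sshd[2301]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 02:11:03 srv sshd[2303]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar  3 02:11:05 srv sshd[2305]: Failed password for invalid user admin from 203.0.113.45 port 51041 ssh2
Mar  3 02:11:08 srv sshd[2307]: Failed password for root from 203.0.113.45 port 51055 ssh2
Mar  3 02:11:10 srv sshd[2309]: Failed password for root from 203.0.113.45 port 51060 ssh2
Mar  3 02:11:12 srv sshd[2311]: Accepted password for root from 203.0.113.45 port 51066 ssh2
Mar  3 02:40:17 srv sshd[2400]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Mar  3 03:05:44 srv sshd[2450]: Failed password for root from 198.51.100.7 port 33001 ssh2
"""

# "invalid user" appears when the account does not exist; the IP is always the token after "from".
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def find_bruteforce_logins(log_text, threshold=3):
    """Return (hits, failures): hits lists every accepted login that followed at least
    `threshold` failed attempts from the same source IP; failures maps IP -> failed count."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            prior = failures.get(ip, 0)  # .get avoids creating zero-count keys
            if prior >= threshold:
                hits.append({"ip": ip, "user": user, "method": method, "failures_before": prior})
    return hits, dict(failures)


if __name__ == "__main__":
    hits, counts = find_bruteforce_logins(SAMPLE_SECURE_LOG)
    for h in hits:
        print(f"suspect login: {h['user']} via {h['method']} from {h['ip']} after {h['failures_before']} failures")
    print("failures per source:", counts)
```

On a real host, read the live file instead of the sample (for example `find_bruteforce_logins(open("/var/log/secure").read())`) and feed the flagged IPs into your threat-intelligence lookup.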
3. System Analysis
A thorough review of critical system configurations, accounts, and historical records was performed to assess impact. The /root/.bash_history file had been wiped, while no other obvious anomalies were found.
4. Process and Service Analysis
Active processes, network connections, startup items, and scheduled tasks (cron) were examined.
Abnormal Network Connection
Network inspection revealed an outbound connection established by a process named te18. Submitting the file to online scanning services identified it as a known Linux backdoor.
Abnormal Cron Job
Review of crontab entries uncovered a suspicious scheduled task. Analysis of the task’s executable and parameters indicated it was a cryptocurrency mining program. The associated mining pool configuration file was also identified.
5. File Analysis
In the /root directory, malicious code and related operation files planted by the attacker were discovered. A hidden directory /root/.s/ was used to store the mining binaries.
6. Backdoor Detection
The system was scanned with RKHunter to locate any remaining rootkits or backdoors.
7. Summary and Hardening Recommendations
The investigation concluded that the attacker gained root access via SSH brute‑force, then installed a mining program and a backdoor. Recommended mitigations include:
Delete the malicious cron job (remove its entry from /var/spool/cron/root) and all malicious files planted on the server.
Reset passwords for all system accounts, enforcing a policy of at least eight characters with upper‑ and lower‑case letters, numbers, and special symbols.
Close SSH access from the public Internet unless required; alternatively, change the default SSH port and restrict allowed source IPs.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.