Hackers launched SSH brute-force attacks on Linux systems to deploy Chaos backdoors

Chaos backdoors

According to SecurityAffairs on February 23, researchers found that hackers are launching SSH brute-force attacks against Linux systems with weak passwords in order to deploy a backdoor called Chaos. The backdoor is reportedly being used by the attacker against Linux servers worldwide.

According to GoSecure experts, the Chaos backdoor is actually a component of the “sebd” Linux rootkit, which was in use as early as 2013.


Because the Chaos backdoor does not rely on any exploit, GoSecure researchers do not consider it sophisticated: it is not advanced, it simply relies on administrators failing to set strong passwords on their servers. It does have one clever feature, however: it opens a raw socket on port 8338 and listens for commands on it. As GoSecure experts put it:

Any decent firewall would block incoming packets to any ports that have not explicitly been opened for operational purposes. However, with Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service.

So how can users check whether their system is infected? The researchers suggest running netstat -lwp as root to look for the raw socket. In addition, because Chaos does not come alone but is accompanied by at least one IRC bot with remote code execution capabilities, GoSecure recommends that infected hosts be reinstalled from a known-good backup and issued a new set of credentials.
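The netstat -lwp check above lists every raw socket on the host, most of which belong to legitimate tools such as ping, so an administrator still has to pick out the ones that do not. The script below is an added example, not code from GoSecure or SecurityAffairs: it filters netstat -lwp output against an assumed baseline of programs that normally hold raw sockets and prints the rest, including sockets whose owner could not be read because netstat was not run as root. The sample output, the ALLOWED_RAW baseline and the process name example-bin are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: triage raw sockets from `netstat -lwp` output (constructed sample below).
# "7" is the state netstat prints for raw sockets; "-" in the last column means the owning
# process was not readable, which is what you get when netstat is not run as root.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
raw        0      0 0.0.0.0:1               0.0.0.0:*               7           812/ping
raw        0      0 0.0.0.0:255             0.0.0.0:*               7           -
raw        0      0 0.0.0.0:6               0.0.0.0:*               7           2211/example-bin
raw6       0      0 :::58                   :::*                    7           410/NetworkManager'

# Assumed baseline of programs that legitimately hold raw sockets on a typical host; tune per fleet.
ALLOWED_RAW="ping ping6 NetworkManager dhclient dhcpcd tcpdump"

# flag_unexpected_raw_sockets: read netstat -lwp output on stdin and print
# "<proto> <local address> <PID/program>" for every raw socket whose owner is not on the
# baseline, or whose owner is unknown ("-"), so each printed line needs a human look.
flag_unexpected_raw_sockets() {
    awk -v allowed="$ALLOWED_RAW" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^raw6?$/ {
            split($NF, p, "/")                  # last column is "PID/Program name" or "-"
            prog = (p[2] == "") ? "-" : p[2]
            if (!(prog in ok)) print $1, $4, $NF
        }'
}

# Demo on the constructed sample. On a real host run as root:
#   netstat -lwp | flag_unexpected_raw_sockets
printf '%s\n' "$SAMPLE_NETSTAT" | flag_unexpected_raw_sockets
```

A raw socket held by an unfamiliar binary, or a "-" owner that persists even when run as root, is the point at which the reinstall-from-backup advice above applies rather than any attempt to clean the host in place.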

Read more

Chaos: a Stolen Backdoor Rising Again

Source: SecurityAffairs