
The AhnLab SEcurity intelligence Center (ASEC) has uncovered a series of attacks on poorly secured Linux servers, where instead of deploying classic malware, attackers quietly install legitimate proxy software to hijack system resources for nefarious purposes.
ASEC observed these attacks on its honeypots, which are set up to look like poorly secured Linux machines; the SSH honeypot that accepts weak credentials draws the most attention, the same population of servers these attackers go after. “One of the representative honeypots is the SSH service that uses weak credentials, which is targeted by a large number of DDoS and coinminer attackers,” ASEC noted.
Rather than dropping ransomware or cryptominers, the attackers in these campaigns focus on transforming compromised machines into proxy nodes using open-source software like TinyProxy and Sing-box.
“ASEC has identified cases where Linux servers were attacked to install proxies… It appears that the attackers aim to use the infected systems as proxy nodes.”
This choice of tooling signals a broader abuse of legitimate software: a stock proxy binary carries no malware signature, so it is far less likely to trip file-based detection, while still giving the attackers everything they want from the unauthorized access.
In one scenario, attackers exploited a vulnerable server and executed the following Bash command:
This script installs TinyProxy, strips the access-control rules from its configuration (the shipped tinyproxy.conf only allows loopback clients) and opens the proxy to every client with the rule Allow 0.0.0.0/0. Note that TinyProxy also accepts every client when the config contains no Allow or Deny rule at all, so simply deleting the rules has the same effect.
The proxy then listens on TinyProxy's default port, 8888, with no restriction on who may use it, so the attackers or their customers can route traffic through the compromised server and have it appear to originate from the victim's IP address.
A more sophisticated case involved Sing-box, a multipurpose proxy platform that supports protocols such as vmess-argo, vless-reality, Hysteria2 and TUICv5. The tool is normally used to bypass internet restrictions on services like Netflix and ChatGPT; here the attackers installed it via:
ASEC remarks that the threat actors “gained unauthorized access to others’ systems to install Sing-box, and it appears that the attacker intended to use it for illegal or profit-making purposes.”
The installation was often followed by deployment of an SSH management tool, which suggests the attackers intended to keep persistent access and administer many compromised systems at once.
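As an added example (not ASEC's analysis code and not the attackers' script), the following POSIX shell helpers check a host for the two artefacts described above: a TinyProxy configuration left open to the whole internet, and tinyproxy or sing-box processes listening on a socket. The config files and the saved ss -lntp listing are constructed samples; the pids, the port chosen for sing-box and the process names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added audit helpers (not ASEC's code and not the attackers' script).
# Sample configs and a saved "ss -lntp" listing are constructed below so the
# script runs offline; pids, the sing-box port and process names are assumed.
set -u

# tinyproxy_exposed CONF
# Returns 0 and prints a reason when CONF lets any client use the proxy:
# TinyProxy accepts every client when the config has no Allow/Deny rule at
# all, and "Allow 0.0.0.0/0" (or "::/0") has the same effect. A Listen bound
# to loopback makes the proxy unreachable from outside, so that returns 1.
# Rule order matters to TinyProxy; this check ignores order and only looks
# for the two wide-open shapes above.
tinyproxy_exposed() {
    conf=$1
    rules=$(sed 's/#.*//' "$conf" | awk 'NF > 0')
    listen=$(printf '%s\n' "$rules" | awk 'tolower($1) == "listen" { print $2 }' | tail -n 1)
    port=$(printf '%s\n' "$rules" | awk 'tolower($1) == "port" { print $2 }' | tail -n 1)
    acl=$(printf '%s\n' "$rules" | awk 'tolower($1) == "allow" || tolower($1) == "deny"')
    case "$listen" in
        127.*|::1) return 1 ;;
    esac
    if [ -z "$acl" ]; then
        echo "$conf: exposed on port ${port:-8888}, no Allow/Deny rule so every client is accepted"
        return 0
    fi
    for net in $(printf '%s\n' "$acl" | awk 'tolower($1) == "allow" { print $2 }'); do
        case "$net" in
            0.0.0.0/0|::/0)
                echo "$conf: exposed on port ${port:-8888}, Allow $net"
                return 0 ;;
        esac
    done
    return 1
}

# proxy_listeners FILE
# Prints the lines of saved "ss -lntp" output owned by tinyproxy or sing-box
# and returns 0 if any were found, 1 otherwise. On a live host:
#   ss -lntp | proxy_listeners -
proxy_listeners() {
    found=$(grep -E 'users:\(\("(tinyproxy|sing-box)"' "$1") || return 1
    printf '%s\n' "$found"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed: the config as the attacker's script leaves it.
cat > "$work/attacker.conf" <<'EOF'
Port 8888
Timeout 600
# the shipped "Allow 127.0.0.1" line was deleted and replaced with:
Allow 0.0.0.0/0
EOF

# Constructed: a config where the Allow line was only removed, not replaced.
cat > "$work/stripped.conf" <<'EOF'
Port 8888
Timeout 600
EOF

# Constructed: a hardened config, reachable from loopback only.
cat > "$work/hardened.conf" <<'EOF'
Port 8888
Listen 127.0.0.1
Allow 127.0.0.1
EOF

# Constructed "ss -lntp" capture; pids and the sing-box port are made up.
cat > "$work/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128          0.0.0.0:8888       0.0.0.0:*     users:(("tinyproxy",pid=4021,fd=4))
LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*     users:(("sing-box",pid=4110,fd=7))
EOF

for c in attacker stripped hardened; do
    tinyproxy_exposed "$work/$c.conf" || echo "$work/$c.conf: not exposed"
done
proxy_listeners "$work/ss.txt" || echo "no tinyproxy/sing-box listeners"
```

Both helpers are deliberately narrow: tinyproxy_exposed only recognises the two wide-open configurations the article describes, and a process-name match will miss a renamed binary, so treat a hit as a reason to inspect the host rather than as proof that it is clean when nothing is reported.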
Unlike traditional malware that locks, encrypts, or mines, these proxy-installing attacks monetize the access itself: the attackers either hide their own activity behind the victim's otherwise unremarkable IP address or sell proxy access to third parties on criminal marketplaces.
“A notable characteristic is the abuse of legitimate tools—such as TinyProxy or open-source software like Sing-box—rather than using traditional proxy malware,” ASEC concludes.