Linux SSH servers targeted by new RapperBot botnet

BleepingComputer reports that Linux SSH servers have been besieged by brute-force attacks from the novel Mirai trojan-based RapperBot botnet since mid-June. More than 3,500 unique IP addresses around the world have been scanned by RapperBot as it sought to brute-force Linux SSH servers, according to a report from Fortinet. Despite being a forked version of Mirai, RapperBot was found to have unique functionality, as well as a dedicated command-and-control protocol and post-compromise activity mainly aimed at achieving initial server access. "Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellman key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR," said researchers.
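
The researchers' description names three server-side conditions: password authentication, Diffie-Hellman key exchange, and AES128-CTR. The Python below is an added example, not code from BleepingComputer, Fortinet or SC Media; it checks `sshd -T`-style output against those conditions, and its function names and sample configurations are constructed for illustration.

```python
# Added example: audit effective sshd settings (the "keyword value" format
# printed by `sshd -T`) against the server profile in the quoted report.

# Constructed samples, trimmed to the relevant keywords.
SAMPLE_EXPOSED = """\
port 22
passwordauthentication yes
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
"""
SAMPLE_KEY_ONLY = SAMPLE_EXPOSED.replace(
    "passwordauthentication yes", "passwordauthentication no")


def parse_sshd_t(text):
    """Parse `sshd -T` style lines into a dict, keeping the first value seen."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg.setdefault(key.lower(), value.strip())
    return cfg


def audit(text):
    """Report which of the three described conditions this server meets."""
    cfg = parse_sshd_t(text)
    ciphers = [c for c in cfg.get("ciphers", "").split(",") if c]
    kex = [k for k in cfg.get("kexalgorithms", "").split(",") if k]
    findings = {
        "password_auth": cfg.get("passwordauthentication", "").lower() == "yes",
        "aes128_ctr": "aes128-ctr" in ciphers,
        # Assumption: the page gives DH key sizes, not algorithm names, so
        # every finite-field "diffie-hellman-*" method is listed for review.
        "dh_kex": [k for k in kex if k.startswith("diffie-hellman-")],
    }
    findings["matches_described_target"] = bool(
        findings["password_auth"] and findings["aes128_ctr"]
        and findings["dh_kex"])
    return findings


if __name__ == "__main__":
    import sys
    # Pipe real `sshd -T` output on stdin, or run bare to see the sample.
    text = SAMPLE_EXPOSED if sys.stdin.isatty() else sys.stdin.read()
    for name, value in audit(text).items():
        print(f"{name}: {value}")
```

Of the three findings, `password_auth` is the one the brute-force depends on: a server that accepts only key-based logins gives password guessing nothing to succeed against.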
