cShell DDoS Bot Attack Case Targeting Linux SSH Server (screen and hping3)
Dec. 20, 2024, 2:41 p.m.
Description
A new DDoS malware strain named cShell is targeting poorly managed Linux servers exposed over SSH. The threat actor gains initial access by brute-forcing SSH credentials, then installs the cShell bot, which is written in Go. Rather than implementing its own packet generation, cShell relies on the existing Linux tools 'screen' and 'hping3' to carry out its DDoS attacks. It supports multiple DDoS commands, including SYN, ACK, and UDP floods. The malware maintains persistence by registering itself as a system service and can update itself by fetching new versions from Pastebin URLs. This simple design, built on tools already present on the host, makes cShell an effective DDoS bot despite its small footprint. To protect against such attacks, administrators should use strong SSH passwords, keep systems regularly updated, and restrict access with security measures such as firewalls.
Date
Published: Dec. 20, 2024, 2:22 p.m.
Created: Dec. 20, 2024, 2:22 p.m.
Modified: Dec. 20, 2024, 2:41 p.m.
Indicators
781b4790834757804bd0e80ce5d8180155cac6fc8952cd03d8f824ccba376058
Attack Patterns
cARM
cShell
T1543.002
T1021.004
T1568
T1571
T1059.004
T1105
T1036
T1498
T1190
T1133
T1078
T1072