CRITICAL: Compromised SSH Host Special Report

DESCRIPTION LAST UPDATED: 2024-05-30

DEFAULT SEVERITY LEVEL: CRITICAL

This Special Report contains information about hosts running SSH services that are known to be compromised, because they have known public malicious SSH keys installed which facilitate remote access. For more details on the issue, please read “Public SSH keys can leak your private infrastructure“. The data was obtained through collaboration with an external third party (thank you!).

Shadowserver Special Reports are unlike all of our other standard free daily network reports. They do not cover a specific daily 24 hour time period.

Instead, we send out Special Reports in situations where we are able to share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit. Sometimes there are incidents when it would be useful to be able to notify potential victims about events or breaches that may have impacted them outside of the previous 24 hour period, when it may take a number of days for incident responders to conduct forensic investigations and analyzed data becomes available for sharing with potential victims. Although the events included in these Special Reports will fall outside of our usual 24 hour daily reporting window, we believe that there would still be significant benefit to our constituents in receiving and hopefully acting on the retrospective data.

If you have missed a Special Report because you were NOT yet a subscriber at the time a report was pushed out, simply subscribe for your network now and specifically request all recent Shadowserver Special Reports – and we will regenerate them specifically for your network, at no cost.

Note that the data shared across special reports may differ on a case by case basis, hence the report formats for different Special Reports may be different.

Severity levels are described here.

If you receive a compromissed SSH alert from us, make sure to investigate, since malicious actors likely have remote access to the device via SSH.

For the 2024-05-29 dated special report (see filename prefix below), the report was extended to include an account field.

Filename prefix(s): 2023-12-17-special, 2024-01-29-special, 2024-05-29-special.

Fields

  • timestamp
    The timestamp when an event was observed (UTC+0)
  • ip
    IP address of the affected device.
  • port
    TCP or UDP port identified
  • protocol
    Protocol
  • asn
    Autonomous System Number of the affected device
  • geo
    Country of the affected device
  • region
    Region of the affected device
  • city
    City of the affected device
  • hostname
    Hostname of the affected device (may be from reverse DNS)
  • naics
    North American Industry Classification System Code
  • sector
    Sector of the IP in question
  • tag
    Additional tags for more insight (ssh-compromised-host)
  • public_source
    Source of the data
  • status
    Status of the affected IP (compromised in this case)
  • detail
    Unused
  • account
    The remote account that the key check is made against (typically root but may be some other)
  • method
    Unused
  • device_vendor
    Device vendor, if identified
  • severity
    Severity level
  • server_signature
    Server public signature
  • server_host_key
    Server public host key
  • malpubkey_sha256
    Threat actor public SSH key installed on server

Sample

"timestamp","ip","port","protocol","asn","geo","region","city","hostname","naics","sector","tag","public_source","status","detail","account","method","device_vendor","severity","server_signature","server_host_key","malpubkey_sha256"
"2010-02-10 00:00:00",192.168.0.1,22,tcp,64512,ZZ,Region,City,node01.example.com,0,"Communications, Service Provider, and Hosting Service",ssh;ssh-compromised-host,,compromised,,,,,critical,lFGNi9f8eKV/mkrYX3SqGYw31u11BA2rY8cXm8XOFwRUtQHdnZ1oExsEEbNcSlzVRMTeQCOqSvhqQLWGKB09OQ==,lFGNi9f8eKV/mkrYX3SqGYw31u11BA2rY8cXm8XOFwRUtQHdnZ1oExsEEbNcSlzVRMTeQCOqSvhqQLWGKB09OQ==,a90142adda82b41be4d237d238efd25bb19f7b7985c2d3cbdd7d0772a0dffb95
"2010-02-10 00:00:01",192.168.0.2,22,tcp,64512,ZZ,Region,City,node02.example.com,0,"Communications, Service Provider, and Hosting Service",ssh;ssh-compromised-host,,compromised,,,,,critical,jAXCeOMbtDtT+apmZ9ydtpwk8dFNOvBqQr69/fV2pgD64TJPeg+0Fv8TLaDYp0P8k3tw7EDQK5M0LgLj96OUtQ==,jAXCeOMbtDtT+apmZ9ydtpwk8dFNOvBqQr69/fV2pgD64TJPeg+0Fv8TLaDYp0P8k3tw7EDQK5M0LgLj96OUtQ==,f1bdbf0149ead32598f063b87b14f029964c81c8309d6dfe54fc40e4ba5aaa91
"2010-02-10 00:00:02",192.168.0.3,22,tcp,64512,ZZ,Region,City,node03.example.com,0,"Communications, Service Provider, and Hosting Service",ssh;ssh-compromised-host,,compromised,,,,,critical,Zs8UINk6w59IH6D3ySKgC3UnLVtkIfN0F2WWYfyfgdQsHg+9t/ziAt7hIJd7oIURL34y3UGbEvR9QM0zVFOXbg==,Zs8UINk6w59IH6D3ySKgC3UnLVtkIfN0F2WWYfyfgdQsHg+9t/ziAt7hIJd7oIURL34y3UGbEvR9QM0zVFOXbg==,76ee51b288762091f96980295f543ece287b820796334f9db8a14d393432c7f3

Our 132 Report Types

« Back to Network Reporting