Hackers are exploiting poorly managed Linux servers, particularly those with weak SSH credentials, to install proxy tools such as TinyProxy and Sing-box.
The AhnLab Security Intelligence Center (ASEC) has been closely monitoring these intrusions through honeypots mimicking vulnerable SSH services.
Their findings reveal a sophisticated strategy where attackers repurpose legitimate tools for malicious intent, transforming compromised systems into proxy nodes for anonymity or profit.
These attacks underscore the critical need for robust security practices on Linux environments exposed to the public internet.
Proxy Installations on Vulnerable Linux Systems
ASEC’s analysis highlights two distinct attack patterns. In the first scenario, attackers target SSH honeypots with weak credentials, gaining unauthorized access before deploying a malicious Bash script retrieved via commands like wget or curl from URLs such as hxxps://0x0[.]st/8VDs.sh.
This script installs TinyProxy, a lightweight proxy server, using package managers like apt, yum, or dnf, depending on the system’s OS.
Post-installation, the script modifies the TinyProxy configuration file (typically located at /etc/tinyproxy/tinyproxy.conf or /etc/tinyproxy.conf) by removing access control rules and inserting an “Allow 0.0.0.0/0” directive.
This change permits unrestricted external access to port 8888, effectively turning the infected server into an open proxy for malicious activities.
Persistence mechanisms ensure the proxy remains active even after reboots, allowing attackers continuous exploitation.
In a parallel case, attackers deploy Sing-box, an open-source multi-protocol proxy tool supporting vmess-argo, vless-reality, Hysteria2, and TUICv5 protocols.
Commands observed during these attacks include downloading installation scripts from sources like hxxps://raw.githubusercontent[.]com/eooce/sing-box/main/sing-box.sh.
Originally designed to bypass internet restrictions in certain regions for accessing services like ChatGPT or Netflix, Sing-box is abused in this context.
By installing it on compromised overseas Virtual Private Servers (VPS), attackers likely aim to leverage these servers for illegal activities or monetize access to proxy nodes.
The absence of additional malicious payloads in both TinyProxy and Sing-box cases suggests a focused intent to build a network of proxy servers, potentially for concealing other cyberattacks or selling access to cybercriminals.
Urgent Call for Enhanced Linux Server Security
These incidents highlight a disturbing trend of exploiting legitimate software for malicious purposes, a tactic that complicates detection as the tools themselves are not inherently malicious.
According to the Report, ASEC warns that attackers could use these proxy nodes to mask their identities in further attacks or profit by trading access rights in underground markets.
To mitigate such risks, server administrators must prioritize strong, complex passwords and regular updates to thwart brute-force attempts.
Additionally, keeping systems patched against vulnerabilities, deploying firewalls to restrict unauthorized access, and using up-to-date security solutions are essential steps to safeguard exposed Linux servers from becoming unwitting tools in cybercrime networks.
Indicators of Compromise (IOC)
| Type | Value |
|---|---|
| MD5 | 16d1dfa35d64046128290393512171ce |
| MD5 | 35d79027834a3b6270455f59b54f2e19 |
| URL | hxxps://0x0[.]st/8VDs[.]sh |
| URL | hxxps://raw[.]githubusercontent[.]com/eooce/sing-box/main/sing-box[.]sh |
Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free
