Brutus

Description
We'll explore a scenario where a Confluence server was brute-forced via its SSH service. After gaining access to the server, the attacker performed additional activities, which we can track using auth.log and wtmp.
Summary
On 2025‑03‑06 the Confluence server (ip-172-31-35-28) was brute‑forced over SSH from IP 65.2.161.68, resulting in successful logins as root and, later, as a newly created user. The attacker created a local account (cyberjunkie), set its password, added it to the sudo group, and used it to execute commands including reading /etc/shadow and downloading a persistence tool (linper.sh). Impact: root compromise and persistent access.
Files & Artifacts
wtmp is a binary file on Linux-based systems, located at /var/log/wtmp, that records a history of all user logins, logouts, and system shutdowns or reboots. It is used by system administrators for monitoring user activity, troubleshooting login issues, and analyzing system usage.
auth.log is a text file on Linux systems that records authentication events, such as user login attempts, successful or failed logins, and administrative actions like use of the sudo command.
Event Types Observed
Indicators of Compromise (IOCs)
IP Address: 65.2.161.68 (external attacker performing the brute force)
Username: root, cyberjunkie (compromised and attacker-created accounts)
File/Tool: linper.sh (Linux persistence toolkit)
URL: https://github.com/montysecurity/linper/main/linper.sh (remote payload source)
Chronological Attack Timeline
Brute force activity
auth.log shows a brute force attack against SSH from 65.2.161.68 commencing on March 6 at 06:31:31 and producing a total of 82 failed/invalid login attempts.
Successful Compromise
At 06:31:40, one of the brute force attempts successfully guessed the root account password, resulting in a complete compromise of the server.
Between 06:31:40 and 06:32:45, two root authentications were recorded:
Session 34 was the successful brute force attempt at 06:31:40.
Session 37 was the attacker's subsequent manual root login, closing the window at 06:32:45.
Post-Compromise Actions
At 06:34:18 an account was created on the server called cyberjunkie.
MITRE ATT&CK T1136.001 (Create Account: Local Account): Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Between 06:34:18 and 06:35:15, the malicious actor created a group named cyberjunkie, created a user with the same name, set its password, updated its account information, and added it to the sudo group to ensure persistent privileged access to the server.
Bad Actor logged out
At 06:37:24, the root user logged out, closing Session 37.
At 06:37:34, the malicious actor logged back in over SSH using the cyberjunkie account.
Finally, the cyberjunkie account read the /etc/shadow file, confirming that its new sudo privileges worked, and then downloaded linper to maintain persistence on the system.
Tool: https://github.com/montysecurity/linper
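The timeline above is the kind of result that can be pulled out of auth.log mechanically. The script below is an added example, not the write-up's own tooling: it parses syslog-format sshd, systemd-logind, useradd, passwd, usermod and sudo lines, counts failures per source, finds the first accepted login from a source that had already been failing (the brute-force success, as opposed to an ordinary login), and lists the account-persistence steps. The LOG text is constructed to mirror the case; PIDs, ports and the unrelated 203.0.113.7 login are invented and it is not the evidence file.

```python
"""Triage an OpenSSH auth.log for a brute-force success and the
account-persistence steps that follow.  Added example; the LOG below is
constructed (invented PIDs/ports), not the real evidence file."""
import json
import re
from collections import Counter

# Constructed sample in standard syslog format (not the real auth.log).
LOG = """\
Mar  6 06:19:54 ip-172-31-35-28 sshd[2001]: Accepted publickey for ubuntu from 203.0.113.7 port 50112 ssh2
Mar  6 06:31:31 ip-172-31-35-28 sshd[2411]: Invalid user admin from 65.2.161.68 port 46392
Mar  6 06:31:31 ip-172-31-35-28 sshd[2411]: Failed password for invalid user admin from 65.2.161.68 port 46392 ssh2
Mar  6 06:31:33 ip-172-31-35-28 sshd[2413]: Failed password for root from 65.2.161.68 port 34834 ssh2
Mar  6 06:31:35 ip-172-31-35-28 sshd[2415]: Failed password for backup from 65.2.161.68 port 34838 ssh2
Mar  6 06:31:40 ip-172-31-35-28 sshd[2491]: Accepted password for root from 65.2.161.68 port 53184 ssh2
Mar  6 06:31:40 ip-172-31-35-28 systemd-logind[411]: New session 34 of user root.
Mar  6 06:32:45 ip-172-31-35-28 sshd[2667]: Accepted password for root from 65.2.161.68 port 53340 ssh2
Mar  6 06:32:45 ip-172-31-35-28 systemd-logind[411]: New session 37 of user root.
Mar  6 06:34:18 ip-172-31-35-28 groupadd[2725]: new group: name=cyberjunkie, GID=1002
Mar  6 06:34:18 ip-172-31-35-28 useradd[2728]: new user: name=cyberjunkie, UID=1002, GID=1002, home=/home/cyberjunkie, shell=/bin/bash
Mar  6 06:34:26 ip-172-31-35-28 passwd[2736]: pam_unix(passwd:chauthtok): password changed for cyberjunkie
Mar  6 06:35:15 ip-172-31-35-28 usermod[2760]: add 'cyberjunkie' to group 'sudo'
Mar  6 06:37:24 ip-172-31-35-28 systemd-logind[411]: Removed session 37.
Mar  6 06:37:34 ip-172-31-35-28 sshd[2810]: Accepted password for cyberjunkie from 65.2.161.68 port 43260 ssh2
Mar  6 06:37:57 ip-172-31-35-28 sudo: cyberjunkie : TTY=pts/1 ; PWD=/home/cyberjunkie ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

# "Mon DD HH:MM:SS host proc[pid]: message" (pid is optional, e.g. sudo).
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                  r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")
NEW_USER = re.compile(r"new user: name=(?P<user>[^,]+)")
PASSWD = re.compile(r"password changed for (?P<user>\S+)")
GROUP_ADD = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
SUDO_CMD = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")


def parse(text):
    """Split auth.log text into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def failed_logins_by_ip(events):
    """Count 'Failed password' lines per source IP ('Invalid user' lines are
    the same attempt and are deliberately not counted twice)."""
    counts = Counter()
    for e in events:
        m = FAILED.search(e["msg"]) if e["proc"] == "sshd" else None
        if m:
            counts[m["ip"]] += 1
    return dict(counts)


def first_success_after_failures(events, min_failures=3):
    """First accepted login from an IP that had already failed >= min_failures
    times: the brute-force success, not a normal login from elsewhere."""
    failures = Counter()
    for e in events:
        if e["proc"] != "sshd":
            continue
        if m := FAILED.search(e["msg"]):
            failures[m["ip"]] += 1
        elif (m := ACCEPTED.search(e["msg"])) and failures[m["ip"]] >= min_failures:
            return {"ts": e["ts"], "user": m["user"], "ip": m["ip"],
                    "failures_before": failures[m["ip"]]}
    return None


def persistence_events(events):
    """Account creation, password set, sudo-group membership and sudo usage,
    in log order, as (timestamp, kind, detail) tuples."""
    out = []
    for e in events:
        proc, msg = e["proc"], e["msg"]
        if proc == "useradd" and (m := NEW_USER.search(msg)):
            out.append((e["ts"], "account_created", m["user"]))
        elif proc == "passwd" and (m := PASSWD.search(msg)):
            out.append((e["ts"], "password_set", m["user"]))
        elif proc == "usermod" and (m := GROUP_ADD.search(msg)):
            out.append((e["ts"], "group_added", f"{m['user']}->{m['group']}"))
        elif proc == "sudo" and (m := SUDO_CMD.match(msg)):
            out.append((e["ts"], "sudo_command", f"{m['user']}: {m['cmd']}"))
    return out


def triage(text):
    events = parse(text)
    return {"failed_by_ip": failed_logins_by_ip(events),
            "first_brute_force_success": first_success_after_failures(events),
            "persistence": persistence_events(events)}


if __name__ == "__main__":
    print(json.dumps(triage(LOG), indent=2))
```

On a real auth.log, run triage on the file contents and raise min_failures to something like 10; the page's 82 failures before the 06:31:40 success would clear any sensible threshold. The session numbers (34, 37) come from the systemd-logind lines and can be joined against wtmp (last -f /var/log/wtmp) to get the login durations.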
Recommendations
- Disable root SSH login (PermitRootLogin no) and enforce key-based authentication (PasswordAuthentication no)
- Enable fail2ban or equivalent SSH brute-force protection
- Audit /etc/sudoers and the sudo group for unauthorized users
- Rotate all credentials and remove the cyberjunkie account
- Review /etc/rc.local and crontabs for persistence traces
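A check for the first recommendation, as an added example that is not part of the original write-up: it parses an sshd_config and reports the keywords that differ from the hardened values. Both config texts are constructed. The parser applies OpenSSH's documented rule that the first value of a keyword in the file is the effective one, which matters in practice because appending "PermitRootLogin no" to the end of a file that already says "PermitRootLogin yes" changes nothing; it also stops at the first Match block and does not follow Include directives (a stated limitation), so on hosts using /etc/ssh/sshd_config.d/ compare against the output of sshd -T instead.

```python
"""Audit an sshd_config against the hardening recommended above.
Added example, not the write-up's own tooling.  WEAK and HARDENED are
constructed configs.  Limitation (assumption): Include is not followed and
parsing stops at the first Match block."""
import re

# OpenSSH built-in defaults used when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# What the recommendations require.
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}
# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
KEYVAL = re.compile(r"^(?P<key>\S+?)(?:\s*=\s*|\s+)(?P<value>.*)$")

# Constructed: the kind of config the compromised host likely had (assumption).
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
UsePAM yes
"""

# Constructed: what the recommendations ask for.
HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
UsePAM yes
"""


def parse_sshd_config(text):
    """Return {keyword: value} with OpenSSH's first-value-wins rule.
    Comments are stripped; the first Match block ends global scope."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEYVAL.match(line)
        key = (m["key"] if m else line).lower()
        value = (m["value"] if m else "").strip().lower()
        if key == "match":
            break  # everything after here is conditional, not global
        effective.setdefault(key, value)  # later duplicates are ignored
    return effective


def audit(text):
    """List (keyword, effective_value, required_value) for every mismatch."""
    cfg = parse_sshd_config(text)
    return [(key, cfg.get(key, DEFAULTS[key]), want)
            for key, want in REQUIRED.items()
            if cfg.get(key, DEFAULTS[key]) != want]


if __name__ == "__main__":
    print("weak:    ", audit(WEAK))
    print("hardened:", audit(HARDENED))
    # The append trap: a fix added below an existing directive does nothing.
    print("appended:", audit(WEAK + "PermitRootLogin no\n"))
```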