Security News > 2020 > February > The “Cloud Snooper” malware that sneaks into your Linux servers
TCP source ports only need to be unique for each outbound connection, so most programmers simply let the operating system choose a port number for them, known in the jargon as an ephemeral port.
Most of the time it won't, because the crooks use source port numbers below 10000, while conventional software and most modern operating systems stick to source port numbers of 32768 and above.
For details of the port numbers used and what they are for, please see the full Cloud Snooper report.
There are five TCP source port numbers that the driver watches out for, and one UDP source port number.
Ironically, leaving just TCP source port 9999 unblocked would allow any "Kill payload" commands to get through, thus allowing the crooks to stop the malware but not to start it up again.
News URL
Related news
- New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking (source)
- Linux malware “perfctl” behind years-long cryptomining campaign (source)
- Linux systems targeted with stealthy “Perfctl” cryptomining malware (source)
- New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks (source)
- New FASTCash malware Linux variant helps steal money from ATMs (source)
- New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists (source)
- Perfctl malware strikes again as crypto-crooks target Docker Remote API servers (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)
- AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services (source)
- Chinese hackers target Linux with new WolfsBane malware (source)