The “Cloud Snooper” malware that sneaks into your Linux servers (Security News, February 2020)
A TCP source port only has to make the connection's four-tuple (source address, source port, destination address, destination port) unique, so most programmers simply let the operating system choose one for them, known in the jargon as an ephemeral port.
Most of the time the malware's choice of magic source ports won't clash with legitimate traffic, because the crooks use source port numbers below 10000, while conventional software and most modern operating systems allocate ephemeral ports from 32768 upwards (Linux defaults to 32768-60999, controlled by net.ipv4.ip_local_port_range).
For details of the port numbers used and what they are for, please see the full Cloud Snooper report.
There are five TCP source port numbers that the driver watches out for, and one UDP source port number.
Ironically, leaving just TCP source port 9999 unblocked would allow any "Kill payload" commands to get through, thus allowing the crooks to stop the malware but not to start it up again.
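The point above (magic source ports that sit well below the ephemeral range any modern client would use) is something a defender can hunt for in firewall logs. The following is an added example, not code from the article or from Sophos: it parses constructed iptables LOG lines and flags new inbound connections whose remote source port is below 10000. Only TCP 9999 is taken from the page; the other low ports in the sample (1234, 4321) and the allowlist of expected UDP reply ports (53, 123) are assumptions for illustration, and the real port list should be taken from the Cloud Snooper report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Linux default ephemeral range (net.ipv4.ip_local_port_range). Modern clients
# normally connect from here, which is why low source ports stand out.
LINUX_EPHEMERAL = (32768, 60999)
LOW_PORT_CEILING = 10000    # per the article: the magic source ports are all below 10000
KILL_PAYLOAD_SPORT = 9999   # per the article: TCP source port 9999 carries the "Kill payload" command

# Assumption: this host issues its own DNS and NTP queries, so UDP replies from
# source port 53/123 are expected. Verify these do not collide with the UDP port
# listed in the Cloud Snooper report before deploying such an allowlist.
EXPECTED_LOW_UDP_SPORTS: Set[int] = {53, 123}

# Constructed sample lines in iptables LOG format (not real captures).
# Ports 1234 and 4321 are hypothetical low ports, not taken from the report.
SAMPLE_LOG = """\
Feb 25 10:01:02 web1 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 25 10:01:03 web1 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=9999 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 25 10:01:04 web1 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=3 DF PROTO=TCP SPT=1234 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 25 10:01:05 web1 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=4 DF PROTO=TCP SPT=443 DPT=45678 WINDOW=500 RES=0x00 ACK URGP=0
Feb 25 10:01:06 web1 kernel: IN=eth0 OUT= SRC=192.0.2.53 DST=10.0.0.5 LEN=76 TOS=0x00 PREC=0x00 TTL=60 ID=5 PROTO=UDP SPT=123 DPT=123 LEN=56
Feb 25 10:01:07 web1 kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=6 PROTO=UDP SPT=4321 DPT=53 LEN=20
"""

KV_RE = re.compile(r"([A-Z]+)=(\S*)")


@dataclass(frozen=True)
class Alert:
    src: str
    proto: str
    sport: int
    dport: int
    reason: str


def parse_log_line(line: str) -> Dict[str, object]:
    """Split an iptables LOG line into KEY=value fields plus a FLAGS set of bare tokens (SYN, ACK, DF)."""
    if "kernel:" in line:
        line = line.split("kernel:", 1)[1]
    fields: Dict[str, object] = {k: v for k, v in KV_RE.findall(line)}
    fields["FLAGS"] = {tok for tok in line.split() if "=" not in tok}
    return fields


def classify(fields: Dict[str, object]) -> Optional[str]:
    """Return a reason string if the record looks like Cloud Snooper-style signalling, else None."""
    proto = fields.get("PROTO")
    if proto not in ("TCP", "UDP") or "SPT" not in fields:
        return None
    sport = int(str(fields["SPT"]))
    flags = fields["FLAGS"]
    # Only brand-new inbound TCP connections matter (pure SYN). A low remote port
    # on an ACK is just a reply to one of our own outbound connections (e.g. from :443).
    if proto == "TCP" and not ("SYN" in flags and "ACK" not in flags):
        return None
    if proto == "UDP" and sport in EXPECTED_LOW_UDP_SPORTS:
        return None
    if proto == "TCP" and sport == KILL_PAYLOAD_SPORT:
        return "kill-payload source port 9999 (listed in the Cloud Snooper report)"
    if sport < LOW_PORT_CEILING:
        return f"{proto} source port {sport} below {LOW_PORT_CEILING}; modern clients use {LINUX_EPHEMERAL[0]}+"
    return None


def scan(log_text: str) -> List[Alert]:
    """Run classify() over every line and collect the hits."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_log_line(line)
        reason = classify(f)
        if reason:
            alerts.append(Alert(str(f["SRC"]), str(f["PROTO"]), int(str(f["SPT"])), int(str(f["DPT"])), reason))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.src} {a.proto}/{a.sport} -> {a.dport}: {a.reason}")
```

The SYN-without-ACK check matters: a server-side log of all inbound packets will contain plenty of low source ports that are simply responses to the host's own outbound connections, so the heuristic is restricted to connection attempts the remote side initiates. If your LOG rule already carries `-m conntrack --ctstate NEW`, that filtering happens in the kernel instead.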