The “Cloud Snooper” malware that sneaks into your Linux servers (Security News, February 2020)

TCP source ports only need to be unique for each outbound connection, so most programmers simply let the operating system choose a port number for them, known in the jargon as an ephemeral port.
Most of the time it won't, because the crooks use source port numbers below 10000, while conventional software and most modern operating systems stick to source port numbers of 32768 and above.
For details of the port numbers used and what they are for, please see the full Cloud Snooper report.
There are five TCP source port numbers that the driver watches out for, and one UDP source port number.
Ironically, leaving just TCP source port 9999 unblocked would allow any "Kill payload" commands to get through, thus allowing the crooks to stop the malware but not to start it up again.
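The port behaviour described above gives defenders a cheap triage rule: a legitimate client opening a new connection to a server normally arrives from an ephemeral source port, which on Linux defaults to 32768 and above, so new inbound flows whose source port sits well below that range deserve a second look. The following script is an added illustration written for this page; it is not Sophos code and does not reproduce the full port list from the Cloud Snooper report (only TCP source port 9999, the "Kill payload" trigger, is named here). The connection-log format, the IP addresses and the `read_ephemeral_low`, `parse_log` and `flag_low_source_ports` names are all constructed for the example.

```python
"""Flag new inbound flows whose client-side (source) port is below the ephemeral range.

Added illustration for the Cloud Snooper article; not Sophos code.
The log format below is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List

# Linux default for net.ipv4.ip_local_port_range is "32768 60999": clients that
# let the OS pick an ephemeral port land in that range, as the article describes.
DEFAULT_EPHEMERAL_LOW = 32768

# The one trigger port the article names: a packet from TCP source port 9999
# reaches the driver's "Kill payload" handler, so it gets its own alert label.
KILL_PAYLOAD_SRC_PORT = 9999

# Constructed sample of new inbound flows seen at a server (not real traffic).
# Format: <timestamp> <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
2020-02-25T10:01:02Z TCP 203.0.113.10:51234 -> 192.0.2.5:80
2020-02-25T10:01:03Z TCP 203.0.113.11:9999 -> 192.0.2.5:80
2020-02-25T10:01:04Z UDP 203.0.113.12:5353 -> 192.0.2.5:53
2020-02-25T10:01:05Z TCP 203.0.113.13:443 -> 192.0.2.5:22
2020-02-25T10:01:06Z TCP 198.51.100.7:60001 -> 192.0.2.5:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    flow: Flow
    reason: str


def read_ephemeral_low(path: str = "/proc/sys/net/ipv4/ip_local_port_range") -> int:
    """Return the low end of this host's ephemeral port range.

    Falls back to the Linux default when the sysctl file is unavailable
    (non-Linux host, container without /proc, unreadable file).
    """
    try:
        with open(path) as fh:
            low, _high = fh.read().split()
            return int(low)
    except (OSError, ValueError):
        return DEFAULT_EPHEMERAL_LOW


def parse_log(text: str) -> List[Flow]:
    """Parse the constructed log format into Flow records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(m["ts"], m["proto"], m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"])))
    return flows


def flag_low_source_ports(text: str, low: int = DEFAULT_EPHEMERAL_LOW) -> List[Finding]:
    """Return one Finding per inbound flow whose source port is below `low`."""
    findings = []
    for flow in parse_log(text):
        if flow.sport >= low:
            continue  # ordinary ephemeral source port, nothing to report
        if flow.proto == "TCP" and flow.sport == KILL_PAYLOAD_SRC_PORT:
            reason = "TCP source port 9999 (Cloud Snooper 'Kill payload' trigger port)"
        else:
            reason = f"{flow.proto} source port {flow.sport} below ephemeral range ({low})"
        findings.append(Finding(flow, reason))
    return findings


if __name__ == "__main__":
    for f in flag_low_source_ports(SAMPLE_LOG, read_ephemeral_low()):
        print(f"{f.flow.ts} {f.flow.src}:{f.flow.sport} -> "
              f"{f.flow.dst}:{f.flow.dport}: {f.reason}")
```

Two caveats apply when turning this into a production rule. First, it only makes sense on flows the server did not initiate (the SYN direction of a TCP handshake, or the first packet of a UDP exchange): replies from a remote DNS or NTP server naturally carry a low source port. Second, a low source port is a triage signal, not proof of compromise; some NAT devices and older or embedded clients legitimately use ports below 32768, so the hits need correlating with what the destination service actually does with the packet. The exact ports the driver watches are in the full Sophos report, which is where a real rule should take its list from.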