Hackers Target Linux SSH Servers to Deploy TinyProxy and Sing-box Proxy Tools

Hackers are exploiting poorly managed Linux servers, particularly those with weak SSH credentials, to install proxy tools such as TinyProxy and Sing-box.

The AhnLab Security Intelligence Center (ASEC) has been closely monitoring these intrusions through honeypots mimicking vulnerable SSH services.

Their findings reveal a sophisticated strategy where attackers repurpose legitimate tools for malicious intent, transforming compromised systems into proxy nodes for anonymity or profit.

These attacks underscore the critical need for robust security practices on Linux environments exposed to the public internet.

Proxy Installations on Vulnerable Linux Systems

ASEC’s analysis highlights two distinct attack patterns. In the first scenario, attackers target SSH honeypots with weak credentials, gaining unauthorized access before deploying a malicious Bash script retrieved via commands like wget or curl from URLs such as hxxps://0x0[.]st/8VDs.sh.

This script installs TinyProxy, a lightweight proxy server, using package managers like apt, yum, or dnf, depending on the system’s OS.

Post-installation, the script modifies the TinyProxy configuration file (typically located at /etc/tinyproxy/tinyproxy.conf or /etc/tinyproxy.conf) by removing access control rules and inserting an “Allow 0.0.0.0/0” directive.

This change permits unrestricted external access to port 8888, effectively turning the infected server into an open proxy for malicious activities.

Persistence mechanisms ensure the proxy remains active even after reboots, allowing attackers continuous exploitation.

In a parallel case, attackers deploy Sing-box, an open-source multi-protocol proxy tool supporting vmess-argo, vless-reality, Hysteria2, and TUICv5 protocols.

Commands observed during these attacks include downloading installation scripts from sources like hxxps://raw.githubusercontent[.]com/eooce/sing-box/main/sing-box.sh.

Originally designed to bypass internet restrictions in certain regions for accessing services like ChatGPT or Netflix, Sing-box is abused in this context.

By installing it on compromised overseas Virtual Private Servers (VPS), attackers likely aim to leverage these servers for illegal activities or monetize access to proxy nodes.

The absence of additional malicious payloads in both TinyProxy and Sing-box cases suggests a focused intent to build a network of proxy servers, potentially for concealing other cyberattacks or selling access to cybercriminals.

Urgent Call for Enhanced Linux Server Security

These incidents highlight a disturbing trend of exploiting legitimate software for malicious purposes, a tactic that complicates detection as the tools themselves are not inherently malicious.

According to the Report, ASEC warns that attackers could use these proxy nodes to mask their identities in further attacks or profit by trading access rights in underground markets.

To mitigate such risks, server administrators must prioritize strong, complex passwords and regular updates to thwart brute-force attempts.

Additionally, keeping systems patched against vulnerabilities, deploying firewalls to restrict unauthorized access, and using up-to-date security solutions are essential steps to safeguard exposed Linux servers from becoming unwitting tools in cybercrime networks.

Indicators of Compromise (IOC)

Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free

Keep your files stored safely and securely with the SanDisk 2TB Extreme Portable SSD. With over 69,505 ratings and an impressive 4.6 out of 5 stars, this product has been purchased over 8K+ times in the past month. At only $129.99, this Amazon’s Choice product is a must-have for secure file storage.

Help keep private content private with the included password protection featuring 256-bit AES hardware encryption. Order now for just $129.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!