
SSH Rootkit Attack Risk

TL;DR

Yes, a running SSH connection to a rootkit-infected VPS can be used to attack your client machine. The rootkit gives an attacker control of the server and potentially your session. Immediately disconnect, investigate, and restore from backups if necessary.

Understanding the Risk

A rootkit hides malicious software on a system, granting attackers persistent access even after reboots. If a VPS you connect to via SSH is compromised with a rootkit, the attacker can:

  • Monitor your session: They can see everything you type and do within that SSH connection.
  • Redirect traffic: Steal credentials or inject malicious code into downloads.
  • Use the VPS as a launchpad: Attack other systems on your network.
  • Compromise your client machine directly: Exploit vulnerabilities in your SSH client or operating system.

Steps to Take Immediately

  1. Disconnect the SSH Session: Terminate the connection immediately. Do not simply close the terminal window; use a proper disconnect command (see step 2).
  2. Properly Disconnect: Use one of these methods:
    • Type exit in the SSH session.
    • Press Ctrl+D.
    • Close the connection from your terminal using its built-in disconnect function (e.g., 'Kill Session' in some terminals).
  3. Change Passwords: Change passwords for all accounts on both the VPS and any accounts you used to connect to it, especially if you use the same password elsewhere.

Investigating the VPS

Determining if a rootkit is present requires careful investigation. This is best done from a clean system – not through the compromised SSH connection.

  1. Boot from Live Media: Boot your VPS from a trusted live Linux distribution (e.g., Ubuntu, Debian). This allows you to examine the filesystem without running the potentially infected operating system.
  2. Run Rootkit Scanners: Use rootkit detection tools like:
    • rkhunter: sudo rkhunter --checkall (install with sudo apt install rkhunter on Debian/Ubuntu).
    • chkrootkit: sudo chkrootkit (install with sudo apt install chkrootkit on Debian/Ubuntu).

    Note: Rootkit scanners are not foolproof. They can miss sophisticated rootkits.

  3. Check System Logs: Examine system logs for suspicious activity, particularly around the time of potential compromise. Look in files like /var/log/auth.log (authentication), /var/log/syslog, and /var/log/kern.log.
  4. Inspect Running Processes: Use tools like ps aux or top to look for unusual processes. Compare the output with a known-good system if possible.
  5. File Integrity Monitoring: If you have file integrity monitoring (e.g., AIDE) enabled, check for modified system files.
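Step 3 above says to look through /var/log/auth.log for suspicious activity; the script below is an added example (not part of the original post) of doing that offline against a copy of the log taken from the mounted VPS filesystem. The log lines in SAMPLE_LOG are constructed for the demonstration, and the mount point /mnt/var/log/auth.log in the usage comment is an assumption. It pulls out the indicators an analyst checks first: failed-password bursts, successful logins from addresses you do not normally administer from, new UID 0 accounts, and sudo commands that load kernel modules.

```shell
#!/bin/sh
# Added example, not part of the original post: offline triage of an auth.log
# copied from the VPS filesystem after booting from live media (for instance
# /mnt/var/log/auth.log once the VPS disk is mounted under /mnt; that path is
# an assumption). Usage: sh triage_auth_log.sh [LOGFILE] [KNOWN_IPS]
# With no LOGFILE the constructed SAMPLE_LOG below is analysed instead.

# Constructed sample lines in the syslog format Debian/Ubuntu write to auth.log.
SAMPLE_LOG='Mar  3 02:14:07 vps sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  3 02:14:09 vps sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  3 02:14:12 vps sshd[1203]: Accepted password for root from 203.0.113.45 port 51240 ssh2
Mar  3 02:15:00 vps useradd[1250]: new user: name=sysupd, UID=0, GID=0, home=/root, shell=/bin/bash
Mar  3 02:16:31 vps sshd[1301]: Accepted publickey for admin from 198.51.100.7 port 40022 ssh2
Mar  3 02:17:02 vps sudo:   sysupd : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/sbin/insmod /tmp/.x/rk.ko'

# Number of failed password attempts; a burst shortly before an "Accepted"
# line for the same address is the classic brute-force signature.
failed_logins() {
    grep -c 'Failed password' "$1" || true
}

# Successful logins as "method user ip", one per line (fields 7, 9 and 11 of
# the sshd "Accepted <method> for <user> from <ip> ..." message).
accepted_logins() {
    grep 'Accepted ' "$1" | awk '{ print $7, $9, $11 }' || true
}

# Successful logins from addresses that are not in the space-separated
# allow list given as $2 (the addresses you normally administer from).
unexpected_logins() {
    known="$2"
    accepted_logins "$1" | while read -r method user ip; do
        case " $known " in
            *" $ip "*) ;;
            *) echo "$method $user $ip" ;;
        esac
    done
}

# Accounts created with UID 0 other than root: a second root-equivalent
# account is a common persistence mechanism alongside a rootkit.
new_uid0_accounts() {
    grep 'useradd' "$1" | grep 'UID=0' \
        | sed -n 's/.*name=\([^,]*\),.*/\1/p' | grep -v '^root$' || true
}

# sudo invocations that load a kernel module; kernel-level rootkits are
# typically installed this way, so review each hit by hand.
module_loads() {
    grep 'sudo:' "$1" | grep -E 'COMMAND=.*(insmod|modprobe)' || true
}

# Print a short report for LOGFILE, flagging logins outside KNOWN_IPS.
triage_report() {
    log="$1"; known="$2"
    echo "failed password attempts : $(failed_logins "$log")"
    echo "successful logins        :"; accepted_logins "$log" | sed 's/^/    /'
    echo "logins from unknown hosts:"; unexpected_logins "$log" "$known" | sed 's/^/    /'
    echo "new UID 0 accounts       :"; new_uid0_accounts "$log" | sed 's/^/    /'
    echo "kernel module loads      :"; module_loads "$log" | sed 's/^/    /'
}

if [ -n "${1:-}" ]; then
    triage_report "$1" "${2:-}"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    triage_report "$tmp" "198.51.100.7"   # 198.51.100.7 plays the admin's own address
    rm -f "$tmp"
fi
```

Run it against the mounted copy of the log rather than over the live SSH session, since a rootkit on the running system can filter what the logging daemon and the shell show you; the offline copy is the version worth trusting. A clean run on the sample still shows how little a brute-force followed by a root login and a new UID 0 user stands out in a busy log unless you grep for exactly these patterns.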

Protecting Your Client Machine

  1. Scan your client machine: Run a full antivirus and anti-malware scan on the computer you used to connect to the VPS.
  2. Update Software: Ensure your operating system, SSH client, and all other software are up to date with the latest security patches.
  3. Review SSH Configuration:
    • Disable Password Authentication: Use SSH keys instead of passwords for increased security. Edit /etc/ssh/sshd_config and set PasswordAuthentication no. Restart the SSH service after making changes (sudo systemctl restart sshd).

    • Change Default Port: Change the default SSH port (22) to a non-standard port. Edit /etc/ssh/sshd_config and change the Port directive. Restart the SSH service after making changes.
    • Limit User Access: Only allow necessary users to connect via SSH.
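The three configuration points above can be checked mechanically. The script below is an added example, not code from the original post, that audits an sshd_config for PasswordAuthentication, Port and a user allow list (it uses the AllowUsers directive for "Limit User Access", which is an assumption about how you restrict users). These directives belong to the SSH server daemon, so the file to audit is the VPS's /etc/ssh/sshd_config. The two sample configurations in the script are constructed: one with the stock settings, one after the recommended changes.

```shell
#!/bin/sh
# Added example, not part of the original post: check an sshd_config against
# the three settings recommended above (PasswordAuthentication no, a
# non-default Port, and a restricted user list via AllowUsers). These are
# directives of the SSH server daemon, so run it against the VPS's file.
# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
# Without an argument the two constructed samples below are audited instead.

WEAK_CONFIG='# constructed sample: stock settings the post advises changing
Port 22
PasswordAuthentication yes'

HARDENED_CONFIG='# constructed sample: the same file after the changes
Port 2222
PasswordAuthentication no
AllowUsers admin deploy'

# Effective value of directive $2 in file $1, or the default $3 when unset.
# sshd takes the first uncommented occurrence of a keyword, so the first
# match wins; keywords are case-insensitive. Match blocks are not modelled.
directive() {
    val=$(grep -i -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 \
          | awk '{ $1 = ""; sub(/^ /, ""); print }')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# One line per weak setting; prints nothing when the file passes all checks.
audit_sshd_config() {
    cfg="$1"
    pw=$(directive "$cfg" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    [ "$pw" = "no" ] || echo "PasswordAuthentication=$pw: password logins are accepted, set it to no"
    port=$(directive "$cfg" Port 22)
    [ "$port" != "22" ] || echo "Port=22: sshd listens on the default port"
    users=$(directive "$cfg" AllowUsers '')
    [ -n "$users" ] || echo "AllowUsers unset: any local account may log in over SSH"
}

# Number of findings; 0 means the file satisfies all three recommendations.
finding_count() {
    audit_sshd_config "$1" | grep -c . || true
}

if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
else
    weak=$(mktemp); printf '%s\n' "$WEAK_CONFIG" > "$weak"
    hard=$(mktemp); printf '%s\n' "$HARDENED_CONFIG" > "$hard"
    echo "weak sample: $(finding_count "$weak") finding(s)";     audit_sshd_config "$weak"
    echo "hardened sample: $(finding_count "$hard") finding(s)"; audit_sshd_config "$hard"
    rm -f "$weak" "$hard"
fi
```

After editing the real file, validate it with sudo sshd -t before the restart so a typo cannot lock you out of the server, and keep the existing session open until you have confirmed a fresh key-based login on the new port works.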

Recovery

If you suspect a deep compromise, the safest course of action is often to:

  • Rebuild the VPS: Completely wipe and reinstall the operating system from a trusted source.
  • Restore from Backup: If you have clean backups (created before the suspected compromise), restore your data from those backups.