Linux Maintainers Infected by SSH-Dwelling Backdoor: A Two-Year Compromise


In a shocking revelation, it has been disclosed that the infrastructure used to maintain and distribute the Linux operating system kernel was compromised for two years by sophisticated malware. This critical breach, involving the Ebury backdoor, has had far-reaching implications for Linux security. This article delves into the details of the attack, its impact, and the lessons learned.

The Ebury Malware: A Deep Dive

Date Disclosed: May 15, 2024

What is Ebury?

Ebury is a highly sophisticated piece of malware that creates a backdoor in OpenSSH servers. This backdoor allows attackers to gain remote root access to infected servers without requiring a valid password. The malware specifically targeted the Linux operating system but also affected a small number of FreeBSD, OpenBSD, SunOS, and Mac servers.

Timeline of the Compromise

2009 – 2011: The infection began in 2009 and went undetected until 2011. During this period, the malware compromised at least four servers inside, the central domain for Linux development and distribution.

August 2011: The compromise was discovered, revealing that attackers had obtained cryptographic hashes for 551 user accounts. Through advanced password-cracking techniques, they converted about half of these hashes into plaintext passwords.

How Ebury Spread

Ebury’s propagation was highly effective due to multiple methods:

  1. Credential Stuffing: Using compromised credentials to access new servers.
  2. Exploitation of Vulnerabilities: Including the Dirty COW vulnerability and a zero-day in the Control Web Panel.
  3. Adversary-in-the-Middle (AitM) Attacks: Intercepting network traffic to steal SSH credentials.
  4. Spreading through Hypervisors and Containers: Infecting all subsystems connected to a compromised hypervisor or container.
  5. Compromise of Hosting Providers: Spreading to all servers connected to a compromised hosting provider.

Impact of the Breach

550+ Compromised Accounts: The attackers managed to obtain sensitive information from over 550 accounts. The stolen data was used to send spam and conduct other malicious activities.

400,000+ Servers Infected: Over 15 years, Ebury infected more than 400,000 servers. Although not all were compromised simultaneously, the malware maintained a significant presence.

Targeted Environments: Ebury successfully spread across various environments, including universities, enterprises, ISPs, cryptocurrency exchanges, and hosting providers.

Security Measures and Recommendations

Detection and Response:

  • Regular Audits: Conduct frequent security audits to detect and respond to breaches promptly.
  • Strong Password Policies: Enforce strong password policies and use multi-factor authentication (MFA) to mitigate credential stuffing attacks.
  • Patch Management: Regularly update and patch systems to protect against known vulnerabilities.

Preventive Measures:

  • Network Segmentation: Implement network segmentation to limit the spread of malware.
  • Monitoring and Logging: Utilize comprehensive monitoring and logging to detect unusual activities.
  • Security Awareness Training: Educate users about phishing and other common attack vectors.


The Ebury malware incident underscores the importance of robust security practices in maintaining the integrity of critical infrastructure. By understanding the methods used by attackers and implementing effective security measures, organizations can better protect their systems against similar threats. Stay vigilant and proactive in securing your Linux environments to prevent future compromises.

Stay Informed

For more detailed insights and updates on cybersecurity threats, follow our blog and subscribe to our newsletter. Protect your systems and stay ahead of potential attacks by staying informed about the latest security developments.