News + Trends

How to identify 16,000 attacked servers in the network

10.9.2025

Translation: machine translated

Researchers have taken compromised servers out of circulation on a large scale. To do this, they utilised the peculiarities of a widespread internet protocol and beat the attackers at their own game.

One of the most frequently used network protocols is «Secure Shell» (SSH). It establishes an encrypted channel between client and server that can be used to securely transfer files or routinely maintain and configure systems remotely. A central element of the protocol are so-called public keys, which the servers use to authenticate the client - and this is also a weak point. For example, attackers guess weak passwords and install their own SSH keys. This gives them permanent access to the server. And that's not all: legitimate users are often unaware of this, as their password remains unchanged despite the attack. Identifying such compromised servers across the entire internet is extremely difficult.

Hope is now being raised by an approach that utilises the long-established internet protocol in a new way. A team from the Max Planck Institute (MPI) for Informatics and Delft University of Technology was able to use it to identify attacked servers on a large scale on the Internet. In doing so, they utilised a peculiarity of the SSH authentication protocol that is often overlooked. In order to authenticate itself, a client must first send the public key of a public-private key pair to the server. The server then checks whether this key is available for authorisation. This saves computing power, as the server only sends the client a «challenge-response», i.e. a task that the client can only solve using its public key, if the key sent is actually intended for authentication.

The researchers used this mechanism to identify compromised systems. They sent a total of 52 such public keys, which are known from previous attacks by groups such as «teamtnt», «mozi» or «fritzfrog», to all SSH servers connected to the internet. If one of these servers responds with a challenge to one of the keys, it is clear that attackers have installed their own key on the system - the server has been compromised.

In total, the scans uncovered more than 16,000 compromised servers at hosting suppliers, companies and research institutions, many of which were linked to known malware infrastructure. After affected network operators were informed about the infection, the number of compromised hosts dropped significantly, as follow-up investigations showed.

According to the researchers, the new approach makes the internet safer worldwide. Attackers cannot easily circumvent the detection by using individual keys for each compromised system. According to Anja Feldmann from the MPI, this is not operationally feasible on the scale that large remote-controlled networks of devices botnets would require. This transforms the attackers' strategy of gaining long-term access to systems into a reliable signal for defence.

Spectrum of Science

We are a partner of Spektrum der Wissenschaft and want to make well-founded information more accessible to you. Follow Spektrum der Wissenschaft if you like the articles.

Original article on Spektrum.de

Header image: Shutterstock / VL-PhotoPro

32 people like this article