Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detect a resource connecting to many external hosts through SSH.
Strategy
Malware that brute forces SSH logins may act as a worm and use the compromised host to brute force other hosts. This can be identified by a large number of SSH connections to many different public IP addresses.
Triage and response
- Review the destination IP addresses. Determine if the host is expected to make outbound SSH connections.
- Review system authentication logs. Resources exhibiting this behavior are often compromised by SSH brute forcing.
- Review Related Signals and relevant logs for additional malicious activity.
- Repair the root cause of the compromise.
This detection is based on data from Network Performance Monitoring.