Linux SSHD login by a likely malicious caller
Description
AlphaSOC detected a successful SSH login to a Linux system from a network source that had previously been linked to malicious activity. This suggests that a threat actor may have obtained valid credentials. Adversaries commonly leverage SSH to establish initial access, maintain persistence, and execute commands on compromised Linux hosts.
Impact
Successful SSH access grants threat actors direct command-line access to the Linux system, enabling them to execute arbitrary commands, exfiltrate sensitive data, install backdoors, escalate privileges, and move laterally to other systems within the network.
Severity
| Severity | Condition |
|---|---|
Medium | Linux SSHD login by a likely malicious caller |
Investigation and Remediation
Review Linux authentication logs (such as /var/log/auth.log on Debian/Ubuntu
or /var/log/secure on RHEL-based systems, or use journalctl) to identify the
username, source IP address, and session details associated with the suspicious
SSH login. Verify whether the login was authorized and expected from the
identified source. If unauthorized access is confirmed, immediately terminate
active SSH sessions for the affected account, disable or reset the compromised
credentials, and review command history and system logs for signs of malicious
activity.
Consider enforcing multi-factor authentication for SSH access. Audit SSH key
configurations across all users and review ~/.ssh/authorized_keys files for
unauthorized public keys that may have been added for persistence, removing any
suspicious entries.
Known False Positives
- Legitimate users accessing systems through VPNs that exit from shared or previously flagged IP addresses
- Remote access from cloud-based development or testing environments that may share infrastructure with suspicious actors