{"id":56095,"date":"2024-05-16T13:28:27","date_gmt":"2024-05-16T13:28:27","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/35888\/Linux-Maintainers-Were-Infected-For-2-Years-By-SSH-Dwelling-Backdoor-With-Huge-Reach.html"},"modified":"2024-05-16T13:28:27","modified_gmt":"2024-05-16T13:28:27","slug":"linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/","title":{"rendered":"Linux Maintainers Were Infected For 2 Years By SSH-Dwelling Backdoor With Huge Reach"},"content":{"rendered":"<figure class=\"intro-image intro-left\"> <img decoding=\"async\" src=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/backdoor-800x450.jpeg\" alt=\"A cartoon door leads to a wall of computer code.\"><figcaption class=\"caption\"><\/figcaption><\/figure>\n<p>Infrastructure used to maintain and distribute the Linux operating system kernel was infected for two years, starting in 2009, by sophisticated malware that managed to get a hold of one of the developers\u2019 most closely guarded resources: the \/etc\/shadow files that stored encrypted password data for more than 550 system users, researchers said Tuesday.<\/p>\n<p>The unknown attackers behind the compromise infected at least four servers inside kernel.org, the Internet domain 
underpinning the sprawling Linux development and distribution network, the researchers from security firm ESET said. After obtaining the cryptographic hashes for 551 user accounts on the network, the attackers were able to convert half into plaintext passwords, likely through password-cracking techniques and the use of an advanced credential-stealing feature built into the malware. From there, the attackers used the servers to send spam and carry out other nefarious activities. The four servers were likely infected and disinfected at different times, with the last two being remediated at some point in 2011.<\/p>\n<h2>Stealing kernel.org\u2019s keys to the kingdom<\/h2>\n<p>An infection of kernel.org <a href=\"https:\/\/www.theregister.com\/2011\/08\/31\/linux_kernel_security_breach\/\">came to light<\/a> in 2011, when kernel maintainers revealed that 448 accounts had been compromised after attackers had somehow managed to gain unfettered, or \u201croot,\u201d system access to servers connected to the domain. 
Maintainers <a href=\"https:\/\/arstechnica.com\/information-technology\/2013\/09\/who-rooted-kernel-org-servers-two-years-ago-how-did-it-happen-and-why\/\">reneged on a promise<\/a> to provide an autopsy of the hack, a decision that has limited the public\u2019s understanding of the incident.<\/p>\n<p>Besides revealing the number of compromised user accounts, representatives of the Linux Kernel Organization provided no details other than saying that the infection:<\/p>\n<ul>\n<li>Occurred no later than August 12, 2011, and wasn&#8217;t detected for another 17 days<\/li>\n<li>Installed an off-the-shelf rootkit known as Phalanx on multiple servers and personal devices belonging to a senior Linux developer<\/li>\n<li>Modified the files that both servers and end user devices inside the network used to connect through OpenSSH, an implementation of the SSH protocol for securing remote connections.<\/li>\n<\/ul>\n<p> In 2014, ESET researchers said the 2011 attack likely infected kernel.org servers with a <a href=\"https:\/\/arstechnica.com\/information-technology\/2014\/03\/10000-linux-servers-hit-by-malware-serving-tsunami-of-spam-and-exploits\/\">second piece of malware<\/a> they called Ebury. The malware, the firm said, came in the form of a malicious code library that, when installed, created a backdoor in OpenSSH that provided the attackers with a remote root shell on infected hosts with no valid password required. In a little less than 22 months, starting in August 2011, Ebury spread to 25,000 servers. 
Besides the four belonging to the Linux Kernel Organization, the infection also touched one or more servers inside hosting facilities and an unnamed domain registrar and web hosting provider.<\/p>\n<p>A <a href=\"https:\/\/web-assets.esetstatic.com\/wls\/en\/papers\/white-papers\/ebury-is-alive-but-unseen.pdf\">47-page report<\/a> summarizing Ebury&#8217;s 15-year history&nbsp;said that the infection hitting the kernel.org network began in 2009, two years earlier than the domain was previously thought to have been compromised. The report said that since 2009, the OpenSSH-dwelling malware has infected more than 400,000 servers, all running Linux except for about 400 FreeBSD servers, a dozen OpenBSD and SunOS servers, and at least one Mac.<\/p>\n<p>Researcher Marc-Etienne M. L\u00e9veill\u00e9 wrote:<\/p>\n<blockquote>\n<p>In our 2014 paper, we mentioned that there was evidence that kernel.org, hosting the source code of the Linux kernel, had been a victim of Ebury. Data now at our disposal reveals additional details about the incident. Ebury had been installed on at least four servers belonging to the Linux Foundation between 2009 and 2011. It seems these servers acted as mail servers, name servers, mirrors, and source code repositories at the time of the compromise. We cannot tell for sure when Ebury was removed from each of the servers, but since it was discovered in 2011 it is likely that two of the servers were compromised for as long as two years, one for one year and the other for six months.<\/p>\n<p>The perpetrator also had copies of the \/etc\/shadow files, which overall contained 551 unique username and hashed password pairs. The cleartext passwords for 275 of those users (50%) are in possession of the attackers. 
We believe that the cleartext passwords were obtained by using the installed Ebury credential stealer, and by brute force.<\/p>\n<\/blockquote>\n<p>The researcher said in an email that the Ebury and Phalanx infections appear to be separate compromises by two unrelated threat groups. Representatives of the Linux Kernel Organization didn\u2019t respond to emails asking if they were aware of the ESET report or if its claims were accurate. There is no indication that either infection resulted in tampering with the Linux kernel source code.<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/35888\/Linux-Maintainers-Were-Infected-For-2-Years-By-SSH-Dwelling-Backdoor-With-Huge-Reach.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[10932],"class_list":["post-56095","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-blogs","tag-headlinehackerlinuxcyberwarbackdoorcryptography"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Linux Maintainers Were Infected For 2 Years By SSH-Dwelling Backdoor With Huge Reach 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Linux Maintainers Were Infected For 2 Years By SSH-Dwelling Backdoor With Huge Reach 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-05-16T13:28:27+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/backdoor-800x450.jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Linux Maintainers Were Infected For 2 Years By SSH-Dwelling Backdoor With Huge Reach\",\"datePublished\":\"2024-05-16T13:28:27+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\\\/\"},\"wordCount\":734,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cdn.arstechnica.net\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/backdoor-800x450.jpeg\",\"keywords\":[\"headline,hacker,linux,cyberwar,backdoor,cryptography\"],\"articleSection\":[\"CyberSecurity Blogs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\\\/\",\"name\":\"Linux Maintainers Were Infected For 2 Years By SSH-Dwelling Backdoor With Huge Reach 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/cdn.arstechnica.net\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/backdoor-800x450.jpeg\",\"datePublished\":\"2024-05-16T13:28:27+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\\\/#primaryimage\",\"url\":\"https:\\\/\\\/cdn.arstechnica.net\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/backdoor-800x450.jpeg\",\"contentUrl\":\"https:\\\/\\\/cdn.arstechnica.net\\\/wp-content\\\/uploads\\\/2021\\\/03\\\/backdoor-800x450.jpeg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,ha
cker,linux,cyberwar,backdoor,cryptography\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackerlinuxcyberwarbackdoorcryptography\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Linux Maintainers Were Infected For 2 Years By SSH-Dwelling Backdoor With Huge Reach\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Linux Maintainers Were Infected For 2 Years By SSH-Dwelling Backdoor With Huge Reach 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/","og_locale":"en_US","og_type":"article","og_title":"Linux Maintainers Were Infected For 2 Years By SSH-Dwelling Backdoor With Huge Reach 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-05-16T13:28:27+00:00","og_image":[{"url":"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/backdoor-800x450.jpeg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Linux Maintainers Were Infected For 2 Years By SSH-Dwelling Backdoor With Huge Reach","datePublished":"2024-05-16T13:28:27+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/"},"wordCount":734,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/#primaryimage"},"thumbnailUrl":"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/backdoor-800x450.jpeg","keywords":["headline,hacker,linux,cyberwar,backdoor,cryptography"],"articleSection":["CyberSecurity Blogs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/","url":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/","name":"Linux Maintainers Were Infected For 2 Years By SSH-Dwelling Backdoor With Huge Reach 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/#primaryimage"},"thumbnailUrl":"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/backdoor-800x450.jpeg","datePublished":"2024-05-16T13:28:27+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/#primaryimage","url":"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/backdoor-800x450.jpeg","contentUrl":"https:\/\/cdn.arstechnica.net\/wp-content\/uploads\/2021\/03\/backdoor-800x450.jpeg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/linux-maintainers-were-infected-for-2-years-by-ssh-dwelling-backdoor-with-huge-reach\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,linux,cyberwar,backdoor,cryptography","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackerlinuxcyberwarbackdoorcryptography\/"},{"@type":"ListItem","position":3,"name":"Linux Maintainers Were Infected For 
2 Years By SSH-Dwelling Backdoor With Huge Reach"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatsh
ub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56095","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=56095"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56095\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=56095"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=56095"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=56095"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}