Authorities have dismantled SocksEscort, a service that sold access to a large proxy network built from compromised residential routers. Investigators say much of the infrastructure sat on infected SOHO networking devices, many running embedded Linux firmware.

Instead of running its own servers, the operation pushed customer traffic through hijacked home and small-business routers. Over time, that created a distributed botnet in which thousands of compromised systems acted as proxy nodes, letting fraud operations and credential attacks blend into normal residential traffic instead of standing out as activity from known malicious infrastructure.

It’s a pattern that shows up again and again with router malware. A device gets compromised, nobody notices, and eventually its bandwidth is part of someone else’s proxy network. The SocksEscort case becomes more interesting once you look at how the network actually operated.

Inside the SocksEscort Proxy Network

SocksEscort presented itself as a residential proxy service, but the infrastructure behind it looked very different from the commercial proxy platforms people normally think about. Instead of volunteers or paid nodes, the traffic moved through compromised routers sitting in homes and small offices. That distinction changes the entire model. Legitimate proxy networks rely on users knowingly sharing bandwidth. The SocksEscort network relied on devices that had been quietly taken over and turned into relay points.

A lot of that control came from AVRecon malware, a Linux-targeting threat uncovered by researchers at Lumen Black Lotus Labs. The malware targeted a wide range of SOHO routers, including models from Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel. Such devices tend to run continuously and often sit untouched for years once they’re installed. Once a device was infected, the router effectively became part of the proxy network.
AVRecon malware capabilities

• Linux router malware targeting SOHO networking devices
• Device reconnaissance and system information collection
• Command-and-control communication
• Remote command execution
• Proxy relay configuration for routing external traffic

The result was a residential proxy network built almost entirely from compromised infrastructure. From the outside, it looked like a typical proxy service, but in reality the network relied on thousands of infected routers acting as relay points for customer traffic.

The Scale of the SocksEscort Botnet

Once researchers started mapping the SocksEscort infrastructure, it became clear that the network had been running for years. The service itself dates back more than a decade, gradually growing into a proxy network built from compromised residential devices. Investigators eventually tied more than 369,000 compromised IP addresses across 163 countries to the service. Researchers were also seeing around 20,000 devices communicating with the infrastructure each week, suggesting the botnet was constantly shifting as systems dropped off and new ones appeared.

At that point, it stops looking like a niche proxy service. It starts looking like a long-running cybercrime infrastructure. The operation generated roughly $5.8 million (€5 million) in criminal revenue before the infrastructure was disrupted.

The question I keep coming back to is why routers, especially Linux-based ones, keep showing up in operations like this.

Why Linux Routers Keep Becoming Botnet Infrastructure

Cases like SocksEscort tend to circle back to the same kind of device. Not servers. Not desktops. Home and small-office routers. Most of those systems run some form of embedded Linux, which makes sense once you think about how networking hardware is built. The operating system itself isn’t the problem.
What matters is how long these devices stay online and how rarely they’re updated after they’re installed. A router might sit in a closet or under a desk for years without anyone logging into it. When attackers find a way in, that device can quietly become part of a botnet or proxy network and continue operating as if nothing changed.

Where attackers usually get in

• Outdated firmware
• Default administrative credentials
• Exposed remote administration interfaces
• Unsupported hardware that no longer receives updates

None of these weaknesses is particularly exotic. They’re the same entry points that have shown up in router botnet campaigns for years.

Why infections often go unnoticed

• Routers operate continuously with little user interaction
• Proxy network activity generates minimal visible disruption
• Router security monitoring is uncommon in most environments
• AVRecon has been observed flashing custom firmware images through the router’s update mechanism, allowing the malware to persist even after a reboot

That combination makes routers an unusually durable infrastructure once they’re compromised. A device can sit inside a botnet-backed proxy network for months, sometimes years, before anyone realizes it’s participating in the traffic. Which brings us back to the SocksEscort case and how authorities eventually disrupted that infrastructure.

Why the SocksEscort Takedown Doesn’t Solve the Router Problem

After years of operating in the background, the infrastructure behind SocksEscort eventually drew the attention of authorities. The joint investigation, known as Operation Lightning, focused on dismantling the service itself rather than attempting to track down every compromised router spread across residential networks.
Authorities seized 34 domains and 23 servers across seven countries, dismantling the infrastructure used to operate the proxy service, and cryptocurrency connected to the operation was frozen. In practical terms, that removed the platform that had been selling access to the proxy network. But taking down the service doesn’t automatically clean the devices that were already compromised. Many of the routers that once formed part of the SocksEscort network may still be online today, running the same firmware and configurations that allowed the compromise in the first place.

What This Means for Linux Users and Administrators

For most administrators, the takeaway from the SocksEscort case isn’t the malware itself. It’s the device lifecycle behind it. Routers and edge devices often stay in service far longer than the systems around them. They get installed, configured once, and then quietly run for years without firmware updates, configuration reviews, or security monitoring. That’s exactly the kind of environment operations like this depend on.

If a router ends up inside a botnet or proxy network, the device may continue operating normally while routing traffic for someone else. In many cases, the first signal is an abuse notice from an ISP or unusual outbound traffic patterns that don’t match normal network activity.
For administrators responsible for Linux-based networking devices, a few checks are worth making:

• Confirm routers are running the current firmware
• Replace hardware that no longer receives vendor updates
• Disable remote administration interfaces that are not required
• Change default or long-standing administrative credentials
• Review outbound traffic patterns from edge devices
• Isolate routers and IoT devices from internal networks where possible

Administrators investigating suspicious router activity may also want to check for processes listening on port 48102 or the presence of a jid.pid file in /tmp, both indicators previously associated with AVRecon infections.

None of these steps is complicated, but they’re often overlooked once a device is deployed, which is exactly the kind of gap operations like SocksEscort tend to rely on. That’s also why incidents like this keep resurfacing. The devices involved are rarely high-profile servers or hardened infrastructure. More often, they’re ordinary routers sitting at the edge of a network, quietly running the same firmware they had the day they were installed.

MaK Ulac
Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called GobRAT. "Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said in a report published today.

The compromise of an internet-exposed router is followed by the deployment of a loader script that acts as a conduit for delivering GobRAT, which, when launched, masquerades as the Apache daemon process (apached) to evade detection. The loader is also equipped to disable firewalls, establish persistence using the cron job scheduler, and register an SSH public key in the .ssh/authorized_keys file for remote access. GobRAT, for its part, communicates with a remote server via the Transport Layer Security (TLS) protocol to receive as many as 22 different encrypted commands for execution.

The link for this article located at The Hacker News is no longer available.

LinuxSecurity.com Team
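Both pieces above name host-level indicators an administrator can look for on a Linux router: the AVRecon listener on TCP 48102 and the /tmp/jid.pid file from the SocksEscort article, and the apached process masquerade, cron persistence and added authorized_keys entry from the GobRAT report. The POSIX shell triage helper below is an added example, not code from either article, JPCERT/CC or Lumen; its function names and sample captures are constructed, and it assumes the administrator keeps an allow-list of the SSH keys that belong on the device.

```shell
#!/bin/sh
# Added triage helper (not from the articles, JPCERT/CC or Lumen). Each check takes
# text captured from the router as an argument so it can run offline on output
# copied from a device; the SAMPLE_* captures below are constructed for the demo.

# AVRecon indicators from the SocksEscort article
has_avrecon_port() { printf '%s\n' "$1" | grep -Eq '[:.]48102[[:space:]]'; }  # ss -lntp / netstat -lnt
has_avrecon_pid()  { printf '%s\n' "$1" | grep -Eqx '(/tmp/)?jid\.pid'; }      # find /tmp -maxdepth 1

# GobRAT indicators from the JPCERT/CC report
has_fake_apached() { printf '%s\n' "$1" | grep -Eq '(^|[/ ])apached( |$)'; }             # ps
cron_from_tmp()    { printf '%s\n' "$1" | grep -E '^[^#].*(/tmp/|/var/tmp/|/dev/shm/)'; } # crontab -l
# Print authorized_keys lines absent from the admin's allow-list ($1 allow-list, $2 file content)
unexpected_keys() {
  printf '%s\n' "$2" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s\n' "$1" | grep -qxF -- "$line" || printf '%s\n' "$line"
  done
}

# Run every check; one FINDING line per hit, return 0 only when nothing was found
triage() {  # $1 listeners, $2 /tmp listing, $3 ps, $4 crontab, $5 key allow-list, $6 authorized_keys
  hits=0
  has_avrecon_port "$1" && { echo "FINDING: listener on TCP 48102 (AVRecon)"; hits=$((hits+1)); }
  has_avrecon_pid "$2"  && { echo "FINDING: /tmp/jid.pid present (AVRecon)"; hits=$((hits+1)); }
  has_fake_apached "$3" && { echo "FINDING: process named apached (GobRAT masquerade)"; hits=$((hits+1)); }
  c=$(cron_from_tmp "$4") && { echo "FINDING: cron job running from a tmp dir: $c"; hits=$((hits+1)); }
  k=$(unexpected_keys "$5" "$6"); [ -n "$k" ] && { echo "FINDING: unexpected SSH key: $k"; hits=$((hits+1)); }
  echo "$hits indicator(s) found"; [ "$hits" -eq 0 ]
}

# Constructed sample captures standing in for real router output
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("dropbear",pid=312,fd=4))
LISTEN 0 128 0.0.0.0:48102 0.0.0.0:* users:(("jid",pid=9021,fd=3))'
SAMPLE_TMP='/tmp/dhcp.leases
/tmp/jid.pid'
SAMPLE_PS='  312 root  dropbear -p 22
 9150 root  /tmp/apached'
SAMPLE_CRON='0 3 * * * /sbin/ntpclient
*/5 * * * * /tmp/.x/loader.sh'
KNOWN_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey admin@lab'
SAMPLE_KEYS="$KNOWN_KEYS
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKey"

if triage "$SAMPLE_SS" "$SAMPLE_TMP" "$SAMPLE_PS" "$SAMPLE_CRON" "$KNOWN_KEYS" "$SAMPLE_KEYS"; then
  echo "no indicators in sample captures"
else
  echo "review this device: the findings above match the indicators described in the articles"
fi
```

On a real device, replace the SAMPLE_* values with the output of the commands noted beside each check; a hit on any one of them is a reason to pull the router offline and re-flash vendor firmware rather than to trust a reboot.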
Security researcher Zachary Cutlip took the stage at both the Black Hat and Defcon conferences this weekend. His talk was about doing SQL injection on MIPS-powered SOHO routers, and in particular he aimed at the Linux-powered Netgear WNDR3700. After sitting through an hour of this guy's presentation at Black Hat (I didn't bother to see it a second time at Defcon) the answer is: kinda/sorta.

The link for this article located at Internet News is no longer available.

Anthony Pell