In this paper, we present a method to identify compromised SSH servers at scale. For this, we use SSH’s behavior of only sending a challenge during public key authentication to check whether the key is present on the system. Our technique neither allows us to access compromised systems (unlike, e.g., testing known attacker passwords), nor does it require access for auditing.
Catch-22: Uncovering Compromised Hosts using SSH Public Keys | USENIX
Submitted 1 week ago by jstangroome@infosec.pub to cybersecurity@infosec.pub
https://www.usenix.org/conference/usenixsecurity25/presentation/munteanu
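As an added illustration (not the paper's code), the following Python models the RFC 4252 public-key query the abstract refers to: the client sends a USERAUTH_REQUEST with the signature flag FALSE, and the server answers PK_OK or FAILURE based only on whether the key blob is in the user's authorized keys, which is why key presence can be checked without ever authenticating. The wire encoding follows RFC 4251/4252; the user name and key blobs are constructed placeholders, not real keys.

```python
# Added example (not from the paper): minimal model of the RFC 4252 "publickey"
# query without a signature, the server behaviour the abstract relies on.
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_PK_OK = 60

# Constructed stand-ins for public key blobs; not real keys.
AUTHORIZED_BLOB = b"constructed-blob-of-an-authorized-key"
UNKNOWN_BLOB = b"constructed-blob-of-some-other-key"

def _string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_pubkey_query(user: bytes, pkalg: bytes, blob: bytes) -> bytes:
    """Client side: USERAUTH_REQUEST, method 'publickey', signature flag FALSE.
    Nothing here proves possession of the private key; it only asks if the key is acceptable."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + _string(user) + _string(b"ssh-connection")
            + _string(b"publickey") + b"\x00" + _string(pkalg) + _string(blob))

def server_answer(msg: bytes, authorized: dict) -> int:
    """Server side (modelled): PK_OK iff the offered blob is among the user's authorized keys.
    `authorized` maps user name -> set of key blobs, i.e. what authorized_keys holds."""
    if msg[0] != SSH_MSG_USERAUTH_REQUEST:
        return SSH_MSG_USERAUTH_FAILURE
    user, off = _read_string(msg, 1)
    _service, off = _read_string(msg, off)
    method, off = _read_string(msg, off)
    if method != b"publickey":
        return SSH_MSG_USERAUTH_FAILURE
    has_signature, off = msg[off] != 0, off + 1
    _pkalg, off = _read_string(msg, off)
    blob, _ = _read_string(msg, off)
    if has_signature:
        # A real server would verify the signature here; the query path never reaches it.
        return SSH_MSG_USERAUTH_FAILURE
    # The reply depends only on key presence, so an unauthenticated peer learns it.
    return SSH_MSG_USERAUTH_PK_OK if blob in authorized.get(user, set()) else SSH_MSG_USERAUTH_FAILURE

def demo() -> tuple:
    """Constructed scenario: one authorized key for 'alice'; query a present and an absent key."""
    authorized = {b"alice": {AUTHORIZED_BLOB}}
    present = server_answer(build_pubkey_query(b"alice", b"ssh-ed25519", AUTHORIZED_BLOB), authorized)
    absent = server_answer(build_pubkey_query(b"alice", b"ssh-ed25519", UNKNOWN_BLOB), authorized)
    return present, absent
```

The model shows why auditing authorized_keys for keys you do not recognise matters: their presence is observable by anyone who can reach the SSH port, with no credentials involved.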