Attackers are mass-scanning websites for directories holding SSH private keys so they can hack into websites with any unintentionally exposed credentials.
SSH (Secure Socket Shell) is a program created to allow users to log into another computer over a network, to execute commands on that computer and to move files to and from that computer.
SSH authentication can rely on login credentials (username and password) or on key-based authentication. With the key-based method, users generate a key pair consisting of a public key and a private key. The public key is stored on the server that users want to connect to. The private key is stored by the users in a local SSH configuration directory on the server.
According to Wordfence:
“In the past 24 hours, we have seen a new attacker start mass-scanning websites for private SSH keys,”
“If your private SSH key ever gets out, anyone can use it to sign in to a server where you have set up key-based authentication. It is very important to keep your private key safe.”
Cybercriminals are mass-scanning the web, searching for web directories containing words, or combinations of words, such as “root,” “ssh,” or “id_rsa.”
Server administrators are advised to check that they have not unintentionally uploaded their SSH private key to their public servers.
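One way to run the check recommended above on your own web root, as an added example that is not from Wordfence or the original article. The function names, the sample directory layout and the placeholder file contents are constructed for illustration; the name terms are the ones quoted in the article.

```python
import os
import re
import tempfile

# Content markers for PEM/OpenSSH and PuTTY private keys; catches renamed key files.
KEY_MARKER = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----|PuTTY-User-Key-File-\d+:")
# Name fragments the article says the scanners look for.
NAME_TERMS = ("root", "ssh", "id_rsa")


def find_exposed_keys(webroot, head_bytes=4096):
    """Return sorted (relative_path, reason) pairs for risky files under webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if KEY_MARKER.search(head):
                findings.append((rel, "private-key-content"))
            elif any(term in rel.lower() for term in NAME_TERMS):
                findings.append((rel, "suspicious-name"))
    return sorted(findings)


def demo():
    """Scan a constructed web root; key bodies are placeholders, not real keys."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".ssh"))
        os.makedirs(os.path.join(root, "backup"))
        samples = {
            "index.html": b"<html>hello</html>",
            ".ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n",
            ".ssh/id_rsa.pub": b"ssh-rsa CONSTRUCTED user@host\n",
            "backup/notes.txt": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return find_exposed_keys(root)


if __name__ == "__main__":
    print("\n".join(f"{reason:20} {path}" for path, reason in demo()))
```

Point `find_exposed_keys` at the directory your web server actually serves; any `private-key-content` hit means the file should be removed from the web root and the corresponding key pair replaced.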