The presence of a custom SSH backdoor using Python and Paramiko in the environment indicates potential adversary persistence and remote command execution capabilities. SOC teams should proactively hunt for this behavior to identify and mitigate stealthy, long-term access mechanisms that may evade traditional detection methods.
YARA Rule
rule custom_ssh_backdoor_server
{
    meta:
        description = "Custom SSH backdoor based on python and paramiko - file server.py"
        author = "Florian Roth"
        reference = "https://goo.gl/S46L3o"
        date = "2015-05-14"
        hash = "0953b6c2181249b94282ca5736471f85d80d41c9"
    strings:
        $s0 = "command= raw_input(\"Enter command: \").strip('n')" fullword ascii
        $s1 = "print '[-] (Failed to load moduli -- gex will be unsupported.)'" fullword ascii
        $s2 = "print '[-] Listen/bind/accept failed: ' + str(e)" fullword ascii
        $s3 = "chan.send(command)" fullword ascii
        $s4 = "print '[-] SSH negotiation failed.'" fullword ascii
        $s5 = "except paramiko.SSHException, x:" fullword ascii
    condition:
        filesize < 10KB and 5 of them
}
This rule contains 6 string patterns in its detection logic; its condition fires on files smaller than 10 KB that contain at least 5 of them. The scenarios below describe legitimate uses of paramiko that may trigger the rule, each with a filter or exclusion that can be applied when deploying it.
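The following triage helper is an added example, not part of the original page and not code by the rule's author. It mirrors the rule's logic in plain Python (the six literal strings with YARA's fullword semantics, the filesize guard and the "5 of them" threshold) and then layers on the kind of directory/file-name allowlist the tuning scenarios on this page describe, so a hunt run can separate "rule matched" from "worth alerting on". The allowlist entries, paths and file contents are constructed sample data; no real hosts or files are referenced.

```python
"""Triage helper mirroring the custom_ssh_backdoor_server rule plus allowlist tuning.

Added example; not the page's or the rule author's code. All paths, names and
file contents below are constructed for illustration.
"""
import os
from dataclasses import dataclass, field

# The six literal patterns from the rule, byte-for-byte (ascii, fullword).
RULE_STRINGS = [
    b"command= raw_input(\"Enter command: \").strip('n')",
    b"print '[-] (Failed to load moduli -- gex will be unsupported.)'",
    b"print '[-] Listen/bind/accept failed: ' + str(e)",
    b"chan.send(command)",
    b"print '[-] SSH negotiation failed.'",
    b"except paramiko.SSHException, x:",
]
MAX_SIZE = 10 * 1024   # rule condition: filesize < 10KB
MIN_HITS = 5           # rule condition: 5 of them

# Hypothetical allowlist modelled on the tuning scenarios; adjust to your estate.
ALLOWED_DIRS = [
    "/etc/cron.d/", "/opt/maintenance/", "/root/scripts/", "/home/admin/scripts/",
    "/opt/jenkins/workspace/", "/var/lib/jenkins/workspace/",
]
ALLOWED_NAMES = {"backup_script.py", "system_check.py", "deploy_pipeline.py", "ci_deployment.py"}


def _fullword_in(data: bytes, pat: bytes) -> bool:
    """YARA 'fullword': an occurrence counts only if no ASCII alphanumeric touches it."""
    start = 0
    while (i := data.find(pat, start)) != -1:
        end = i + len(pat)
        before = data[i - 1:i] if i else b""   # bytes.isalnum() is False for b""
        if not before.isalnum() and not data[end:end + 1].isalnum():
            return True
        start = i + 1
    return False


def rule_hits(data: bytes) -> list:
    """Mirror of the rule: apply the size guard, then collect the matching strings."""
    if len(data) >= MAX_SIZE:
        return []
    return [p.decode() for p in RULE_STRINGS if _fullword_in(data, p)]


def is_allowlisted(path: str) -> bool:
    """Suppress only when BOTH the directory and the file name are on the allowlist;
    requiring both keeps a stray file dropped into an allowed directory visible."""
    in_dir = any(path.startswith(d) for d in ALLOWED_DIRS)
    return in_dir and os.path.basename(path) in ALLOWED_NAMES


@dataclass
class Verdict:
    path: str
    hits: list = field(default_factory=list)
    excluded: bool = False

    @property
    def matched(self) -> bool:        # the YARA condition would fire
        return len(self.hits) >= MIN_HITS

    @property
    def alert(self) -> bool:          # matched and not tuned out
        return self.matched and not self.excluded


def triage(path: str, data: bytes) -> Verdict:
    return Verdict(path, rule_hits(data), is_allowlisted(path))


# Constructed sample files: a benign maintenance script that shares one string,
# an unexplained file carrying all six, and a CI script carrying five in an allowed place.
SAMPLES = {
    "/opt/maintenance/backup_script.py": (
        b"import paramiko\n"
        b"client = paramiko.SSHClient()\n"
        b"chan.send(command)\n"
    ),
    "/tmp/.cache/server.py": b"\n".join(RULE_STRINGS) + b"\n",
    "/opt/jenkins/workspace/deploy_pipeline.py": b"\n".join(RULE_STRINGS[:5]) + b"\n",
}


def run_samples() -> dict:
    return {p: triage(p, d) for p, d in SAMPLES.items()}


if __name__ == "__main__":
    for v in run_samples().values():
        tag = "ALERT" if v.alert else "quiet"
        note = " (allowlisted)" if v.excluded else ""
        print(f"{tag:5} {v.path}: {len(v.hits)}/{len(RULE_STRINGS)} strings{note}")
```

Keep the exclusion step separate from the match step, as above, so that allowlisted matches are still logged: a hunt for this backdoor wants to know about every file that satisfies the rule, even when a filter decides it is not worth paging anyone for.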
Scenario: Scheduled System Maintenance Script
Description: A legitimate system maintenance script uses paramiko to connect to a remote server for backup purposes.
Filter/Exclusion: Check for known maintenance scripts in predefined directories (e.g., /etc/cron.d/, /opt/maintenance/) and exclude files with known maintenance script names (e.g., backup_script.py, system_check.py).
Scenario: Admin Task - Remote Server Configuration
Description: An administrator uses a Python script with paramiko to configure a remote server during a routine administrative task.
Filter/Exclusion: Exclude files executed from known admin directories (e.g., /root/scripts/, /home/admin/scripts/) and filter by user (e.g., user == "root" or user == "admin").
Scenario: CI/CD Pipeline Deployment Script
Description: A deployment script uses paramiko to connect to a remote server and deploy code as part of a CI/CD pipeline.
Filter/Exclusion: Exclude files in CI/CD directories (e.g., /opt/jenkins/workspace/, /var/lib/jenkins/workspace/) and filter by known CI/CD tool names (e.g., deploy_pipeline.py, ci_deployment.py).
Scenario: Log Analysis Tool with Remote Access
Description: A log analysis tool uses paramiko to access remote servers for log aggregation and analysis.
Filter/Exclusion: Exclude files associated with log analysis tools (e.g., log_collector.py, log_analyzer.py) and filter by known log analysis tool directories (e.g., /opt/log_analysis/, /var/log_tools/).
Scenario: Internal Monitoring Tool with SSH Tunneling
Description: An internal monitoring tool uses paramiko to establish