Over 16,000 compromised servers uncovered using Secure Shell key probing method

An international research team from the Max Planck Institute (MPI) for Informatics in Saarbrücken, Germany, and the Delft University of Technology in the Netherlands has developed a method to detect compromised hosts at an internet scale by probing servers with public SSH keys previously observed in attacker operations.

This way, the team was able to identify more than 16,000 compromised hosts. Their findings have now been published at the USENIX Security Symposium 2025, where they were awarded a Distinguished Paper Award and the Internet Defense Prize.

Secure Shell (SSH) is one of the most common tools used to manage servers remotely. It provides a secure, encrypted channel between a client and a server, allowing users to log in, execute commands, and transfer files safely. SSH is widely used by system administrators and developers for maintaining and configuring remote systems.

When a machine is compromised, attackers often install their own SSH keys to guarantee persistent access. From that moment on, they can connect whenever they wish and use the machine as they desire. The technique is stealthy: the legitimate user's password is left unchanged, so the alerts a defender would normally rely on (failed logins, password resets) do not fire; the attacker's key simply sits alongside the legitimate ones in the account's authorized_keys file. Detecting such compromises at internet scale is not a trivial task.

In their work presented at the USENIX Security Symposium 2025, a conference on computer and network security, the team consisting of Cristian Munteanu, Prof. Dr. Anja Feldmann and Dr.-Ing. Tobias Fiebig of MPI for Informatics and Prof. Dr. Georgios Smaragdakis of Delft University of Technology introduced "Catch-22: Uncovering Compromised Hosts using SSH Public Keys."

The method relies on a subtle feature of SSH's public-key authentication (RFC 4252). Before signing anything, a client may send the server a public key on its own, with the signature flag set to false, to ask whether that key would be accepted for the target account. The server answers with SSH_MSG_USERAUTH_PK_OK, the go-ahead to produce a signature, only if the key is on that account's list of authorized keys; otherwise it returns an authentication failure. By probing servers with public keys previously observed in attacker operations, it was possible to identify machines where those keys have been installed, indicating compromised systems. "Crucially, we never complete authentication, and we do not even know the private keys – the response with the challenge alone is enough," explains first author Cristian Munteanu.

The researchers implemented this technique at internet scale by scanning both IPv4 and IPv6 address ranges with 52 keys, which could be linked by a collaborating company from the security sector to attacks of malicious actors like “teamtnt,” “mozi” or “fritzfrog.”

To ensure reliability, they validated their findings across multiple SSH implementations, filtered out noisy servers using "canary" test keys, and cross-checked results against botnet intelligence. A "canary" key is a freshly generated SSH key that is installed on no server and therefore must never be accepted. If a server nevertheless answers positively to the canary, it is excluded from further scanning, since it is clearly not honouring the protocol as expected (honeypots and misconfigured servers behave this way) and would produce unreliable or misleading results.
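The following is an added example, not code from the Catch-22 paper or its artifact. It builds the RFC 4252 "publickey" query message that a client sends to ask whether a key is acceptable without signing anything (the mechanism described two paragraphs above), simulates a server that answers SSH_MSG_USERAUTH_PK_OK or SSH_MSG_USERAUTH_FAILURE based on an authorized-key set, and runs the probe-plus-canary classification described just above. The simulated server stands in for a real SSH transport: in a live probe the same message would be sent after key exchange and the service request. All key material and host names are constructed placeholders, not the real attacker keys the researchers used.

```python
"""Added example (not from the Catch-22 paper): RFC 4252 publickey query,
a simulated sshd, and probe-plus-canary host classification."""
import base64
import hashlib
import os
import struct

# Message numbers from RFC 4252.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_PK_OK = 60


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Inverse of ssh_string: returns (payload, new_offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def ed25519_blob(raw32: bytes) -> bytes:
    """Public-key blob in OpenSSH wire format for ssh-ed25519."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a key blob (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_publickey_query(user: str, blob: bytes) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST, method 'publickey', signature flag FALSE
    (RFC 4252 section 7): 'would this key be acceptable for `user`?'.
    No private key is involved."""
    algo, _ = read_string(blob, 0)
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode())
            + ssh_string(b"ssh-connection")
            + ssh_string(b"publickey")
            + b"\x00"  # boolean FALSE: query only, no signature follows
            + ssh_string(algo)
            + ssh_string(blob))


def parse_publickey_query(msg: bytes):
    """Server-side decode; returns (user, algo, blob, has_signature)."""
    assert msg[0] == SSH_MSG_USERAUTH_REQUEST
    off = 1
    user, off = read_string(msg, off)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    assert service == b"ssh-connection" and method == b"publickey"
    has_sig, off = bool(msg[off]), off + 1
    algo, off = read_string(msg, off)
    blob, off = read_string(msg, off)
    return user.decode(), algo, blob, has_sig


def make_server(authorized: dict):
    """Simulated sshd: `authorized` maps username -> set of key blobs.
    A real server sends USERAUTH_FAILURE with a list of methods that may
    continue; only the message number matters for the probe."""
    def respond(msg: bytes) -> int:
        user, _algo, blob, has_sig = parse_publickey_query(msg)
        if not has_sig and blob in authorized.get(user, set()):
            return SSH_MSG_USERAUTH_PK_OK
        return SSH_MSG_USERAUTH_FAILURE
    return respond


def probe_host(respond, user: str, attacker_blobs: dict, canary_blob: bytes):
    """Probe one host: the canary first (a fresh key installed nowhere), then
    the attacker keys. Returns ("noisy", []) if the canary is accepted, else
    ("ok", [names of attacker keys the host accepted])."""
    if respond(build_publickey_query(user, canary_blob)) == SSH_MSG_USERAUTH_PK_OK:
        return "noisy", []
    hits = [name for name, blob in attacker_blobs.items()
            if respond(build_publickey_query(user, blob)) == SSH_MSG_USERAUTH_PK_OK]
    return "ok", hits


# Constructed placeholder keys (deterministic 32-byte values), NOT real attacker keys.
ATTACKER_KEYS = {name: ed25519_blob(hashlib.sha256(name.encode()).digest())
                 for name in ("demo-botnet-a", "demo-botnet-b")}
CANARY = ed25519_blob(os.urandom(32))

# Three constructed hosts: clean, compromised (botnet-a key in root's
# authorized_keys), and a misbehaving server that says PK_OK to any key.
HOSTS = {
    "clean": make_server({"root": set()}),
    "compromised": make_server({"root": {ATTACKER_KEYS["demo-botnet-a"]}}),
    "noisy": lambda msg: SSH_MSG_USERAUTH_PK_OK,
}


def scan_all():
    """Returns {host: (status, [names of accepted attacker keys])}."""
    return {h: probe_host(r, "root", ATTACKER_KEYS, CANARY) for h, r in HOSTS.items()}


if __name__ == "__main__":
    for host, (status, hits) in scan_all().items():
        print(host, status, [fingerprint(ATTACKER_KEYS[h]) for h in hits])
```

The canary is sent before any attacker key so that a server which accepts everything is dropped before it can contribute false hits; the attacker-key probes only run against hosts that have already rejected the canary, which is what keeps the false-positive rate low.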

The scans revealed more than sixteen thousand compromised machines across hosting providers, enterprises, and academic networks, many of which were linked to known malware infrastructures.

To contribute to internet security beyond the measurements themselves, the researchers collaborated with the Shadowserver Foundation, the German Federal Office for Information Security (BSI), and CERT-Bund, the Computer Emergency Response Team for Germany's federal authorities, which is hosted at the BSI. The Shadowserver Foundation is a nonprofit organization that specializes in large-scale security notifications and responsibly informs network operators and national Computer Emergency Response Teams (CERTs). Follow-up scans after Shadowserver's reports showed a clear decrease in the number of compromised hosts.

“The main contribution of Catch-22 is to demonstrate that a long-standing internet protocol can be used in new ways to improve defense. The strength of the method lies in the fact that attackers cannot easily evade detection by switching to random keys for every compromised host, since managing thousands of unique keys across large botnets or infrastructures does not scale operationally,” says Feldmann, scientific director of the Internet Architecture department at MPI for Informatics.

By observing whether servers recognize known attacker keys, the new method can uncover compromises remotely, at scale, and with very few false positives. This turns the attackers’ own persistence strategy into a reliable signal for defenders and provides a practical tool to strengthen internet security.

More information:
Munteanu, C., Feldmann, A., Fiebig, T., Smaragdakis, G. Catch-22: Uncovering Compromised Hosts using SSH Public Keys. In: 34th USENIX Security Symposium (USENIX Security 2025). USENIX. www.usenix.org/system/files/us … urity25-munteanu.pdf

Cristian Munteanu, Artifact: Catch-22: Uncovering Compromised Hosts using SSH Public Keys, Edmond (2025). DOI: 10.17617/3.lvpcs6

Provided by
Max Planck Society

Citation:
Over 16,000 compromised servers uncovered using Secure Shell key probing method (2025, September 1)
retrieved 2 September 2025
from https://techxplore.com/news/2025-09-compromised-servers-uncovered-shell-key.html
