Wednesday, January 10, 2007
Oh, so that's what an ssh scanner looks like
Between metro ethernet woes
and a customer's server either attacking other machines, or being attacked
by other machines (it was never made clear in what direction the excessive
network traffic was travelling), I was made aware that one of our servers
was generating a large amount of outgoing
When I logged in, sure enough, one
ps aux code later:
rob 30289 0.0 0.0 8632 2284 pts/1 S 10:53 0:00 ./ssh-scan 100
Only, about four score and seven more copies than the one just listed
there. It looks like regular user accounts were compromised (it's a
dedicated server to one of our clients so we don't have full control over
it). Not much else to do but kill off the offending processes (and finding
a second compromised account running an IRC bot), locking out the account and looking at said
Interesting stuff—found one file named
seemed to have a list of servers with default accounts and passwords.
I tried one system listed in the
vuln.txt file and got the
-------------------------
Mitel Networks SME Server
-------------------------
Standard user login services have been disabled.
Type "end" and press ENTER to terminate this connection:
I tried another vulnerable system, and was able to actually get a shell:
[spc]shell:~>ssh tester@XXXXXXXXXXXXXX
tester@XXXXXXXXXXXXXX's password:
-bash-2.05b$
But when I tried to actually use the system, it was rather limited.
The only commands available were
and a bunch of builtin shell commands.
Makes it kind of hard to look around, but with discussion with an unnamed friend of mine, we came up with the following to actually view the few files that existed on this system:
# print a file with shell builtins only; the loop ends when read reaches end-of-file
(while read -r ; do echo "$REPLY" ; done) <filename
I'm beginning to think these
ssh scans aren't for vulnerable
Unix systems, but embedded systems with manufacturer backdoors built in that
a certain clientele of user are using for their own nefarious schemes.