The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Wednesday, January 10, 2007

Oh, so that's what an ssh scanner looks like

Between metro ethernet woes and a customer's server either attacking other machines, or being attacked by other machines (it was never made clear in what direction the excessive network traffic was travelling), I was made aware that one of our servers was generating a large amount of outgoing ssh traffic.

When I logged in, sure enough, one ps aux code later:

rob      30289  0.0  0.0  8632 2284 pts/1    S    10:53   0:00 ./ssh-scan 100

Only, about four score and seven more copies than the one just listed there. It looks like regular user accounts were compromised (it's a dedicated server to one of our clients so we don't have full control over it). Not much else to do but kill off the offending processes (and finding a second compromised account running an IRC bot), locking out the account and looking at said ssh-scan program.

Interesting stuff—found one file named vuln.txt that seemed to have a list of servers with default accounts and passwords.

Hmmmm …

I tried one system listed in the vuln.txt file and got the following:

Mitel Networks SME Server

Standard user login services have been disabled.

Type "end" and press ENTER to terminate this connection: 

I tried another vulnerable system, and was able to actually get a shell:

[spc]shell:~>ssh tester@XXXXXXXXXXXXXX
tester@XXXXXXXXXXXXXX's password: 

But when I tried to actually use system, it was rather limited. The only commands available were ls, mkdir, mv, pwd, rm, sh, groups, id, ssh and bash and a bunch of builtin shell commands.

Makes it kind of hard to look around, but with discussion with an unnamed friend of mine, we came up with the following to actually view the few files that existed on this system:

(while true ; do read && echo $REPLY ; done) <filename

I'm beginning to think these ssh scans aren't for vulnerable Unix systems, but embedded systems with manufacterer backdoors built in that a certain clientel of user are using to their own nefarious schemes.

Obligatory Picture

[“I am NOT a number, I am … a Q-CODE!”]

Obligatory Contact Info

Obligatory Feeds

Obligatory Links

Obligatory Miscellaneous

You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links are simple: Start with the base link for this site:, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2024 by Sean Conner. All Rights Reserved.