* * * * *

                 Oh, so that's what an ssh scanner looks like

Between metro ethernet [1] woes and a customer's server either attacking
other machines, or being attacked by other machines (it was never made clear
in what direction the excessive network traffic was travelling), I was made
aware that one of our servers was generating a large amount of outgoing ssh
traffic.

When I logged in, sure enough, one ps aux later:

> rob      30289  0.0  0.0  8632 2284 pts/1    S    10:53   0:00 ./ssh-scan 100
>

Only, about four score and seven more copies than the one just listed there.
It looks like regular user accounts were compromised (it's a dedicated server
for one of our clients, so we don't have full control over it). Not much else
to do but kill off the offending processes (in the process finding a second
compromised account running an IRC (Internet Relay Chat) bot), lock out the
accounts and look at said ssh-scan program.

Interesting stuff—found one file named vuln.txt that seemed to have a list of
servers with default accounts and passwords.

Hmmmm …

I tried one system listed in the vuln.txt file and got the following:

> -------------------------
> Mitel Networks SME Server
> -------------------------
>
>
> Standard user login services have been disabled.
>
>
> Type "end" and press ENTER to terminate this connection:
>
>
>

I tried another vulnerable system, and was able to actually get a shell:

> [spc]shell:~>ssh tester@XXXXXXXXXXXXXX
> tester@XXXXXXXXXXXXXX's password:
> -bash-2.05b$
>

But when I tried to actually use the system, it was rather limited. The only
commands available were ls, mkdir, mv, pwd, rm, sh, groups, id, ssh and bash,
plus a bunch of builtin shell commands.

Makes it kind of hard to look around, but in discussion with an unnamed
friend of mine, we came up with the following to actually view the few files
that existed on this system:

> (while read -r ; do echo "$REPLY" ; done) <filename
>
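The read/echo trick above is the general technique for reading a file when
the shell's builtins are all you have. The following is an added example,
not a command from the original post: a small function built on the same
idea that also preserves leading whitespace (IFS=), keeps backslashes
(read -r), prints a final line that has no trailing newline, and terminates
at end of file. The file name and the sample input in the test are
constructed for illustration.

```shell
# Added example: view a file using only shell builtins, for a restricted
# account where cat, less, head and the like are not available.
# Usage: builtin_cat /path/to/file
builtin_cat() {
    # $1 is the file to display; assumed readable by the current user.
    # IFS= keeps leading/trailing blanks; -r keeps backslashes literal;
    # the || [ -n "$_line" ] branch prints a last line that lacks "\n".
    while IFS= read -r _line || [ -n "$_line" ]; do
        printf '%s\n' "$_line"
    done < "$1"
}
```

printf is used rather than echo because echo on some shells interprets
options (-n, -e) or escape sequences found in the file contents, which is
exactly the kind of surprise you do not want while inspecting an unknown
box.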

I'm beginning to think these ssh scans aren't for vulnerable Unix systems,
but for embedded systems with manufacturer backdoors built in that a certain
clientele of user are using for their own nefarious schemes.

[1] http://en.wikipedia.org/wiki/Metro_Ethernet

Email author at [email protected]