Oh, so that's what an ssh scanner looks like

Between metro ethernet [1] woes and a customer's server either attacking other machines, or being attacked by other machines (it was never made clear in what direction the excessive network traffic was travelling), I was made aware that one of our servers was generating a large amount of outgoing ssh traffic.

When I logged in, sure enough, one ps aux command later:

```
rob 30289 0.0 0.0 8632 2284 pts/1 S 10:53 0:00 ./ssh-scan 100
```

Only, about four score and seven more copies than the one just listed there. It looks like regular user accounts were compromised (it's a dedicated server for one of our clients, so we don't have full control over it). Not much else to do but kill off the offending processes (and find a second compromised account running an IRC (Internet Relay Chat) bot), lock out the account and look at said ssh-scan program.

Interesting stuff—found one file named vuln.txt that seemed to have a list of servers with default accounts and passwords.

Hmmmm …

I tried one system listed in the vuln.txt file and got the following:

```
-------------------------
Mitel Networks SME Server
-------------------------
Standard user login services have been disabled.
Type "end" and press ENTER to terminate this connection:
```

I tried another vulnerable system, and was able to actually get a shell:

```
[spc]shell:~>ssh tester@XXXXXXXXXXXXXX
tester@XXXXXXXXXXXXXX's password:
-bash-2.05b$
```

But when I tried to actually use the system, it was rather limited. The only commands available were ls, mkdir, mv, pwd, rm, sh, groups, id, ssh and bash, plus a bunch of builtin shell commands.

Makes it kind of hard to look around, but in discussion with an unnamed friend of mine, we came up with the following to actually view the few files that existed on this system:

```
# read returns non-zero at end of file, which ends the loop
while read -r ; do echo "$REPLY" ; done <filename
```
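The same trick, written out as an added example that is not code from the original post: a POSIX sh function that prints a file using only the shell builtins read, test and printf, which is what you are left with when cat, less and head are missing. It also handles the case a bare read loop gets wrong, a final line with no trailing newline (read returns non-zero on it and the line is silently dropped). The sample file contents and its path are constructed here for illustration.

```shell
#!/bin/sh
# Added example: view a file with shell builtins only, for a restricted
# account where cat/less/head are absent. Generalises the one-liner above.

builtin_cat() {
    # IFS= keeps leading/trailing whitespace; -r keeps backslashes literal.
    # The "|| [ -n "$line" ]" clause prints a last line that has no newline,
    # which "while read" alone would drop because read returns 1 on it.
    while IFS= read -r line || [ -n "$line" ]; do
        printf '%s\n' "$line"
    done < "$1"
}

# Same loop, counting lines, useful when wc is also missing.
builtin_wc_l() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
    done < "$1"
    printf '%s\n' "$n"
}

# Constructed sample input (not from the original post): a vuln.txt-style
# list with indented text, a literal backslash, and no trailing newline.
SAMPLE="${TMPDIR:-/tmp}/builtin_cat_sample.$$"
printf '10.0.0.1 admin admin\n  10.0.0.2 test\\user test\n10.0.0.3 root' > "$SAMPLE"

builtin_cat "$SAMPLE"
builtin_wc_l "$SAMPLE"
```

printf '%s\n' is used instead of echo because echo may interpret backslash escapes or options such as -n in the file's contents; both are builtins in bash, including the 2.x line shown in the login above.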

I'm beginning to think these ssh scans aren't for vulnerable Unix systems, but for embedded systems with manufacturer backdoors built in that a certain clientele of user are using for their own nefarious schemes.

[1] http://en.wikipedia.org/wiki/Metro_Ethernet
