I’m an administrator of a VPS (Virtual Private Server). A few days ago I noticed something weird on the VPS: a weird process running a Perl script that redirects its output to the O mighty black hole: /dev/null. The prompt variable of Bash (PS1) was set to be empty and the script itself was written like VBA code (without indentation or line breaks). When I took a quick glance at the script, I saw that one regex inside was looking for a command such as rmdir (for example), and it would then unlink a directory.
Sounds like a back door that someone wrote, and all that it needs now is to open a shell for you and get it over with…
Well, NO! This script was used by KDE (in this case) for a simple SSH connection that mimics the behavior of sftp, but over a simple ssh connection. The owner of the VPS used KDE’s way (Konqueror?) to log in to the server… and KDE installed the script for the user.
Now, when the user logs in, the commands “users” and “who” will not show you the user (“who -a” will show something, but not who the user is or the IP of the connected user). “last” also will not give you much information about the login, and if you try to hide the process, then even “ps” will not help (I first saw that issue using ps)…
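An added example (not from the original post and not KDE's code): sshd allocates no terminal for a session like the one above, so there is no utmp entry for “who” to list, but the process table still shows it. The sketch below parses constructed `ps -eo pid,ppid,user,tty,args` and `who` output and reports every SSH session without a tty together with what runs under it; the sample lines and the `helper.pl` path are made up, and it assumes OpenSSH's `sshd: user@notty` process titles.

```python
import re
from collections import defaultdict

# Constructed sample of `ps -eo pid,ppid,user,tty,args` (not from the original post).
PS_SAMPLE = """\
  PID  PPID USER     TT       COMMAND
  812     1 root     ?        /usr/sbin/sshd -D
 2301   812 root     ?        sshd: alice [priv]
 2305  2301 alice    ?        sshd: alice@pts/0
 2306  2305 alice    pts/0    -bash
 2410   812 root     ?        sshd: bob [priv]
 2414  2410 bob      ?        sshd: bob@notty
 2415  2414 bob      ?        perl /home/bob/helper.pl
"""
# Constructed sample of `who` output taken at the same moment.
WHO_SAMPLE = "alice    pts/0        2024-01-10 09:12 (203.0.113.5)\n"

# OpenSSH titles a session without a terminal "sshd: <user>@notty"
# (newer releases use "sshd-session: ...").
NOTTY = re.compile(r"^sshd(?:-session)?: (\S+)@notty\b")

def parse_ps(text):
    """Return {pid: (ppid, user, tty, args)} from ps output with a header line."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.strip().split(None, 4)
        if len(parts) == 5 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2], parts[3], parts[4])
    return procs

def notty_sessions(ps_text, who_text):
    """List SSH sessions that have no terminal and everything running under them."""
    procs = parse_ps(ps_text)
    children = defaultdict(list)
    for pid, (ppid, *_rest) in procs.items():
        children[ppid].append(pid)
    who_users = {l.split()[0] for l in who_text.splitlines() if l.strip()}
    report = []
    for pid, (_ppid, _user, _tty, args) in sorted(procs.items()):
        m = NOTTY.match(args)
        if not m:
            continue
        stack, cmds = list(children[pid]), []
        while stack:  # walk all descendants of the session process
            child = stack.pop()
            cmds.append(procs[child][3])
            stack.extend(children[child])
        report.append({"user": m.group(1), "sshd_pid": pid,
                       "in_who": m.group(1) in who_users, "commands": sorted(cmds)})
    return report

if __name__ == "__main__":
    for session in notty_sessions(PS_SAMPLE, WHO_SAMPLE):
        print(session)
```

On a live host, feed it the real output of the two commands; `in_who` is matched by user name, so a user who also has an interactive login open will show as listed.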
Oh btw the script also read and wrote information to and from /var/log/messages.
BTW, this script implements the FISH protocol.
How do I know that, you ask? Well, that’s what the Perl script says 😛.
It seems that KDE (and other clients) try to help their users by implementing sftp-like actions without leaving the ssh client.
Sounds cool? Well, I guess so… but then again, it IS a back door. That is, if someone is able to make the “server” talk with him without any need for authentication.
People should stop being lazy, and start using the right tool for the right job. Using FISH can be exploited the same way that rlogin, telnet and NULL Session are.