I was recently reading an interesting article about setting up an SSH honeypot to track malicious activity (article avaliable here http://www.symantec.com/connect/articles/analyzing-malicious-ssh-login-attempts)
The article mentions that after an attacker gained SSH access to a server, they installed an IRC bot. Now, my knowledge of IRC is very limited, but I imagine that this allows the compromised server to listen for future commands.
After thinking about this for a while I realised how clever this is, since it would remain active even if the SSH credentials were altered or the port closed completely. However, the main benifit would be that the attacker could issue a single command to multiple compromised servers simultaneously, and that could be incredibly useful in a non-malicous enviroment.
For example, I have a moderate sized Internet of Things network at home. Being able to communicate with each one at the same time would be amazing compared to open up individual SSH connections. But I am still confused about how this works.
Am I right in thinking that:
- There is a central IRC server
- Each client can connect to the server and listen for commands
- The client grabs the command and executes it as a linux command.
I.e., if I 'said' in my message, "free -m", each client would read the message and copy it to the command console, execute the command, and then maybe send the result back as another message.
If this is the case, does anyone know of any tutorials for this sort of setup? I've looked quite a lot online but can't really find anything useful.