WTF is home.pl?

Cabbage

According to https://www.shodan.io/report/KKSETG6u, one particular webhosting farm in Poland called home.pl has more exposed Postgres databases than the entire United States.

Given their apparent scale, why have I never heard of these people? Are they actually selling their IPs to other cloud companies, creating a bunch of false positives? Are Poles particularly pro-Postgres and sloppy about firewalls? I'm really puzzled about how I can never have even heard of a webhosting company who these stats make look like they're twice as big as AWS.

Any insight?

Gąska

@cabbage said in WTF is home.pl?:

Given their apparent scale, why have I never heard of these people?

Because you're not Polish?

DCoder

@cabbage said in WTF is home.pl?:

WTF is home.pl?

A Perl script?

@cabbage said in WTF is home.pl?:

According to https://www.shodan.io/report/KKSETG6u, one particular webhosting farm in Poland called home.pl has more exposed Postgres databases than the entire United States.

Define "exposed". I can see how a sloppy default server config propagated to all their servers would leave Postgres open for connections from the outside world, but you'd still need valid credentials/an auth bug/equally sloppy default credentials to get any data out.

In a similar vein, one project of mine is hosted on Hetzner, their servers had the same open door config for MySQL. We asked tech support to restrict it, "lol nope our (handmade) control panel needs this access to manage the server". Dafuq.

@cabbage said in WTF is home.pl?:

Given their apparent scale, why have I never heard of these people? Are they actually selling their IPs to other cloud companies, creating a bunch of false positives? Are Poles particularly pro-Postgres and sloppy about firewalls?

Their website says:

150.000 virtual servers

Shodan is showing ~200k instances on their servers, that's not so far off.

@cabbage said in WTF is home.pl?:

I'm really puzzled about how I can never have even heard of a webhosting company who these stats make look like they're twice as big as AWS.

They're not twice as big as AWS, they just have twice as many wide open Postgres instances than AWS does. IIRC, such configuration is not the AWS default. AWS was reporting 1M active customers, from individuals to behemoth enterprises, back in 2016, surely they've grown since then.

Gribnit

@cabbage So, free Postgres hosting?

Gąska

@gribnit not free. They're one of the more expensive providers.

Gribnit

@gąska Sounds like it's being offered for free to me.

Gąska

@gribnit something must have changed in the last 15 years then.

Scarlet_Manuka

@gąska He didn't mean knowingly offered for free. Or that you would need to be one of their customers to use it.

Gąska

@scarlet_manuka in other words, he completely ignored the post directly above his in order to make a cheap joke.

Scarlet_Manuka

@gąska The only bit I can see in that post that's at all relevant is this:

Define "exposed". I can see how a sloppy default server config propagated to all their servers would leave Postgres open for connections from the outside world, but you'd still need valid credentials/an auth bug/equally sloppy default credentials to get any data out.

Which is pure speculation. And, in particular, the pairing of "sloppy default server config" with "equally sloppy default credentials" is not particularly improbable.

Gąska

@scarlet_manuka said in WTF is home.pl?:

@gąska The only bit I can see in that post that's at all relevant is this:

Define "exposed". I can see how a sloppy default server config propagated to all their servers would leave Postgres open for connections from the outside world, but you'd still need valid credentials/an auth bug/equally sloppy default credentials to get any data out.

Which is pure speculation.

So is assuming the opposite.

Scarlet_Manuka

@gąska Surely at least some of those 200,000 databases will have easily-guessed admin credentials.

Gąska

@scarlet_manuka even a very likely speculation is still a speculation. Put a message in one of those DBs and give us credentials to read it, and then you'll prove that it's more than just speculation.

Adynathos

@scarlet_manuka said in WTF is home.pl?:

@gąska Surely at least some of those 200,000 databases will have easily-guessed admin credentials.

Surely many of them are some test DBs that contain no data and that people set up and forgot they are running.

Gribnit

@gąska said in WTF is home.pl?:

in order to make a cheap joke.

No. I did that in order to provide an easier form of the punchline for a cheap joke I had already made but that people weren't getting.

Cabbage

@gąska said in WTF is home.pl?:

@scarlet_manuka in other words, he completely ignored the post directly above his in order to make a cheap joke.

Yes, but in fairness, that's more or less what I'd expect here. It's the Daily WTF forum, not the Very Serious Conversations About Things That Profoundly Matter forum.

sockpuppet7

@cabbage dunno, I think their servers are corrupted, their page is all random characters:

Onyx

@dcoder said in WTF is home.pl?:

Define "exposed". I can see how a sloppy default server config propagated to all their servers would leave Postgres open for connections from the outside world, but you'd still need valid credentials/an auth bug/equally sloppy default credentials to get any data out.

I don't know what their control panel thing does, but at least when I install Postgres "default credentials" (if you can call them that in this case) won't allow outside connections. It only listens on localhost, and, IIRC, only on a UNIX socket, not on the actual network interface.

The only way to connect to a database is to log in locally as the user postgres after which you can connect to the server with no credentials whatsoever. Also, the postgres user has no password AFAIK, you need to do su postgres, effectively meaning you need to know the root password.

This is Debian though, YMMV.

PleegWat

@sockpuppet7 I don't know what a rok is, but 0 zl sounds like it's not a bad deal?

Dreikin

@pleegwat said in WTF is home.pl?:

I don't know what a rok is

0_1530544083793_1a323c27-4244-4359-9c34-2294d067a41c-image.png

Serious answer

0_1530544206821_6f88d021-2d11-4e95-998b-87306031bb47-image.png

remi

@dreikin said in WTF is home.pl?:

So, somewhat similar to 52 half-fortnights?

MrL

@scarlet_manuka said in WTF is home.pl?:

@gąska Surely at least some of those 200,000 databases will have easily-guessed admin credentials.

When you create a db on home.pl, credentials are generated for you. So no admin/admin by default.
I don't know about adding users to the db though.

Also, home.pl is terrible.

mott555

@pleegwat said in WTF is home.pl?:

I don't know what a rok is

It's what they called the ball in the only sports game I ever liked.

HyperBlade - Wikipedia

Filed Under: Money doesn't grow on trees, but our hands do!, SuperQue: The Nuclear-Powered Barbecue. Burgers "Well-Done" in "Rare" Time!, Something about boneless square-shaped chickens but I can't recall that one

Gąska

@remi said in WTF is home.pl?:

@dreikin said in WTF is home.pl?:

So, somewhat similar to 52 half-fortnights?

Good luck getting 2600 kills with one rock.

blakeyrat

@remi said in WTF is home.pl?:

So, somewhat similar to 52 half-fortnights?

I think a twelvemonth is more like a baker's dozen quadweek, but not exactly because there's leftovers.

pie_flavor

@blakeyrat said in WTF is home.pl?:

@remi said in WTF is home.pl?:

So, somewhat similar to 52 half-fortnights?

I think a twelvemonth is more like a baker's dozen quadweek, but not exactly because there's leftovers.