Researcher Scans All IP Addresses of Austria
-
To the surprise of exactly no one, he finds lots of things that shouldn't be exposed to the Internet.
-
Is he even trying? Because I don't see how someone would go straight to port 80 when port 22 is much more commonplace and juicier, such that any IP with port 22 (ssh) open gets banged by a thousand brute force login attempts per day.
Also, has he considered that most servers likely only serve content by domain name, as they rely on reverse proxies? If someone's using Apache, they already have such technology available.
It looks to me like he's only interested in poorly secured IoTs, and thinks that IoTs = the biggest vulnerabilities on the web. Except that... poorly secured unix servers are a bigger subset of this? This includes ssh logins, wordpress sites and unix vulnerabilities in general. Hackers typically don't hack servers from port 80, they throw unix vulnerabilities at them instead because most likely the system hasn't been patched. So his methodology is the real ?
-
@_P_ I just realized what your username references. I think.
-
@levicki What makes you so certain that all of those are "researchers" and not, what I think to be much more plausible, bots looking for vulnerable machines to add to their botnet?
-
@brie How do you tell those apart? (Well, there's a few researchers who are just looking for stuff to make their audience at a hacker conference laugh…)
-
@levicki said in Researcher Scans All IP Addresses of Austria:
At this point those so called "researchers" are worse than real bad actors.
Did I say I fucking hate those vulnerability scanners? Each and every one of them is trying to sell you their "protection service" by means of scaring you with their scan results.
This is just a small snippet from a list of 654 IPs which were so far caught trying to connect to my open ports:
Some are random attempts from isolated IPs, and some are just plain fucking abuse originating from multiple hosts within a subnet. It's fucking terrible and those ~~businessmen~~ idiots should go to jail instead of polluting the internet with their unsolicited traffic.
-
@dkf said in Researcher Scans All IP Addresses of Austria:
@brie How do you tell those apart? (Well, there's a few researchers who are just looking for stuff to make their audience at a hacker conference laugh…)
That's the point. You don't.
Another thing:
@levicki said in Researcher Scans All IP Addresses of Austria:
At this point those so called "researchers" are worse than real bad actors.
Did I say I fucking hate those vulnerability scanners? Each and every one of them is trying to sell you their "protection service" by means of scaring you with their scan results.
I would put those "vulnerability scanners" at roughly the same level as the scammers who show you the Windows event log and then try to sell you a worthless (but expensive) antivirus. They are bad actors. But aside from the fact that he did a port scan, what evidence do you have that this "so called researcher" is one of those guys?
edit: upon reading the article again, he does shill a "security" product that he sells. But what he's doing is not just fear-mongering, in my opinion. The vulnerable systems that he found were real, and need to be secured properly. And frankly, I still believe that the overwhelming majority of the traffic is probably from bots.
-
@brie said in Researcher Scans All IP Addresses of Austria:
They are bad actors.
But if they stopped mumbling and learned to throw their voice so that people at the back of the theatre can hear, they'll be much better.
-
@brie said in Researcher Scans All IP Addresses of Austria:
And frankly, I still believe that the overwhelming majority of the traffic is probably from bots.
Cue speech about The Wall...
-
@Tsaukpaetra said in Researcher Scans All IP Addresses of Austria:
The Wall
Looks like you just need Another Brick
-
@levicki Your door knob analogy is not really appropriate, because if you left your door unlocked, the likely outcome would be coming home one day and finding your TV gone. What you probably wouldn't find is your house having been taken over by a squatter who's using it as a base from which to attack all the other homes in your neighborhood. Leaving your door unlocked pretty much just affects you, but connecting vulnerable machines directly to the web puts the whole internet at risk.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
I certainly don't want 3rd parties and people who I have no contractual obligation with to touch my network in any way.
Then don't connect it to the internet. It's that simple.
If you connect a machine directly to the internet, you're by definition allowing third parties to touch it. Put it behind a firewall or router so that only approved traffic can reach it.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
Don't be dense, of course I am not connecting anything directly. I am just wondering why attempting a break in on a mass scale in a virtual world (the same world where you keep your money and passwords to all your property nowadays) is treated as harmless activity and as a matter of fact welcomed as if they are doing us a favor when they are clearly out there to self-promote and peddle their shit.
"You wouldn't download a car, would you?"
-
@levicki If you're getting port scanned from the internet, either your router is misconfigured or you've intentionally put your machine in the DMZ (or perhaps an argument could be made for both). If you're behind a router, the only thing seeing port scans should be the router, and the only connections that reach your machine are ones that you've explicitly approved (either initiated from your end, or created a port forwarding rule in the router).
It's like putting a fence up around your yard to stop the nosy people from trying your door knob constantly.
And scanning ports and listing any open ones found publicly might be the only way to get some people to actually care, before anything really bad happens.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
But it is fear-mongering -- all of them are shilling some form of security product or service.
I don't think telling you that you should enable your firewall (Windows has one built-in) and add a password to your public facing websites/webcams is "trying to sell you something".
-
@Luhmann said in Researcher Scans All IP Addresses of Austria:
@Tsaukpaetra said in Researcher Scans All IP Addresses of Austria:
The Wall
Looks like you just need Another Brick
Why? Are you saying he's short of a load?
-
@pie_flavor said in Researcher Scans All IP Addresses of Austria:
@_P_ I just realized what your username references. I think.
I'd like to buy a vowel.
-
@Zecc you get equipped with VOWEL
-
I don't see my own post (before refreshing the page). It jumps straight from post 21 to 23 when I scroll. NodeBB
-
@levicki said in Researcher Scans All IP Addresses of Austria:
I assure you it is not but like most normal people I need a few ports open and those idiots keep bashing at them.
If you put up a VPN server because you want to be able to connect to your home network when you are away from home or travelling (meaning you don't know which IP you will be coming from) how do you explicitly approve just your own incoming VPN connections?
The fact that you even need to have those ports open to the internet puts you in a rare category. People who don't know what they're doing almost certainly don't need their machine to be accessible from the internet, and all it takes is a cheap router to solve that.
Regarding your question about IPs, if you really wanted to you could easily just block 99% of the IP addresses in the world because they're foreign IP addresses. But frankly, as long as you know that the ports that you're exposing are secure - that the software is patched when security vulnerabilities are discovered, that the port is protected with a password and it's not an easily guessed or brute-forced password - then there's really no reason to be concerned about it. And I really doubt the amount of incoming traffic is enough to cause problems accessing it yourself, unless you're on a Milwaukee PC internet connection.
@levicki said in Researcher Scans All IP Addresses of Austria:
If they want to make internet more secure I have a better idea.
How about making honeypots and logging all access attempts and then reporting malicious actors to their ISPs so the threat is removed from the Internet?
You could certainly try that.
-
@Zecc said in Researcher Scans All IP Addresses of Austria:
@pie_flavor said in Researcher Scans All IP Addresses of Austria:
@_P_ I just realized what your username references. I think.
I'd like to buy a vowel.
Blame Discourse for making display name 3 characters at least. At least I didn't put emojis there!
-
@brie said in Researcher Scans All IP Addresses of Austria:
And I really doubt the amount of incoming traffic is enough to cause problems accessing it yourself, unless you're on a Milwaukee PC internet connection.
If you are, you have bigger problems than port scanners.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
Have you ever heard of Spamhaus DROP and EDROP lists? For every 2 KB of traffic I see from those well known malicious IPs I see 1 KB of traffic from known vulnerability scanners. It won't be long before they are generating the same amount of unsolicited traffic as known malicious actors and that fact alone should be tripping an alarm in everyone's head.
I've seen lots of people keep claiming "if your machine is on the internet it's free real estate, everyone can poke at it all they want", except that's BS because if you poke at everyone's front door like a locksmith all day, it doesn't take very long before you're stopped in your tracks and arrested for suspicious behaviour.
I blame this on the inability to act on malicious actors on the internet in general. It's the same reason why internet ads are almost universally shit (the only exception I've seen is Carbon) while mobile ads are even worse, and malicious ads like "you're the 10,000th winner!" scam popups and fake fortnite mobile client malware ads on youtube happen all the time: as soon as someone knows that you can't/don't actually enforce your laws, they break all of them to optimize the profit. Meanwhile many snowflakes and the media in general are intentionally missing the point and keep yelling "but this is internet censorship!" and "but ads are the only viable revenue model that literally powers the internet!". Adblocker is really the greatest invention since the internet existed.
-
@_P_ said in Researcher Scans All IP Addresses of Austria:
@Zecc said in Researcher Scans All IP Addresses of Austria:
@pie_flavor said in Researcher Scans All IP Addresses of Austria:
@_P_ I just realized what your username references. I think.
I'd like to buy a vowel.
Blame Discourse for making display name 3 characters at least. At least I didn't put emojis there!
Except you joined in January.
-
@pie_flavor said in Researcher Scans All IP Addresses of Austria:
@_P_ said in Researcher Scans All IP Addresses of Austria:
@Zecc said in Researcher Scans All IP Addresses of Austria:
@pie_flavor said in Researcher Scans All IP Addresses of Austria:
@_P_ I just realized what your username references. I think.
I'd like to buy a vowel.
Blame Discourse for making display name 3 characters at least. At least I didn't put emojis there!
Except you joined in January.
That's no reason not to blame Discourse.
-
@Gribnit as of yet I have not found anything where there is ever a reason to blame Discourse.
-
@brie said in Researcher Scans All IP Addresses of Austria:
that the port is protected with a password and it's not an easily guessed or brute-forced password
Cryptokeys are better, for protocols that support them, because they spread the randomness better.
-
@pie_flavor said in Researcher Scans All IP Addresses of Austria:
@Gribnit as of yet I have not found anything where there is ever a reason to blame Discourse.
We call that selectively hard of understanding.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
Did you visit that Austrian guy's website or RTFA? Did you not see what he is pitching? How exactly is he telling those people he scanned that they should turn on the firewall and add passwords? Did he call every single one of them before publishing his findings and give them time to close the holes? Same with every other vulnerability scanner -- they act out of their own selfish interest, others be damned, and I am literally sick of that bullshit.
No need, as long as no specific IP address is given. And with only an IP address you have no way to tell them to secure their network appliance. Their own ISP is in a better position to do so.
Actually the datacenter used by one of my previous companies would send you a periodic network scan report to remind you to close your holes. Maybe you should send an email to their ISP suggesting they do so, if you want to. I just think they would not be interested unless motivated by their government or by a massive DDOS happening inside their network.
How about making honeypots and logging all access attempts and then reporting malicious actors to their ISPs so the threat is removed from the Internet?
Go do that if you want.
Actually if you configure your router to "log everything", you can already do that.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
listing any open ones found publicly on their website
Does anyone actually do this?
-
@levicki said in Researcher Scans All IP Addresses of Austria:
And with only an IP address you have no way to tell them to secure their network appliance. Their own ISP is in a better position to do so.
So what is the point in fucking scanning them in the first place if you can't tell them they are vulnerable, but at the same time you are telling everyone else about it?!?
To tell the public how bad the current situation is.
Go do that if you want.
Not me you dimwit, THEM. THE RESEARCHERS.
Actually if you configure your router to "log everything", you can already do that.
Are you dense on purpose or you just don't understand English?
Researchers are the ones who should be doing that instead of bloody scanning.
AFAIK they already do that. Go search for "honeypot report" and you can find a lot of such reports by security researchers.
However a "honeypot report" only tells you how frequently the ports are scanned, and serves no purpose in telling you how badly the public's networking appliances are secured. And that's the whole point of this report.
It's more or less the same as filming people crossing the road without following the traffic lights (or other road safety appliances) to show you how inadequate the public's "road safety awareness" is, then telling you what you should do. I don't really think it's selling you something when none of the things it listed cost you money.
-
@brie said in Researcher Scans All IP Addresses of Austria:
and not, what I think to be much more plausible, bots looking for vulnerable machines to add to their botnet?
Datum point - the latter is what I seem to get a lot of:
Showing rows 0 - 24 (326 total, Query took 0.1275 seconds.)

SELECT count(*), rule_id, description, src_ip
FROM alerts_rules
WHERE a_level > 5 AND timedate BETWEEN DATE_SUB(NOW(), INTERVAL 30 DAY) AND NOW()
GROUP BY rule_id, description, src_ip
ORDER BY count(*) desc

count(*)  rule_id  description                                            src_ip
964       1003     Non standard syslog message (size too large).          (null)
884       2902     New dpkg (Debian Package) installed.                   (null)
236       2903     Dpkg (Debian Package) removed.                         (null)
126       550      Integrity checksum changed.                            (null)
93        551      Integrity checksum changed again (2nd time).           (null)
40        552      Integrity checksum changed again (3rd time).           (null)
33        31508    Blacklisted user agent (known malicious user agent...  213.239.216.194
31        31508    Blacklisted user agent (known malicious user agent...  148.251.244.137
28        31508    Blacklisted user agent (known malicious user agent...  144.76.176.171
22        31508    Blacklisted user agent (known malicious user agent...  144.76.118.82
21        31508    Blacklisted user agent (known malicious user agent...  69.30.226.234
20        31508    Blacklisted user agent (known malicious user agent...  213.136.88.198
18        31508    Blacklisted user agent (known malicious user agent...  148.251.120.201
18        31103    SQL injection attempt.                                 173.249.25.211
17        31508    Blacklisted user agent (known malicious user agent...  5.189.172.182
16        31508    Blacklisted user agent (known malicious user agent...  5.9.108.254
16        31508    Blacklisted user agent (known malicious user agent...  207.180.221.167
15        31508    Blacklisted user agent (known malicious user agent...  94.154.239.69
14        31508    Blacklisted user agent (known malicious user agent...  173.249.63.71
14        31103    SQL injection attempt.                                 2001:41d0:51:1::146e
12        31508    Blacklisted user agent (known malicious user agent...  178.151.245.174
12        31508    Blacklisted user agent (known malicious user agent...  173.212.241.58
10        31508    Blacklisted user agent (known malicious user agent...  148.251.69.139
10        31508    Blacklisted user agent (known malicious user agent...  207.180.225.4
10        31508    Blacklisted user agent (known malicious user agent...  148.251.8.250
Then again, I have ssh running on something that isn't 22, and the mail server is tied down quite a bit.
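The grouping that post's query performs, run over constructed alert rows (an added example, not code from the thread or from OSSEC): the query is kept as written except that MySQL's DATE_SUB(NOW(), INTERVAL 30 DAY) becomes sqlite's datetime(:now, '-30 days'). The alerts_rules schema is assumed from the columns the query names, the sample rows are constructed, and the IPs are documentation-range addresses. A second query totals alerts per remote source across all rules, which is the view you need before deciding which sources to block or report.

```python
"""Group high-level alerts by rule and source IP over a 30-day window.

Added example, not from the original post. The alerts_rules schema is
assumed from the columns the thread's query names; all rows are constructed.
"""
import sqlite3
from datetime import datetime, timedelta

# Fixed "now" so the 30-day window is reproducible offline.
NOW = datetime(2019, 3, 1, 12, 0, 0)

# Constructed sample alerts: (timedate, a_level, rule_id, description, src_ip).
# src_ip is None for local events (integrity checks), matching the "(null)"
# rows in the thread's output. IPs are RFC 5737 documentation ranges.
SAMPLE_ALERTS = [
    (NOW - timedelta(days=1), 6, 31508, "Blacklisted user agent", "203.0.113.7"),
    (NOW - timedelta(days=2), 6, 31508, "Blacklisted user agent", "203.0.113.7"),
    (NOW - timedelta(days=3), 6, 31508, "Blacklisted user agent", "203.0.113.7"),
    (NOW - timedelta(days=9), 6, 31508, "Blacklisted user agent", "203.0.113.7"),
    (NOW - timedelta(days=1), 6, 31103, "SQL injection attempt.", "198.51.100.9"),
    (NOW - timedelta(days=5), 6, 31103, "SQL injection attempt.", "198.51.100.9"),
    (NOW - timedelta(days=4), 6, 31508, "Blacklisted user agent", "198.51.100.9"),
    (NOW - timedelta(days=2), 7, 550, "Integrity checksum changed.", None),
    # Older than 30 days: the window must exclude it.
    (NOW - timedelta(days=45), 6, 31508, "Blacklisted user agent", "203.0.113.7"),
    # Below the a_level > 5 threshold: the filter must exclude it.
    (NOW - timedelta(days=1), 3, 31508, "Blacklisted user agent", "192.0.2.44"),
]

# The thread's query with DATE_SUB(NOW(), INTERVAL 30 DAY) replaced by
# sqlite's datetime(:now, '-30 days'); NOW() is bound as a parameter.
# rule_id is added as a tie-breaker so the order is deterministic.
TOP_RULES_QUERY = """
SELECT count(*) AS n, rule_id, description, src_ip
FROM alerts_rules
WHERE a_level > 5
  AND timedate BETWEEN datetime(:now, '-30 days') AND :now
GROUP BY rule_id, description, src_ip
ORDER BY n DESC, rule_id, src_ip
"""

# Same filter, totalled per remote source regardless of which rule fired.
NOISIEST_SOURCES_QUERY = """
SELECT src_ip, count(*) AS n
FROM alerts_rules
WHERE a_level > 5
  AND src_ip IS NOT NULL
  AND timedate BETWEEN datetime(:now, '-30 days') AND :now
GROUP BY src_ip
ORDER BY n DESC, src_ip
"""


def _ts(t):
    """Format a datetime the way sqlite's date functions expect it."""
    return t.strftime("%Y-%m-%d %H:%M:%S")


def load_alerts(alerts):
    """Create an in-memory alerts_rules table and insert the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alerts_rules (timedate TEXT, a_level INTEGER, "
        "rule_id INTEGER, description TEXT, src_ip TEXT)"
    )
    conn.executemany(
        "INSERT INTO alerts_rules VALUES (?, ?, ?, ?, ?)",
        [(_ts(t), lvl, rid, desc, ip) for t, lvl, rid, desc, ip in alerts],
    )
    conn.commit()
    return conn


def top_rules(conn, now=NOW):
    """Rows of (count, rule_id, description, src_ip) for the last 30 days."""
    return conn.execute(TOP_RULES_QUERY, {"now": _ts(now)}).fetchall()


def noisiest_sources(conn, now=NOW):
    """Rows of (src_ip, count) for remote sources only, noisiest first."""
    return conn.execute(NOISIEST_SOURCES_QUERY, {"now": _ts(now)}).fetchall()


if __name__ == "__main__":
    db = load_alerts(SAMPLE_ALERTS)
    for row in top_rules(db):
        print(row)
    for row in noisiest_sources(db):
        print(row)
```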
-
@levicki said in Researcher Scans All IP Addresses of Austria:
What has to be done is to mandate that manufacturers of those networking appliances have to provide reasonable OOBE security for their products. That means:
- Not using Linux kernel 2.4 in 2019
- Providing automatic and timely security updates during the product life
- Not having admin credentials hardcoded and not having same default password for every device
- Not having manufacturer permanent backdoors exposed on unsecured ports
- Not having WPS, WEP, and WPA for Wi-Fi devices
- Not defaulting SSID to open mode
- Not making web interfaces with cross-origin vulnerabilities and injection vulnerabilities in 2019
- Not enabling UPNP and every other possible service by default
- Not using HTTP and telnet access at all
- Not requiring signing up for shitty cloud service (which can be hacked) to use the device
And the list goes on and on.
But sure, you can keep harping how it's all the fault of those pesky users who don't know how to configure their network appliances.
The vendor of the router I'm using offers free onsite technical support to configure the router securely if you call their hotline. However I think this is made possible only because Hong Kong is so small that the transportation cost is relatively insignificant.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
Ever heard of shodan.io? Also try censys.io which I linked above.
Oh. See, I thought you were talking about security researchers that publish this information online and tell you to pay them to fix it.
Because neither shodan.io nor censys.io fits that description....... In fact, they both appear to be targeted at enterprises who might not know their exposure level, so that they can search for their assets on a convenient platform. In fact, that sounds to me like a useful service, not an evil one.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
- Not using Linux kernel 2.4 in 2019
- Providing automatic and timely security updates during the product life
- Not having admin credentials hardcoded and not having same default password for every device
- Not having manufacturer permanent backdoors exposed on unsecured ports
- Not having WPS, WEP, and WPA for Wi-Fi devices
- Not defaulting SSID to open mode
- Not making web interfaces with cross-origin vulnerabilities and injection vulnerabilities in 2019
- Not enabling UPNP and every other possible service by default
- Not using HTTP and telnet access at all
- Not requiring signing up for shitty cloud service (which can be hacked) to use the device
Don't hold your breath. Most things in your list would cost money, and/or decrease the ease of use (thus increasing support costs and customer frustration). So it's not gonna happen until we start passing laws that punish poor security with heavy fines and/or jail time.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
Riiiight... so why are they scanning random people like me on my home IP and not those enterprises you are talking about?
You should talk to your ISP and make sure the IS_BUSINESS bit is off. Maybe turn the EVIL bit on too - hackers don't usually try to hack their own.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
It does not necessarily make things more expensive or harder to use. For example instead of:
user: admin pass: admin
There could be:
user: admin pass: <router serial number or some other text printed on the sticker on the bottom>
Once you enter those for the first time, you should first be taken to the page that makes you create a new secure password.
That would already be tremendous improvement over the current situation.
Have you ever done tech support on the phone?
The user will forget the password.
Then he'll have trouble locating the equipment.
Then he'll accidentally unplug the power supply when turning it over.
Then he'll try to remember what's written, but will forget it once he's returned to his desk.
Then he'll bring a notepad, but will misread the text, or copy the wrong part of the sticker.
Ad nauseam
-
@Zerosquare That's why the router just grants access to anyone using the right protocol on port 65521 on the external interface, so support can fix the settings for you.
That protocol probably being plain HTTP.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
Also, why would I give a shit about support? Not my problem, I don't work support.
It's usually a good thing to give a shit about other people
-
@levicki said in Researcher Scans All IP Addresses of Austria:
Since they will have to setup the device again, the next time they won't forget the fucking password.
Your optimism is so cute
Also, why would I give a shit about support? Not my problem, I don't work support.
I don't either, but that's irrelevant. The companies manufacturing do care about support. So they're not going to implement better security at the expense of increased support costs.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
Unless it is mandated by law.
It can be mandated by law, but it will achieve nothing unless harsh penalties for bad security are introduced. If it's cheaper to pay the fine than it is to do the right thing, companies will break the law without a second thought.
@levicki said in Researcher Scans All IP Addresses of Austria:
Otherwise we will have proliferation of "scanning will continue until Internet improves".
Focusing on the security researchers is... well, strange. Maybe they're not always good-mannered, but any random malware does orders of magnitude more damage than all of the security researchers combined. Even if you could prevent them from scanning, you'd be left with 99.9% of the problem.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
Otherwise we will have proliferation of "scanning will ~~continue until~~ intensify as Internet improves". FTFY.
-
@Zerosquare said in Researcher Scans All IP Addresses of Austria:
It can be mandated by law, but it will achieve nothing unless harsh penalties for bad security are introduced.
Would kneecapping the CEO and telling him that his children are next count as harsh? Asking for a friend…
-
@levicki said in Researcher Scans All IP Addresses of Austria:
Nice joke, but shodan.io and shadowserver.org are scanning everyone, and there are many others who do so.
Yes exactly.
-
@Tsaukpaetra said in Researcher Scans All IP Addresses of Austria:
FTFY .
I don't see what you count as an internet improvement here, just ever-growing packet noise wasting collective bandwidth, resources, and electricity.
What?
-
@levicki said in Researcher Scans All IP Addresses of Austria:
@Tsaukpaetra said in Researcher Scans All IP Addresses of Austria:
@Tsaukpaetra said in Researcher Scans All IP Addresses of Austria:
FTFY .
I don't see what you count as an internet improvement here, just ever-growing packet noise wasting collective bandwidth, resources, and electricity.
What?
What one more goddam time.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
Describe Mr. Marsellus.
I have never seen the man in my life.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
@Tsaukpaetra said in Researcher Scans All IP Addresses of Austria:
I have never seen the man in my life.
You missed a great movie.
Arrow is pointing to the source of your confusion. I don't see scanning as doing anything to improve the Internet.
I sense your confusion. The sentence (to me) does not imply scanning as the cause of the Internet improving. Maybe I'm not Englishing well.
-
@levicki said in Researcher Scans All IP Addresses of Austria:
@Tsaukpaetra said in Researcher Scans All IP Addresses of Austria:
I sense your confusion. The sentence (to me) does not imply scanning as the cause of the Internet improving. Maybe I'm not Englishing well.
Original said "scanning will continue until internet improves" (implying that "internet improves" part may or may not happen).
You changed to "scanning will intensify as internet improves" and I read that as if you are expecting that Internet will somehow improve while I don't see it improving while scanning is there, let alone if it is intensifying.
But as I said once, English is not my primary language.
Perhaps if the words were switched around, which cannot be depicted with del/ins tags:
"As Internet improves, scanning will intensify."
-
@levicki said in Researcher Scans All IP Addresses of Austria:
@Tsaukpaetra Still implies Internet will improve. Not going to happen with scanners on it.
Scanners do not affect the improvement of the internet.