The data was generated using a stateless scanner used to create Shodan. A free, open-source scanner called Zmap is readily available for anybody that wants to do it themselves! And the map itself was generated using the Python matplotlib library.
It took about 5 hours to ping all IPs on the Internet, then another 12+ hours to generate the map.
Edit: Omg thank you to whoever gave me gold :)
Edit 2: I've just uploaded some higher resolution images that can be used as wallpapers: https://imgur.com/a/CYH0D
Doesn't have to be an intelligence agency. There are entire websites dedicated to giving people easy access to internet-connected cameras, as well as other IoT devices.
There are 1.8 million MySQL databases on the Internet that allow anybody from the outside to connect to them, so I wish people wouldn't focus solely on MongoDB:
https://www.shodan.io/search?query=product%3A%22MySQL%22+-allowed+-blocked
Let me introduce you to Shodan
When I ran the scan it showed: 331,854 systems that reported it open
And yes, there are people out there stupid enough to open ports like that to the internet, so is it possible? Maybe, we will need to wait for further information from the investigations I'm sure are happening as we speak.
>WTF, where do you find tables like that?
Shodan would be a starting point. Nothing about it is illegal. You also find plenty more stuff that idiots hang off the internet. Power plants, for example.
I have one of these. I usually keep it turned off and it's behind my router's firewall with all the cloud services disabled.
My question is: who in the world keeps their NAS exposed blindly to the internet?
It's even worse than that: some of these bots are running Ronin nodes so that they can view pending transactions and submit their own transactions to buy an Axie immediately—even before the auction listing hits the blockchain (not just the site).
You can see this with Shodan: https://www.shodan.io/search?query=ronin+port%3A%228545%22.
One of these endpoints is exposed and points to this account: https://explorer.roninchain.com/address/ronin:a2574f619067aa42296999e6271f147cb1dfa88c
You can see bot-like activity on that account where it's attempting to quickly buy an Axie. If you follow the WETH transfers, it leads to: https://explorer.roninchain.com/address/ronin:d6f5ea44c828445487ffc07c622b21ef9f4aa97b which is the first successful buy from this root account.
But also, there are lots of directories of live webcams that the users kept the default settings on. There used to be a couple strings you could type into google and it would link you to hundreds and you can just click through and see what you find. But, I don't remember where to find them anymore.
As an engineer working on a couple of IoT products, this is the price the typical consumer is going to pay:
You have good reason to be wary of this garbage. View lots of internet-enabled devices open to the whole world here: https://www.shodan.io/explore Personally, I love the industrial control systems you can access by clicking one of the links.
Actually, a lot of these systems are increasingly attached via the internet - checking your heating system remotely, not just changing the thermostat from your couch over the home LAN.
Sadly, a catastrophic number of these systems also have zero security built in, as evidenced by sites like Shodan.
This is actually a gray area in US law right now. I completely agree that it's unethical, but that has nothing to do with the legality.
I know that several lawsuits have hinged on the definition "unauthorized access." Was the access unauthorized if no authorization was required? I think some cases have argued yes and others no. If anyone more knowledgeable than I am can expand on this, please do.
I get that it's fun to make fun of redditors, but they're really not being idiotic in this case. Lots of white-hat hackers regularly search the internet looking for exposed devices in order to inform the owners of them - should these hackers be arrested for their work? Probably not, which means intent comes into play, which makes the whole situation muddy. Given the existence of sites like shodan.io, most of the activity on /r/controllablewebcams is almost certainly not illegal, at least for now.
Specifically telnet. Which is enabled fucking everywhere. I haven't been keeping up with this whole thing but if the cabinet leak was actually "Huawei has telnet enabled by default on some hardware" then Williamson should have been fired for not even being able to leak competently.
You're OK. Bitbucket is hosted in Atlassian's own data centers:
https://www.shodan.io/host/104.192.143.1
Also see this answer - some parts of the Atlassian services may be running in AWS as there's a direct link.
This could be big. SMB issues are bad enough on Windows but Windows tends to have auto-updates and sysadmins tend to update fileservers. Think of all the little NAS's out there that will never get updates. Home nas's, BYOD, out of support nas's, kiosk machines running samba, ancient samba domain controllers no one dare touches, homelabs, linux embedded, IoT devices, etc. Could be very ugly if weaponized properly.
Typing samba into Shodan brings 500k results, bizarrely with 350k in the UAE alone.
Some people install Pi-Hole on a VPS/AWS/DigitalOcean droplet and will then expose port 53 to the outside world; this allows a user(s) to access it anywhere by setting their DNS to the IP of their VPS/AWS/Droplet.
Take a look at Shodan.io here for all the public Pi-Hole installs in the world that in theory could be used to amplify a DNS attack.
If you're hosting it internally and not exposing port 53 (you can check here by selecting port 53), then you're not a part of the problem and you're safe :)
EDIT: As far as the control part, some individuals do not have proper control of their networks, whether it be an apartment complex or they live in a household with other individuals (tech savvy or not); some individuals may not like their browsing history being logged, etc.
Cameras are not the only insecure thing. There's a presentation on YouTube listing a fuckton of stuff that people put on the internet without passwords or other security. There's a specialized search engine for this incompetent shit.
> I’m convinced we’ve had multiple breaches in our infrastructure, such as our electrical grid, and the only reason we’ve not heard about it, is that the hackers, (or the people they work for), haven’t done anything nefarious with their access yet.
As a Cyber Security Specialist (ISSO) for ICS devices, I can assure you that there are an insane amount of breaches not on a monthly, weekly, or daily basis, but hourly. The problem is companies that control infrastructure (private orgs, and gov) want to automate and reduce boots on plant costs (why pay 10 people to man plants when you can hook everything up to the internet and remotely operate the sites with 3 people). The problem is a lot of these devices were built with networking capabilities, but cyber security was not even an afterthought when they were being built. Like a lot of the RTUs and PLCs still being operated today were built 20-30 years ago, or more.
Want to know how fucked our infrastructure is when it comes to cyber security? https://www.shodan.io/
Ok, put the IP address in the Shodan search engine.
Port 22 and port 80 are open to the public.
I am kinda a noob with SSH + public keys; here's an info dump:
The server uses OpenSSH on Debian V7.4p1
The key uses ssh-rsa and according to shodan is:
~~Not sure how to use the key yet.~~
It's probably the public key, which is known by everyone.
Metasploit doesn't have any info on any vulnerabilities in this version of OpenSSH.
Nearly 45,000 ADB ports are open on the Internet:
https://www.shodan.io/report/Bagns32R
Most of them are located in South Korea and Taiwan - probably smart devices that were shipped w/ debug builds where the ADB port is still enabled.
Seriously, what year is this?!?! And holy fuck are there really 4.8 MILLION telnet things exposed to the Internet: https://www.shodan.io/search?query=port%3A23&language=en#
For those without an account: http://imgur.com/D6pgsRj.jpg
> Really making sure you change the default user/pass and updating firmware will save you
Lol no. Tons of IoT crap ships with backdoor accounts that the user cannot remove or change the password of (at least not easily). Hell, here's a Shodan search that brings up a ton of camera DVRs that have an irremovable unauthenticated webshell running as root.
>Soon, police and other officials will be able to monitor people's activities in their own homes, wherever there is an internet-connected camera.
Curious how many of these would be accessible from something like shodan.io. Seems like a ripe target for hackers. Does the Great Firewall only target outgoing traffic, or is there some kind of inbound filter as well that could prevent exploitation?
Here's a Shodan search query to find more of those web interfaces:
https://www.shodan.io/search?query=http.html%3AStrikeREAD
You can also find the real IP behind some of these websites by searching for unique strings in their websites. For example w/ ddos.blue (appears to have moved away from this IP now):
https://www.shodan.io/search?query=http.html%3Ainstabooter.com https://www.shodan.io/host/42.51.39.127
I know a bit about this as I used to mess with people (usually in shops or public places) this way. Here's what probably happened.
123456 or admin as the password, which makes them incredibly easy to "hack". Someone with a bit of patience and technical knowledge could easily do this to you. Your first port of call needs to be changing the password on your camera to something secure. This should keep out anyone looking for a cheap laugh at your expense. Do the same to any other devices you have.
You shouldn't be too worried about this, as it's almost certainly not an attack targeted at you personally. If you still get people doing this to you after changing your password, you probably have a camera vulnerable to an issue where your passwords could be disclosed, at which point you should consider buying a different camera from a reputable manufacturer.
That Vodafone story is extremely misleading.
It's about a decade old incident where a piece of networking hardware still had its telnet interface open. Vodafone pointed it out, and Huawei fixed it.
Nothing was reported back then because it's a complete non-story as open telnet ports are an extremely common network admin issue, particularly since the IoT craze started.
Here is an introduction to the query syntax:
https://help.shodan.io/the-basics/search-query-fundamentals
To give you a general idea of the type of data that's available I would recommend to look at the raw information via the website:
https://www.shodan.io/host/104.145.227.85/raw
And for a list of search filters that are available check out the /shodan/host/search method in the developer documentation:
https://developer.shodan.io/api
That page is actually due for an update as it's missing a lot of the protocol-specific filters that we've added but it should give you a solid starting point.
>Is it possible to break into surveillance camera systems and find out from them where a person is moving?
>Supo: Probably not.
https://www.shodan.io/search?query=camera
There are over 200,000 internet-connected cameras right there; go ahead and break in.
Have you set up port forwarding for Plex/plexpy (normally port 32400)? If not, the following shouldn't work.
Find your external IP address while inside your network (google "what is my ip" or go to ipchicken.com). Then try to access that IP from outside the network (phone, neighbor's house, etc.). This would normally be https://<external IP>:32400/web . If it loads up without asking for a username and password, then you need to get that fixed.
I would also suggest going to https://www.shodan.io and doing a search on your external IP to see what comes back.
Hacking as a threat to power plants and utilities is a very real scenario, but it has been for a long time now. You can typically find industrial control systems on the internet pretty easily.
Hell, you can download full IPv4 internet scans of devices using modbus, an old but still very used protocol in industrial systems:
https://scans.io/series/502-modbus-mei_device_id-full_ipv4
You can also use shodan to look for SCADA systems:
https://www.shodan.io/search?query=scada
Security for industrial control systems is probably a bit better now than it used to be, but there are still a lot of devices open on the internet, without any sort of authentication at all.
I'd be worried it would all happen at once in a world war scenario. Another superpower could have all the vulnerable systems logged, and just screw with them en masse the second SHTF.
If there's any cyber threat I'm worried about, it's that. I wouldn't necessarily worry about nuclear power plants. Those have a ridiculous number of fail-safes, and I'm sure they have plans for a scenario like that. Though, I wouldn't be surprised if a number of coal/oil power plants aren't as thorough. The US still relies mostly on coal and oil power plants, and if all the vulnerable ones open to the internet got hit, I can imagine enough blackouts throughout the country to cause some panic. Add war, and you've got a SHTF scenario.
Services like Shodan look for just such servers:
https://www.shodan.io/search?query=octoprint
Obviously it's not a comprehensive list, but it's 500-some-odd exposed Octoprint servers, many of which aren't secured by a password. It would be easy to dump those addresses to a list and attack them en masse if a vulnerability were discovered. In all likelihood nothing will come of having your Octoprint server exposed to the web, but it seems like a needless risk.
Looks like there are ~3,000 of these dashboards exposed on the Internet:
https://www.shodan.io/report/waW9qNoX
If you have a Shodan account then you can use this search query:
Neat. Any guesses as to why your scan would find 1 million fewer telnet hosts than Shodan?
Also, a minor point but 2,570,080 / 5,601,277 ~= 0.46, or 46% of open ports had banners.
It varies and actually pales in comparison to how much memory is available for free on the Internet:
https://blog.shodan.io/memory-as-a-service/
Btw there's plenty of Splunk online as well:
There's also https://www.shodan.io: you create a free account and run the query "Calibre -401". You can filter the search to France or to French-speaking countries...
Edit: Otherwise, if you're into philosophy or the social sciences, this site is a gold mine: http://classiques.uqac.ca/
Brand new to this realm, but I'm trying to change careers out of commercial real estate and into cyber security, so I figured I should brush up on some skills.
I think the best way to describe my abilities when I began would be to say that in my mother's eyes, I am a computer genius -- she, on the other hand, is the most computer-fucking-illiterate human in the world so yea - total n00b.
In the last couple months though, I've managed to learn (and feel moderately comfortable in working with):
Command line prompts
Building (and usually fucking up) a home network
Basic web design (HTML / CSS / Java)
SQL and Database Mgmt
I'm by no means up to the level of probably 90% of subscribers here when it comes to this kinda stuff, but tonight I finally got Linux Mint installed and running on a MBP partition as well as Kali on a desktop PC so I'm feeling like a pretty big deal right now because getting that shit to install properly was fucking frustrating...
Once my VPNs were up and running, I discovered the most interesting and frightening site on the internet (Shodan)... Haven't you ever wanted to remote hack into a refrigerator? Anyway, apologies for all the words, and for probably not contributing much to the thread haha!
Cheers!
TL;DR Not capable of much at all (...yet) | Still learning Linux | Shodan is way interesting and also very very creepy/frightening/concerning.
Looks like there's about 28k hosts using Redis on the default port [1]. I don't know enough about it to say how many of those are using auth or not.
I pen-test for a living; it's a common fear giving up your sensitive information to some random company. Anything you give us from an external point of view is already out there. Just type your IP range into https://www.shodan.io/ and you will probably find more than you expected.
Most all pen-testing companies, even the small boutique shops, are extremely trustworthy. We are the good guys and we are only trying to make the internet a safer place. A lot of us started hacking as a hobby and it ended up becoming our jobs.
That being said, research any company you are interested in before pulling the trigger. I would also recommend talking to others in your field that you trust for recommendations.
don't be these guys: https://www.shodan.io/search?query=HP-iLO-Server
Hewlett Packard Enterprise
iLO 4 ProLiant
Firmware Version 2.40 uroot-ARTMO-qualitygroup-backup
> I still don't know how $Friend2 got hold of that address and I don't think I'll ever know.
Shodan? Looks to be fairly common for universities to put Lexmark printers on public addresses.
I really hope they are all honeypots.
Also, as an added bonus, it appears the IP that got access to your account has HTTP (just an IIS7 setup page), the Remote Desktop Protocol service running, and SMB, so that could be fun for anyone wanting to recover the lost funds....
Here is a quick answer for you: https://www.shodan.io/search?query=SMB+Version+1
242k hosts found; hit all of those as entry points and you are in for a good time. The virus itself also contacts random addresses once it is running on the internet.
You say air-gapped, but if you take a look on Shodan you can find all manner of plc systems with an exposed web interface.
Crappy news video because I can't find the in-depth talk from Defcon
If the passwords are cleartext, it suggests that they don't have a proper DBA - the dev is a full stack engineer.
Given that, it probably suggests that their db credentials are 'sa' with no password. And that db is directly connected to the Internet and searchable on shodan.io.
Scripts that constantly scan all of the address space.
https://www.shodan.io/ will give you an idea of the scary amount of data already available to anyone who wants it.
When ports are found, scripts analyze the services that opened those sockets and try out a few exploits to gain remote execution and, ideally, permission elevation. An unpatched XP box will be owned almost immediately without any human involvement from either side. Seriously, you can spin up a VM and open RDP/RPC/SMB to it to see how fast weird things will start to happen. Or plug in anything that listens to ssh and has root/root credentials, same thing.
It's very easy to be a script kiddie these days. Start Metasploit, type in a couple of commands (select target, pick exploit out of a huge library) and there you go. The same stuff is easily automated.
https://www.shodan.io/search?query=jetdirect
https://www.shodan.io/search?query=print
https://www.shodan.io/search?query=lpd
Just for starters. You really don't want to know how many UPnP implementations are broken and how many printers will punch a UPnP hole into domestic routers.
Shodan is a service that pops up in the news for their internet scans every once in a while, usually related to idiots who keep putting electric grid gear on the internet. This report shows people running the bitcoin core (tcp port 8333) at the end of June.
The dedication to security really shines bright here! Also the forecast for comedy gold is bullish if they ever do change the blocksize, 0.9.1 still has a pretty big userbase and is over a year old, perhaps there's some kind of altcoin noise distorting these numbers but an equally likely possibility is just human sloth.
> How do people with malicious intent even know my NAS is there? MyQnap cloud?
Possibly - or port scanning if it is exposed to the internet. Check your IP address in Shodan to see if it is visible.
For security reasons I highly suggest you don't have a QNAP exposed to the internet or MyQNAP cloud. If you need remote access to the device - setup a VPN on your network and access it that way.
> SSH is standardized,
Well, tell that to fucking networking hardware vendors; each of them seems to have special rules to even talk to them, because why would someone want actually working crypto on switches/routers... Juniper/Junos is an exception, but they just have OpenSSH.
Funnily enough, if they actually used Dropbear it would be way less annoying and more compatible, especially considering the permissive licensing it has.
> and going by sheer number of installations, dropbear is probably the most widely used implementation (in every single embedded device).
Actually, OpenSSH is almost 3x as popular "from the internet side".
You need a free account to view it, but it is a nice tool; for example, it found about 14 mil open SSH servers, mostly in the USA, and about 15 mil open telnet ports, but most of them in China.
"Every single embedded device" is an overstatement; almost no Android devices have it by default, and a ton of home routers just have a web UI, tftp and telnet.
It's a fair point, but there are way better examples than webcams. It's possible to find and access the login screens for the admin panels of various things installed on/running Nuclear Reactors right now, as several are exposed to the world in exactly the same way.
There's tons of stuff more fun than webcams you can have a look at. See what you can find: https://www.shodan.io/
Imagine if the shit people put up with on office computers was common with flight control computers from Boeing and Airbus.
It's not malware that's a problem but people's lax attitude towards shitty software and procedures in critical systems.
There's literally a search engine for insecure devices including wifi enabled cameras and microphones.
The sooner people get educated and demand better from their products and services the better.
You can't blame bitcoin here unless it's about usability faults.
That's another one that's similar to MongoDB and is also crawled by Shodan:
https://www.shodan.io/search?query=port%3A9200+json
Note how the majority of the affected organizations are once again cloud providers and many run old versions.
Edit: This article is heavy on MongoDB but the issues can be found across the board. I expect there are also issues with MySQL instances - basically these are services that aren't as easy to see as a website and therefore get mostly ignored.
> Who in the name of all that is holy exposes their vCenter Server to the interwebs?!?!
Yeah this is still out there...TONS of people setup cams, let them be connected to the internet...and then don't change their default security settings.
The current "big dog" is Shodan.io.
Named after the main bad guy in the cyberpunk System Shock series of games.
You can find other things on Shodan besides webcams too.
You can locate file listings by searching for websites where the title contains "index of /". And then you can search the HTML of those files for "mkv" if you only want to see servers that list them. Here are those two concepts combined:
https://www.shodan.io/search?query=http.title%3A%22index+of+%2F%22+http.html%3Amkv
Disclaimer: we look at this sort of information to help flag those servers as high-risk and potentially compromised.
Shodan is a search-engine for IoT devices, as well as things that should probably not be directly connected to the internet (power grids, etc.)
He just searched for a debug string on Shodan, which is just a variant of Google Hacking. Basically, if Shodan's crawler encountered a Debug page, it's now indexed.
I'm saying if that underwater boat is in any way ever connected to the internet, then unless you want your boat's control mechanism showing up here, then yeah, you should use SSH.
And did you know that SSH is completely implementable without paying any licensing fees? Check out OpenSSH.
And what's shitty, exactly? You seem to imagine there's a huge performance penalty to implementing TLS (or SSH for that matter), but this just isn't true any more.
Pretty much. Your fraud protection / whatever under the PCI certification might fall through.
But no attacker (in fact probably no one at all) ever went to login to a system and went "Oh. A banner. Well they've clearly got their legal shit together, I better not hax them"
Edit: https://www.shodan.io/search?query=telnet+authorized :D :D :D
Actually, there are more than 40,000 publicly accessible Redis instances:
https://www.shodan.io/search?query=product%3A%22Redis+key-value+store%22
Sidenote: If you want to search by port you should use the "port" filter ala:
https://www.shodan.io/search?query=port%3A6379
But there are also webservers, SSH etc. running on port 6379 so it's more accurate to filter by the product identification.
This is how to find them on Shodan using the favicon of their website:
Changing ports won't do much to hide your webserver. It may deter some automated bots, but places like Shodan will likely end up having your IP and ports/services listed regardless of what port it's on.
https://www.shodan.io/host/45.155.205.165
Looks like a pivot or a honeypot, with ssh and ntp wan facing reported by shodan.
Block it and forget it.
Change around any port forwards you have, or remove them altogether and create a VPN to get into your devices remotely. Avoid any Tor or P2P unless you VPN first. Secure your DNS through a secure provider.
Outside of that it's fairly normal traffic; lots of these sources scan/sniff/recon opportunistically. I just block 'em. When they're in North America you can email the sysadmin, but the Russians don't give a shit.
Most of these cameras aren't your average webcam; they're IP-addressable (network-connected) cameras that folks have mistakenly exposed to the internet. Sites like Shodan can and do find these in a matter of time when they're exposed, and then most of them still have the default credentials (so you just google for "whatevermodelofcamera default credentials") and try to log in.
It's really pretty simple and frankly scary how many people do this and don't realize they're letting their camera be viewed by the world (some probably don't care).
Region-block it to the locations of your intended visitors and give them each unique login credentials. That should be sufficient for most scraping/crawling tools. Also do not use WordPress, since there are dedicated tools for brute-forcing your way into the admin panel.
There are services such as https://www.shodan.io/ which will scour the entire internet, these will be mostly blocked by the actions I stated above.
Remember that unless you have valuable information you are trying to protect, and you are somewhat vigilant you should be fine.
If someone was willing to go to that length to access your camera, it wouldn't make much sense to immediately draw your attention to it. It's much more likely they'd want to use it for more nefarious purposes, rather than just messing with you.
If your boyfriend is unsure, I'd try searching for your IP address (you can Google it) on https://www.shodan.io/ which will show you any public services (such as your camera) on your home network. If something like "network camera" or "ip camera" shows up when you search, it means your home network is configured to allow access to the camera from the internet.
You can also check your WiFi router settings to see if any ports are forwarded. This depends on your router, but for me it looks like this. If you're feeling technical, this Wikipedia article goes into more detail about how it works.
The Internet of things is shit, do not give Internet access to these devices and problems will be less.
Use strong passwords, not stupid shit like that
Your favorite services are also not perfect and your data is stolen from them, check your login here and do not use the same passwords for all services.
Do not enter your login password anywhere, it's a simple rule of hygiene.
And stop blaming hackers for your stupidity, you create your own problems)
The membership page is only viewable once you're logged-in. Here is a breakdown of what's included:
https://www.shodan.io/store/member
Not listed but also included is a digital copy of the Shodan book and a few other things.
Once we started messing around here at work going through this page, but there you have to try password combinations like admin admin, admin 1234, etc. And we happened to catch a nanny getting it on with a workman in the master bedroom XD
https://www.shodan.io/search?query=Home+Assistant
Oddly enough, it's incomplete. As mentioned above, mine has been on the Internet for over a year. However, it doesn't appear in that search.
I know that doesn't directly answer the question, but there are quite a few out there and I have yet to hear of a breach.
Of course, no info doesn't mean it hasn't happened.
One way is to use hacked IOT devices. A quick search on shodan shows ~6000 devices that have a hardcoded backdoor and that anyone can get a root shell on
Fair enough. One really easy thing you could do to help though is change the port you forward for RDP on your router. Anything but 3389 would help. Just change it on the router, it can still be 3389 on your server. There's nothing saying 3389 on the router is locked to 3389 on the server. Make it anything between 1024 to 65535 (I'd stick to 10000-65000, and avoid clashing with anything else standard like 443, or that's popular like 8443).
There are sites like Shodan that continuously scan the IPv4 Internet for open ports and keep a database of them. If one day a bug in RDP is discovered, a bad guy could go there and say "show me all hosts with port 3389 open", throw them in a list and attack them pretty much simultaneously. Just by moving to a different port you can escape this kind of automated attack. Or there doesn't even have to be a bug; some bored hacker could just get a list of all open ports 3389 and start throwing user/pass dictionary lists at them to see if any have really obvious/default passwords. One day you might slip up and they're in.
None of this would help you if I decided "today I'm going to attack /u/notausernamee" because then I'd just full scan everything and being on a different port wouldn't matter, but when there are tens of thousands of open servers to choose from already, the average hacker isn't going to bother deep scanning individuals.
So, your question is fairly vague, given even with privacy in mind we require context.
First of all, and the biggest issue is, most infosec solutions are still being updated for IPv6, and as a result, there are holes we are still learning about. IPv6 makes it easier to uniquely identify a machine without necessarily needing a MAC address (not that it would be hard to get) and you don't need NAT for an IPv6 identified machine. So you'd need to properly configure a stateful firewall to accommodate this direct mapping, which can mean more work and therefore more mistakes. This means that if IP filtering isn't implemented properly then the machine can be targeted directly.
This can also be an issue for tunneling protocols used for VPNs. However, many VPNs offer some form of IPv6 leak protection, which appears to be working sufficiently for now.
Alternatively, IPv4 can (depending on your network, configuration, and usage terms) provide a level of pseudo-anonymity. An example would be ISPs recycling IPv4 addresses for customers based on who is using them, and reassigning the addresses as customers join and leave the network. This is due to the size of the network and the number of public IPv4 addresses they can use. So without something more granular than an IPv4 address, it would be hard for that alone to be used to consistently identify you.
Then you need to think about, what machine are we identifying? And do we need that address to never change? As IoT becomes more implemented, the increase in IP addresses for IPv6 will likely become a necessity. And sites like shodan show up how these unsecured devices can be easily accessed for (in this case) spying.
Try good ol' shodan
https://www.shodan.io/search?query=australia
Searches can be narrowed down quite well, but the site is quite easy to use.
Also have a look at https://www.reddit.com/r/controllablewebcams/
Save yourself some time and use Shodan
It's the "Google" of nmap scans.
Plus you don't want to keep data like that for any length of time. Especially if you are doing anything that is less than legit, or don't want to be confused for someone not performing legitimate infosec research. In court port scans can be viewed as intent.
Yes, I've looked at that! Here is an overview of the obvious honeypots on Shodan:
https://www.shodan.io/report/Io0DSimv
I also wrote a tool for honeypot admins to check whether our algorithm detects their ICS honeypot as such:
I would recommend trying out search queries that other users have shared via the website:
To be clear though: Shodan is a technical search engine meant for people with an understanding of what they're trying to find. I.e. if you're trying to find power plants you won't get very far just by entering "power plant". But if you come from the energy industry and have first-hand experience working with those sorts of devices then you'll probably be able to find them with Shodan.
That also brings me to an important point that might've been lost in the Viceland interview: there is a big difference between knowing a device is connected to the Internet and having the ability to compromise it in a meaningful way. Just because you can connect to a factory doesn't mean you know how to make any changes to it that would affect the production. There's a giant amount of proprietary knowledge required usually to cause any damage. To that point, Shodan helps to provide a better, empirical view of the Internet and what's connected to it so hopefully more people become aware of the security issues that an increasingly-connected world brings with it.
Btw the most common usage of Shodan is exactly what /u/Balthanos described: checking whether anything on your own network is unexpectedly exposed on the Internet.
Source: I'm the guy being interviewed.
PS: If you're looking for a simpler interface maybe check out https://simple.shodan.io
Check out this link: https://www.shodan.io/search?query=IP+webcam+server+0.3
Might want to secure that webcam you have if it's carrying any sort of private or sensitive information. Total strangers can find your camera on the list and possibly abuse whatever is being shown (such as someone's address and their "at home" hours, to rob their house). Trust me, it's been done before. Please be cautious.
Ah yeah, that makes sense. If seeing the results themselves without logging in isn't that important, you can also generate a report for free that summarizes the findings ala: https://www.shodan.io/report/RNkjbBzw
There are lots of useful and interesting research purposes actually that don't involve trying to login, see: https://blog.shodan.io/duplicate-ssh-keys-everywhere/
Edit: And you might want to find out who's using which SSH software, which version they're on and more: https://www.shodan.io/report/11ODLLGl
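A worked example of the kind of banner analysis those two reports rely on, added here as an illustration; it is not code from the comment above or from Shodan. It parses SSH identification strings (the RFC 4253 "SSH-protoversion-softwareversion SP comments" format), builds a software/version census and flags host key fingerprints that show up on more than one IP, which is the situation the duplicate-keys post describes. The sample records and their field names ('ip_str', 'port', 'data', 'ssh.fingerprint') are constructed for the example and only mimic the shape of a Shodan banner record.

```python
import re
from collections import Counter, defaultdict

# Constructed sample banners (documentation-range IPs, no real hosts). The field
# names mimic a Shodan banner record but are an assumption of this example,
# not a copy of the Shodan schema.
SAMPLE_BANNERS = [
    {"ip_str": "192.0.2.10", "port": 22,
     "data": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
     "ssh": {"fingerprint": "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00"}},
    {"ip_str": "192.0.2.11", "port": 22,
     "data": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n",
     "ssh": {"fingerprint": "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00"}},
    {"ip_str": "198.51.100.5", "port": 2222,
     "data": "SSH-2.0-dropbear_2019.78\r\n",
     "ssh": {"fingerprint": "de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef"}},
    {"ip_str": "198.51.100.6", "port": 22,
     "data": "SSH-2.0-Cisco-1.25\r\n",
     "ssh": {"fingerprint": "c1:5c:0c:15:c0:c1:5c:0c:15:c0:c1:5c:0c:15:c0:c1"}},
    {"ip_str": "203.0.113.9", "port": 22,
     "data": "SSH-1.99-OpenSSH_5.3\r\n",
     "ssh": {"fingerprint": "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00"}},
    {"ip_str": "203.0.113.10", "port": 22,
     "data": "220 mail.example ESMTP\r\n"},   # not SSH at all: must be skipped
]

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$")


def parse_ssh_banner(banner):
    """Split an SSH identification string into protocol, software, version and comment.
    Returns None for anything that is not an SSH identification string."""
    first_line = banner.split("\n", 1)[0].rstrip("\r")
    m = IDENT_RE.match(first_line)
    if not m:
        return None
    software = m.group("software")
    # softwareversion is free-form; implementations put the product name first
    # and the version after '_', '-' or '/', so split at the first digit.
    digit = re.search(r"\d", software)
    if digit:
        name = software[:digit.start()].rstrip("_-/")
        version = software[digit.start():]
    else:
        name, version = software, None
    return {"proto": m.group("proto"), "software": name,
            "version": version, "comment": m.group("comment")}


def version_census(records):
    """Count (software, version) pairs across SSH banners, like a facet report."""
    census = Counter()
    for rec in records:
        parsed = parse_ssh_banner(rec.get("data", ""))
        if parsed:
            census[(parsed["software"], parsed["version"])] += 1
    return census


def duplicate_host_keys(records):
    """Map each host key fingerprint seen on more than one IP to those IPs.
    Shared host keys usually mean cloned images or vendor-baked keys: any one of
    those hosts can impersonate the others to a client that trusts the key."""
    seen = defaultdict(set)
    for rec in records:
        fp = rec.get("ssh", {}).get("fingerprint")
        if fp:
            seen[fp].add(rec["ip_str"])
    return {fp: sorted(ips) for fp, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for (sw, ver), n in version_census(SAMPLE_BANNERS).most_common():
        print(f"{n:3d}  {sw} {ver or ''}")
    for fp, ips in duplicate_host_keys(SAMPLE_BANNERS).items():
        print(f"shared host key {fp}: {', '.join(ips)}")
```

The split-at-first-digit rule is a heuristic: the softwareversion token is free-form, so expect a few odd names in a real census and treat the version field as advisory, not authoritative.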
According to Shodan, that IP is running a well out of date Apache server with a ton of vulnerabilities... and a publicly exposed MySQL database port.
That's like pretty bad stuff, and while it isn't much worse than millions of other similarly misconfigured systems, if I were you I'd want to stay as far away from any legal repercussions as possible, because that's just a bunch of shit waiting to hit the fan.
It’s funny, because the site you linked shows over a million of security issues with MySQL.
ACID (Atomicity, Consistency, Isolation and Durability) has its place. It comes from the world of relational databases and is focused around efficient updates and cascades - if you update something somewhere, it has to update everywhere (think of a customer moving from one address to another). It deals with normalization and data structure so that relationships are preserved and are correct / optimized... but notice the key idea here? Relationships. There are ways to build Business Intelligence systems that include MongoDB on the applications layer, but I agree that in that realm, relational databases reign supreme.
The article you provide about ACID and the mongo comparisons highlights the maturity and progress mongo had over the last 15 years and that it is not “just a key value storage”. It is also from a competitor that is much less mature (been around for about 5 years?) highlighting specific scenarios for which mongo has been used for years at that point.
I am not saying there aren’t cases where you should use a relational database. But NoSQL databases ARE a thing. They are a different paradigm altogether and are a mature choice that fits a vast area of applications.
Personally, I find them a great fit for small to medium applications that are in the early stage of discovery / market adaptation. Part of it is that they are less plagued by gatekeepers like yourself, free to innovate and offer quicker journey to a persistence layer in an application and better tooling that don’t require a team of DBAs just to keep it running.
Yes, QNAP used bad coding in the programs.
The Internet is continually being scanned and scan results being updated all the time.
Just look at: https://www.shodan.io/search?query=qnap
Ah, yes, that's fine. However, if you have not made the NAS accessible from the Internet, then there is no need to change the ports.
Most people change the default ports to something else because they mistakenly believe that doing so is a security measure - it is not - and therefore keep the NAS accessible from the Internet.
If you want to see just how ineffective Security by Obscurity is, just run a search on Shodan.
I'd like to say I'm surprised but that would be a lie...
https://nakedsecurity.sophos.com/2018/09/06/thousands-of-unsecured-3d-printers-discovered-online/
Run your WAN IP against this site. I'd make sure you don't have any other applications on your media server tied to Plex that are not locked down with a username and password, i.e. Sonarr, Radarr, SabNZBD, etc. If someone gets into one of these applications it's fairly easy to take over a Plex server. https://www.shodan.io
Shodan is also a great resource to see what ports are open to the internet. Keep in mind that it can take a while for the results to show up as they scan IPs periodically.
You can check what your public IP is by using any public IP tool. I typically go for Amazon Check IP because it only shows the public IP.
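An added example of the self-check being recommended here; it is not part of the comment above and not Shodan's code. It takes the host record Shodan holds for your WAN IP, compares it with the ports you meant to expose, and flags the services that should not face the Internet at all. The record below is constructed for the example; its field names follow the shape of the Shodan host lookup (the official Python client's Shodan(api_key).host(ip) returns a dict like it) but are an assumption here, as are the allowlist and the product keywords. Matching on the product name rather than the port catches RDP on 33890 as well as on 3389, which is why moving a service to a non-default port does not hide it from a scanner that indexes banners.

```python
# Constructed Shodan-style host record for a home media server (documentation
# address, not a real host). In the official Python client the live equivalent is
# shodan.Shodan(api_key).host("203.0.113.42"); the field names below follow that
# shape but are an assumption of this example.
SAMPLE_HOST = {
    "ip_str": "203.0.113.42",
    "ports": [22, 3389, 8989, 32400, 33890],
    "data": [
        {"port": 22, "transport": "tcp", "product": "OpenSSH",
         "data": "SSH-2.0-OpenSSH_8.4p1 Debian-5\r\n"},
        {"port": 3389, "transport": "tcp", "product": "Remote Desktop Protocol",
         "data": "Remote Desktop Protocol\r\n"},
        {"port": 8989, "transport": "tcp", "product": None,   # Sonarr's default port
         "data": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"},
        {"port": 32400, "transport": "tcp", "product": "Plex Media Server",
         "data": "HTTP/1.1 401 Unauthorized\r\nX-Plex-Protocol: 1.0\r\n"},
        {"port": 33890, "transport": "tcp", "product": "Remote Desktop Protocol",
         "data": "Remote Desktop Protocol\r\n"},
    ],
}

# What the owner intends to expose (assumption for the example): Plex only.
EXPECTED_PORTS = {32400: "Plex Media Server"}

# Product keywords for services that belong behind a VPN, not on the open Internet
# (assumption; extend to taste). Matched on the product/banner, not the port number.
NEVER_EXPOSE = ("remote desktop", "mysql", "smb", "telnet", "vnc")


def audit_exposure(host, expected=EXPECTED_PORTS, never_expose=NEVER_EXPOSE):
    """Return sorted (port, severity, message) findings for a Shodan host record."""
    findings = []
    for svc in host["data"]:
        port = svc["port"]
        product = svc.get("product") or ""
        banner = svc.get("data") or ""
        status_line = banner.split("\r\n", 1)[0]
        if port not in expected:
            findings.append((port, "unexpected",
                             f"not in the allowlist ({product or 'unidentified service'})"))
        if any(tag in product.lower() for tag in never_expose):
            findings.append((port, "high",
                             f"{product} reachable from the Internet; the port number does not hide it"))
        if status_line.startswith("HTTP/") and " 200 " in status_line:
            # Heuristic: an app that answers 200 to a blind probe may have no login at all
            # (Plex's 401 is what an authenticated-only service looks like to a scanner).
            findings.append((port, "check",
                             "HTTP service answered 200 to an unauthenticated probe; confirm a login is enforced"))
    # Ports Shodan saw open but captured no banner for still count as unexplained exposure.
    for port in host.get("ports", []):
        if port not in expected and not any(svc["port"] == port for svc in host["data"]):
            findings.append((port, "unexpected", "open port with no banner captured"))
    return sorted(findings)


if __name__ == "__main__":
    for port, severity, msg in audit_exposure(SAMPLE_HOST):
        print(f"{severity:10s} {port:6d}  {msg}")
```

Run it against the real record for your own WAN IP and the "unexpected" list is exactly what the comment asks you to go and lock down or take offline.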
I think you can take the tinfoil hat off.
I believe the underlying threat management software is Suricata on the UDM Pro; typically what happens in the beginning is you get a lot of false positives. When I used Suricata on pfSense I would get these all the time. I'd just say if you get an IP outside of your network on the alert, go to https://www.shodan.io/ and paste the external IP in and see where it is coming from.
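An added example of the triage step that comment describes; it is not code from the comment, from Suricata or from Shodan. It reads Suricata's eve.json alert lines, keeps only the alerts that involve an address outside the local network, aggregates them per remote IP and produces the Shodan host URLs to paste in. The eve.json lines are constructed (documentation-range addresses, made-up LOCAL signatures in the local sid range); the local-network list is an assumption you would edit for your own prefixes.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed eve.json lines. The layout follows Suricata's EVE alert output;
# the addresses and the LOCAL signatures are invented for the example.
SAMPLE_EVE = r"""
{"timestamp":"2021-04-01T10:00:01.000000+0000","event_type":"alert","src_ip":"198.51.100.23","src_port":51234,"dest_ip":"192.168.1.10","dest_port":22,"proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL SSH brute force attempt","category":"Attempted Administrator Privilege Gain","severity":2}}
{"timestamp":"2021-04-01T10:00:02.000000+0000","event_type":"flow","src_ip":"192.168.1.10","src_port":22,"dest_ip":"198.51.100.23","dest_port":51234,"proto":"TCP"}
{"timestamp":"2021-04-01T10:05:07.000000+0000","event_type":"alert","src_ip":"192.168.1.25","src_port":40000,"dest_ip":"203.0.113.77","dest_port":443,"proto":"TCP","alert":{"signature_id":1000002,"signature":"LOCAL outbound curl user-agent","category":"Potentially Bad Traffic","severity":3}}
{"timestamp":"2021-04-01T10:06:00.000000+0000","event_type":"alert","src_ip":"198.51.100.23","src_port":51300,"dest_ip":"192.168.1.10","dest_port":23,"proto":"TCP","alert":{"signature_id":1000003,"signature":"LOCAL telnet probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2021-04-01T10:07:00.000000+0000","event_type":"alert","src_ip":"192.168.1.25","src_port":5353,"dest_ip":"192.168.1.1","dest_port":5353,"proto":"UDP","alert":{"signature_id":1000004,"signature":"LOCAL mDNS chatter","category":"Not Suspicious Traffic","severity":3}}
this line is truncated garbage, as happens while the file is being written
"""

# Address space that counts as "inside your network" (assumption: RFC 1918,
# loopback, link-local, CGNAT and the IPv6 equivalents; add your own prefixes).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]


def is_local(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # 'in' is False for a version mismatch, so v4 and v6 networks can share one list.
    return any(ip in net for net in LOCAL_NETS)


def external_peers(eve_text):
    """Aggregate alert events per remote (non-local) IP.
    Returns {ip: {"alerts": n, "signatures": [...], "directions": [...]}}."""
    peers = defaultdict(lambda: {"alerts": 0, "signatures": set(), "directions": set()})
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or corrupt line: skip rather than abort the whole file
        if event.get("event_type") != "alert":
            continue
        src, dst = event["src_ip"], event["dest_ip"]
        if is_local(src) and is_local(dst):
            continue  # LAN-to-LAN noise: nothing to look up on Shodan
        if is_local(src):
            remote, direction = dst, "outbound"
        else:
            remote, direction = src, "inbound"
        entry = peers[remote]
        entry["alerts"] += 1
        entry["signatures"].add(event["alert"]["signature"])
        entry["directions"].add(direction)
    return {ip: {"alerts": e["alerts"],
                 "signatures": sorted(e["signatures"]),
                 "directions": sorted(e["directions"])}
            for ip, e in peers.items()}


def shodan_lookup_urls(peers):
    """Shodan host pages for the remote IPs, noisiest first."""
    ordered = sorted(peers, key=lambda ip: (-peers[ip]["alerts"], ip))
    return [f"https://www.shodan.io/host/{ip}" for ip in ordered]


if __name__ == "__main__":
    peers = external_peers(SAMPLE_EVE)
    for url in shodan_lookup_urls(peers):
        ip = url.rsplit("/", 1)[1]
        print(url, peers[ip]["alerts"], "alerts", peers[ip]["directions"], peers[ip]["signatures"])
```

Seeing the same remote IP across several unrelated signatures, or an outbound alert to a host Shodan shows as an ordinary CDN node, is usually what separates a real probe from the early false positives the comment mentions.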
> If it's so "old news", why is it still happening?
Because unpatched systems are easy to exploit. This is not a complicated concept.
> Quit boasting that you already knew like a know it all.
You might want to check out Shodan[https://www.shodan.io/], they have been providing an easy way to find unpatched systems on the internet for like 10 years now.
> Quit telling me that I have nothing to worry about.
Nobody is saying that, the point they are trying to make is that if you keep your devices up to date, use anti virus/malware software, and pay a reasonable amount of attention to what you are doing on the internet you are actually pretty secure.
> And fucking go do something about it. Fix it! Fix it! Fix it!
Overall security is getting better: the introduction of bug bounty programs has driven up the cost of developing zero days, organizations are moving to secure their applications with enhanced techniques like 2FA, and the internet has made patching vulnerable software much easier and more convenient. The security industry drives platforms to increase their security; it cannot magically make every system un-exploitable. This is an arms race and always will be.
> Didn't ever do any damage but had a serious chance to do some.
Sign up for a free account on Shodan and you'll be shocked what people connect to the internet and then just leave the default password.
If you have some decent Google-fu, you'll find some easy queries you can use to scare the bejeezus out of you. Pro tip: make sure you're using proxies and a VPN at a minimum when you're using it. ISPs get really nervous when they see you poking around stuff.
Happy hunting!
If you are running a service on the internet, assume you are going to be port scanned. Hackers can get a list of IPv4 address ranges belonging to the major ISPs and run a port scan on all of them. Chinese and Russian IPs go knocking on the door of my SSH and web servers multiple times every hour. If someone wants a ready-made list of Home Assistant installations to try, they can simply get it from Shodan.
Going IPv6-only can mitigate it, but security through obscurity isn't a good policy.
There are a bunch of smart kettles connected to the Internet: https://www.shodan.io/search?query=ikettle
We started crawling for them a few years ago and for the longest time we only had a single result from England. Now it looks like there are a lot more of them on the Internet.
Proggit discussion here:
https://old.reddit.com/r/programming/comments/a0kxmw/i_dont_know_what_to_say_backdoor_in_popular/
tl;dr:
If you don't know about it already, check out https://www.shodan.io
They scan all open ports and provide the same information, and even make it searchable. So you can search all IPs exposing the banner for a certain version of SSH, for example.
Poor security of routers is another way in. https://www.shodan.io/ look up your isp.
Read the info in this sub's wiki too https://www.reddit.com/r/privacy/wiki/index I know it's a lot of info and a portion won't apply to you but you can't protect your privacy if you don't know how.
First let me just point out that an IP address does not equal identity; it's possible to spoof IP addresses, but chances are if someone wanted to do bad things they would use a proxy or VPN.
But on to what you want: what you want to do is called geolocation. You can use this to find a rough location (this doesn't always work; for example my IP address says I'm in a town near to where I live).
You can use: https://www.iplocation.net/ I would also suggest https://www.shodan.io; it can also locate an IP (roughly) but will also tell you if that IP has ports open and if it has services open.
Don't worry, up to right now you have not broken any laws.
After that you need to just sift through the data and I guess compare it with the known address of the potential bad person.
Another method: I assume you have Google Analytics? That will have a record of the IP address and will say what "User-Agent" was used. You can then Google that user agent and work out what type of device they used (also I think GA will state if it's Desktop or Phone).
I think it's very unlikely that you can get the exact location; mostly you will get the local location of the Internet exchange used.
Another method is to go legal and get a lawyer to try to obtain the name of the person tied to the IP address; that's the only method of getting the exact person.
It especially makes things worse if the bad person has a dynamic IP and not a static one, as it will change probably almost every day.
I recommend if you think they are in your system and you can't get them out, you should hire someone to look into your system and secure it properly and then report it to local LE who can help with contacting the ISP who owns the IP address.
Best of luck.
Probably because
My AV had no problem with it, and Shodan doesn't think it's a problem either.
Interestingly, My university connection routes it through Internet2, touching McGill in the process.
Yes. Everyone thinks "oh I'm too small to be targeted". Yes, that's true, but the majority of attacks are not targeted. It's trivial to find insecure devices out there. Attacks can be completely automated and your info harvested within seconds.
Remember when you could set up a Windows XP machine and have it compromised by worms before you could get it patched? Yeah, it's like that.