Several thousand misconfigured FTP servers, or how we decided to help

Phillip A White
Jul 10, 2017 · 5 min read

Good day, dear reader.

After a month of sleepless nights we had an alpha version of the product ready, and we decided to start with a good deed. The idea came by itself: while consulting with colleagues recently, we concluded that the ability to work in the public arena is extremely important for a modern company. I have decided not to describe the detailed methodology, so as not to hand script kiddies a ready-made instruction. I will only say that the work was done using the OSINT methodology.

The essence of the idea:

  • create a list of FTP servers that allow anonymous login
  • check for write access on each host that was detected
  • report the problem to the owners of the hosts where write permission is present
  • get feedback from them
  • get feedback from the community

The first three points are done as of now.

The reader may have questions: “Why is this important?”, “Why did we spend time on this?”, etc.

First, the host owners may have set the permissions up incorrectly because they underestimate the risks. Here is a list of some of them:

  • the risk of your confidential information leaking
  • the host can be used to distribute warez (pirated software)
  • the host can be used to store stolen credit card dumps
  • the host can be used to distribute child pornography
  • the host can be used to distribute malware and other unwanted content
  • someone can permanently delete your files

Why do we think that such work matters to those who do not have such problems?

The Internet is our home. Our common home. We are interested in the safety of this house. It is a terrible mistake to believe that you are of no interest to anyone and that nobody will find you. You are seen, you are being hunted. If you do not care about safety, then I will ask you: “Haven’t Been Hacked Yet?” The answer is: “It’s Only a Matter of Time.” You say that you have a small business and you do not have such enemies, but you forget about the risk of becoming the victim of an untargeted attack. At the very least, you are a springboard and a resource for intruders. The game is in progress right now. Good guys compete with the bad, blue teams oppose the red. Which of them will be the first to tell you about their existence is a matter of time and of your luck.

How is this information collected and why is it publicly available?

Well … that is how the Internet works. At its very foundation lie the principles of openness and trust. The Internet has no borders.

I will try to explain by analogy. Imagine that something walks the streets all over the world and examines doors and locks in detail, recording the details in its own notebook. This something does not pick the locks and does not try to open the doors. This activity is legal. Then this something analyzes and sells the records it made earlier. Let us say that an attacker, A, knows how to pick a lock of a particular brand and version. He buys from this something the addresses of those who have suitable locks (for example, in Houston). Then A goes and opens the doors that he can. Do not forget that this something is only an instrument. The tool bears no moral responsibility. With the same information, citizen B can notify the owners about the insecurity (or otherwise) of their locks. It all depends on whose hands the tool is in. In rare cases an interested person stands too long in front of a door while recording the model of the lock, and gets in the way of those who really want to go through the door (the hosts, the welcome guests). This situation may fall outside legality. I will not launch into a monologue about the legality of port scanning, so as not to take up your time. If you are interested in this topic, I can advise you to familiarize yourself with the following sources:

From my own experience I can add that the line between port scanning and stress testing is quite thin. I will explain by example. When all TCP ports of a cheap VPS are scanned (SYN scan), it can happen that the VPS gets disconnected. While the VPS tenant is angry, the owners explain to him that he exceeded the conntrack limit (the default value is 65535, and all 65535 TCP ports were scanned at once), so he was disconnected until the circumstances became clear. The tenant did not run any scans, yet he was rewarded with downtime from several hours to a couple of days. He was told in colourful terms that he had allegedly become the victim of a DoS attack and that they had heroically saved him. In fact, this DoS was arranged by the owners. That is no comfort to the tenant. The money was not refunded. Stupidity and an inappropriate example, you say? This is a real-life event.

Many providers explicitly prohibit port scanning activities in their ToS.

You can find and read about incidents related to improperly configured FTP servers without my help. You just need to ask Google something like “open anonymous ftp crime year:2015–2017”.

So, we found ~850k FTP servers that allow anonymous login. About 9.7 thousand of them allow an anonymous user to write and delete files. We notified all of them, described the risks in detail and attached a typical correction instruction. The picture below shows the distribution by country.

Distribution of hosts by country

And here is the map itself

The location of dangerously configured ftp servers

The picture is quite as expected, isn’t it?

If you have similar stories, we will read them with curiosity. If we receive interesting responses privately and are allowed to publish them, we will publish them here. Stay in touch. We are interested in your opinion, so feel free to debate. Please let me know about misspellings in private messages.

P.S.
Now a few words about us. Since you have read this far, you are not indifferent to InfoSec questions.

We are 5KYN37, and we have just rolled out our alpha release. We specialize in providing port scanning services.

Our key features:
* Scanning of all TCP and UDP ports
* All payments in BTC only
* No registration
* All work is on prepayment only
* Our prices are lower than Shodan’s by 10% on average
* We do not store data about you and do not hand it over to anyone
* We do not require proof of ownership of the hosts you order
* We do not charge for consultations
* All we need to work with you is prepayment and your contact email
* If we took the order and could not fulfil it, we will refund your money

Hello, Brave New World!

Phillip A White

Written by

InfoSec Researcher, big data, ml, python, linux, the one who cares, geek, hacker, loving father, communicative.
