Slashdot Mirror


Botnet Uses Default Passwords To Conduct "Internet Census 2012"

An anonymous reader writes "By using four different login combinations on the default Telnet port (root/root, admin/admin, root/[no password], and admin/[no password]), an anonymous researcher was able to log into (and upload a binary to) 'several hundred thousand unprotected devices' and run 'a super fast distributed port scanner' to scan the entire IPv4 address space." From the report: "While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. All data gathered during our research is released into the public domain for further study."
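
As an added example (not code from the census report, and nothing the submitter or Slashdot wrote), here is the credential check the summary describes, written in Python as an authorized audit of one's own devices: a client that drives a BusyBox-style Telnet login prompt with the same four pairs in the same order, plus an in-process fake telnetd constructed for this example so that everything runs offline on 127.0.0.1. `audit_device`, `try_login`, `FakeBusyBoxTelnetd`, the prompt strings and the account tables are assumptions of the example, not details taken from the report. One edge case that the root/[no password] and admin/[no password] pairs raise is handled explicitly: if `login` never asks for a password, the client records the effective password as empty regardless of what it would have typed.

```python
"""Authorized default-credential audit of a Telnet/BusyBox device (added example)."""
import contextlib
import re
import socket
import threading

DEFAULT_CREDS = [("root", "root"), ("admin", "admin"), ("root", ""), ("admin", "")]
SHELL_PROMPTS = (b"# ", b"$ ")
# IAC WILL/WONT/DO/DONT <opt>, other 2-byte IAC commands, escaped IAC IAC (no SB...SE).
_IAC_RE = re.compile(rb"\xff(?:[\xfb-\xfe].|[^\xff])|\xff\xff", re.DOTALL)


def strip_iac(data: bytes) -> bytes:
    """Drop Telnet option negotiation so prompt matching sees only text."""
    return _IAC_RE.sub(lambda m: b"\xff" if m.group() == b"\xff\xff" else b"", data)


def read_until(sock, markers, timeout=3.0, limit=4096) -> bytes:
    """Accumulate output until a marker appears, the peer closes, or recv() times out."""
    sock.settimeout(timeout)
    buf = b""
    while len(buf) < limit and not any(m in buf for m in markers):
        try:
            chunk = sock.recv(512)
        except OSError:  # timeout or reset: return what we have
            break
        if not chunk:
            break
        buf += strip_iac(chunk)
    return buf


def try_login(host, port, user, password, timeout=3.0):
    """Drive a BusyBox-style login prompt; return (got_shell, password_was_asked)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if b"ogin:" not in read_until(s, [b"ogin:"], timeout):
            return False, False  # no login prompt at all
        s.sendall(user.encode() + b"\r\n")
        resp = read_until(s, [b"assword:", *SHELL_PROMPTS, b"incorrect"], timeout)
        asked = b"assword:" in resp
        if asked:
            s.sendall(password.encode() + b"\r\n")
            resp = read_until(s, [*SHELL_PROMPTS, b"ogin:", b"incorrect"], timeout)
        got_shell = resp.rstrip().endswith((b"#", b"$")) and b"incorrect" not in resp
        if got_shell:
            s.sendall(b"exit\r\n")  # leave the box as we found it
        return got_shell, asked


def audit_device(host, port, creds=DEFAULT_CREDS):
    """First working (user, effective_password) pair, or None. If login never asked for
    a password the effective password is "" whatever we typed (the [no password] case)."""
    for user, pw in creds:
        got_shell, asked = try_login(host, port, user, pw)
        if got_shell:
            return user, (pw if asked else "")
    return None


class FakeBusyBoxTelnetd:
    """In-process stand-in for telnetd+login, constructed for this example. Modelled
    (not taken from any particular BusyBox version): an empty password field means a
    shell with no Password: prompt; anyone else is prompted, then "Login incorrect"."""

    def __init__(self, accounts):
        self.accounts = accounts
        self._srv = socket.socket()
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(8)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self._srv.accept()
            threading.Thread(target=self._session, args=(conn,), daemon=True).start()

    def _session(self, conn):
        with contextlib.suppress(OSError), conn:  # OSError: client went away
            conn.sendall(b"\r\n(none) login: ")
            stored = self.accounts.get(self._readline(conn))
            if stored != "":  # non-empty or unknown user: ask, then check
                conn.sendall(b"Password: ")
                if self._readline(conn) != stored:
                    conn.sendall(b"\r\nLogin incorrect\r\n")
                    return
            conn.sendall(b"\r\nBusyBox built-in shell (ash)\r\n\r\n# ")
            self._readline(conn)  # block until "exit" or disconnect

    @staticmethod
    def _readline(conn) -> str:
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = conn.recv(256)
            if not chunk:
                raise OSError("peer closed")
            buf += chunk
        return buf.strip().decode(errors="replace")
```

Against a real device the client only strips option negotiation and never answers it, so a telnetd that insists on a reply may stall until the read times out; `read_until` then returns whatever arrived and `try_login` reports no shell rather than guessing. Run it only against devices you own or are authorized to test; the point is finding your own exposed Telnet logins before someone else's scanner does.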

3 of 222 comments

  1. Re:correction by butalearner · Score: 3, Informative

    Why no fail2ban or DenyHosts? I suppose my sshd doesn't allow root login, so stuff like that showing up in my logs is not a big concern anyway.

  2. Re:I can see where this is going by DarkOx · Score: 1, Informative

    I would be willing to entertain the argument if your device is set to the manufacturer's default published password with no banner making it clear the service is supposed to be publicly accessible; it's not very analogous to breaking and entering.

    It's much more like you have locks on your house but don't use them, and someone lets themselves in, has a look around, does no harm and does not remove anything. No, it's still not allowed; you can't just march around someone's private property with no expectation that you would reasonably be permitted and wanted there. That said, it's not a serious crime either; it's simple trespassing.

    That is really all this amounted to here. Everyone here getting so bent about it needs to get a sense of proportion.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html

  3. Re:Door by malakai · Score: 4, Informative

    This wasn't a simple port scan. I RTFA, so let me help you out.

    He (there is no They or We; read the end of the article) compromised devices and uploaded his own code. He was 'nice' about it, in the sense that he set the priority to 'NICE' and he put in some watchdogs and throttled bandwidth usage. He then used those compromised devices to further utilize other devices to do even more work (like using your router's HTTP interface to execute traceroute on his behalf, possibly inside your network).

    For the vast majority of the IPs he just ran nmap/ICMP; sure, that's nothing these days. For the half a million devices he turned into his own botnet... that's illegal.

    Also, he then released all the data. You could say that's good, or you can say that, as a script kiddie, all I have to do is d/l that torrent to get a list of IPs that run a version/flavor that I have a 0day on. No more need to scan the net myself.

    This is going to accelerate botnet growth. That may be good; maybe we'll finally figure out some way to detach/block IPs that fail to patch.