Slashdot Mirror

← Back to Stories (view on slashdot.org)

Botnet Uses Default Passwords To Conduct "Internet Census 2012"

Posted by Unknown on from the neat-hack dept.

An anonymous reader writes "By using four different login combinations on the default Telnet port (root/root, admin/admin, root/[no password], and admin/[no password]), an anonymous researcher was able to log into (and upload a binary to) 'several hundred thousand unprotected devices' and run 'a super fast distributed port scanner' to scan the enitre IPv4 address space." From the report: "While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. All data gathered during our research is released into the public domain for further study."

2 of 222 comments (clear)

  1. Re:correction by butalearner · · Score: 3, Informative

    Why no fail2ban or DenyHosts? I suppose my sshd doesn't allow root login so stuff like that showing up on my logs is not a big concern anyway.

  2. Re:Door by malakai · · Score: 4, Informative

    This wasn't a simple port scan. I RTFA, so let me help you out.

    He ( there is no They or We, read the end of the article ) compromised devices and uploaded his own code. He was 'nice' about it, in the sense he set the priority to 'NICE' and he put in some watchdogs and throttled bandwidth usage. He then used those compromised devices to further utilize other devices to do even more work ( like using your Router HTTP interface to execute Traceroute on his behalf, possibly inside your network ).

    For the vast majority of the IP's he just NMAP/ICMP sure, that's nothing these days. For the half a million devices he turned into his own bot net.... that's illegal.

    Also, he then released all the data. You could say that's good, or you can say that as a script kiddie, all I have to do is d/l that torrent to get a list IP's that run a version/flavor that I have a 0day on. No more need to scan the net myself.

    This is going to accelerate bot net growth. That may be good, maybe we'll finally figure out some way to detach/block IP's that fail to patch.

    --
    -Malakai
    A Dragon Lives in my Garage