Botnet Uses Default Passwords To Conduct "Internet Census 2012"

An anonymous reader writes "By using four different login combinations on the default Telnet port (root/root, admin/admin, root/[no password], and admin/[no password]), an anonymous researcher was able to log into (and upload a binary to) 'several hundred thousand unprotected devices' and run 'a super fast distributed port scanner' to scan the enitre IPv4 address space." From the report: "While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. All data gathered during our research is released into the public domain for further study."

  • by plover ( 150551 ) on Wednesday March 20, 2013 @12:22PM (#43224699) Homepage Journal

    If an unnamed biologist did his research this way (constructed a virus that infects creatures around the world), he wouldn't be called an "anonymous researcher", he'd be called a "mad scientist".

    And how do you know he didn't conduct these scans from his underground lair? For all we know, he may even own a Persian cat!

  • by ls671 ( 1122017 ) on Wednesday March 20, 2013 @12:32PM (#43224811) Homepage

    So he is the guy responsible for all these logs on my firewall. I am glad he is over with his research. Those nasty log lines and the alerts I get should now go away!

    Mar 19 14:08:29 myhost sshd[15477]: Failed password for root from 58.247.50.59 port 33203 ssh2
    Mar 19 14:08:26 myhost sshd[15475]: Failed password for root from 58.247.50.59 port 60725 ssh2
    Mar 19 14:08:24 myhost sshd[15473]: Failed password for root from 58.247.50.59 port 59984 ssh2
    Mar 19 14:08:22 myhost sshd[15471]: Failed password for root from 58.247.50.59 port 59254 ssh2
    Mar 19 14:08:19 myhost sshd[15469]: Failed password for root from 58.247.50.59 port 58527 ssh2
    Mar 19 14:08:17 myhost sshd[15465]: Failed password for root from 58.247.50.59 port 57790 ssh2
    Mar 19 14:08:16 myhost sshd[15463]: Failed password for root from 58.247.50.59 port 57082 ssh2
    Mar 19 14:08:13 myhost sshd[15461]: Failed password for root from 58.247.50.59 port 56363 ssh2
    Mar 19 14:08:11 myhost sshd[15459]: Failed password for root from 58.247.50.59 port 55647 ssh2
    Mar 19 14:08:09 myhost sshd[15457]: Failed password for root from 58.247.50.59 port 54922 ssh2
    Mar 19 14:08:06 myhost sshd[15455]: Failed password for root from 58.247.50.59 port 54195 ssh2
    Mar 19 14:08:04 myhost sshd[15453]: Failed password for root from 58.247.50.59 port 53487 ssh2
    Mar 19 14:08:01 myhost sshd[15449]: Failed password for root from 58.247.50.59 port 52734 ssh2
    Mar 19 14:07:59 myhost sshd[15447]: Failed password for root from 58.247.50.59 port 52018 ssh2
    Mar 19 14:07:57 myhost sshd[15445]: Failed password for root from 58.247.50.59 port 49218 ssh2
    Mar 19 14:08:38 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12700 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
    Mar 19 14:08:32 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12699 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
    Mar 19 14:08:29 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12698 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
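
Added example, not part of the comment above or of the original page: a small detector that reads syslog lines in the format posted above, groups sshd password failures by source address, and reports sources whose burst of failures crosses a threshold, together with how often the firewall's CONNECT LIMIT rule logged them. The sample lines, the addresses, the thresholds and the function name are constructed for illustration, and the year is an assumption because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format shown in the post above;
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 19 14:08:09 myhost sshd[15457]: Failed password for root from 203.0.113.7 port 54922 ssh2
Mar 19 14:08:06 myhost sshd[15455]: Failed password for root from 203.0.113.7 port 54195 ssh2
Mar 19 14:08:04 myhost sshd[15453]: Failed password for root from 203.0.113.7 port 53487 ssh2
Mar 19 14:08:01 myhost sshd[15449]: Failed password for root from 203.0.113.7 port 52734 ssh2
Mar 19 14:07:59 myhost sshd[15447]: Failed password for root from 203.0.113.7 port 52018 ssh2
Mar 19 14:07:57 myhost sshd[15445]: Failed password for admin from 203.0.113.7 port 49218 ssh2
Mar 19 13:02:11 myhost sshd[15102]: Failed password for invalid user bob from 198.51.100.23 port 40112 ssh2
Mar 19 14:08:12 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= SRC=203.0.113.7 DST=X.X.X.X PROTO=TCP SPT=33971 DPT=22 SYN
Mar 19 14:08:15 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= SRC=203.0.113.7 DST=X.X.X.X PROTO=TCP SPT=33971 DPT=22 SYN
"""

SSHD_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
# "CONNECT LIMIT:" is the log prefix that appears in the poster's firewall lines.
FW_RE = re.compile(r" kernel: CONNECT LIMIT: .*\bSRC=(\S+) .*\bDPT=22\b")

def find_bruteforce(log_text, threshold=5, window_s=60, year=2013):
    """Return {src: summary} for sources with >= threshold failed logins
    inside any window_s-second span. `year` is assumed (syslog omits it)."""
    failures = defaultdict(list)   # src -> [(timestamp, user)]
    fw_hits = defaultdict(int)     # src -> rate-limit log lines on port 22
    for line in log_text.splitlines():
        if m := SSHD_RE.match(line.strip()):
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            failures[m[3]].append((ts, m[2]))
        elif m := FW_RE.search(line):
            fw_hits[m[1]] += 1
    report = {}
    for src, events in failures.items():
        events.sort()              # input may be newest-first, as in the post
        times = [t for t, _ in events]
        peak = lo = 0
        for hi in range(len(times)):   # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            report[src] = {"failures": len(times), "peak_in_window": peak,
                           "users": sorted({u for _, u in events}),
                           "firewall_hits": fw_hits[src]}
    return report
```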

  • Re:enitre (Score:2, Funny)

    by Anonymous Coward on Wednesday March 20, 2013 @12:39PM (#43224887)

    Yeah, but what about all the people who actually *chose* those passwords?

  • by Overzeetop ( 214511 ) on Wednesday March 20, 2013 @12:49PM (#43224987) Journal

    Which is why I always use admin/root for username and password on my systems. You'd think these people would learn not to be so careless. :-)

  • by ThatsNotPudding ( 1045640 ) on Wednesday March 20, 2013 @01:42PM (#43225565)

    Honestly, my first thought was, "What research ethics committee gave him the go-ahead?"

    The Google Street View ethics committee?

  • by Flea of Pain ( 1577213 ) on Wednesday March 20, 2013 @02:22PM (#43225943)

    Oh ya? My router drops ALL requests...

    It may be time for a new router.

  • by viperidaenz ( 2515578 ) on Wednesday March 20, 2013 @04:13PM (#43227107)

    Just take a root login attempt from Slashdot's hosts. Then we won't have to hear from him for 90 days.
