Intel Reports
Accessible RDP
This report identifies hosts that have Remote Desktop (RDP) Service running and accessible to the world on the Internet. Misconfigured RDP can allow miscreants access to the desktop of a vulnerable host and can also allow for information gathering on a target host as the SSL certificate used by RDP often contains the system’s trivial hostname.
Remedy: Disable RDP from being world accessible by applying firewall rules either at the border or at the server itself
Accessible Telnet
This report identifies hosts that have a Telnet instance running on port 23/TCP that accessible on the Internet. Telnet provides no encryption and may expose sensitive information or system credentials.
Remedy: Disable Telnet service and use more secure protocols such as SSH or firewall the telnet services
SSL Scan
This report identifies hosts that allow the use of SSL v3.0 with cipher-block chaining (CBC) mode ciphers which are vulnerable to the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. See US-CERT alert TA14-290A at: https://www.us-cert.gov/ncas/alerts/TA14-290A for more information on this vulnerability and exploit.
Statistics for these servers can be found here.
Remedy: Use TLS, patch OpenSSL or disable SSLv3
Compromised Websites
This report is a list of all the websites we – or our collaboration partners – have been able to identify and verify to be compromised. These websites might be used for sending spam, participating in DDoS attacks, redirecting users to exploit kits etc.
A large subset of these compromises are caused by outdated versions of CMSes such as Joomla/Drupal/Wordpress (or plugins for these) and weak or keylogged FTP credentials.
As always, there is no guarantee that there are no additional infections/compromises on any IP we report on. We have seen several different criminal groups abusing the same compromised system for different purposes. The same IP/domain that is hosting a spambot may also be used for infecting unsuspecting users. We recommend investigating systems with the assumption that there are more compromises on the systems than what is reported.
Remedy: Upgrade the CMS
Open IPMI
This report identifies hosts that have the Intelligent Platform Management Interface (IPMI) service open (port 623/UDP) and accessible from the Internet.
IPMI is the base of most of the Out Of Band / Lights Out management suites and is implemented by the server’s Baseboard Management Controller (BMC). The BMC has near complete access and control of the server’s resources, including, but not limited to, memory, power, and storage. Anyone that can control your BMC (via IPMI), can control your server.
IPMI instances in general are known to contain a variety of vulnerabilities, some more serious than other. In short; you really do not want to expose IPMI to the Internet. If you are not convinced yet, please take a look at the excellent work by Dan Farmer on IPMI security issues at http://fish2.com/ipmi/ and US-CERT alert TA13-207A at https://www.us-cert.gov/ncas/alerts/TA13-207A
Statistics for these servers can be found here.
Remedy:
- Restrict IPMI to Internal Networks
- Utilize strong passwords
- Encrypt the traffic
- Require authentication and disable anonymous logins
Open Memcached
This report identifies hosts that have the Memcached key-value store (see memcached.org for more information) running and accessible on the Internet. Since this service does not support authentication, any entity that can access the MemCached instance can have complete control over the key-value store.
In addition, instances of MemCacheD that are accessible via UDP may be abused in amplification-style denial of service attacks.
Remedy:
- Bind Memcached to a local interface
- Disable this UDP service if not required
- Protect your server with conventional network security best practices such as restricting access to MemCacheD
- Install available security updates
SSL Freak Scan
This report identifies hosts that allow the use of SSL/TLS with RSA_EXPORT ciphers (aka “export-grade” encryption). Hosts using these weakened ciphers can be used in a man-in-the-middle attack which forces a browser to use a weak export key, which is easily crackable. This is called a FREAK (Factoring RSA Export Keys) attack. More information on the FREAK attack can be found at https://www.smacktls.com and https://www.digicert.com/blog/freak-attack-need-know/
Remedy
- Disable support for all export-grade cipher suites on your servers.
- Patch OpenSSL
- On the client side, patch the browsers
Open Portmapper
This report identifies hosts that have the Portmapper service (see Wikipedia for general information on this service) running and accessible on the public Internet. This service has the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks (see US-CERT Alert TA14-017A) and Level3’s Blog for more information).
In addition to being used in denial of service attacks, portmapper can be used to obtain a large amount of information about the target, including the NFS exports that are hosted by that device, if the mountd program is also accessible.
The analogous shell command to mimic our portmapper scan is:
rpcinfo -T udp -p [IP]
And the analogous shell command that mimics our probe of the mountd program is:
showmount -e [IP]
Remedy
- Disable portmapper
Open mDNS
This report identifies hosts that have the mDNS service (see https://en.wikipedia.org/wiki/Multicast_DNS for more information) running and accessible from the Internet. mDNS can be probed in a unicast fashion and can respond in methods similar to a standard dns server.
Our initial probe tests to see if mDNS is accessible on the Internet and collects the information that it discloses, including a list of services that may be accessible via further mDNS probes. If a host is found to have the services “_workstation._tcp.local” or “_http._tcp.local” running, secondary probes are performed to collect whatever system information is returned. Some of the information that may be returned includes: trivial name of the device, IPv4 and IPv6 address(es) of the device (this may include RFC1918 addresses that are not meant to be leaked), MAC address information of the device, and potentially other information.
Remedy
- Disable the mDNS service unless required
- Restrict access to trusted clients, for example by blocking incoming connections to port 5353/UDP on the firewall.
- On Ubuntu, apt-get remove avahi-daemon
Open LDAP
This report identifies hosts that have an LDAP instance running on port 389/UDP and accessible on the Internet. These hosts are often Active Directory servers. In addition to allowing for an ~60x amplification vector, the data that is disclosed by the server could reveal large amounts of information about the network that the server resides on.
Remedy
- Restrict LDAP access to only services that require it – most times these are local services. Can be implemented by use of a firewall
Accessible SMB
This report identifies hosts that have an SMB instance running on port 445/TCP and accessible on the Internet. This service should not be exposed to the Internet
Remedy
- Do not expose the SMB service to the Internet but rather restrict it to where it is used
Accessible CiscoSmartInstall
This report identifies hosts that have the Cisco Smart Install feature running and accessible to the Internet at large. This feature can be used to read or potentially modify a switch’s configuration.
More details can be found on Cisco’s PSIRT blog.
Remedy
- Cisco strongly recommends disabling the Smart Install feature with the no vstack configuration command.
DNS Scan (Open Resolver)
The Shadowserver Foundation is currently undertaking a project to search for publicly available recursive DNS servers. The goal of this project is to identify DNS servers that will send a reply to any IP address for domains that the DNS server is not authoritative for and report them back to the network owners for remediation.
These servers have the potential to be used in DNS amplification attacks and if at all possible, we would like to see these services made un-available to miscreants that would misuse these resources.
Remedy
- Ensure that the authoritative DNS servers can only service requests for known domains
- Recursive DNS servers should only do recursion for known networks such as institutional ones
NTP Version
This report identifies NTP servers that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. The NTP version command is a Mode 6 query for READVAR. While not as bad as the Mode 7 query for MONLIST, the queries for READVAR will normally provide around 30x amplification.
To manually test if a system is vulnerable to this, you can use the command: ntpq -c rv [ip]
Statistics for these servers can be found here.
Instructions for restricting READVAR can be found here.
Remedy
- Disable inbound traffic on port 123/UDP
Open SNMP
This report identifies hosts with SNMPv2 publicly accessible and responding to the community “public” that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. Statistics for these hosts can be found here.
The OID being probed for is 1.3.6.1.2.1.1.1.0 (sysDescr) and if the host responds to that probe, the host is then probed for OID 1.3.6.1.2.1.1.5.0 (sysName). The analogous shell commands would be:
snmpget -c public -v 2c [ip] 1.3.6.1.2.1.1.1.0
snmpget -c public -v 2c [ip] 1.3.6.1.2.1.1.5.0
Remedy
- Use a strong community string other than “public”
Open NetBios
This report identifies hosts that have the NetBIOS service running and accessible on the Internet. These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. Statistics for these hosts can be found here.
The analogous shell command (from a windows box) to identify these hosts would be:
nbtstat -A [ip]
Remedy
- Do not expose the NetBIOS service to the Internet but rather restrict it to where it is used on port 137/UDP
Open SSDP
This report identifies hosts that have the Simple Service Discovery Protocol (SSDP) running and accessible on the Internet. These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. Statistics for these hosts can be found here.
Remedy
- Do not expose the SSDP service to the Internet but rather restrict it to where it is used on port 1900/UDP
Open TFTP
This report identifies hosts that have the TFTP service running and accessible on the Internet. Our probe tests to see if the TFTP service is accessible and will either return the file that we are asking for or return an error code. We are not testing to see if file upload is enabled.
Please note that unlike other UDP services that we test for, the response from TFTP is often received on a port that is different than what was queried! Probes sent to a host on port 69/UDP may generate responses that source from ephemeral high ports.
Remedy
- Do not expose the TFTP service to the Internet but rather restrict it to where it is used on port 69/UDP unless it is required
Open HTTP
This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) running on some port and accessible on the Internet.
Remedy
- This report is just informational but where it is not required, disable the HTTP service
Open NATPMP
This report identifies hosts that have the NAT Port Mapping Protocol (NAT-PMP) running and accessible on the Internet. These services have the potential to expose information about a clients network on which this service is accessible. Information on this vulnerability can be found here.
Remedy
- Deploy firewall rules to block untrusted hosts from being able to access port 5351/UDP.
- Consider disabling NAT-PMP on the device if it is not absolutely necessary.
Open MSSQL
This report identifies hosts that have the MS-SQL Server Resolution Service running and accessible on the Internet. These services have the potential to expose information about a clients network on which this service is accessible and the service itself can be used in UDP amplification attacks.
Remedy
- Deploy firewall rules to block untrusted hosts from being able to access MS-SQL Server
Vulnerable ISAKMP
This report identifies hosts that have a vulnerable IKE service accessible on the Internet. For more information please see the Cisco Security Advisory
Remedy
- Implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
- You are advised to monitor affected systems.
Botnet
This report contains a list of IPs that may have been compromised and now part of a bigger bot network
Remedy
- Monitor the affected systems for any suspect traffic flowing to and fro the system
- Apply security patches to applications running on the affected systems
Sinkhole HTTP Drone
These IP addresses are all the devices that joined the Shadowserver Sinkhole server that did not arrive through the usage of an HTTP referrer. Since the Sinkhole server is only accessed through previously malicious domain names, only infected system, or security researchers should be seen in this list.
Remedy
- Monitor the affected systems for any suspect traffic flowing to and fro the system
- Apply firewall filters on the server to allow only required traffic.
Drone Bruteforce
This report identifies hosts that have been observed performing brute force attacks.
Remedy
- Monitor the affected systems for any suspect traffic flowing to and fro the system
- Apply firewall filters on the server to allow only required traffic.
Blacklist
This report is the aggregation of a variety of different Blacklist providers. The purpose in sharing this information is to alert the end-users that specific IP addresses of theirs have been flagged by providers as possibly malicious and different services might be impacted because of this blacklisting. The option to remove any system from a blacklist will vary by the provider. Some will have a well documented process and some will demand payment for removal.
Remedy
- Identify the blacklisted host and use blacklist provider steps to delist its IP address. Identification can also help in determining the real cause of the blacklist
Darknet
A darknet is a portion of network, a certain routed space of IP Addresses in which there are no active servers or services. I.e., externally no packet should be directed to that address space.These systems are most likely sending or generating suspicious traffic hence signs of compromise.
Remedy
- Monitor the affected systems for any suspect traffic flowing to and fro the system – if there are any applications generating this traffic, apply patches or disable where unnecessary.
