September 18, 2016
A recent brute-force scan of FTP servers available online via an IPv4 address revealed that 796,578 boxes can be accessed without the need for any credentials.
The perpetrator of this scan is a security researcher who goes by the name of Minxomat, owner of a cyber-security firm that performs these types of scans on a regular basis, but usually in a much more targeted manner and for the purpose of detecting malicious traffic and its sources.
Minxomat details the process on his blog, where he explains how he wrote a simple script and scanned all IPv4 addresses, attempting to connect via port 21 with the “anonymous” user and no password.
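The check the scan relied on is the standard FTP login dialogue: send `USER anonymous`, send a `PASS`, and see whether the server answers with a 230 "logged in" reply or a 530 refusal. The following is an added example, not Minxomat's script or any code from the article, written for administrators who want to audit servers they own for anonymous access. It separates the reply-code logic (tested offline against a constructed transcript) from a single-host probe built on Python's `ftplib`; the hostnames and transcript lines are constructed for illustration.

```python
"""Audit a single FTP server for 'anonymous' login (added example, not the article's code).

Hostnames and the sample transcripts below are constructed for illustration.
"""
import ftplib
from typing import Iterable, Optional


def parse_reply_code(line: str) -> Optional[int]:
    """Return the three-digit FTP reply code at the start of a server line, or None."""
    if len(line) >= 3 and line[:3].isdigit():
        return int(line[:3])
    return None


def anonymous_login_accepted(server_replies: Iterable[str]) -> bool:
    """Decide from a server's reply lines whether an anonymous login succeeded.

    The login dialogue is USER anonymous -> (331 or 230), then PASS -> (230 or 530).
    RFC 959 puts successful logins in the 2xx class (230 "User logged in") and
    refusals in the 5xx class (530 "Not logged in"). Multi-line replies such as
    "230-Welcome" continue until a line with a space in the fourth position,
    so only those terminating lines are treated as the final answer.
    """
    for line in server_replies:
        code = parse_reply_code(line)
        if code is None or len(line) < 4 or line[3] != " ":
            continue  # continuation line or banner text, not a final reply
        if code == 230:
            return True
        if code >= 500:
            return False
    return False  # no definitive "logged in" reply was ever seen


def check_host(host: str, port: int = 21, timeout: float = 5.0) -> Optional[bool]:
    """Try 'anonymous' with an empty password against one server you administer.

    Returns True if the login is accepted, False if the server refuses it,
    and None if the server could not be reached or spoke broken FTP.
    ftplib raises error_perm on a 5xx reply; note that it substitutes the
    conventional 'anonymous@' password when an empty one is given.
    """
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(user="anonymous", passwd="")
            return True
    except ftplib.error_perm:
        return False
    except ftplib.all_errors:  # includes OSError, EOFError and protocol errors
        return None


# Constructed transcripts of the server side of the login dialogue.
SAMPLE_OPEN_SERVER = [
    "220 (vsFTPd 3.0.3)",
    "331 Please specify the password.",
    "230 Login successful.",
]
SAMPLE_CLOSED_SERVER = [
    "220 FTP server ready.",
    "331 Please specify the password.",
    "530 Login incorrect.",
]
SAMPLE_MULTILINE_BANNER = [
    "220 ready",
    "331 ok",
    "230-Welcome, anonymous user.",
    "230-Everything here is read-only.",
    "230 Login successful.",
]


if __name__ == "__main__":
    for name, transcript in [("open", SAMPLE_OPEN_SERVER),
                             ("closed", SAMPLE_CLOSED_SERVER),
                             ("multiline", SAMPLE_MULTILINE_BANNER)]:
        print(f"{name}: anonymous accepted = {anonymous_login_accepted(transcript)}")
    # Live probe of a host you own, e.g. check_host("ftp.example.internal")
```

A server that returns True from `check_host` is in the same state as the 796,578 boxes the article counts; on vsftpd the fix is `anonymous_enable=NO` in `vsftpd.conf`, and on any server the result should be re-checked after the change, since a 230 reply with an empty directory listing is still an open login.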
The scan was carried out with a simple Linux VM
In an email exchange with Softpedia, Minxomat detailed the reason. “I wanted to demonstrate how everyone, even on a low-power KVM instance, can perform a meaningful analysis of raw scandata,” the researcher said.
“That meant using no off-the-shelf scanning tools, but the simplest bash scripts imaginable. It worked surprisingly well for such a suboptimal approach, and that’s why I wanted to share my findings and process,” he also added.
If you’re curious, the researcher’s rig was “a single KVM instance, running a single 2GHz vCore with 2GiB of RAM and 10GiB of HDD space. […] The server was connected to a 250Mbps virtual switchport, but traffic never exceeded about 1MB/s.”