drill-user mailing list archives

From Bob Rudis <...@rud.is>
Subject FYI: Open Drill instances on the internet
Date Tue, 15 Jan 2019 17:02:49 GMT
Hey Drillers,

There's been a spate of attacker groups looking for (for lack of a better term) "big data-ish"
open servers on the internet.

We've caught quite a few going after Hadoop, Spark and other things but I've also recently
seen some hits to our global sensor network on 8047 (a port I know very, very well).

I decided to inventory that port (it's part of what I/we do at $DAYJOB and for our less-targeted
scans you can see and grab our data at opendata.rapid7.com) and there's a bunch of "garbage"
mixed in on there (folks "hiding" web services and other things on what they may think is
an unused high port) but there are also ~100 open Drill instances (and most requiring no auth)
out there.

Here's the country distribution:

   country_name             n
   <chr>                 <int>
 1 China                    37
 2 United States            31
 3 Germany                   5
 4 Singapore                 5
 5 France                    4
 6 India                     4
 7 Canada                    2
 8 Korea, Republic of        2
 9 Costa Rica                1
10 Japan                     1
11 Lithuania                 1
12 Pakistan                  1

It's highly unlikely anyone here has hung an instance off the internet unawares, but it might
be a good idea to double-check your perimeter networks or cloud setups to make sure you've
got the config you think you do.

For obvious reasons I won't share the IP address list publicly but can check for presence
on said list if anyone wants to submit a direct inquiry.

I'm not having much luck getting the CERTs in countries 2:12 to do much about this (country
#1 never responds to inquiries) as it's not a wild exposure so I'm trying other avenues. I
just don't like seeing others be put in harm's way.
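Added example (not part of Bob's post or of the Drill project): a small self-audit script for hosts you own, to back up the "double-check your perimeter" advice above. It assumes Drill's REST endpoint /status.json answers with a JSON document containing a "status" key, and that an auth-enabled instance rejects anonymous requests (401/403) or redirects them to a login page; both are assumptions labelled in the code, and anything else on 8047 is reported as "not-drill" (the "garbage" services the post mentions).

```python
"""Self-audit: does a host you own expose the Drill web UI on 8047 without auth?"""
import json
import socket
import sys
import urllib.error
import urllib.request

DRILL_PORT = 8047  # Drill's default web UI / REST port, as discussed in the post


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx, so a redirect to /login is visible to classify()."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError with the 3xx code and headers


def classify(status, headers, body):
    """Map one HTTP reply from /status.json to an audit verdict.
    Assumption (not from the post): auth-enabled Drill returns 401/403 or a
    redirect to a login page; an open instance returns JSON with a "status" key."""
    location = (headers.get("Location") or "").lower()
    if status in (401, 403) or (status in (301, 302, 303, 307) and "login" in location):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "not-drill"  # e.g. a web app "hidden" on 8047
        if isinstance(doc, dict) and "status" in doc:
            return "open-no-auth"
    return "not-drill"


def probe(host, port=DRILL_PORT, timeout=5.0):
    """Fetch /status.json from one of your own hosts and classify the answer."""
    url = "http://%s:%d/status.json" % (host, port)
    opener = urllib.request.build_opener(NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.headers, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, socket.timeout, OSError):
        return "closed"


def audit(hosts):
    """Return {host: verdict} for an inventory of hosts you are responsible for."""
    return {h: probe(h) for h in hosts}


if __name__ == "__main__":
    for host, verdict in audit(sys.argv[1:]).items():  # hosts given on the command line
        print("%-40s %s" % (host, verdict))
```

Anything reported as "open-no-auth" is the situation the post describes: a Drill web UI reachable with no login in front of it.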

