I have quite a few servers located in different regions of the world. Historically I ran a small web hosting company, and hence I had quite a bit of infrastructure for it.
These days they are mostly used to host my own projects, as private VPN breakouts and as routing servers. Having these servers has, over time, made me quite paranoid about who tries to connect to them or simply knocks on any of the ports. I have firewalls running on all of them, plus various tools that continuously monitor all activity and warn me about strange things happening.
The other day I had such a warning. An IP had tried to connect to my server via several ports: SSH, SMTP, IMAP and NNTP. It caught my attention right away and I had to check the IP.
Mostly when this happens, the IP just ends up in some dynamic IP pool from an ISP somewhere in the world, usually some random person whose private PC got infected with malware.
This time, however, the IP was from a range allocated to a relatively big company. Not just any company, but one of the biggest raw diamond distributors in the world.
Password foo 101
I got curious and punched the IP address into my web browser, and lo and behold, a remote desktop login prompt showed up. It even had the company name in the title and everything.
Having worked with quite a few crappy Windows administrators in my life I thought: what the heck, let's see how secure they are.
So I took the top 3 most common stupid Windows username/password combos:
- administrator / administrator
- administrator / password
- guest (no password)
Guess what! They had a guest account without a password. I was redirected to some limited remote desktop. It seemed like a locked-down guest account at first. At the top of the screen there was the usual toolbar for the remote desktop, with access to uploading and downloading files. I pressed one of the buttons expecting it to fail, but it worked. This system was like an open book: right-click any folder and I could get a new file explorer from that place.
Reported not fixed
I had no interest in hacking the system (they had enough problems already), but from the file browser I could see that this machine was connected to several other machines, including a few named something with NAS. I could see why this system was infected by malware/hackers, and from this point on I did three things:
- disconnect from the system
- block the system in my firewall script so it will be blocked on all my systems from this point on
- send an email to the company with info about my findings and a request for them to fix their broken systems.
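The second step above, blocking the address on every server, is the part that lends itself to code. The following is an added example and not the author's own firewall script: a small POSIX shell helper that validates an IPv4 address, appends it to a shared blocklist file (refusing duplicates and malformed input) and renders that file as an nftables set, so the same list can be distributed to each host. The blocklist path, the `inet filter` table name and the `blocklist` set name are assumptions; the address used in the usage line is a documentation address, not the one from the story.

```shell
#!/bin/sh
# Added example: shared IP blocklist with validation, rendered as an nftables set.
# Not the author's firewall script. Path and nftables names below are assumptions.
BLOCKLIST="${BLOCKLIST:-./blocklist.txt}"   # assumed location; override via environment

# valid_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0..255.
valid_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit chars, leading/trailing/double dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr                            # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDR: validate ADDR and append it to the blocklist once.
# Prints "added", "exists" or "invalid"; returns 1 only for invalid input.
block_ip() {
    addr=$1
    if ! valid_ipv4 "$addr"; then
        echo "invalid"; return 1
    fi
    touch "$BLOCKLIST"
    if grep -qxF "$addr" "$BLOCKLIST"; then  # exact full-line match, no regex
        echo "exists"; return 0
    fi
    echo "$addr" >> "$BLOCKLIST"
    echo "added"; return 0
}

# render_nft: print an nftables ruleset dropping every address in the blocklist.
# Intended to be written to a file and loaded with `nft -f` on each server.
render_nft() {
    elems=$(paste -s -d ',' "$BLOCKLIST" 2>/dev/null)
    printf 'table inet filter {\n'
    if [ -n "$elems" ]; then
        printf '  set blocklist { type ipv4_addr; elements = { %s } }\n' "$elems"
    else
        printf '  set blocklist { type ipv4_addr; }\n'   # nft rejects an empty elements list
    fi
    printf '  chain input { type filter hook input priority 0; policy accept; ip saddr @blocklist drop; }\n'
    printf '}\n'
}

# Usage when run as a script: ./blocklist.sh 203.0.113.5 > blocklist.nft
if [ $# -gt 0 ]; then
    block_ip "$1" && render_nft
fi
```

Run the script with the offending address as its argument, copy the resulting `.nft` file (or the blocklist file plus the script) to each server, and load it with `nft -f`. The validation matters because the list is fed straight into a ruleset: a stray word or a mistyped range would otherwise break the load on every host at once.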
I doubt that they will even thank me for sending this info to them (they haven't responded so far), but hopefully they will get the system taken offline at some point (at least now the guest account has been removed).