Very few have write access enabled, though

Sep 18, 2016 21:55 GMT

A recent brute-force scan of FTP servers available online via an IPv4 address revealed that 796,578 boxes can be accessed without the need for any credentials.

The perpetrator of this scan is a security researcher who goes by the name of Minxomat, owner of a cyber-security firm that performs these types of scans on a regular basis, but usually in a much more targeted manner and for the purpose of detecting malicious traffic and its sources.

Minxomat details the process on his blog, where he explains how he wrote a simple script and scanned all IPv4 addresses, attempting to connect via port 21 with the "anonymous" user and no password.

The scan was carried out with a simple Linux VM

In an email exchange with Softpedia, Minxomat explained his reasons. "I wanted to demonstrate how everyone, even on a low-power KVM instance, can perform a meaningful analysis of raw scandata," the researcher said.

"That meant using no off-the-shelf scanning tools, but the simplest bash scripts imaginable. It worked surprisingly well for such a suboptimal approach, and that's why I wanted to share my findings and process," he added.

If you're curious, the researcher's rig was "a single KVM instance, running a single 2GHz vCore with 2GiB of RAM and 10GiB of HDD space. [...] The server was connected to a 250Mbps virtual switchport, but traffic never exceeded about 1MB/s."

There are better approaches to scanning the entire Internet

Minxomat has in the past scanned for other types of open ports, such as MongoDB, CouchDB, and Redis, and has also scanned for open FTP ports before.

"Today, commercially, we do mostly reverse-DNS crawling," he said. "This is a better approach for our application than the brute-force IP scan that I demonstrated in my [blog] post."

His research shows how simple it is, and how few resources a determined attacker would need, to scan and compile a list of potential targets.

List of exposed FTP servers available on GitHub

Minxomat, who released the full list of IP addresses on GitHub, says that this is not as big an issue as you'd expect.

"FTP servers that allow anonymous write access are quite rare," Minxomat told Softpedia. "Those are extreme cases though."

Nevertheless, server owners should take no risks and use Minxomat's research as an opportunity to secure their servers. Infosec experts have been constantly scanning the Internet for open server services and warning companies through their research.
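
For server owners who want to check their own configuration, the sketch below classifies an FTP server config by the two exposures the article distinguishes: anonymous login and anonymous write access. It is an added example, not code from Minxomat or Softpedia. It assumes the server is vsftpd (the article names no FTP daemon), and the sample configs are constructed.

```python
# Added example: classify a vsftpd.conf by anonymous exposure.
# Assumption: the server runs vsftpd. Sample configs below are constructed.

# vsftpd's built-in defaults, per vsftpd.conf(5), for the options checked here.
DEFAULTS = {
    "anonymous_enable": "YES",  # anonymous login is ON unless set to NO
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}
ANON_WRITE_OPTIONS = ("anon_upload_enable", "anon_mkdir_write_enable",
                      "anon_other_write_enable")
TRUE_VALUES = {"YES", "TRUE", "1"}


def effective_settings(conf_text):
    """Start from the defaults, then apply every option=value line."""
    settings = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or not a setting
        key, value = line.split("=", 1)
        if key in DEFAULTS:
            settings[key] = value.strip().upper()
    return settings


def classify(conf_text):
    """Return 'closed', 'anonymous-read' or 'anonymous-write'."""
    s = effective_settings(conf_text)
    if s["anonymous_enable"] not in TRUE_VALUES:
        return "closed"
    # Anonymous writes need write_enable plus at least one anon_* write option.
    can_write = s["write_enable"] in TRUE_VALUES and any(
        s[opt] in TRUE_VALUES for opt in ANON_WRITE_OPTIONS)
    return "anonymous-write" if can_write else "anonymous-read"


SAMPLES = {  # constructed configs, not taken from any real server
    "no anonymous line": "listen=YES\nlocal_enable=YES\n",
    "commented out": "#anonymous_enable=NO\nlisten=YES\n",
    "explicitly closed": "anonymous_enable=NO\nwrite_enable=YES\nanon_upload_enable=YES\n",
    "upload without write_enable": "anonymous_enable=YES\nanon_upload_enable=YES\n",
    "anonymous upload": "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n",
}

if __name__ == "__main__":
    for name, conf in SAMPLES.items():
        print(f"{name}: {classify(conf)}")
```

A config that never mentions `anonymous_enable`, or only has it commented out, still classifies as `anonymous-read`, because vsftpd's compiled-in default for that option is YES.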