EvilZone
Hacking and Security => Hacking and Security => : vezzy February 13, 2014, 06:02:57 PM
http://blog.steve.org.uk/secure_your_rsync_shares__please_.html
Recently I started doing an internet-wide scan for rsync servers, thinking it might be fun to write a toy search-engine/indexer.
Even the basics, such as searching against the names of exported shares, would be interesting, I thought.
Today I abandoned that after exploring some of the results (created with zmap), because there's just too much private data out there, wide open.
IP redacted for obvious reasons:
shelob ~ $ rsync rsync://xx.xx.xx.xx/
ginevra Ginevra backup
krsna Alberto Laptop Backup
franziska Franz Laptop Backup
genoveffa Franz Laptop Backup 2
Some nice shares there. Let's see if they're as open as they appear to be:
shelob ~ $ rsync rsync://xx.xx.xx.xx/ginevra/home/
drwxrwsr-x 4096 2013/10/30 13:42:29 .
drwxr-sr-x 4096 2009/02/03 10:32:27 abl
drwxr-s--- 12288 2014/02/12 20:05:22 alberto
drwxr-xr-x 4096 2011/12/13 17:12:46 alessandra
drwxr-sr-x 20480 2014/02/12 22:55:01 backup
drwxr-xr-x 4096 2008/10/03 14:51:29 bertacci
..
Yup. Backups of /home, /etc/, and more.
I found numerous examples of this, along with a significant number of hosts that exported "www" + "sql", as a pair, and a large number of hosts that just exported "squid/". I assume they must be some cpanel-like system, because I can't understand why thousands of people would export the same shares with the same comments otherwise.
I still would like to run the indexer, but with so much easy content to steal, well, I think the liability would kill me.
I considered not posting this, but I suspect "bad people" already know...
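An added example, not part of the quoted post or of the linked blog: the listing above comes from running `rsync rsync://host/` against a daemon whose modules have no `auth users` and no `hosts allow`, so the fix lives in rsyncd.conf. The script below parses the module list that the daemon prints, then audits an rsyncd.conf the way a reviewer would, flagging modules that are advertised and readable by any source address. The sample listing, both config files, the user name `ginevra`, the secrets-file path and the network `192.0.2.0/24` are constructed for the example; the defaults it relies on (`list = yes`, `read only = yes`, no host or user restriction unless configured) are those documented in rsyncd.conf(5).

```python
"""Added example (not from the original post): parse the module listing that
``rsync rsync://host/`` prints, and audit an rsyncd.conf for the settings
that leave a module readable by anyone on the internet."""
import re

# Constructed sample of what ``rsync rsync://host/`` prints: the module name,
# padded, a tab, then the module's ``comment`` setting.
SAMPLE_LISTING = (
    "ginevra        \tGinevra backup\n"
    "krsna          \tAlberto Laptop Backup\n"
    "franziska      \tFranz Laptop Backup\n"
    "genoveffa      \tFranz Laptop Backup 2\n"
)

# Constructed rsyncd.conf of the kind that yields the listing above: every
# setting left at its default, so the modules are listed and world-readable.
WEAK_CONF = """\
[ginevra]
    path = /backups/ginevra
    comment = Ginevra backup

[krsna]
    path = /backups/krsna
    comment = Alberto Laptop Backup
"""

# Constructed hardened version (assumed names/paths): not advertised, only the
# named user may read it, and only from one network. The secrets file must be
# readable by root only or the daemon refuses it under the default strict modes.
HARDENED_CONF = """\
uid = backup
gid = backup
use chroot = yes
read only = yes

[ginevra]
    path = /backups/ginevra
    comment = Ginevra backup
    list = no
    auth users = ginevra
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.0.2.0/24
"""

# Defaults from rsyncd.conf(5) that the audit falls back on.
DEFAULTS = {"list": "yes", "read only": "yes"}


def parse_module_listing(text):
    """Return {module_name: comment} from the daemon's module list output.

    Assumes the text is the module list only (any motd banner removed).
    """
    modules = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        parts = line.split(None, 1)
        modules[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return modules


def parse_rsyncd_conf(text):
    """Minimal rsyncd.conf parser: (global settings, {module: settings}).

    Module sections inherit the global settings, as rsyncd does. Only whole-line
    comments (# or ;) are recognised, matching rsyncd.conf's own rule.
    """
    global_settings, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.match(r"\[(.+)\]$", line)
        if section:
            current = section.group(1).strip()
            modules[current] = {}
            continue
        key, _, value = line.partition("=")
        target = global_settings if current is None else modules[current]
        target[key.strip().lower()] = value.strip()
    return global_settings, {n: {**global_settings, **s} for n, s in modules.items()}


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_module(settings):
    """Findings for one module; an empty list means nothing to flag."""
    findings = []
    if _truthy(settings.get("list", DEFAULTS["list"])):
        findings.append("advertised in the module list (consider 'list = no')")
    if not settings.get("auth users"):
        findings.append("no 'auth users': any client can read it without a password")
    elif not settings.get("secrets file"):
        findings.append("'auth users' set but no 'secrets file': logins will fail")
    if not settings.get("hosts allow"):
        findings.append("no 'hosts allow': reachable from every source address")
    if not _truthy(settings.get("read only", DEFAULTS["read only"])):
        findings.append("'read only = no': clients can upload and overwrite files")
    return findings


def audit_rsyncd_conf(text):
    """Map each module in the config to its list of findings."""
    _, modules = parse_rsyncd_conf(text)
    return {name: audit_module(s) for name, s in modules.items()}


if __name__ == "__main__":
    for name, comment in parse_module_listing(SAMPLE_LISTING).items():
        print(f"module {name!r}: {comment}")
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for name, findings in audit_rsyncd_conf(conf).items():
            print(f"[{label}] {name}: {findings or 'OK'}")
```

The audit is deliberately conservative: `auth users` plus a `secrets file` stops anonymous reads, `hosts allow` limits who can even connect, and `list = no` only hides the module from `rsync rsync://host/`, so it is noted but is not a substitute for the other two. For an internet-facing host, running the daemon over SSH instead of TCP 873 removes the anonymous listing entirely.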