A security researcher going by Minxomat scanned IPv4 addresses and then released a list of nearly 800,000 open FTP servers, meaning no authentication is required to access them. His scan revealed that 4.32 percent of all FTP servers in the IPv4 address space allowed “anonymous” users to log in with no password.
“This is a list of all (796,578) FTP servers directly connected to port 21 in the IPv4 address space that allow anonymous logins,” Minxomat wrote on GitHub. “The login must be completed in less than five seconds to qualify for this list.”
If an FTP server was meant to be public, he did not include it in the list. In his post describing “mass-analyzing a chunk of the internet,” Minxomat said he set up filters to exclude other results such as “POS system firmware update servers and printers (firmware|printer).”
Another class of results that can be excluded, unless a person really enjoys being threatened with legal action, is servers that warn off anyone who connects. Minxomat wrote, “There are some really aggressive servers that threaten you with criminal prosecution (which is not enforceable in most countries) if you so much as even access the server. Ironically these are mostly .gov servers that have no access restriction at all.”
Later, he decided the five-second response time was “not long enough to catch the really interesting stuff,” so he is currently rescanning with a 15-second response time.
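The criterion behind the list (an anonymous login on port 21 that completes inside a timeout) is easy for an operator to turn into a self-check against hosts they administer. The following is an added example and not the researcher's scan tooling; the stub responder, its replies and the placeholder e-mail address used as the anonymous password are constructed so the check can be exercised offline.

```python
import socket
import threading
import time
from ftplib import FTP, all_errors


def anonymous_login_allowed(host, port=21, timeout=5.0):
    """True if host:port accepts USER anonymous / PASS inside `timeout` seconds.
    Slow, unreachable or refusing servers count as "not open", the same rule
    the article's list applied (the login must finish within the timeout)."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login("anonymous", "audit@example.invalid")  # placeholder address as PASS
        return True
    except all_errors:  # timeout, refused connection, 530 reply, dropped socket
        return False
    finally:
        ftp.close()


def start_stub_ftp(allow_anonymous, banner_delay=0.0):
    """Constructed minimal FTP responder for offline testing; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        try:
            with conn, conn.makefile("rb") as rd:
                time.sleep(banner_delay)  # a slow server must fail the check
                conn.sendall(b"220 stub FTP service (constructed)\r\n")
                for line in rd:
                    cmd = line.split()[0].upper() if line.split() else b""
                    if cmd == b"USER":
                        conn.sendall(b"331 Please specify the password.\r\n")
                    elif cmd == b"PASS":
                        conn.sendall(b"230 Login successful.\r\n" if allow_anonymous
                                     else b"530 Login incorrect.\r\n")
                    else:
                        conn.sendall(b"502 Command not implemented.\r\n")
        except OSError:
            pass  # client went away (for example it timed out); nothing to do

    threading.Thread(target=serve, daemon=True).start()
    return port
```

Run `anonymous_login_allowed("127.0.0.1", start_stub_ftp(True), 2)` to see the open case; against real hosts, call it with a 5- or 15-second timeout to mirror the two scan settings described above.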
Teenage hacker claims to have accessed all FTPs on .us domains—including .gov
Although the two incidents may not be related, shortly after Minxomat released the list of open FTP servers, a teenage hacker going by “Fear” claimed to have gained access to and downloaded massive amounts of data from every state with a domain on .us, as well as some .gov domains.
“I gained access to an FTP server that listed access to all the FTPs on .us domains, and those .us domains were hosted along with .gov, so I was able to access everything they hosted, such as public data, private data, source codes etc.,” Fear told DataBreaches.net. It was “very simple,” he said, “to gain access to the first box that listed all the .us domains and their FTP server logins.”
He made off with tons of highly sensitive data, such as social security numbers, credit card numbers, contact information (including email addresses, snail mail addresses and phone numbers), and even some web-banking transactions. Fear claims there was no encryption to protect the data and that he could “read all of it in plain text form.”
Although Fear did provide some screenshots as proof, Dissent at DataBreaches did not see any from the pharmacy prescription monitoring program in Florida. However, Fear claimed he accessed the program designed for law enforcement to keep tabs on prescription use. “They had monthly reports on every citizen in Florida, and it included phone, address, name, SSN,” he said.
He intends to dump “small portions of private data.” His message to those responsible for securing state and government FTP servers is: “5 char passwords won’t save your boxes.”
On Sunday, someone in Florida attempted to secure the data, taking down the FTP server before password-protecting it and bringing it back up, but Fear said, “Too bad they don’t know it’s backdoored LOL…. they legit suck at security.”
Florida was allegedly the only state that Fear backdoored before he removed it, but as DataBreaches.net pointed out, “A lot of damage can be done with 13 hours of access to a lot of states, though.”