
MongoDB instances publicly exposed on the Internet - lladnar
https://blog.shodan.io/its-still-the-data-stupid/
======
gh02t
Huh, anybody know why DrugSupervise is in the top table names? Googling didn't
give me any results and it sounds like some kind of webapp for drugs or
something.

~~~
cjhveal
I found some mentions of "DrugSupervise" on a bunch of Chinese language sites,
which led me to find drugadmin.com. A Google Translate of the title tag tells
me it's a "Home _ Chinese Drug electronic monitoring network." I found another
website with troubleshooting instructions that claim .NET as a dependency and
show a Windows XP task manager with a process named DrugSupervise.exe. That
support website lists the owner as "CITIC Technology Group", which may or may
not be connected to the state-owned investment group "China International
Trust and Investment Corporation", which offers a bunch of cloud services
through their various subsidiaries.

I also found a GitHub repo with some C# code:
[https://github.com/katway/DrugSupervision](https://github.com/katway/DrugSupervision)

That's all I've got.

~~~
jeswin
Good find.

Since it is not a Web App and hence not publicly available to exploit:

Use of String.Format instead of parameterized queries is how SQL injection
issues sneak in. (Line 63,
[https://github.com/katway/DrugSupervision/blob/GuiDesign/Dru...](https://github.com/katway/DrugSupervision/blob/GuiDesign/DrugSupervise/ScannerForm.cs))
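
An added example (not code from the linked repo, which is C#): the pattern jeswin describes, a query assembled with a format call beside its parameterized form, shown in Python against an in-memory SQLite table. The table, its rows and the crafted input are all constructed here for illustration.

```python
"""Added example: String.Format-style query building beside the
parameterized form, run against a constructed in-memory SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE drugs (code TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO drugs VALUES (?, ?)",
        [("A1", "aspirin"), ("B2", "ibuprofen"), ("C3", "paracetamol")],
    )
    return conn


def lookup_formatted(conn: sqlite3.Connection, code: str) -> list:
    """Vulnerable: the user value is pasted into the SQL text, so a quote
    in the input changes the query's structure (the String.Format pattern)."""
    sql = "SELECT name FROM drugs WHERE code = '{}'".format(code)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, code: str) -> list:
    """Hardened: the value is bound as a parameter, so it is only ever
    compared against the column and never parsed as SQL."""
    sql = "SELECT name FROM drugs WHERE code = ?"
    return [row[0] for row in conn.execute(sql, (code,))]


if __name__ == "__main__":
    db = make_db()
    honest = "A1"
    crafted = "x' OR '1'='1"  # constructed input that closes the quote
    print(lookup_formatted(db, honest))       # ['aspirin']
    print(lookup_formatted(db, crafted))      # every row comes back
    print(lookup_parameterized(db, crafted))  # [] - no such code
```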

------
wslh
The article misses another huge and overlooked issue: there are databases that
are not accessed via a public Internet address because they are filtered by a
firewall BUT are accessed via the local network because in many VPS services
you can connect to all the VMs inside the same region internally. Look at this
thread:
[https://www.reddit.com/r/AskNetsec/comments/3mqufn/how_do_yo...](https://www.reddit.com/r/AskNetsec/comments/3mqufn/how_do_you_secure_your_internal_network_in_a_vps/)

------
seabrookmx
This is a bit click-bait-y. Mongo gets a lot of flak, but this really applies
to any database.

~~~
achillean
Author here: I completely agree that it applies to any database and I tried to
mention it in the article. The reason I wrote about MongoDB is:

- I wrote about it before and could compare results from my previous post

- It's popular and there are a lot of public instances of it

- MacKeeper exposed 13 million user accounts through their public MongoDB
instance

And I actually wrote a follow-up post on Memcached to highlight the same
issue: [https://blog.shodan.io/memory-as-a-service/](https://blog.shodan.io/memory-as-a-service/)

~~~
muzmath
Unfortunately that's not how your article has been interpreted, especially not
in the reddit thread which has (predictably) devolved into an incoherent
MongoDB hate-fest.

~~~
throwaway2048
The author doesn't owe mongoDB a PR whitewash.

~~~
muzmath
I'm not talking about what the author wrote, I'm talking about the 500 posts
whose entire takeaway was 'mongo is retarded'. Reread what I wrote.

------
JustinAiken
That 684.8 TB of data would be 1200TB if Mongo had better data integrity :p

------
chatmasta
I discovered shodan.io recently when I was tailing the logs of a VPN server
and saw a connection attempt from an IP I did not recognize. The IP was
registered to shodan.io and tried to connect without authentication
credentials. I looked up the IP of my box on Shodan and sure enough, there it
was, right on the wall of sheep.

Of course I blame myself for not whitelisting IP addresses, but I did not
appreciate the connection attempt. Passive port scanning is one thing, but
actively trying to establish a VPN session is another.

I was under the impression that port scanning IP addresses on the open
internet without prior authorization was illegal under the CFAA. Obviously
that's a provision commonly ignored by researchers, but at least they disclose
any port scanning activity with some discretion and acknowledgement of its
potential illegality. I'm surprised how blatantly upfront Shodan is about its
operation.

Does anyone know the deal with this company/website? Why are they not worried
about prosecution for their mass port scanning?

~~~
Phil_Latio
> Why are they not worried about prosecution for their mass port scanning?

In his talks the founder says he provides law enforcement with all the crawled
data for free and that he has regular contact with the US CERT. So there
doesn't seem to be any legal problem.

My opinion: shodan doesn't try to exploit any known backdoors or common
user/password combinations. Testing for anonymous/guest logins is fine in my
view.

~~~
TheOtherHobbes
> In his talks the founder says he provides law enforcement with all the
> crawled data for free

Why is this a good thing?

Isn't it like trying every door in a neighbourhood and handing the FBI a list
of all the properties that have been left unlocked?

Oh - and there's that very useful exploit dictionary too.

I ban all the shodan IPs I can find as a matter of policy.

~~~
detaro
It's not necessarily a good thing, but it's a good indicator that it isn't
obviously illegal (because otherwise law enforcement would try to hide that
connection better)

