

The Country of Vietnam Resolves to Localhost - sunilkumarc
https://blog.shodan.io/the-country-of-vietnam-resolves-to-localhost/

======
nailer
I don't quite understand what this means: "out of the nearly 5 million banners
in Shodan for Vietnam 1.5 million of them resolve to localhost." "there are a
total of 1,528,188 banners in Shodan that resolve to localhost".

I can gather that this is the company Shodan, and that they make reports
regarding internet connected devices, but what is a 'banner' in this instance?

~~~
voltagex_
I had to look this up:
[http://en.wikipedia.org/wiki/Banner_grabbing](http://en.wikipedia.org/wiki/Banner_grabbing)

In the context of SSH, a banner might be

root@localhost's password:

or, more accurately, `SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1`, which is the
first thing a particular SSH daemon will send on receiving a connection from a
client

~~~
nailer
Ah I've heard these referred to as 'login banners' or '<service name> banners'
before. Thanks!

One wouldn't normally 'resolve a banner' though, since it might contain the
version of a service used, and other information other than what a Unix
`hostname` command would return. You'd resolve the hostname mentioned in the
banner.

------
hasenj
> every customer's IP resolves back to localhost

What does this even mean?

First of all, what does it mean that an IP resolves to a hostname? I thought
it's the other way around: hostnames resolve to IPs.

Second, isn't this .. normal? localhost is always your local machine.

Please help me understand

~~~
blfr
DNS works both ways. It has pointer (PTR) records which allow you to
associate an IP address you control with a domain name. Those are the
opposite of an address record (A) with which you associate a domain name you
control with an IP address.

For Google.com, I can get an A record (IP address)

    $ dig +short google.com a
    216.58.208.238

but I can also get a domain name for that IP

    $ dig -x 216.58.208.238 +short
    par10s22-in-f14.1e100.net.
    par10s22-in-f14.1e100.net.
    

Google uses a service domain 1e100.net for their machines.

Although maybe OP only means the hostname in the banner message. I grepped my
mail logs for hostnames from Vietnam and couldn't find any IPs that would
resolve back to localhost.

EDIT: 'nanofortnight
[https://news.ycombinator.com/item?id=9068054](https://news.ycombinator.com/item?id=9068054)
found a range of addresses that do.

    $ dig +short -x 123.26.2.1
    localhost.

~~~
Tiksi
To be a bit pedantic, you don't actually resolve the IP address itself.

A reverse dns lookup actually just does a lookup of {the ip address with
octets reversed}.in-addr.arpa:

    > host 216.58.208.238
    238.208.58.216.in-addr.arpa domain name pointer par10s22-in-f14.1e100.net.
    

You can actually look that up directly too:

    > dig +short ptr 238.208.58.216.in-addr.arpa
    par10s22-in-f14.1e100.net.
    

When an ISP gets an IP allocation, they specify the nameservers to use, and are
responsible for that "subdomain" of the in-addr.arpa domain. If you trace the
full resolve, it first goes to the root .in-addr.arpa servers, then arin.net
nameserver, then finally you end up at:

    ;; AUTHORITY SECTION:
    208.58.216.in-addr.arpa. 86400	IN	NS	ns3.google.com.

which will return the actual ptr record.
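
The lookups the two comments above walk through by hand (building the reversed in-addr.arpa name, reading the PTR answer, and checking whether the name it returns actually belongs to the address) as one small script. This is an added example for this thread, not code from the Shodan post or from any commenter. The PTR answers and forward records it uses are a constructed table: the 1e100.net, 123.16.0.0 and 123.26.2.1 values are the ones quoted in the thread, the remaining addresses and records are assumed for illustration; it also handles IPv6 (ip6.arpa), which the thread does not cover.

```python
"""Reverse DNS as described in the thread: build the PTR query name for an
address, classify the answer, and run the forward-confirmation check that
mail servers and rDNS blocklists apply.

Added example for this thread, not code from the Shodan post or any
commenter. SAMPLE_PTR / SAMPLE_FORWARD are a constructed table: the
1e100.net, 123.16.0.0 and 123.26.2.1 values are quoted in the thread, the
rest are assumed for illustration.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Names a public address's PTR should never point at: "localhost" is reserved
# for the loopback interface (RFC 6761), so such an rDNS entry says nothing
# about the real host.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


def reverse_name(ip: str) -> str:
    """Return the PTR query name for an IPv4 or IPv6 address.

    IPv4 reverses the dotted octets under in-addr.arpa
    (216.58.208.238 -> 238.208.58.216.in-addr.arpa.); IPv6 reverses the
    32 hex nibbles of the expanded address under ip6.arpa.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def points_to_localhost(ptr: Optional[str]) -> bool:
    """True if the PTR answer names the loopback host rather than a real host."""
    return ptr is not None and ptr.rstrip(".").lower() in LOCALHOST_NAMES


def forward_confirmed(ip: str, ptr: Optional[str],
                      resolve: Callable[[str], List[str]]) -> bool:
    """Forward-confirmed rDNS: the PTR target must have an A/AAAA record that
    contains the original address. `resolve` is injected so the check can run
    against a table offline; pass system_resolve to use the OS resolver."""
    if ptr is None:
        return False
    try:
        forward = {ipaddress.ip_address(a) for a in resolve(ptr.rstrip("."))}
    except (OSError, ValueError):
        return False
    return ipaddress.ip_address(ip) in forward


def system_resolve(name: str) -> List[str]:
    """Live forward lookup through the OS resolver (not used by the demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def audit(ptr_answers: Dict[str, Optional[str]],
          resolve: Callable[[str], List[str]]) -> Dict[str, object]:
    """Classify every address and report the share whose rDNS is localhost,
    the kind of tally one would run over a sampled address range."""
    rows = {}
    localhost_count = 0
    for ip, ptr in ptr_answers.items():
        is_lo = points_to_localhost(ptr)
        localhost_count += 1 if is_lo else 0
        rows[ip] = {
            "query": reverse_name(ip),
            "ptr": ptr,
            "localhost": is_lo,
            "fcrdns": forward_confirmed(ip, ptr, resolve),
        }
    share = localhost_count / len(ptr_answers) if ptr_answers else 0.0
    return {"rows": rows, "localhost_fraction": share}


# Constructed sample data (what `dig -x` / `host` would answer).
SAMPLE_PTR: Dict[str, Optional[str]] = {
    "216.58.208.238": "par10s22-in-f14.1e100.net.",  # quoted in the thread
    "123.16.0.0": "localhost.",                       # quoted in the thread
    "123.26.2.1": "localhost.",                       # quoted in the thread
    "203.162.0.78": "static.vdc.vn.",                 # assumed for illustration
    "113.160.0.1": "static.vnpt-hanoi.com.vn.",       # assumed for illustration
    "198.51.100.7": None,                             # RFC 5737 test address, no PTR
}
SAMPLE_FORWARD: Dict[str, List[str]] = {
    "par10s22-in-f14.1e100.net": ["216.58.208.238"],
    "static.vdc.vn": ["203.162.0.78"],
    "localhost": ["127.0.0.1"],
    # static.vnpt-hanoi.com.vn deliberately absent: no A/AAAA record
}


def table_resolve(name: str) -> List[str]:
    """Offline stand-in for system_resolve, backed by SAMPLE_FORWARD."""
    return SAMPLE_FORWARD.get(name, [])


if __name__ == "__main__":
    report = audit(SAMPLE_PTR, table_resolve)
    for ip, row in report["rows"].items():
        print(f"{ip:15} {row['query']:28} {str(row['ptr']):27} "
              f"localhost={row['localhost']!s:5} fcrdns={row['fcrdns']}")
    print(f"localhost share: {report['localhost_fraction']:.0%}")
```

The forward-confirmation step is the part that matters operationally: a PTR of `localhost.` fails it because `localhost` only ever resolves to 127.0.0.1, and a PTR whose name has no A/AAAA record at all fails it too, which is exactly the condition rDNS-based mail filters key on.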

------
iamds
Can someone explain how this link has made it to number one on the front page,
when it seems from the comments that no one understands what the page is
saying?

~~~
chaghalibaghali
Maybe people are upvoting in the hope that somebody will be able to explain
it.

~~~
huydotnet
I'm trying to understand the problem too :v

------
packetized
Based on some very rough sampling, a significant majority of the addresses
allocated to VDC in the 123.16/16 network reverse resolve to localhost. This
appears to be intended behavior, and accounts for ~70% of the numbers in the
Shodan report.

    $ dig @8.8.8.8 -x 123.16.0.0

    ; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 -x 123.16.0.0
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29897
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;0.0.16.123.in-addr.arpa.   IN  PTR

    ;; ANSWER SECTION:
    0.0.16.123.in-addr.arpa. 21265  IN  PTR localhost.

    ;; Query time: 64 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Wed Feb 18 08:14:37 2015
    ;; MSG SIZE  rcvd: 64

    $

In fact, if you go through the list of networks advertised by AS45899 [1], I
imagine that you'd find this is the case for quite a few of them. A quick look
indicates this to be true.

[1]:
[http://bgp.he.net/AS45899#_prefixes](http://bgp.he.net/AS45899#_prefixes)

------
Tepix
I don't know what they are referring to. I noticed that Vietnam Posts and
Telecommunications Group owns 123.30.128.0/18 and 203.162.0.0/23 and a lot of
IPs from those subnets have a PTR record of static.vdc.vn.

However, static.vdc.vn resolves to 203.162.0.78, not 127.0.0.1

There is another large network, 113.160.0.0/113.191.255.255 that seems to have
PTR records of static.vnpt-hanoi.com.vn for all IPs, however that hostname has
no A/AAAA record.

Pretty sloppy.

Looks like this has nothing to do with DNS, instead it's the hostname the
machine displays in its banners for services like FTP or SSH.

~~~
achillean
No, those are the reverse DNS entries for their IPs. For example, try looking
up:

113.169.170.93

You can get a list of affected IPs by searching as follows:

[https://www.shodan.io/search?query=hostname%3Alocalhost](https://www.shodan.io/search?query=hostname%3Alocalhost)

------
anhtran
VN here. It's the hostname of the DNS server. I traced the route to a domain
and got the server IP.

[http://www.ip-tracker.org/locator/ip-lookup.php?ip=113.165.1...](http://www.ip-tracker.org/locator/ip-lookup.php?ip=113.165.176.1)

BTW, I don't know why they did that.

------
Smushman
Banner here seems to refer to the 'banner' output of ssh, or telnet, or some
other service (those are the most likely however imho).

When you connect over services, the banner (the first information presented to
the client, before authentication) can be configured to include the 'hostname'
setting of the server you have connected to.

If I am right about that, this means that the hostname setting of the server
is still set to localhost, as it is default out of the box until configured.

------
orfix
It's an old, known vulnerability (2009) used to bypass spam filters:
[http://www.mounirorfi.com/blog/2015/02/18/why-vietnam-resolv...](http://www.mounirorfi.com/blog/2015/02/18/why-vietnam-resolves-to-localhost/)

------
Kiro
I don't know who the target audience is but I think the author should include
a small parenthesis explaining "banner". I thought it was referring to their
software crawling ad banners online or something.

~~~
achillean
I will try to explain those terms in the future, sorry! I'm used to speaking
in security circles where that term is widely understood.

------
elktea
Do you mean reverse DNS? Can you provide an example?

~~~
nanofortnight
Not poster, but: [http://www.ahbl.org/content/ahbl-policy-blocking-hosts-rdns-...](http://www.ahbl.org/content/ahbl-policy-blocking-hosts-rdns-localhost)

------
huydotnet
Maybe there are some bugs in Shodan's tracking system that always return
"localhost"

------
jrochkind1
Is "banner" an unusual translation of... hostname, i guess? I don't get it.

~~~
NickNameNick
Banner is whatever information a remote connection gives you when you connect.

For ssh that will be some information about the server, version of ssh,
hostname, and (hopefully) a prompt to login, or a request for a key.

For http, it will be a handful of headers about the server.

Tools like Shodan scan the internet looking for active connections, and try to
banner-grab on common ports, looking for details like server versions,
operating system versions, etc for a long list of protocols like telnet, http,
ssh, smtp, vnc, remote desktop (often with screenshots of the remote system,
disturbing often unauthenticated straight to the desktop or running program),
etc.

If you're of a malicious mindset, when a new vulnerability is discovered, or
an old one, you can look up a list of vulnerable systems from the database,
searching by service and version, rather than scanning the internet yourself.
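
The SSH banner grab that this comment and the earlier `SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1` reply describe, as an added example for this thread (not code from the Shodan post or from any commenter): it splits the server's identification string into the fields a scanner indexes (protocol version, software, OS comment), and shows that the `root@localhost's password:` prompt is not a banner at all. The RFC 4253 line format is real; the `grab_ssh_banner` helper, its client identification string `SSH-2.0-bannergrab_0.1`, and the dropbear and Cisco sample lines are assumptions for illustration, and the network helper is not exercised offline.

```python
"""Banner grabbing for SSH: read the server's identification string and
split it into the fields scanners like Shodan index.

Added example for this thread, not code from the Shodan post or any
commenter. SAMPLE_BANNERS holds the OpenSSH line quoted in the thread plus
constructed ones; grab_ssh_banner is for live targets and is not run offline.
"""
import re
import socket
from typing import Dict, Optional

# RFC 4253 section 4.2: the identification string is
#   SSH-protoversion-softwareversion SP comments CR LF
# with the comments part optional. The password prompt a client sees later
# is part of the authentication exchange, not of the banner.
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def parse_ssh_banner(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one identification line; return None if it is not one."""
    line = line.rstrip("\r\n")
    m = _IDENT_RE.match(line)
    if m is None:
        return None
    software = m.group("software")
    # Most servers use "Product_version" (OpenSSH_5.9p1, dropbear_2012.55);
    # vendors that do not get product == softwareversion and version None.
    product, _, version = software.partition("_")
    return {
        "protoversion": m.group("proto"),
        "softwareversion": software,
        "comments": m.group("comments"),
        "product": product,
        "version": version or None,
        "raw": line,
    }


def grab_ssh_banner(host: str, port: int = 22,
                    timeout: float = 5.0) -> Optional[Dict[str, Optional[str]]]:
    """Connect and return the parsed identification string, or None.

    RFC 4253 lets a server send free-text lines before the "SSH-" line, so
    read a bounded number of lines until one starts with "SSH-". Sending our
    own identification first keeps servers that wait for the client from
    stalling. (Assumed helper; not exercised by the offline demo.)
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-bannergrab_0.1\r\n")
        stream = sock.makefile("rb")
        for _ in range(20):
            raw = stream.readline(255)
            if not raw:
                break
            line = raw.decode("utf-8", "replace")
            if line.startswith("SSH-"):
                return parse_ssh_banner(line)
    return None


# Constructed sample banners; the first is the one quoted in the thread.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n",
    "SSH-2.0-dropbear_2012.55\r\n",
    "SSH-1.99-Cisco-1.25\r\n",
    "root@localhost's password: ",  # a prompt, not an identification string
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(repr(banner.strip()), "->", parse_ssh_banner(banner))
```

Note what the identification string does and does not carry: software name, version and a free-form comment such as the distribution package, but no hostname. The "hostname" Shodan attaches to a banner comes from the reverse DNS of the scanned address, which is what the post's "resolves to localhost" refers to.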

------
tempodox
How do “ _banners in Shodan [...] resolve to localhost_ ”??? WTF??? This is
quite cryptic. Luckily, I live not on Shodan, but on planet Earth where
`localhost` resolves to 127.0.0.1.

------
ThiTH
Can anyone explain whether that is significant or funny?

------
bigbugbag
Can someone explain to me what I have just read?

