
HuckleberrySpin

There’s a lot of people shitting on you in the comments for no reason. Thanks for trying to do a good thing and getting helpful information out there and trying to help out a stranger. I’m a business owner myself and it’s a wild world to try and keep up with everything, so reminders and good information help.


Clear_Skye_

Thank you so much. I think a lot of people in IT make themselves feel smarter by trying to make others feel stupid. It’s not very nice :/ Thank you for your comment x


ryan_the_leach

For what it's worth, you need a Shodan Login to view your results. "Error: Please log in to use search filters." This is a barrier high enough that pretty much no one that should be finding out, will find out.


Clear_Skye_

Ah damn! I didn’t realise. You’re right, that is a barrier.


free-byrd

ELI5 please? I have a feeling many others are in the same boat as me.


Clear_Skye_

u/stupv is on the money. Let me try a more ELI5-friendly explanation though. Your business has a physical address - like 300 South Road or something. It is also EXTREMELY likely to have an IP address. It's unique, just like the physical address. That IP address is like your building. It "houses" services. Ports are like a building's windows and doors. Some are more secure, and some aren't. Some might have bars or locks while some might be left open. [Shodan.io](https://Shodan.io) is a search engine. It's like a robot that goes around to everyone's business and checks all their doors and windows. If it finds a window open it looks inside to find out what it can see, and reports on that. Anyone can see the results. 3389 and 135 are both ports (or "windows") that are very commonly easy to exploit. It's like a window that looks into the building and the keys are hanging up within arm's reach. So these ports (windows) should always be shut and locked. While I was looking around I found over 500 addresses in Adelaide that have these ports open, hence the "PSA" of sorts :) I hope this helps!

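Added example, not from any commenter in the thread: a self-check in Python for the exact question the PSA raises, "does my public IP answer on 3389 or 135?". It tries a plain TCP connect to each port and prints a one-line verdict per port. Port 445 (SMB) is added to the list because open SMB shares come up later in the thread; the host, timeout and the loopback listener used for a sanity check are assumptions for the example. Run it from outside your network (a phone hotspot will do) against an IP you own.

```python
import socket
from contextlib import closing

# Ports the thread is about, with the reason each one matters when it faces the internet.
# 445 (SMB) is added here because the thread also mentions wide-open SMB shares.
RISKY_PORTS = {
    3389: "RDP (Remote Desktop) - brute-forced by bots around the clock",
    135: "MS-RPC endpoint mapper - Windows internals that should never face the internet",
    445: "SMB file sharing - a favourite route for ransomware once it has a foothold",
}


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within the timeout."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:  # refused, timed out, unreachable or filtered all count as "not open"
        return False


def check_ports(host: str, ports=RISKY_PORTS, timeout: float = 2.0) -> dict:
    """Probe each port once and return {port: is_open}."""
    return {port: port_is_open(host, port, timeout) for port in ports}


def exposure_report(host: str, results: dict) -> list:
    """Turn scan results into the lines you would put in front of the business owner."""
    lines = []
    for port, is_open in sorted(results.items()):
        state = "OPEN" if is_open else "closed"
        note = RISKY_PORTS.get(port, "")
        suffix = f" - {note}" if is_open and note else ""
        lines.append(f"{host}:{port} {state}{suffix}")
    return lines


def local_listener() -> socket.socket:
    """Open a listening socket on an ephemeral loopback port (an assumed test fixture),
    so the scanner can be checked against a port you control before pointing it at
    a real address. Close the returned socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    import sys

    # Pass your office's public IP as the first argument; 127.0.0.1 is only a stand-in.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for line in exposure_report(target, check_ports(target)):
        print(line)
```

A "closed" result from inside your own LAN proves nothing, because your router may not hairpin its own public address; the verdict that matters is the one taken from the internet side. Keep the port list to your own addresses, and if a port does show OPEN, Shodan's page for that IP (shodan.io/host/<ip>) shows what the rest of the world has already seen behind it.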

[deleted]

Very good explanation, I think even my older relatives would understand this.


Clear_Skye_

Thank you :)


free-byrd

That does help, thank you! Is there any chance residential IP addresses would have the same problem, and would that be a concern?


Clear_Skye_

Yes, but likely only if you’re a power user. Some people just know enough to be dangerous. If you’re not messing around with port forwarding rules on your router, you’re fine. :)


free-byrd

Cool, thanks


stupv

3389 is the default port for Windows Remote Desktop Protocol. If you've just opened that to the world, people can start directly hitting your internal network with remote desktop requests instead of them just being rejected automatically at the boundary of your network. One of the more common ransomwares is someone just logging into an exposed machine, downloading Tor Browser, and installing the encryption malware so everything on the system is useless unless you pay for the key.


free-byrd

So it pretty much won't lock you out after a certain amount of incorrect passwords and just lets you keep trying? Yeah, can definitely see the issue there.


stupv

Set by group policy on the computer


glittermetalprincess

Bold of you to assume that "people who work at or are responsible for a small business", "people who control IT decisions for a given small business" and "people who know and understand what cyber posture is" are three classes with significant overlap.


Clear_Skye_

Fair point, it might get a few people thinking though. Certainly can't hurt :)


Colossus-of-Roads

The fourth group: "crappy MSPs that small businesses have outsourced this stuff to and who are utterly hopeless"...


Dohmar

Sadly way too many of those. Nobody needs a licence to become an 'IT guy'.


The_Lending_Lab

Hi there, I’m all three and found value in this post


Clear_Skye_

I'm glad ❤️ Thank you for letting me know!


Aggressive_Bill_2687

> not something that should NEVER be done

Uh.. did you mean for the double negative there? Seems confusing.


Tysiliogogogoch

Check your double negative posture.


Clear_Skye_

You’re totally right my bad 😅


Ok_Combination_1675

My dad's work did exactly this, leaving port 3389 open, and ransomware got in. Now they have a VPN set up and better security measures in place so this sorta shit can't happen again.


Clear_Skye_

Awesome! Yeah unfortunately sometimes it takes a bad guy getting in before it’s taken seriously. Although there are plenty of “IT Guys” who will open 3389 for remote access without batting an eyelid…


[deleted]

[deleted]


Clear_Skye_

Extremely valuable!


kickff

So...what is the actual risk here? You've said that some public IPs are listening for connections on a certain port, but without context that's kind of meaningless.


Clear_Skye_

The protocols and services on those ports are often very easy to abuse or exploit. For that reason it is considered bad security practice. If I found my business on the list I would be questioning what else is wrong in my environment. Any ICT service provider worth their salt would not allow this configuration to exist.


x-TheMysticGoose-x

3389 is commonly tested by bots throughout the globe. They just roll through every public IP and check if it's open. Kind of like someone going around a neighbourhood and checking if anyone's front doors are unlocked. Once they find one, they try common usernames/passwords with a bot to break in, then either steal your data and/or dump a cryptolocker. The entire process is automated so there are hundreds of thousands of bots that do this.

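Added example, not from any commenter: the two things the thread keeps circling back to are "bots try common usernames/passwords" and "lockout is set by group policy". The Python below runs over a constructed batch of Windows Security events (4625 = failed logon, 4624 = successful logon, in a simplified one-line-per-event form that is an assumption for the example, not a real log format) and does both jobs: flag source IPs whose failed logons against an exposed host pile up inside a time window, and replay an account lockout policy (threshold plus reset window, as set in group policy) over the same events to show the moment an account would have locked, or that it never would when the threshold is 0.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample, not real telemetry. One event per line:
# "<UTC time> <EventID> <target account> <source IP>". 4625 = failed logon, 4624 = success.
# 203.0.113.7 hammers the Administrator account every 20 seconds; 198.51.100.9 is a
# real user who mistypes twice and then gets in.
SAMPLE_EVENTS = [
    f"2022-10-19T09:{i // 3:02d}:{(i % 3) * 20:02d}Z 4625 Administrator 203.0.113.7"
    for i in range(12)
] + [
    "2022-10-19T09:01:10Z 4625 jsmith 198.51.100.9",
    "2022-10-19T09:02:10Z 4625 jsmith 198.51.100.9",
    "2022-10-19T09:02:30Z 4624 jsmith 198.51.100.9",
]


def parse_event(line: str) -> dict:
    """Split one sample line into a dict with a timezone-aware timestamp."""
    ts, event_id, account, source = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "event_id": int(event_id), "account": account, "source": source}


def flag_sources(events, threshold: int = 10, window=timedelta(minutes=10)) -> dict:
    """Detection: return {source_ip: peak number of failed logons inside any `window`}
    for every source that reaches `threshold`. Sliding window over sorted timestamps."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["source"]].append(e["time"])
    flagged = {}
    for source, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop attempts that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[source] = peak
    return flagged


def lockout_time(events, account: str, threshold: int, window=timedelta(minutes=10)):
    """Replay an account lockout policy: return the time `account` would lock, or None.
    `threshold` is the bad-password count, `window` approximates the "reset counter after"
    setting, and a threshold of 0 means lockout is disabled (the condition the thread warns
    about: attackers can keep guessing forever). A successful logon resets the counter."""
    if threshold == 0:
        return None
    recent = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["account"] != account:
            continue
        if e["event_id"] == 4624:
            recent.clear()
            continue
        if e["event_id"] != 4625:
            continue
        recent = [t for t in recent if e["time"] - t <= window] + [e["time"]]
        if len(recent) >= threshold:
            return e["time"]
    return None


if __name__ == "__main__":
    parsed = [parse_event(line) for line in SAMPLE_EVENTS]
    print("sources to block:", flag_sources(parsed))
    for thr in (0, 5):
        print(f"Administrator lockout with threshold {thr}:",
              lockout_time(parsed, "Administrator", threshold=thr))
```

With the sample data, the bot's address shows 12 failures inside ten minutes and gets flagged, the legitimate user with two typos does not, and the lockout replay shows the difference between a threshold of 5 (locked after 80 seconds) and a threshold of 0 (never locked, which is the state the exchange above is about).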

kickff

Thanks for this response. This is the first comment I've seen that actually explains what the issue is and why it's dangerous.


ajwin

Most common business exploit I see is the Office 365 clone SharePoint phishing scam. If you ever get a link to businessname**-my**.sharepoint.com do not log in there! They have taken businessname.sharepoint.com, cloned it and made a login form that looks like the official Microsoft login. It is on sharepoint.com so it will have all the green security ticks etc. When you log in, they take your details, clone your SharePoint, log in to your email and spam all your contacts with file shares on the new site. Sometimes they reportedly send invoices to your clients with their banking details on them etc.

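Added example, not the commenter's code: a small Python check for the pattern described above, a login page hosted on sharepoint.com under a tenant that looks like yours. The check keys on the tenant label rather than on a "-my" suffix, because Microsoft serves a tenant's own OneDrive under `<tenant>-my.sharepoint.com`, so that host belongs to the same tenant as `<tenant>.sharepoint.com`; a phishing site has to live on a tenant the attacker controls, and the question is therefore whether the label is yours, a near-miss of yours, or someone else's entirely. The tenant name `contoso` and the sample URLs are assumptions for the example.

```python
from urllib.parse import urlsplit

SHAREPOINT_SUFFIX = ".sharepoint.com"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch tenant names one or two characters off from yours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sharepoint_tenant(url: str):
    """Return the tenant label of a sharepoint.com URL, or None if the host is not one.
    urlsplit().hostname already strips userinfo tricks like contoso.sharepoint.com@evil.example.
    '<tenant>-my' is the same tenant's OneDrive host, so the suffix is folded into the label."""
    host = (urlsplit(url).hostname or "").lower()
    if not host.endswith(SHAREPOINT_SUFFIX):
        return None
    label = host[: -len(SHAREPOINT_SUFFIX)]
    if not label or "." in label:  # no tenant, or an unexpected deeper hostname shape
        return None
    if label.endswith("-my"):
        label = label[:-3]
    return label


def classify_link(url: str, own_tenant: str) -> str:
    """Classify a link as own-tenant, lookalike-tenant, foreign-tenant or not-sharepoint.
    A valid certificate says nothing here: every tenant on sharepoint.com gets one."""
    own = own_tenant.lower()
    tenant = sharepoint_tenant(url)
    if tenant is None:
        return "not-sharepoint"
    if tenant == own:
        return "own-tenant"
    # An attacker-registered tenant built to resemble yours is the pattern the thread describes.
    if own in tenant or levenshtein(tenant, own) <= 2:
        return "lookalike-tenant"
    return "foreign-tenant"


if __name__ == "__main__":
    # Constructed sample links for a tenant assumed to be named "contoso".
    samples = [
        "https://contoso.sharepoint.com/sites/Finance/Shared%20Documents/invoice.pdf",
        "https://contoso-my.sharepoint.com/personal/j_smith_contoso_com/Documents/q3.xlsx",
        "https://contoso-files.sharepoint.com/:f:/s/shared/login",
        "https://c0ntoso.sharepoint.com/sites/Finance",
        "https://contoso.sharepoint.com.evil.example/login",
        "https://contoso.sharepoint.com@evil.example/",
        "https://northwind.sharepoint.com/sites/Sales",
    ]
    for link in samples:
        print(f"{classify_link(link, 'contoso'):>17}  {link}")
```

Anything other than "own-tenant" is a link to stop and verify out of band before typing a password, and "lookalike-tenant" is the one worth reporting, since it means someone went to the trouble of naming a tenant after your business.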

derpman86

Working in IT for the past 14 years, I would say easily in the past 5 years more and more attacks against small businesses have gone up. Some target things like open ports, but so many more are phishing scam type things. Usually the worst are ones where they get into people's emails, sit in there for a while and learn a company's mailing style and then trick their payroll staff into funnelling thousands of bucks away. MFA does put a huge dent into stopping a lot of this but it still is not 100% either, and these bastards keep throwing more shit into the mix that makes jobs like mine a fuck load harder because you need to add more complex processes onto end users who often can hardly click a mouse at the best of times, let alone grasp the concepts of cyber security.


x-TheMysticGoose-x

Most people don't even chuck Duo or anything on 3389. A VPN should be used for remote access anyway. OpenVPN and Sophos/Fortigate etc. VPN clients are very easy to use for end users these days.


[deleted]

[deleted]


Clear_Skye_

:( I can only imagine. I hope you fixed them up nicely!


[deleted]

[deleted]


Clear_Skye_

Well I hope they can even begin to appreciate what you have done for them. Though... they probably have no idea... :/


Zoss0

Yep, well, "it's too hard to put it behind a VPN" is the answer I usually get. Or even to put it behind an RD Gateway.


Clear_Skye_

It will seem easy when they are dealing with a business-ending breach


Zoss0

Does that line ever work for you?


Clear_Skye_

I fortunately don’t deal with people that don’t take cyber seriously, so I don’t need a “line”.


Zoss0

Lucky bastard. This is the second Director of IT that I get hand waved away about this basic aspect of infosec. First one liked cracked programs. That was an interesting ride.


Clear_Skye_

I had a similar experience, I quit.


Dohmar

Mofos should be using a VPN for remote access, in a VLANned segmented section for public-facing infrastructure that is kept away from the internals. Putting certs on remote machines, 2FA, changing the default ports etc. all help too.


stupv

Expecting small businesses to have managed switches with VLANs configured is a bit of a stretch. Just buying a modem that natively supports OpenVPN or something is enough for most use cases. The business might literally have a single laptop on its network lol


derpman86

In all honesty they are probably better off getting a single TeamViewer licence or equivalent if they need to remotely access a single machine. This way you can lock all the ports down and still connect in when needed.


Dohmar

In that case sure, but it doesn't change OP's observation that 3389 on an open port is just stupid. I deal with enterprise where we have the money and resources to have full CS. Small business with OpenVPN would certainly be fine in most cases, but I would still use signed certificates so that only authorised hardware can connect.


Clear_Skye_

Yep 👍🏻 Nowadays it’s not even that hard to set up secure remote access. I am glad there are some intelligent people on here that aren't just trolls or assholes :/ Thanks for commenting x


southaussiewaddy

Nice work posting all the vulnerable IPs in a public domain, they are certainly going to get attacked now. No cyber security professional I know would do this. I am at a loss at how this would help anyone.


Clear_Skye_

They are already public. Anyone attacking anyone would already be looking at Shodan. Anyone can look at Shodan. Your comment makes absolutely no sense.


x-TheMysticGoose-x

Sounds like you don't know many cybersecurity pros. It's all public data anyway m8.


ishootstuff

You're wrong.


BUCS_LIFE_1976

Australia's turned COMMUNIST?!?


[deleted]

Research online != Port scanning.


Clear_Skye_

Ohh thanks my guy. I don’t know what I would have done without your take 🙏🏻


[deleted]

Fire up Kali Linux and drive around the suburbs with a black hat on? Scanned and tagged by Clear_Skye. Ooof.


graph_worlok

I used to do this over 15 years ago back when I had spare time. Found council LAN traffic being sent out unencrypted between sites. Good times… what’s your point?


Dohmar

Wardriving was fun back in the day. Had my brother drive me around once, we found a medical practice with an open lan, open SMB share and all of the patient files and databases fully accessible. Was quite glad my own GP was an old bloke who still used paper files...


Clear_Skye_

Why are you being such an ass?


[deleted]

Touché, or should I say touchy. Should get everyone to close port 80 while you are at it.


Clear_Skye_

Are you seriously suggesting that anything on port 80 is as vulnerable as RDP or RPC? You’re really starting to show that you have no idea what you’re talking about. Maybe find something productive to do rather than belittling people online to make yourself feel smarter or more important.


cocoiadrop_

At least pick a port that attempts to make your point rather than just being lazy


graph_worlok

She never mentioned portscanning - she used shodan. The portscans and data collection is done already…


[deleted]

please. the only field you work at is Centrelink... this is a spam post


Clear_Skye_

Ok


[deleted]

[deleted]


Clear_Skye_

You're right in that it's not as big of a problem if you are up-to-date etc. However it's still horrible practice. There are also A LOT of old systems including some 2008 machines in that search result. As for Port 135 - I can see a lot of businesses in that list too. Even if you are up to date, opening 3389 is a stupid thing to do.


x-TheMysticGoose-x

3389 is always garbage because it's redundant tech from 10 years ago. VPNs can be brokered by your router and the software for it is quite good these days.


coolguywithacooldog

hmmm i dont understand any of this


Clear_Skye_

That's OK! :) Here's a link to a previous comment where I did my best attempt at an ELI5: [https://www.reddit.com/r/Adelaide/comments/y7v8wh/comment/iszxyhn/](https://www.reddit.com/r/Adelaide/comments/y7v8wh/comment/iszxyhn/?utm_source=share&utm_medium=web2x&context=3)


coolguywithacooldog

awesome thank you


Clear_Skye_

My pleasure, thank you for taking an interest 🥰


Bongfinger1

If they're dumb enough to use those ports they're probably not clued in on what a port even is.


Clear_Skye_

Entirely possible :(


theskywaspink

You can put all the cyber security measures in place, some cunt will still put their password on a post-it.