Hey Drillers, There's been a spate of attacker groups looking for (for lack of a better term) "big data-ish" open servers on the internet.
We've caught quite a few going after Hadoop, Spark and other things, but I've also recently seen some hits to our global sensor network on 8047 (a port I know very, very well).

I decided to inventory that port (it's part of what I/we do at $DAYJOB, and for our less-targeted scans you can see and grab our data at opendata.rapid7.com) and there's a bunch of "garbage" mixed in on there (folks "hiding" web services and other things on what they may think is an unused high port), but there are also ~100 open Drill instances (most requiring no auth) out there. Here's the country distribution:

   country_name        n
   <chr>           <int>
 1 China              37
 2 United States      31
 3 Germany             5
 4 Singapore           5
 5 France              4
 6 India               4
 7 Canada              2
 8 Korea, Republic of  2
 9 Costa Rica          1
10 Japan               1
11 Lithuania           1
12 Pakistan            1

It's highly unlikely anyone here has hung an instance off the internet unawares, but it might be a good idea to double-check your perimeter networks or cloud setups to make sure you've got the config you think you do.

For obvious reasons I won't share the IP address list publicly, but I can check for presence on said list if anyone wants to submit a direct inquiry.

I'm not having much luck getting the CERTs in countries 2:12 to do much about this (country #1 never responds to inquiries) as it's not a wild exposure, so I'm trying other avenues. I just don't like seeing others be put in harm's way.

-Bob
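One way to run the double-check the post asks for from the outside, as an added example that is not part of the original message or of the Drill project: post a harmless query to the web port and see whether it is answered without credentials. It assumes Drill's REST query endpoint `POST /query.json` with a `{"queryType": "SQL", "query": ...}` body, and assumes (not confirmed by the post) that an auth-enabled Drill answers an unauthenticated REST call with 401/403 or a redirect to its login form, while an open one returns 200 and a JSON document carrying `rows` (or `errorMessage` for a failed query). The default host name is a constructed placeholder.

```python
"""Probe hosts for an Apache Drill web UI on 8047 that accepts queries
without credentials. Added example, not from the original post."""
import http.client
import json
import sys

DRILL_PORT = 8047  # Drill web UI / REST port, as in the post
# Body shape of Drill's REST query endpoint; SELECT 1 is harmless if it runs.
PROBE_QUERY = {"queryType": "SQL", "query": "SELECT 1"}


def classify(status, body):
    """Map one HTTP reply from POST /query.json to a verdict.

    Returns 'open-noauth', 'auth-required' or 'not-drill'.
    Assumption: auth-enabled Drill -> 401/403 or a redirect to its login
    form; open Drill -> 200 with JSON carrying "rows" (or "errorMessage").
    """
    if status in (401, 403) or 300 <= status < 400:
        return "auth-required"
    if status != 200:
        return "not-drill"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-drill"  # 200 but not JSON: something else on 8047
    if isinstance(doc, dict) and ("rows" in doc or "errorMessage" in doc):
        return "open-noauth"
    return "not-drill"


def probe(host, port=DRILL_PORT, timeout=5.0):
    """Send the probe query and classify the answer; 'closed' on no HTTP reply.

    http.client does not follow redirects, so a login redirect is seen as-is.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(
            "POST",
            "/query.json",
            body=json.dumps(PROBE_QUERY),
            headers={"Content-Type": "application/json"},
        )
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return classify(resp.status, body)
    except (OSError, http.client.HTTPException):
        return "closed"
    finally:
        conn.close()


def main(argv):
    # Constructed placeholder host; pass your own perimeter addresses instead.
    hosts = argv[1:] or ["drill.example.internal"]
    for h in hosts:
        print(f"{h}:{DRILL_PORT}\t{probe(h)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it from a vantage point outside your perimeter (a cloud VM you do not otherwise trust is fine) against the addresses you believe are not exposed; an `open-noauth` verdict means the instance ran the query for an anonymous caller. If memory serves, Drill's user authentication is switched on under `drill.exec.security.user.auth` in `drill-override.conf`; check the Drill docs for your version rather than trusting that recollection, and firewall 8047 regardless.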
