Posted to user@drill.apache.org by Bob Rudis <bo...@rud.is> on 2019/01/15 17:02:49 UTC
FYI: Open Drill instances on the internet
Hey Drillers,
There's been a spate of attacker groups looking for (for lack of a better term) "big data-ish" open servers on the internet.
We've caught quite a few going after Hadoop, Spark and other things but I've also recently seen some hits to our global sensor network on 8047 (a port I know very, very well).
I decided to inventory that port (it's part of what I/we do at $DAYJOB and for our less-targeted scans you can see and grab our data at opendata.rapid7.com) and there's a bunch of "garbage" mixed in on there (folks "hiding" web services and other things on what they may think is an unused high port) but there are also ~100 open Drill instances (and most requiring no auth) out there.
Here's the country distribution:
   country_name          n
 1 China                37
 2 United States        31
 3 Germany               5
 4 Singapore             5
 5 France                4
 6 India                 4
 7 Canada                2
 8 Korea, Republic of    2
 9 Costa Rica            1
10 Japan                 1
11 Lithuania             1
12 Pakistan              1
It's highly unlikely anyone here has hung an instance off the internet unawares, but it might be a good idea to double-check your perimeter networks or cloud setups to make sure you've got the config you think you do.
For obvious reasons I won't share the IP address list publicly but can check for presence on said list if anyone wants to submit a direct inquiry.
I'm not having much luck getting the CERTs in countries 2:12 to do much about this (country #1 never responds to inquiries) as it's not a wild exposure so I'm trying other avenues. I just don't like seeing others be put in harm's way.
-Bob
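As an added example (not part of Bob's post, and not Rapid7's scanning code): a small Python checker you can point at your own Drill hosts from outside the perimeter to confirm the web UI on 8047 is actually behind authentication. It assumes Drill 1.x's REST layout, where GET /storage.json lists the configured storage plugins (whose configs can carry JDBC, S3 and similar credentials in clear text) and an instance with HTTP authentication enabled answers with 401/403 or a redirect to /login instead. The sample responses in the test are constructed.

```python
#!/usr/bin/env python3
"""Check whether an Apache Drill web UI on 8047 serves its REST API without auth."""
import json
import sys
import urllib.error
import urllib.request

DRILL_PORT = 8047
# Assumption: GET /storage.json is the plugin listing; it is the most damaging
# endpoint to leave open because plugin configs embed service credentials.
PROBE_PATH = "/storage.json"
SECRET_HINTS = ("password", "secret", "accesskey", "access_key")


def classify(status, headers, body):
    """Classify one HTTP response to GET /storage.json.

    Returns "open-drill" (plugin list served with no credentials asked for),
    "auth-required" (Drill answered but demanded a login) or
    "not-drill" (something else is listening on the port)."""
    location = headers.get("Location", "") if headers else ""
    if status in (401, 403):
        return "auth-required"
    if status in (301, 302, 303, 307, 308) and "/login" in location:
        return "auth-required"
    if status == 200:
        try:
            plugins = json.loads(body)
        except (ValueError, TypeError):
            plugins = None
        if (isinstance(plugins, list) and plugins and
                all(isinstance(p, dict) and "name" in p and "config" in p for p in plugins)):
            return "open-drill"
        text = body.lower() if isinstance(body, str) else ""
        if "<form" in text and "login" in text:  # HTML login page instead of JSON
            return "auth-required"
    return "not-drill"


def leaked_credential_plugins(plugins):
    """Names of plugins whose config tree contains a credential-looking key."""
    def has_secret(obj):
        if isinstance(obj, dict):
            return any(any(h in str(k).lower() for h in SECRET_HINTS) or has_secret(v)
                       for k, v in obj.items())
        if isinstance(obj, list):
            return any(has_secret(v) for v in obj)
        return False
    return [p["name"] for p in plugins if has_secret(p.get("config", {}))]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface 3xx as HTTPError instead of following it


def probe(host, port=DRILL_PORT, timeout=5.0):
    """GET /storage.json on host:port, without following redirects, and classify it."""
    url = "http://%s:%d%s" % (host, port, PROBE_PATH)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, headers, body = e.code, e.headers, e.read().decode("utf-8", "replace")
    verdict = classify(status, headers, body)
    leaking = leaked_credential_plugins(json.loads(body)) if verdict == "open-drill" else []
    return verdict, leaking


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    try:
        verdict, leaking = probe(target)
    except (urllib.error.URLError, OSError) as e:
        sys.exit("%s:%d unreachable: %s" % (target, DRILL_PORT, e))
    print(target, verdict)
    for name in leaking:
        print("  plugin %r exposes credentials to anyone who can reach port %d" % (name, DRILL_PORT))
```

Run it as `python3 drill_check.py <host>` from a network position outside your own firewall or security group; a verdict of "open-drill" is exactly what the inventory above is counting, and any plugin it names as leaking should be treated as having had its credentials exposed.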