Posted to user@drill.apache.org by Bob Rudis <bo...@rud.is> on 2019/01/15 17:02:49 UTC

FYI: Open Drill instances on the internet

Hey Drillers,

There's been a spate of attacker groups looking for (for lack of a better term) "big data-ish" open servers on the internet.

We've caught quite a few going after Hadoop, Spark and other things but I've also recently seen some hits to our global sensor network on 8047 (a port I know very, very well).

I decided to inventory that port (it's part of what I/we do at $DAYJOB and for our less-targeted scans you can see and grab our data at opendata.rapid7.com) and there's a bunch of "garbage" mixed in on there (folks "hiding" web services and other things on what they may think is an unused high port) but there are also ~100 open Drill instances (and most requiring no auth) out there.

Here's the country distribution:

   country_name             n
   <chr>                 <int>
 1 China                    37
 2 United States            31
 3 Germany                   5
 4 Singapore                 5
 5 France                    4
 6 India                     4
 7 Canada                    2
 8 Korea, Republic of        2
 9 Costa Rica                1
10 Japan                     1
11 Lithuania                 1
12 Pakistan                  1

It's highly unlikely anyone here has hung an instance off the internet unawares, but it might be a good idea to double-check your perimeter networks or cloud setups to make sure you've got the config you think you do.

For obvious reasons I won't share the IP address list publicly but can check for presence on said list if anyone wants to submit a direct inquiry.

I'm not having much luck getting the CERTs in countries 2:12 to do much about this (country #1 never responds to inquiries) as it's not a wild exposure so I'm trying other avenues. I just don't like seeing others be put in harm's way.

-Bob
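A self-check for your own Drill nodes, added here as an example and not part of Bob's mail: it fetches the web UI root on the default port 8047 and reports whether the UI is served without a login. The login-page markers (a redirect to /login, a j_security_check form) are assumptions based on the Jetty form-authentication flow the Drill web UI uses.

```python
import urllib.error
import urllib.request

DRILL_WEB_PORT = 8047      # default value of drill.exec.http.port
TIMEOUT_SECONDS = 5

# Markers of Drill's login page; assumed from the Jetty form-auth flow the web UI uses.
LOGIN_MARKERS = ("/j_security_check", 'name="j_username"')


def classify(status, location, body):
    """Classify one response from GET / on a Drill web UI.

    Returns 'open' (UI served with no login), 'auth-required',
    or 'not-drill' (something else is listening on the port).
    """
    if status in (401, 403):
        return "auth-required"
    if status in (301, 302, 303, 307) and "/login" in (location or ""):
        return "auth-required"
    if status == 200 and "Apache Drill" in body:
        if any(marker in body for marker in LOGIN_MARKERS):
            return "auth-required"
        return "open"
    return "not-drill"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx, so the redirect target itself can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host, port=DRILL_WEB_PORT, scheme="http"):
    """Fetch the web UI root of one of your own hosts and classify the reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    url = f"{scheme}://{host}:{port}/"
    try:
        with opener.open(url, timeout=TIMEOUT_SECONDS) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify(resp.status, resp.headers.get("Location"), body)
    except urllib.error.HTTPError as err:
        # 3xx and 4xx replies land here because redirects are not followed
        body = err.read().decode("utf-8", "replace")
        return classify(err.code, err.headers.get("Location"), body)
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    import sys
    for h in sys.argv[1:]:
        print(h, probe(h))
```

A node that reports "open" is the case Bob describes: enable user authentication (drill.exec.security.user.auth.enabled in drill-override.conf) and keep drill.exec.http.port off the public perimeter.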