39 comments

[ 3.4 ms ] story [ 87.2 ms ] thread
Um, not sure I want to open that link. What does it do?
Huh, press the "Find a Server" button, I can see in Developer Console it tries to connect to random IP addresses over http, returning "address invalid" or "address unreachable", I guess until it hits a valid IP with a live computer.

I wonder if some ISP's heuristics will flag someone's computer as part of a botnet...

Microsoft or AWS may also use telemetry to flag you also.
Never thought of this. I constantly scan the internet using nmap, or similar, for pentest/bug bounty and never had a problem
How are you pentesting without knowing the IPs of your in-scope targets?
If your scope is wide enough, everything is in-scope.
Some times you get a IP Range, or a domain-wide scope
Scary - I get some strange URL that encouraged me to install some CSS plugin. How do you random those names? Are they only some random IPs? BTW. some history would be nice, as I couldn't find this server again :(
Like Chatrubate, but with servers? #sarcasm
IANAL but I would caution accessing these, they may constitute hacking in your local region.

I would doubly caution owning this, particularly given the wording on the site encourages messing with people’s servers…

It found http://127.249.137.9 for me and it totally works! I can even ssh to it, let's try a fork bo^#@~

[connection reset by peer]

I also found that on my end, forgot I was running lighthttpd with some test website.
function randomIP() {

  return int2ip(Math.random()\*4294967296) ;  
}

says it all - better don't "mess" with what you encounter

It doesn't even exclude RFC1918 and multicast addressses. Not really efficient.
This is an extremely bad idea. Your chances of getting some malware are probably more likely than not, after playing around with something like this for 10+ minutes...
How? The odds of hitting a site with a browser 0-day has to be extremely low, certainly not "more likely than not". Sure you might hit sites that try to get you to download malware, but just don't download anything.
Half the struggle in exploiting someone behind NAT/FW is getting them to engage with your infrastructure. Your attack surface is massively increased once you visit a website with your browser for instance.

I see other comments mentioning logging into random IPs over ssh. Now i trust the ssh client implementation more than most software, but it's easy to slip up and enable ssh agent forwarding for instance.

It was not for nothing that I realised in time that stock exchanges and quotations were not for me. I could not make any money on the ups and downs of exchange rates. But I managed to make an online betting application with the help of Nuxgame with their engine https://nuxgame.com/products/sport-engine . I was able to set everything up very quickly and even made my first money.
DO NOT DO THIS.

I have a few servers exposed on IP addresses, but they are not meant for public access. You have no authorization for 'messing' with this site: what you deem playing around, might be hacking.

You may also hit a government or military IP address, known or unknown. If you mess around with them, you may receive some unfriendly visits from men in black.

If its on the public internet with no security, how can someone tell if their access is unauthorised? Its not really that different from connecting to facebook.com or the various publically accessible ssh servers.
You have unprotected servers public facing on the internet? Cool. That's definitely not something you should be concerned about and addressing immediately.
> they are not meant for public access

Then, I think, you need to implement "reasonable measures" to secure them. Otherwise it's like putting your stuff out by the curb.

I mean, your IP is being crawled by random bots dozens of time per day, what's the difference between that website and the traffic your IP gets already?
Seriously, this is a laughable concern – if you have a "public facing server" you're already listed in Google, Shodan, being probed by dozens of IPs across the world...
I found this showing up in my logs recently.

     [21/Jun/2021:19:07:19 +0000] "GET / HTTP/1.1" 301 169 "-" "Expanse, a Palo Alto Networks company, searches across
 the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com"
I remember thinking that ads in server logs was a new one to me.
Let me explain, I am not running any services on standard ports. You'd have to do a port scan and find one of the ports running a web service. But they're HTTPs (with unsigned personal certificate keys, mind you) and are password protected.

I still get so. many. random people entering passwords and trying to break in. They don't look like a wordlist or automated bots, they're literally people guessing.

Just because you see a username and password screen after you nmap this public IP, doesn't give you the right to start trying to hack it.

You're making a normative argument; I'm making a positive one.

You ought not try random usernames/passwords on someone's public server, I agree. But if you expose a public server that lets someone type a username/password, you had best be ready for someone to guess values.

The legal argument, is that this is an illegal activity in certain jurisdictions, like the US, with USC 1030
I specifically purchased my internet connection with the intention of browsing the available content of all other connected hosts.

You DO NOT have my authorization to block or restrict my ability to mess with other hosts. Doing so may be a violation of my terms of service, and interference in interstate commerce.

I'm waiting for someone to get our corporate VPN on a blacklist just by clicking the button and hitting a honeypot. Granted, it's what I get for hitting the button without reading the code, so, shame on me?