I don't quite understand what this means: "out of the nearly 5 million banners in Shodan for Vietnam 1.5 million of them resolve to localhost." "there are a total of 1,528,188 banners in Shodan that resolve to localhost".
I can gather that this is the company Shodan, and that they make reports regarding internet connected devices, but what is a 'banner' is this instance?
or more accurately SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 which is the first thing a particular SSH daemon will send on receiving a connection from a client
Ah I've heard these referred to as 'login banners' or '<service name> banners' before. Thanks!
One wouldn't normally 'resolve a banner' though, since it might contains the version of a service used, and other information other than what a Unix `hostname` command would return. You'd resolve the hostname mentioned in the banner.
Shodan is a search engine for internet-connected devices. "Banners" in this context are "service banners", the metadata servers send about themselves to clients.
A banner is the result of Shodan crawling a service/ port on an IP. For example, a HTTP banner would be the HTTP Header that gets returned from a website ala:
HTTP/1.1 200 OK
Server: Apache
...
The banner includes metadata about the service/ software that is running on the device.
I don't know what they are referring to. I noticed that Vietnam Posts and Telecommunications Group owns 123.30.128.0/18 and 203.162.0.0/23 and a lot of IPs from those subnets have a PTR record of static.vdc.vn.
However, static.vdc.vn resolves to 203.162.0.78, not 127.0.0.1
There is another large network, 113.160.0.0/113.191.255.255 that seems to have PTR records of static.vnpt-hanoi.com.vn for all IPs, however that hostname has no A/AAAA record.
Pretty sloppy.
Looks like this has nothing to do with DNS, instead it's the hostname the machine displays in its banners for services like FTP or SSH.
The OP article probably means rDNS lookup, where IP is resolved to DNS name. For consumer IP's it would look something like 12-23-45-234.gw123.vietnamtelecom.net.
Edit: which usually gives a better idea of the host's origin than raw IP.
DNS works both ways. It has pointer (PTR) records which allow you to assosciate an IP address you control with a domain name. Those are the opposite of an address record (A) with which you assosciate a domain name you control with an IP address.
For Google.com, I can get an A record (IP address)
Google uses a service domain 1e100.net for their machines.
Although maybe OP only means the hostname in the banner message. I grepped my mail logs for hostnames from Vietnam and couldn't find any IPs that would resolve back to localhost.
When an isp gets a ip allocation, they specify the nameservers to use, and are responsible for that "subdomain" of the in-addr.arpa domain. If you trace the full resolve, it first goes to the root .in-addr.arpa servers, then arin.net nameserver, then finally you end up at:
;; AUTHORITY SECTION:
208.58.216.in-addr.arpa. 86400 IN NS ns3.google.com.
Can someone explain how this link has made it to number one on the front page, when it seems from the comments that no one understands what the page is saying?
Banner is whatever information a remote connection gives you when you connect.
For ssh that will be some information about the server, version of ssh, hostname, and (hopefully) a prompt to login, or a request for a key.
For http, it will be a handful of headers about the server.
Tools like Shodan scan the internet looking for active connections, and try to banner-grab on common ports, looking for details like server versions, operating system versions, etc for a long list of protocols like telnet, http, ssh, smtp, vnc, remote desktop (often with screenshots of the remote system, disturbing often unauthenticated straight to the desktop or running program), etc.
If you're of a malicious mindset, when a new vulnerability is discovered, or an old one, you can look up a list of vulnerable systems from the database, searching by service and version, rather than scanning the internet yourself.
I don't know who the target audience is but I think the author should include a small parenthesis explaining "banner". I thought it was referring to their software crawling ad banners online or something.
How do “banners in Shodan [...] resolve to localhost”??? WTF??? This is quite cryptic. Luckily, I live not on Shodan, but on planet Earth where `localhost` resolves to 127.0.0.1.
Based on some very rough sampling, a significant majority of the addresses allocated to VDC in the 123.16/16 network reverse resolve to localhost. This appears to be intended behavior, and accounts for ~70% of the numbers in the Shodan report.
In fact, if you go through the list of networks advertised by AS45899 [1], I imagine that you'd find this is the case for quite a few of them. A quick look indicates this to be true.
Banner here seems to refer to the 'banner' output of ssh, or telnet, or some other service (those are the most likely however imho).
When you connect over services, the banner (the first information presented to the client, before authentication) can be configured to include the 'hostname' setting of the server you have connected to.
If I am right about that, this means that the hostname setting of the server is still set to localhost, as it is default out of the box until configured.
36 comments
[ 5.5 ms ] story [ 107 ms ] threadI can gather that this is the company Shodan, and that they make reports regarding internet connected devices, but what is a 'banner' is this instance?
In the context of SSH, a banner might be
root@localhost's password:
or more accurately SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1 which is the first thing a particular SSH daemon will send on receiving a connection from a client
One wouldn't normally 'resolve a banner' though, since it might contains the version of a service used, and other information other than what a Unix `hostname` command would return. You'd resolve the hostname mentioned in the banner.
HTTP/1.1 200 OK Server: Apache ...
The banner includes metadata about the service/ software that is running on the device.
However, static.vdc.vn resolves to 203.162.0.78, not 127.0.0.1
There is another large network, 113.160.0.0/113.191.255.255 that seems to have PTR records of static.vnpt-hanoi.com.vn for all IPs, however that hostname has no A/AAAA record.
Pretty sloppy.
Looks like this has nothing to do with DNS, instead it's the hostname the machine displays in its banners for services like FTP or SSH.
113.169.170.93
You can get a list of affected IPs by searching as follows:
https://www.shodan.io/search?query=hostname%3Alocalhost
http://www.ip-tracker.org/locator/ip-lookup.php?ip=113.165.1...
BTW, I don't know why they did that.
What does this even mean?
First of all, what does it mean than an IP resolves to a hostname? I thought it's the otherway around: hostnames resolve to IPs.
Second, isn't this .. normal? localhost is always your local machine.
Please help me understand
Edit: which usually gives a better idea of the host's origin than raw IP.
You can do a reverse DNS lookup, which uses PTR records. See:
https://tools.ietf.org/html/rfc1033
For Google.com, I can get an A record (IP address)
but I can also get a domain name for that IP Google uses a service domain 1e100.net for their machines.Although maybe OP only means the hostname in the banner message. I grepped my mail logs for hostnames from Vietnam and couldn't find any IPs that would resolve back to localhost.
EDIT: 'nanofortnight https://news.ycombinator.com/item?id=9068054 found a range of addresses that do.
A reverse dns lookup actually just does a lookup of {the ip address with octets reversed}.in-addr.arpa:
You can actually look that up directly too: When an isp gets a ip allocation, they specify the nameservers to use, and are responsible for that "subdomain" of the in-addr.arpa domain. If you trace the full resolve, it first goes to the root .in-addr.arpa servers, then arin.net nameserver, then finally you end up at: which will return the actual ptr record.https://www.shodan.io/search?query=hostname%3Alocalhost
That gives you a list of IPs that you can check for yourself are affected by the issue.
[1]: https://news.ycombinator.com/item?id=9065375
For ssh that will be some information about the server, version of ssh, hostname, and (hopefully) a prompt to login, or a request for a key.
For http, it will be a handful of headers about the server.
Tools like Shodan scan the internet looking for active connections, and try to banner-grab on common ports, looking for details like server versions, operating system versions, etc for a long list of protocols like telnet, http, ssh, smtp, vnc, remote desktop (often with screenshots of the remote system, disturbing often unauthenticated straight to the desktop or running program), etc.
If you're of a malicious mindset, when a new vulnerability is discovered, or an old one, you can look up a list of vulnerable systems from the database, searching by service and version, rather than scanning the internet yourself.
[1]: http://bgp.he.net/AS45899#_prefixes
When you connect over services, the banner (the first information presented to the client, before authentication) can be configured to include the 'hostname' setting of the server you have connected to.
If I am right about that, this means that the hostname setting of the server is still set to localhost, as it is default out of the box until configured.