
1% of all RuNet sites keep their memcached open to the world. Some statistics

- How do I authenticate?
- You don't!

This is a quote from the memcached FAQ.

Yes, memcached provides no authentication by default, and it is up to the administrator to take the small step of closing the server off from public access: for example, bind it to 127.0.0.1, or use a firewall. How many RuNet sites have done this?

Out of a little over 3.5 million .ru sites that answered my HTTP script, 39 thousand have a memcached server running and open to the world on the standard port 11211. This number is so monstrous that I even thought about creating a Memcached-as-a-Service offering that would store customer data on a random set of, say, one hundred open memcached servers. Of course, the speed of working with such a virtual memcached would be much lower, but think of the reliability)

Popular sites where vulnerabilities are found


For me it was a surprise that open memcached can be found even on completely static sites, abandoned sites in the style of the 90s, and sites with near-zero traffic, that is, where it is clearly not needed and hard to imagine where memcached came from. But popular sites did not stand aside either. The sad statistics include, for example


I sent notifications to all these sites that they had become heroes of this article. At Rostelecom, access was closed right as I connected and made requests; commendable speed from the admins.

What is usually stored on "public" memcached servers?


Very often these are pieces of layout or the HTML of whole pages, arrays of numbers, small texts. Sometimes the keys are SQL queries, so the database structure is visible as well. Password recovery and registration confirmation tokens turn up. And yes, user sessions are often in memcached. In 99% of cases this session is started automatically for every visitor, empty and not used at all), but it is carefully stored in RAM, apparently to speed up the site.

Some curious statistics



Amount of memory allocated to memcached


On most hosts, memcached occupies the default amount of memory (64 MB). There are almost 18 thousand such installations. Interestingly, a solid second place goes to 256 megabytes, while 128 megabytes is configured on fewer than two thousand servers. More than two thousand administrators allocated two gigabytes to memcached. When plotting, I threw out exotic non-standard values that appeared on fewer than a hundred servers.

Amount of data in the cache


It is immediately obvious that most of the open memcached servers are simply empty. I often saw completely empty hosts, with zero bytes occupied. Nearly 25 thousand servers hold less than a megabyte in the cache. Fewer than five hundred servers hold more than two hundred megabytes, and none holds more than two gigabytes.

Hit rate (cache hit percentage)


Horizontally, the percentage of cache hits; vertically, the number of servers with that hit percentage. It turned out that there are memcached servers whose cache hit rate is exactly 0%! Most likely the tool is being used for some other purpose in those cases. The memcachedAdmin web interface issues a warning if the hit rate is below 90%. Such servers turned out to be 73% of the total.
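The three figures above (memory limit, bytes in the cache, hit rate) all come from the plain-text `stats` command. As an added example that is not part of the original article, here is a small Python script that parses a `stats` reply and computes those figures for your own server; the sample reply is constructed, and `fetch_stats` defaults to the loopback address so you can check whether your instance is listening where you expect.

```python
import socket

# Constructed sample of a `stats` reply: default 64 MB limit, an almost empty cache, poor hit rate.
SAMPLE_STATS = (
    "STAT pid 1234\r\n"
    "STAT uptime 86400\r\n"
    "STAT curr_items 3\r\n"
    "STAT bytes 2048\r\n"
    "STAT limit_maxbytes 67108864\r\n"
    "STAT get_hits 120\r\n"
    "STAT get_misses 880\r\n"
    "END\r\n"
)
HIT_RATE_WARNING = 90.0  # memcachedAdmin warns below this, as the article notes

def parse_stats(reply: str) -> dict:
    """Turn 'STAT <name> <value>' lines into a dict; stop at the END line."""
    stats = {}
    for line in reply.splitlines():
        if line == "END":
            break
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats

def summarize(stats: dict) -> dict:
    """Compute the figures the article charts: memory limit, bytes used, hit rate."""
    hits = int(stats.get("get_hits", 0))
    misses = int(stats.get("get_misses", 0))
    lookups = hits + misses
    hit_rate = 100.0 * hits / lookups if lookups else 0.0  # a never-queried cache counts as 0%
    return {
        "limit_mb": int(stats["limit_maxbytes"]) // (1024 * 1024),
        "bytes_used": int(stats.get("bytes", 0)),
        "hit_rate": round(hit_rate, 1),
        "low_hit_rate": hit_rate < HIT_RATE_WARNING,
    }

def fetch_stats(host: str = "127.0.0.1", port: int = 11211, timeout: float = 3.0) -> dict:
    """Ask a memcached instance you administer for its stats over the text protocol."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"stats\r\n")
        buf = b""
        while not buf.endswith(b"END\r\n"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_stats(buf.decode("ascii", errors="replace"))
```

Running `summarize(parse_stats(SAMPLE_STATS))` on the constructed sample reports a 64 MB limit, 2048 bytes used and a 12% hit rate, which is exactly the profile of most of the servers counted above.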

Future plans


For completeness, it would be nice to scan other domain zones as well, and that will happen soon.

Source: https://habr.com/ru/post/212265/