| Shodan has existed for years and does practically the same thing (enumerates services, etc), but to a far greater extent. This year at Defcon there was a great talk about masscan and scanning the entire internet (they enumerated a lot of open VNC's right onstage during the talk). > Attempt to notify the operator. How? If it's just some IP address, there's little you can do other than login and leave a text file open telling them they have an open VNC (that would surely get my attention). The argument that a site like this should not exist because someone may exploit it just doesn't hold up. It's like saying we shouldn't post the IP addresses online of open mail relays, or open dns resolvers... which we (the "white-hat" community) did not... until it was discovered they were already posted online. Someone will do it... If a vendor is so incompetent as-to put an important PLC on the internet, let alone with a completely open VNC, that vendor should be shamed. If we build a list like this site has done, perhaps we can strongly encourage folks to not do this anymore. Heck, I'd love a search feature to be implemented on the site so I can double check I have no open VNC's on any of my IP's... |
Good point. But it's not laser-focused on a single thing and making that thing as easy as possible (I can just click on an image and be connected to the server!)
> How?
For some hosts it will be impossible. For others, it may be obvious or at least feasible; the company's name may be in the FQDN, the server may give a name in the VNC response that could be used, and if you're feeling grey-hat you could poke around and see what it does and who may own it.
> The argument that a site like this should not exist because someone may exploit it just doesn't hold up
I didn't say it shouldn't exist - just that some minimum form of self-censorship is the ethical course of action.
> Someone will do it...
Of course. But not everyone will make it this easy and accessible.
And I can appreciate the spirit in which this is done, if the "Hail Eris!" text on the page didn't make it obvious :) Being able to flag stuff is the concession, assuming it really does remove it from rotation.