RSync the old is still new…

RSync the old is still new...

This is a special blogpost for us.

We usually work on our research by ourselves and present it in the same way, but this time, this research was partially done in collaboration with the amazing team at Rapid7.

You should also check out their counterpart report here: https://blog.rapid7.com/2018/12/21/rsunk-your-battleship-an-ocean-of-data-exposed-through-rsync/

What is RSync ?

RSync is an utility initially released in 1996 to transfer files across systems. It was initially widely used in Unix systems to backup files and folders automatically.

In typical implementations you see rsync using SSH along with SSH authentication, which is a safe way to use it.

But, like everything else we have seen on the internet, some people use alternative ways that expose folders with no authentication whatsoever, and therefore exposing entire folders of backups, photos, videos and documents to be completely open on the internet.

But why is it, that after so many years of RSync being released, we are still looking at it ?

Because tis' the season of gifts!

Picture the following scenario, you have a huge quantity of family photos and videos, documents from work and a couple more things you would like to preserve for the future. So, for Christmas you decide to buy yourself a brand new NAS (Network Access Storage) so that you can keep all of those files while freeing up your laptop or computer hard drive.

This is where we find some issues; users bring their brand new NAS home, plug it into the network and then try to make it accessible from outside, and the NAS trying to focus on usability ends up often allowing the user to expose these with no authentication, to much of our dismay.

We also see this happening a lot with SME's that try to automate their backup process and in trying to copy them offsite endup with an insecure configuration.

Modules

Modules are the equivalent of folders in RSYNC.
One event in our scans looks as follows:

> {
"origin": {
	"type": "rsync",
	"job_id": "0418a2bc-bb79-4f55-8a55-dddb33282ceb",
	"client_id": "binaryedge",
	"module": "grabber",
	"country": "uk",
	"ts": 1545356724931,
	"ip": "XXX.XXX.XXX.XXX"
},
"target": "ip": "XXX.XXX.XXX.XXX",
"port": 873,
"protocol": "tcp"
}, "result": {
    "data": {
        "version": "31.0",
        "status": "public",
        "banner": "",
        "modules": [{
            "module": "release",
            "status": "@RSYNCD: AUTHREQD"
        }, {
            "module": "sandbox",
            "status": "@RSYNCD:OK"
        }, {
            "module": "sandbox_public",
            "status": "@RSYNCD:OK"
        }, {
            "module": "alpha",
            "status": "@RSYNCD: OK"
        }, {
            "module": "XXX_demo",
            "status": "@RSYNCD: OK"
        }, {
            "module": "XXX_prod",
            "status": "@RSYNCD: OK"
        }]
    }
}
}

In this case it belongs to a startup, which happen to have their demo and prod environments folders (or modules) open with RSYNC being able to connect without any authentication (unlike, for example the module "release).

If we look at the top module names, accessible without any authentication, we have found it looks as follows:

Hits Found - Module name

Name Count
f1man 2,012
chap 1,750
pptp 1,750
etc 863
debian 694
backup 665
rpki 658
ubuntu 611
centos 588
root 562

Some of module names are easily to directly identify with Linux releases, the reason for this is because many distributions still make rsync servers available for people that want to use this utility to get distribution files.

Others are typical unix folders such as etc or root, some present a more worrying picture, such as surveillance and backup, these are the ones companies should be worried about.

The numbers

Worldwide we found 3.308,612 IP addresses exposing some service on port 873, out of these 231,708 had rsync running.

This doesn't mean all 231,708 were exposing open modules. For that as we mentioned before we need to check which IP addresses are at a minimum giving back 1 OK.

And worldwide we found 18,471 IP addresses giving back at least 1 OK.

Some stats obtained via app.binaryedge.io:

RSync the old is still new...

As typical with most of our scans (we do make exceptions like our .ENV scan from our previous post) we have injected these into https://app.binaryedge.io and you can use the host search to check if you or your company is exposing any of your rsync services to the internet and explore the dataset.