1% of all Runet sites keep their memcached open to the world. Some statistics

- How do I authenticate?
- You don't!

This is a quote from the memcached FAQ.

Yes, memcached provides no authentication out of the box, so it is up to the administrator to take a small step to close the server off from free access: for example, run it at, or use a firewall. How many Runet sites did this?

Of the slightly more than 3.5 million .ru zone sites that responded to my script over HTTP, 39 thousand run a memcached server that is open to the world on the standard port 11211. This number is so monstrous that I even thought about creating a Memcached-as-a-Service offering that would store client data on a random set of, say, one hundred open memcached servers. Of course, the speed of working with such a virtual memcached would be much lower, but what reliability :)

Popular sites where the vulnerability was found

It came as a surprise to me that open memcached can be found even on completely static sites, abandoned sites in the style of the 90s, and sites with near-zero traffic, that is, where it is clearly not needed and it is hard to imagine where an open memcached on such a site even came from. But popular sites did not stand aside either. The sad statistics include, for example:
  • mtsbank.ru MTS Bank stores the results of its SQL queries in an open memcached
  • befree.ru chain of clothing stores befree
  • kfc.ru famous restaurant chain
  • ng.ru independent newspaper
  • rt.ru official site of Rostelecom
  • zyxel.ru famous manufacturer of network equipment

I sent notifications to all these sites that they had become the heroes of this article. At Rostelecom, access was closed right while I was connected and making requests; commendable speed from the admins.

What is usually stored on “public” memcached servers?

Very often these are fragments of layout or the HTML of whole pages, arrays of numbers, small texts. Sometimes the keys are SQL queries, so the database structure is visible too. There are password recovery tokens and registration confirmations. And yes, user sessions often live in memcached. In 99% of cases such a session starts automatically for every visitor, is empty and is not used in any way :) but it is carefully stored in RAM, apparently to speed up the site.

Some interesting statistics

memory allocated for memcached

On most hosts memcached takes the default memory limit (64 MB); there are almost 18 thousand such installations. Interestingly, 256 megabytes holds a solid second place, while 128 megabytes is set on fewer than two thousand servers. More than two thousand administrators allocated two gigabytes to memcached. When plotting I discarded exotic non-standard values, of which there were fewer than a hundred.

amount of data in cache

It is immediately clear that most open memcached servers are simply empty; I often saw completely empty hosts with zero bytes in use. Almost 25 thousand servers hold less than a megabyte in cache. Fewer than five hundred servers have more than two hundred megabytes cached, and none has more than two gigabytes.

hit-rate (cache hit rate)

Horizontally, the percentage of cache hits; vertically, the number of servers with that hit percentage. It turned out that there are memcached servers whose cache hit rate is exactly 0%! Most likely the tool is being used for some other purpose in those cases. The memcachedAdmin web interface issues a warning when the hit rate is below 90%; such servers made up 73% of the total.
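The three figures plotted above (memory limit, bytes in cache, hit rate) all come straight out of the memcached `stats` reply, and the same one-line request is the quickest way to check whether your own server answers from outside, as the "close it off" advice earlier in the post suggests. Below is an added example, not code from the original post: it parses a constructed `stats` reply, computes those three figures (treating a server that has never served a GET as having no hit rate rather than a 0% one), and includes a small self-check function that asks one host for `stats`. The sample reply is made up for the example.

```python
import socket

# Constructed sample of a memcached "stats" reply, modelled on the text
# protocol; it is not output captured from any real host.
SAMPLE_STATS = (
    b"STAT pid 1234\r\nSTAT uptime 86400\r\n"
    b"STAT limit_maxbytes 67108864\r\nSTAT bytes 0\r\n"
    b"STAT get_hits 0\r\nSTAT get_misses 0\r\nSTAT curr_items 0\r\nEND\r\n"
)

def parse_stats(raw):
    """Turn the 'STAT <name> <value>' lines of a stats reply into a dict."""
    stats = {}
    for line in raw.decode("ascii", "replace").splitlines():
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats

def summarize(stats):
    """Compute the three per-server figures the article plots."""
    hits = int(stats.get("get_hits", 0))
    misses = int(stats.get("get_misses", 0))
    # A server that has never served a GET has no hit rate at all; keep
    # that distinct from the strict 0% case the article observed.
    hit_rate = hits / (hits + misses) * 100 if hits + misses else None
    return {
        "limit_mb": int(stats.get("limit_maxbytes", 0)) // (1024 * 1024),
        "bytes_cached": int(stats.get("bytes", 0)),
        "hit_rate_pct": hit_rate,
        # memcachedAdmin's warning threshold, as quoted in the text.
        "low_hit_rate": hit_rate is not None and hit_rate < 90.0,
    }

def fetch_stats(host, port=11211, timeout=3.0):
    """Ask one memcached instance for 'stats'; None if it does not answer.
    Run against your own server's public address: a reply means it is
    exposed and should be bound locally or firewalled."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"stats\r\n")
            buf = b""
            while not buf.endswith(b"END\r\n"):
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
        return buf
    except OSError:
        return None
```

Offline, `summarize(parse_stats(SAMPLE_STATS))` reports the 64 MB default limit with an empty cache and no hit rate; `fetch_stats("<your public address>")` returning anything other than `None` is the symptom the article is counting.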

Future plans

For completeness it would be nice to scan other domain zones as well, and that will happen soon.
