MongoDB instances publicly exposed on the Internet (shodan.io)
70 points by lladnar on Dec 18, 2015 | hide | past | favorite | 22 comments



Huh, anybody know why DrugSupervise is in the top table names? Googling didn't give me any results and it sounds like some kind of webapp for drugs or something.


I found some mentions of "DrugSupervise" on a bunch of Chinese language sites, which led me to find drugadmin.com. A Google Translate of the title tag tells me it's a "Home _ Chinese Drug electronic monitoring network." I found another website with troubleshooting instructions that claim .NET as a dependency and show a Windows XP task manager with a process named DrugSupervise.exe. That support website lists the owner as "CITIC Technology Group", which may or may not be connected to the state-owned investment group "China International Trust and Investment Corporation", which offers a bunch of cloud services through their various subsidiaries.

I also found a GitHub repo with some C# code: https://github.com/katway/DrugSupervision

That's all I've got.


Good find.

Since it is not a Web App and hence not publicly available to exploit:

Use of String.Format instead of parameterized queries is how SQL injection issues sneak in. (Line 63, https://github.com/katway/DrugSupervision/blob/GuiDesign/Dru...)
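The pattern called out in that comment, as an added example that is not code from the DrugSupervision repository or from the commenter: a Python/sqlite3 stand-in for the C# String.Format case, with a constructed table and constructed inputs, showing the formatted query next to the parameterized one so the difference in results is visible.

```python
import sqlite3


def make_db():
    # Constructed sample table; not data from the repository or the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE drugs (name TEXT, dose TEXT)")
    conn.executemany(
        "INSERT INTO drugs VALUES (?, ?)",
        [("morphine sulfate tablet", "20mg"),
         ("codeine phosphate injection", "15mg")],
    )
    conn.commit()
    return conn


def lookup_formatted(conn, name):
    # Weak pattern: the caller-supplied value is pasted into the SQL text,
    # the Python equivalent of C#'s String.Format("... WHERE name = '{0}'", name).
    # A quote character in `name` ends the literal and becomes SQL.
    sql = "SELECT name, dose FROM drugs WHERE name = '{}'".format(name)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened pattern: the value is bound as a parameter and is only ever
    # compared as data, whatever characters it contains.
    sql = "SELECT name, dose FROM drugs WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    # Returns the four results side by side so the difference can be checked.
    conn = make_db()
    benign = "morphine sulfate tablet"
    # Constructed input containing a quote character, the kind of value a
    # free-text search field would pass straight through.
    odd_input = "x' OR '1'='1"
    return {
        "formatted_benign": lookup_formatted(conn, benign),
        "formatted_odd": lookup_formatted(conn, odd_input),
        "param_benign": lookup_parameterized(conn, benign),
        "param_odd": lookup_parameterized(conn, odd_input),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

The formatted version returns every row for the odd input because the filter no longer means what the code intended; the parameterized version returns nothing, since no name equals that string. Reviewing for `String.Format` / f-string / concatenation feeding `ExecuteReader`, `execute` or the like is the quick way to find this class of defect in a code base.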


Shodan itself shows that all instances of this database are located in China, and there are 390 instances of it. Top organizations are:

  China Telecom Yunnan     83
  China Telecom xinjiang   80
  China Telecom            60
  China Unicom Shandong    11
  China Telecom Chongqing  10

Connecting to one instance in particular, 183.221.158.220:

  > show dbs;
  DrugSupervise  0.125GB
  local          0.03125GB
  > use DrugSupervise
  switched to db DrugSupervise
  > show collections
  DrugSupervise.Entity.Models.DictList.DictCodeList
  DrugSupervise.Entity.Models.DictList.DictCodeTypeList
  DrugSupervise.Entity.Models.DictRegion.DictRegionList
  DrugSupervise.Entity.Models.EntPartner.EntPartnerList
  DrugSupervise.Entity.Models.PhysicsName.PhysicNameList
  DrugSupervise.Entity.Models.RIOS.InOutStoreD`1[DrugSupervise.Entity.Models.PI.PurchaseInStore]
  DrugSupervise.Entity.Models.RIOS.InOutStoreD`1[DrugSupervise.Entity.Models.RG.GetDrugOutStore]
  system.indexes

Looking at the DrugSupervise.Entity.Models.PhysicsName.PhysicNameList collection, I see a bunch of stuff like this:

  { "_id" : BinData(3,"s6CfpmQtDkG5Nh3lqDGOQQ=="), "physicName" : "磷酸可待因注射液", "physicInfo" : "磷酸可待因注射液 注射剂 15mg" }
  { "_id" : BinData(3,"3Aa7ZwXzy0ax2KRCFRhsSg=="), "physicName" : "硫酸吗啡口服溶液", "physicInfo" : "硫酸吗啡口服溶液 口服液 10ml:30mg" }
  { "_id" : BinData(3,"t9+GHfNq10eqqi2EaqhQKA=="), "physicName" : "枸橼酸舒芬太尼注射液", "physicInfo" : "枸橼酸舒芬太尼注射液 注射剂 2ml:100vg(以舒芬太尼计)" }
  { "_id" : BinData(3,"bFLxr6tN0kO8vso+BTjB5w=="), "physicName" : "硫酸吗啡片", "physicInfo" : "硫酸吗啡片 片剂 20mg" }
  { "_id" : BinData(3,"5FGsZIWsPE6L+UQSTEfVag=="), "physicName" : "盐酸吗啡片", "physicInfo" : "盐酸吗啡片 片剂 30mg" }

I have no idea what this is, but it looks like some kind of registry of prescriptions.


The article misses another huge and overlooked issue: there are databases that are not accessed via a public Internet address because they are filtered by a firewall BUT are accessed via the local network because in many VPS services you can connect to all the VMs inside the same region internally. Look at this thread: https://www.reddit.com/r/AskNetsec/comments/3mqufn/how_do_yo...
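The point in that comment, that a firewall on the public address says nothing about what the service is bound to on the provider's internal network, is something you can check from the host itself. The following is an added example, not code from the article or from the commenter: it parses listener lines in the layout of `ss -ltn` output (the sample lines are constructed, and the port-to-service table is an assumption you would adjust to your own stack) and flags datastore listeners that are reachable beyond loopback, distinguishing private-range binds from all-interface binds.

```python
import ipaddress

# Constructed sample in the layout of `ss -ltn` output; not taken from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:27017      0.0.0.0:*
LISTEN  0       128     10.0.0.5:27017       0.0.0.0:*
LISTEN  0       128     0.0.0.0:11211        0.0.0.0:*
LISTEN  0       128     [::1]:5432           [::]:*
LISTEN  0       128     *:22                 *:*
"""

# Assumed table of datastore ports that should normally stay on loopback
# (or behind authentication and an explicit allow-list at the very least).
DATASTORE_PORTS = {
    27017: "mongodb",
    11211: "memcached",
    5432: "postgresql",
    3306: "mysql",
    6379: "redis",
}


def parse_ss(text):
    """Return (host, port) tuples for every LISTEN row, skipping the header."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")   # split at the last colon (IPv6-safe)
        listeners.append((host.strip("[]"), int(port)))
    return listeners


def classify(host):
    """Where a bind address is reachable from."""
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        # Filtered from the Internet, but other tenants on the provider's
        # internal network may still reach it (the case raised in the comment).
        return "private-network"
    return "public"


def audit(text):
    """List datastore listeners that are bound to anything other than loopback."""
    findings = []
    for host, port in parse_ss(text):
        service = DATASTORE_PORTS.get(port)
        if service is None:
            continue
        scope = classify(host)
        if scope != "loopback":
            findings.append((service, host, port, scope))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT):
        print("%-10s %-12s %5d  %s" % finding)
```

On a live host, feed it the real `ss -ltn` output (`audit(subprocess.check_output(["ss", "-ltn"], text=True))`). A "private-network" finding is exactly the case the comment describes: the service does not show up on Shodan, but it is still one misconfigured neighbour VM away from being read.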


This is a bit click-bait-y. Mongo gets a lot of flak, but this really applies to any database.


Author here: I completely agree that it applies to any database and I tried to mention it in the article. The reason I wrote about MongoDB is:

- I wrote about it before and could compare results from my previous post

- It's popular and there are a lot of public instances of it

- MacKeeper exposed 13 million user accounts through their public MongoDB instance

And I actually wrote a follow-up post on Memcached to highlight the same issue: https://blog.shodan.io/memory-as-a-service/


Unfortunately that's not how your article has been interpreted, especially not in the reddit thread, which has (predictably) devolved into an incoherent MongoDB hate-fest.


The author doesn't owe mongoDB a PR whitewash.


I'm not talking about what the author wrote, I'm talking about the 500 posts whose entire takeaway was 'mongo is retarded'. Reread what I wrote.


I don't understand how this is "click-bait-y." The link title says it just like it is. It is an article about Mongo databases publicly exposed on the internet.

Also, the author stresses that this problem is not unique to mongo.



Believe it or not, this is one of the top reasons people who tried PostgreSQL got a bad first experience and skipped to MySQL. Granted, they probably were not highly skilled in databases or in basic networking and security, or just couldn't be bothered to look up how to fix that weird "connection refused from non-localhost IPs" error.


The post is a little bit shallow, but the author does recognize exactly this point at the end of the post.


That 684.8 TB of data would be 1200TB if Mongo had better data integrity :p


I discovered shodan.io recently when I was tailing the logs of a VPN server and saw a connection attempt from an IP I did not recognize. The IP was registered to shodan.io and tried to connect without authentication credentials. I looked up the IP of my box on Shodan and sure enough, there it was, right on the wall of sheep.

Of course I blame myself for not whitelisting IP addresses, but I did not appreciate the connection attempt. Passive port scanning is one thing, but actively trying to establish a VPN session is another.

I was under the impression that port scanning IP addresses on the open internet without prior authorization was illegal under the CFAA. Obviously that's a provision commonly ignored by researchers, but at least they disclose any port scanning activity with some discretion and acknowledgement of its potential illegality. I'm surprised how blatantly upfront Shodan is about its operation.

Does anyone know the deal with this company/website? Why are they not worried about prosecution for their mass port scanning?


You have the wrong impression. No United States law criminalizes port scanning. This is a legal and useful service.

See for yourself: https://nmap.org/book/legal-issues.html

Even if it were illegal, wouldn't the answer simply be to rent servers in a country where it isn't illegal (or is even condoned by the government) and scan away? I'd imagine most government responses to this would be IDGAF.


> Why are they not worried about prosecution for their mass port scanning?

In his talks the founder says he provides law enforcement with all the crawled data for free and that he has regular contact with the US CERT. So there doesn't seem to be any legal problem.

My opinion: shodan doesn't try to exploit any known backdoors or common user/password combinations. Testing for anonymous/guest logins is fine in my view.


> In his talks the founder says he provides law enforcement with all the crawled data for free

Why is this a good thing?

Isn't it like trying every door in a neighbourhood and handing the FBI a list of all the properties that have been left unlocked?

Oh - and there's that very useful exploit dictionary too.

I ban all the shodan IPs I can find as a matter of policy.


It's not necessarily a good thing, but it's a good indicator that it isn't obviously illegal (because otherwise law enforcement would try to hide that connection better).


I mean this in the nicest possible way, but...

You are bizarrely off base as to US law, ethical norms, and general customs. Shodan is doing nothing illegal or immoral; the fact that you think they might be suggests that you should step back and rethink your mental model of the internet, because that may not be the only mistake you've made.

(A couple of prosecutions have been attempted under the CFAA; they were thrown out as being completely groundless. On the other hand, other countries have other laws.)


Seems like a net positive to notice some attempt that likely has little/less/no malice, that may aid you in preparing to increase your security to be more prepared for when someone that actually has malice does the same thing.



