
Jan 20, 2014

Dangers of Public Facing “Private” ftp servers

In today’s age of the internet, nothing is truly private. Crawlers search the internet and catalog everything. And oh boy do I mean everything.
Out of curiosity one day, I decided to use Google's search engine to amuse myself. My initial thought was about bitcoins, as I am gung-ho for them, and I mine litecoins and dogecoins myself.
Here is my query:

Wallet filetype:dat site:dropbox.com
Results:



Wow, look at those people who weren't very bright. So after some magic conversions, I managed to open just one of those bitcoin wallets and here is what I saw:



Now I am getting excited and I want to see how far this rabbit hole goes. I started thinking about what would be a great place to store my backups, and I figured FTP servers would be great.
Googling for FTP search engines led me to http://filemare.com, which appeared to be a great search engine.
Searching for the same file pattern as with Google, I was able to find a few wallets of various coins; however, this time people had file permissions of 0600 set on them, so no dice in downloading them. Good on them.
But where else does this rabbit hole go? I noticed that various other files came up that matched the string “wallet”. What did I find? Something called “eWallet”, which links to the software at http://www.iliumsoft.com/ewallet
I found hundreds of these from a good ten to twenty people who had backed up their password storage for websites and credit cards. I was shocked that people would do this. I downloaded one of these files and proceeded to open it up with the software. Password encrypted, good on the company. Research into the software revealed that versions older than 7.1 used MD5, and with a simple hexdump command you can pull out the hash. I attempted to do it but was unsuccessful, more than likely because I am on my Windows laptop and my hexdump tool is poor at best. Either that or I just suck. However, I was able to see categories inside these dumps, for example:
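The one thing that stopped the downloads above was a 0600 file mode. As an added example (not code from the original post), here is a defender-side audit you could run against your own FTP root: it walks the tree, flags the kinds of files the post describes (wallet.dat, eWallet, Outlook PST, KeePass, SQL dumps) whose mode lets group or others read them, and can tighten them to owner-only. The eWallet ".wlt" and KeePass ".kdb/.kdbx" extensions are assumptions.

```python
"""Audit a directory tree (e.g. an FTP root) for sensitive files that are
readable by group or others. Added example, not code from the original post."""
import fnmatch
import os
import stat
from typing import List, Tuple

# Name patterns for the file types the post describes; the eWallet ".wlt"
# and KeePass ".kdb/.kdbx" extensions are assumptions, not from the post.
SENSITIVE_PATTERNS = ["wallet.dat", "*.wlt", "*.pst", "*.kdb", "*.kdbx",
                      "*.sql", "*.sql.gz"]

# Either bit set means someone other than the owner can read the file; on a
# shared or anonymous FTP server that effectively means the whole internet.
OTHER_READ = stat.S_IRGRP | stat.S_IROTH

def is_sensitive_name(name: str) -> bool:
    return any(fnmatch.fnmatch(name.lower(), p) for p in SENSITIVE_PATTERNS)

def find_exposed(root: str) -> List[Tuple[str, str]]:
    """Return (relative path, octal mode) for sensitive files not locked to 0600."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_sensitive_name(name):
                continue
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # report real files only, not links
                continue
            mode = stat.S_IMODE(os.stat(full).st_mode)  # permission bits only
            if mode & OTHER_READ:
                hits.append((os.path.relpath(full, root), oct(mode)))
    return sorted(hits)

def lock_down(root: str, dry_run: bool = True) -> List[str]:
    """Strip group/other bits from exposed files (the 0600 the post ran into).
    Dry-run by default so the audit can be reviewed before anything changes."""
    changed = []
    for rel, _mode in find_exposed(root):
        full = os.path.join(root, rel)
        if not dry_run:
            os.chmod(full, stat.S_IMODE(os.stat(full).st_mode) & ~0o077)
        changed.append(rel)
    return changed

if __name__ == "__main__":
    # FTP_ROOT is an assumed environment variable for this example
    for rel, mode in find_exposed(os.environ.get("FTP_ROOT", ".")):
        print(mode, rel)
```

Run it with `dry_run=True` first and review the list; 0600 only helps if the FTP daemon itself runs as the file owner, so an anonymous FTP account should not own these files at all.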



So where else does this go? Outlook PST files are publicly available. A quick download, opened with a read-only PST viewer:



Or how about this? A private KeePass key


How about shipping orders for flowers?



Paypal transaction histories?


Are you kidding me???? This guy has his social security number, address, income and more listed in just one public-facing tax document?


T-Mobile account, phone number(s) and payment information:






Bank account info:



I even found a website; they backed up their entire SQL database, as their website is currently down:




How about an entire phone's CWM backup?




This is crazy! I cannot believe what I found. Why would people allow this type of information to be posted?

The answer: lack of education. Total for the day: 12 people’s lives could have been ruined by me. I’m not even sure if I should contact these people. Embarrassment can cause people to lash out. I've blurred the screenshots as best I can, and all my research files are being deleted. My favorite find today?
ftp://xxxxxx.xxxxx.xxxx/Username/Backup/Dropbox/Private



Jan 7, 2014

Don't care for your boss

Completed RIT1 last week, which is one of the leadership classes; the official title is "Leadership Concepts and Application". I spent the entire week and a half sobbing and crying as I worked my way through it. Why, you ask? Because it was dry, boring, and uninteresting to me. I do not particularly care for HR stuff, so forcing myself through that course was painstaking. I quickly read the chapters and did my Taskstream essays. There were four of them and each got sent back to me two to three times to get rewritten. It was very frustrating.
What was particularly frustrating was the Turnitin plagiarism check software they had built in. This scans your paper, compares it to others and decides if you stole others' ideas. Great in theory but bad in practice. While I completely understand the need for this software, the problem was that WGU would not accept the paper if it exceeded 30% on the originality report. Well....we use quotes in our papers, and so those "count" against you. I would submit my paper, wait for the report to come back and see if it was above that mark, and if it was, I would cancel the paper and resubmit after rewording stuff. Because of the rewording, I wasn't always pleased with the way I had to write it or paraphrase things. It became quite frustrating but heh....got the dang class passed.


So what's next, since I am technically done with my first semester at WGU? Why, on to the next class, do not stop! Now doing CQV1, which is the CCNA class. Awesome! My student mentor let me move into this class so that the knowledge from my CCENT would still be in my head. So far I'm listening to/watching the first four videos, which are review videos, hence my not paying too much attention and writing this blog.

In other news, still trying to set up my litecoin mining rigs. I bought yet another video card, but the x4 PCI-E slot on my mobo is busted. I have plenty of money coming in on PayPal, but it won't be available until the 22nd of January. Then I'll buy a riser cable to use my x1 slot for that new card. Currently hashing at 430KH/s, which isn't that great. Generating about point one five coins a day, which is not enough. If I can get this new card in, it will boost me to 750-800KH/s, which should put me at point two five coins a day. Tried to convince the wife to let me use some of our savings to build a dedicated machine, but she said no. Dang.