Internet Census, 2016.

Thursday, 15 December, Year 8 d.Tr. | Author: Mircea Popescu

Back in July, Framedragger port-scanned the entirety of the routable Internet (no, seriously) in order to feed ssh pubkeys to Phuctor[i] (which resulted in thousands of cracked keys, to everyone's "no one's" surprise).

If you're going to scan might as well save the banners[ii], which is how we[iii] ended up with this list of 15`646`188 live servers[iv]. And since it's here already, might as well do some statistical work on it.[v]

I. For one thing, the ssh versions encountered are found in an extremely narrow set[vi] :

  • 14`999`723 (95.868226%[vii]) report SSH 2.0 ;
  • 645`799 (4.127516%) report SSH 1.99 ;
  • 628 (0.004013%) report "SSH-2. 0"[viii].
  • The remainder are "SSH-2.99-Cisco-1.25"[ix] and
  • "SSH-2.37-OpenSSH_5.7"[x]

II. For another thing :

  1. 11`648`309 (74.448223%) still advertise OpenSSH[xi], which is still way too much considering the lengthy history of deliberate subversion of users' security of that criminal organisation.
  2. 2`162`881 (13.823693%) advertise dropbear[xii],
  3. 488`965 (3.125138%) advertise Cisco, which is unseemly[xiii].
  4. 462`750 (2.957589%) advertise ROSSSH[xiv].
  5. 83`019 (0.530602%) advertise some version of "xxxx" from four to seven letters in various case admixtures. Can't hurt, I suppose.
  6. 60`921 (0.389366%) advertise RomSShell, some bundled crapola by "Allegro Software" (no relation to the video game library).
  7. 48`470 (0.309787%) advertise nothing at all.
  8. 47`483 (0.303479%) advertise homepl, which seems to be a vanity banner for some "#1 in Poland" web hoster.
  9. 45`296 (0.289501%) advertise "lancom", a German manufacturer of nothing in particular.
  10. 44`405 (0.283807%) advertise "DOPRA", a Huawei "proprietary" (in the sense that they stole Linux and are posturing on top of the codebase) piece of crap (in the sense that their keys are weak[xv]).
  11. 27`227 (0.174016%) advertise mod_sftp[xvi] (of which 22`031 0.9.9 and 5`196 0.9.7).
  12. 23`620 (0.150963%) advertise Comware, which is an obscure outfit flattering itself with "industry leading" "elite team of experts" and other such stock in trade of the contemporaneous snake oil salesman. Mostly found embedded in HP crapware.
  13. 18`530 (0.118431%) still advertise NetScreen, notwithstanding it was acquired by Juniper for 4bn in stock 12 years ago and as far as I know retired.
  14. 16`237 (0.103776%) advertise DraySSH_2.0[xvii]
  15. 15`783 (0.100874%) advertise a generic "SSH_Server". Generic is nice and all, but universally the same peculiar capitalization ?
  16. 15`273 (0.097614%) advertise "VRP", of which 8`147 3.3 and 7`126 3.40. In all probability this is a Huawei item.
  17. 14`250 (0.091076%) advertise Zyxel which is a Taiwanese router manufacturer.
  18. 13`746 (0.087855%) advertise "WeOnlyDo"[xviii].
  19. 13`505 (0.08631%) advertise "FlowSsh: Bitvise SSH Server (WinSSHD) " and a version number, generally followed by ": free only for personal non-commercial use". Because someone actually licenses Windows ssh libraries in fucking .net already.
  20. 13`099 (0.083720%) advertise "Compatible Server", which I suppose is good news after all.
  21. 12`873 (0.082275%) advertise "Server-VII-hpn13v1", which is a patchset for OpenSSH (mostly to do multi-thread AES) released by Chris Rapier and Ben Bennett[xix] back in 2008. Apparently it was high performance.
  22. 9`123 (0.058308%) advertise a generic "SSHD".
  23. 7`094[xx] advertise Mocana SSH, which looks like a meanwhile defunct USG contractor[xxi].
  24. 6`277 (0.040118%) advertise ARRIS_0.50, Arris being one of the crappiest cable modems of all time.
  25. 6`224 (0.039779%) advertise ArrayOS, which is bundled with Xirrus, an outfit specialized in scamming education and health entities.
  26. 6`036 (0.038578%) advertise mpSSH_0.2.1 (mass parallel secure shell by Nikolay Denev).
  27. 5`903 (0.03772%) advertise Version_1.0. It's an Internet of things thing.
  28. 5`129 (0.032781%) advertise "Siemens" and are probably part of an ill fated nuclear programme.
  29. 4`852 (0.03101%) advertise Adtran_4.31, which is a hopefully defunct CLM[xxii].
  30. 4`809 (0.030735%) advertise simply 1, which is reasonable.
  31. 4`681 (0.029917%) advertise ZTE_SSH.2.0, a crappy router.
  32. 4`255 (0.027195%) advertise "cryptlib" (Peter Gutmann's thing).

There's also 72`689 unique strings (ie, strings reported by one single machine in the dataset) : ssh_unique_strings.txt. These were conceivably generated by worms and other malware at least in part.

There's a further 7`368 strings that appear exactly twice, and look quite just as bad. It's a strange question, what exactly would possess a server to indicate 0eYFG_5Iwon6k8, 0Epss, 0EkHw, 0EFLd1r or 0E7zDWXF9BAqAwW. While some of the shorter ones could be, forcing reason, explained as string collision in truly poorly written malware, the odds of "+^"K2j`HAq5C~XeOhH(!`kvm^_$MM2"aV5/1cBzTj^L`8|GB4pF;5{3wIAmu[T).2N<BiDOFBzQD@b8cV.1*$&$BfVl4lt;FCW60tS" occurring in this manner exactly twice (no kidding) seem exceedingly slim[xxiii]. There's also two hits each of xlightftpd_release_3.8.5.5, xlightftpd_release_3.8.3.5, xlightftpd_release_3.6.1 and finally WRQReflectionforSecureIT_7.0[xxiv].

III. As far as Linuxen go,

  1. 2`363`248 (15.104305%) advertise Debian, of which 705`163 (29.8387%) Ubuntu[xxv], 632`092 deb7, 410`822 deb8, 230`953 squeeze and even 12`315 sarge!
  2. 208`766 (8.833859%) advertise FreeBSD (and a further 25 OpenBSD plus 3`064 NetBSD).

It can perhaps be safely assumed that the remainder 11`014`378[xxvi] or ~70% of machines are running either Windows or similar proprietary crap.
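A tally of the kind behind sections I to III, as an added example (not the author's tooling): it parses `ip,banner` records in the layout of the sample shown in the footnotes, keeps malformed protocol fields such as "2. 0" as their own bucket, and counts hosts naming both Debian and Ubuntu once. The sample records, the RFC 5737 addresses, the family heuristic and all function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the article's "ip,banner" layout. Addresses are RFC 5737
# documentation addresses; banner shapes follow those quoted in the article.
SAMPLE = """\
192.0.2.1,SSH-2.0-OpenSSH_5.3
192.0.2.2,SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
192.0.2.3,SSH-2.0-dropbear_2014.63
192.0.2.4,SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
192.0.2.5,SSH-2.99-Cisco-1.25
192.0.2.6,SSH-2. 0-OpenSSH_3.8p1
192.0.2.7,SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
192.0.2.8,SSH-2.0-Welcome to Example File Transfer! Call support, option 4, 2.
192.0.2.9,SSH-1.99-OpenSSH_4.3
192.0.2.10,SSH-2.0-
192.0.2.11,HTTP/1.1 400 Bad Request
"""

# Heuristic (assumption): family = leading alphabetic run of the software field.
FAMILY = re.compile(r"[A-Za-z]+(?:[_-][A-Za-z]+)*")

def parse_line(line):
    """Return (proto, software, comments) for one record, or None if malformed."""
    # Split on the first comma only: banner text may itself contain commas.
    _ip, sep, banner = line.strip().partition(",")
    if not sep or not banner.startswith("SSH-"):
        return None
    # Keep the protocol field raw so oddities such as "2. 0" get their own bucket.
    proto, sep, rest = banner[4:].partition("-")
    if not sep:
        return None
    software, _, comments = rest.partition(" ")
    return proto, software, comments

def census(text):
    """Tally protocol versions, software families and Debian/Ubuntu markers."""
    protos, families = Counter(), Counter()
    debian = ubuntu = both = skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        proto, software, comments = rec
        protos[proto] += 1
        m = FAMILY.match(software)
        families[m.group(0) if m else "(none)"] += 1
        is_deb = "Debian" in comments
        is_ubu = "ubuntu" in comments.lower()
        debian += is_deb
        ubuntu += is_ubu
        both += is_deb and is_ubu
    return {
        "total": sum(protos.values()), "skipped": skipped,
        "protos": protos, "families": families,
        "debian": debian, "ubuntu": ubuntu, "both": both,
        # Hosts naming both Debian and Ubuntu are counted once (inclusion-exclusion).
        "debian_or_ubuntu": debian + ubuntu - both,
    }

def share(count, total):
    """Percentage rounded to six decimals, the precision the article reports."""
    return round(100.0 * count / total, 6)

if __name__ == "__main__":
    r = census(SAMPLE)
    for name, n in r["families"].most_common():
        print(f"{n:>2} ({share(n, r['total']):.6f}%) advertise {name}")
```

A naive `split(",")` would break the welcome-message record into four fields, and a strict numeric check on the protocol field would silently drop the "2. 0" hosts that the article singles out as a marker.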

IV. For the sake of lulz[xxvii] :

173.245.197.114,SSH-2.0-Welcome to Intel Secure File Transfer! For issues, send mail to b2b.tech.support@intel.com or call 1-877-811-2574 Options 4, 2. If you are an Intel employee, you must prefix your normal windows idsid with the MAD\ domain (e.g. MAD\jdoe) [xxviii]

69.43.171.242,SSH-2.0-sftp.tritonmsllc.com [xxix]

${POM.ARTIFACTID}-${POM.VERSION} is advertised by no less than eight[xxx] different boxes.

Vertical_IP_Secure_Platform_VSP-4.0-build_2008.07.17 is present 18 times, almost a decade later.

There's no less than 284 servers which advertise "GoodLuck". I must say I appreciate the dry sport of the frontier.

Yes, OpenSSH version 0.1 is actually advertised by a machine somewhere.

It turns out that the Internet of 2016 consists mostly of obsolete OpenSSH and assorted crapware, a sad testament to an even sadder decade. What can you do ?

———
  1. Note that this links to a large (~4mb at the time of writing) page which may choke your browser. Here's a cached copy if you'd rather.
  2. Responses sent by the servers contacted.
  3. Because you ask nicely, that we includes you : all-Internet ssh banners.
  4. Here's a sample look :

    $ tail all_internet_ssh_banners.txt
    141.95.23.158,SSH-2.0-OpenSSH_5.3
    46.30.210.164,SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
    116.5.56.153,SSH-2.0-ROSSSH
    191.6.81.214,SSH-2.0-dropbear_2014.63
    66.232.106.140,SSH-2.0-OpenSSH_5.3
    13.93.231.229,SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
    173.82.121.34,SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2
    186.227.86.253,SSH-2.0-dropbear_2014.63
    181.60.51.246,SSH-2.0-OpenSSH_4.0


  5. You know, other than pointing out that more than one in three thousand are weak.
  6. That 16 million boxes can do with a grand total of 5 different options is not supportive of the sweeping theories behind the proposed value or practical utility of open source software. This is an important datapoint which you are not at liberty to handwave. Please address it adequately.
  7. Yes, that's right, six significant digits. They are accurate, because our dataset is that large. How often do you see this ? No, I pointedly do not mean spuriously lengthy decimal trains obtained by idiots through long division. I mean lengthy relevant decimal trains.

    Think long and hard about this, because all that faux "science" (on either side of the retard isle) based on tiny samples is how you ended up with the global warming religion ; and with the anti-smoking religion ; and with the women-can-do-it religion ; and with all the rest of the crap. Pretty much all the nonsense currently floating around in your head can be traced to poor sampling habits - yours, and everyone you know's.

    How often have you seen proper sample sizes before ?

  8. Extra space. All without exception are "SSH-2. 0-OpenSSH_3.8p1", which pinpoints a bug in OpenSSH 3.8p1 and perhaps also offers some insight into just how distribution works in practice. Immunologists kill for this sort of marker.
  9. Seen on IPs 85.95.132.193, 168.238.242.49, 212.42.105.248, 181.15.246.242, 12.181.13.89, 67.136.141.98, 38.104.129.202, 64.206.31.161, 12.249.229.150, 190.220.152.130, 212.92.154.46, 87.241.208.22, 94.143.199.141, 94.143.199.249, 94.143.199.134, 144.139.179.200, 193.189.186.162, 194.165.105.89, 209.161.114.41, 94.143.199.161, 94.143.199.145, 168.238.243.49, 115.249.90.246, 94.143.199.238, 194.165.105.93, 200.77.237.138, 203.39.148.89, 194.165.105.88, 94.143.199.97, 50.202.178.198, 178.250.182.1, 40.131.242.18, 38.99.12.129, 115.249.88.177, 94.143.199.193, 50.202.178.217, 201.218.59.185. []
  10. Seen on 122.49.1.202 only.
  11. Here's a complete version listing :
    Server count OpenSSH Version
    3`334`603 5.3 (8 different vulnerabilities, of which CVE-2014-1692 AND CVE-2010-4478 are particularly dangerous.)
    1`912`733 6.6.1p1
    771`814 6.6.1
    734`156 4.3 (The list of known vulnerabilities is indeed long.)
    707`100 6.0p1
    605`606 6.7p1
    553`358 5.9p1
    262`184 5.5p1
    235`331 6.2
    157`421 7.2 (This is the first ~somewhat~ modern deployment. If their website weren't down I could tell you exactly, but from memory the current version is 7.7 or thereabouts, and each single minor version in between comes with a host of holes.)
    152`419 5.1
    148`102
    124`543 7.2p2
    116`504 6.4
    107`731 5.8
    89`263 5.3p1
    88`002 5.1p1
    80`173 4.3-HipServ
    77`550 4.7
    71`067 6.6.1_hpn13v11
    68`973 6.9p1
    64`989 5.9
    62`309 5.2
    60`684 4.0
    56`226 3.9p1
    54`448 6.6
    47`780 6.8p1-hpn14v6
    43`553 5.6
    42`375 6.9
    38`183 7.1
    33`325 6.6p1-hpn14v4
    32`421 6.6p1
    32`051 6.7
    31`426 5.8p2_hpn13v11
    30`602 5.4p1
    28`851 6.1
    26`005 4.3p2
    25`651 5.4
    25`301 7.0
    25`228 6.0
    21`429 6.3
    21`402 3.8.1p1
    21`307 5.5
    20`828 5.8p1
    20`467 6.2p2
    20`209 4.4
    19`302 4.5p1
    15`727 3.5p1
    15`645 2.3.0_Mikrotik_v2.9
    15`612 4.7p1
    15`522 6.2_hpn13v11
    15`430 5.0
    15`186 4.2
    14`266 5.9p1-hpn13v11
    13`456 4.5
    13`144 6.8
    13`034 5.4p1_hpn13v11
    12`928 3.6.1p2
    12`762 3.7.1p2
    12`606 6.6p2-hpn14v4
    11`167 6.1p1
    9`458 6.5
    9`180 4.6
    8`570 5.8p2
    7`437 6.1_hpn13v11
    7`353 3.4p1
    6`847 6.4_hpn13v11
    6`822 3.6p1
    6`671 5.8p1-hpn13v11
    5`517 7.1p2-hpn14v10
    4`784 6.7p1-hpn14v5
    4`323 3.1p1
    4`105 4.1
    4`056 4.2p1
    3`522 3.8p1
    3`281 3.9
    2`754 5.2p1
    2`601 7.2-hpn14v5
    2`226 7.1p2
    2`074 5.8p1-hpn13v10
    1`938 6.4p1-hpn14v2
    1`840 5.9p1.RL
    1`611 6.9p1-hpn14v5
    1`603 3.0.2p1
    1`532 v2
    1`525 11.1
    1`510 4.6p1
    1`324 7.1p1-hpn14v9
    1`206 LeadSec
    1`100 3.4p1.RL
    1`059 6.6.1p1-hpn14v4
    1`030 7.1p1
    1`012 3.7.1p1
    923 4.7p1-hpn12v20
    913 with no banner
    903 2.3.1p1
    877 6.4p1
    871 7.1-hpn14v5
    866 6.8p1-hpn14v4
    837 12.1
    832 2.9p2
    763 6.1-FIPS_hpn13v11
    725 6.5p1
    693 5.7
    653 2.9p1
    628 0-
    588 3.8.1p1.1.tms.1
    562 3.8
    529 4.9
    517 6.8-hpn14v5
    513 x.x
    509 6.2p2-hpn13v14
    492 6.6.1p1-hpn14v5
    435 6.2p2-hpn14v1
    417 3.0p1
    416 Leadsec
    410 7.2p2-hpn14v4
    327 5.9p1-hpn13v11lpk
    319 6.6.1p1-hpn14v2
    315 3.7p1
    278 3.6.1p1
    261 4.8
    260 5.0p1
    253 6.2p2+sftpfilecontrol-v1.3-hpn13v12
    250 2.5.2p2
    238 6.0-FIPS(capable)
    230 5.3p1-hpn13v7
    208 3.4
    198 5.1p1-hpn13v5
    192 6.7p2
    192 6.4p1-hpn14v1
    190 3.6.1
    188 OA
    184 nsfocus_1.0.0
    181 6.1p1-hpn13v11
    171 5.8p1-hpn13v10lpk
    160 6.8p1-hpn14v5
    158 7.1p1-hpn14v5
    152 5.2p1-hpn13v6
    150 5.0p1-hpn13v1
    146 6.5p1-hpn14v2
    138 5.6p1-hpn13v10
    130 2.3.0p1
    129 4.1p1
    129 3.9.0p1
    128 2.0
    124 5.8p2-hpn13v11
    123 Yxlink
    119 6.0p1-FIPS(capable)
    102 7.1p2-hpn14v4
    90 6.6_hpn13v11
    86 6.3p1-hpn14v2
    86 3.2.3p1
    82 5.5p1-hpn13v9
    82 4.4p1
    79 2.9.9p2
    78 10.1
    75 6.7p1_hpn14v5
    73 3.7.1
    72 7.2p2a
    72 6.5_hpn13v11
    71 6.1p1-hpn13v14
    71 4.3p2+sftplogging-v1.5
    69 5.9p1+sftpfilecontrol-v1.3-hpn13v12
    67 x.ypn
    67 4.2-chrootssh
    65 4.7p1-hpn13v1
    59 X.X
    59 3.5
    57 6.0p1lpk
    56 ZDNS
    56 6.6p1-hpn14v5
    56 6.0p1-hpn13v11
    56 5.5p1lpk
    56 2.3.0
    55 2.1.1
    54 ADS_1.0
    54 7.2-OVH-rescue
    53 9.9
    51 6.4.fe.2
    50 4.3p2-6.cern-hpn-CERN-4.3p2-6.cern
    49 4.3p2-FC-4.3p2-82.el5
    48 6.2p1+sftpfilecontrol-v1.3-hpn13v12
    46 99.99p99
    46 3.4p1+CAN-2004-0175
    46 2.9
    45 6.5p2-hpn14v4
    45 4.3p1
    45 3.0.1p1
    44 7.1_AMM
    44 5.3p1+sftpfilecontrol-v1.3-hpn13v5
    44 2.2.0p1
    42 5.6p1
    40 3.7.1p3
    39 5.8p1+sftpfilecontrol-v1.3-hpn13v7
    37 3.6.1p1+CAN-2004-0175
    36 7.0p1
    36 4.5p1+sftpfilecontrol-v1.1-hpn12v14
    35 5.8-CC
    33 6.0p2
    31 4.3p2-hpn
    30 CT_4.1
    30 6.9p1a
    30 5.3p1-FC-0.9.3-112.el6_7
    30 3.8.1
    29 5.3p1-FC-0.9.3-104.el6_6.1
    27 5.3p1-FC-0.9.3-118.1.el6_8
    27 4.4p1-hpn12v11
    25 5.5.4.2
    25 2.2.0
    24 Derived_From_OpenSSH-200701010
    24 6.9-hpn14v5
    23 5.9p1-hpn13v12
    23 4.3p2p1
    22 6.7p1lpk
    22 5.8p2-DAM_1.2
    22 5.0p1+sftpfilecontrol-v1.2-hpn13v1
    22 100.0
    21 7.3
    21 6.7p1-hpn14v4
    21 6.3p1
    21 6.2p1
    20 7.2p2-hpn14v11
    20 6.8.tms.1
    20 5.9p1+sftpfilecontrol-v1.3+LdapPublicKeys-v0.3.20
    20 5.8p2p2
    20 4.0p1
    20 3.5p1-sa1
    19 7.2p1
    19 4.5p1p2
    19 3.7
    18 ssh:
    18 7.1p1-hpn14v4
    18 6.3_hpn13v11
    18 4.3p2-4.cern-hpn-CERN-4.3p2-4.cern
    17 XXX
    17 7.1p1a
    17 5.3p1+sftpfilecontrol-v1.3
    17 3.1
    16 6.6.1p1-RHEL7-6.6.1p1-25
    16 5.9p1_hpn13v11
    16 5.6p1+sftpfilecontrol-v1.3-hpn13v7
    16 5.2p1+sftpfilecontrol-v1.3
    16 5.1p1+sftpfilecontrol-v1.2-hpn13v5
    16 4.3p2-5
    15 7.1p2-hpn14v9
    15 6.6p1-hpn14v2
    15 4.7p1+sftpfilecontrol-v1.2-hpn12v17
    14 6.7_AMM
    14 5.3p2
    14 5.3p1p1
    14 5.2p1-hpn13v5
    14 3.4-j2
    14 33.33
    13 5.8p2NMOD_3.08-hpn13v11
    13 5.7p1
    13 2.9p2-pw-patched
    12 5.2p1+sftpfilecontrol-v1.3-hpn13v5
    12 3.6
    11 5.3p1-FC-0.9.3-84.1.el6
    11 5.0p1-hpn13v4
    11 4.7p1-hpn12v19
    11 3.9p1-hpn
    11 3.3
    11 2.9.9p2.2
    10 7.1p2-hpn14v10NMOD_3.19
    10 7.1p1-hpn14v5NMOD_3.17
    10 6.7p1a
    10 5.8p1_hpn13v10
    10 5.3p1-hpn13v6
    10 5.1p1+sftpfilecontrol-v1.3
    10 5.1.1p1
    10 4.5-sshjail
    9 ./inst:
    9 6.2p5
    9 6.0-FIPS(enabled)
    9 6.0_CASPUR
    9 4.6p1-hpn12v16
    9 3.6.1p1+CAN-2003-0693
    9 3.1p1_zlib_ASL
    8 6.0-beta
    8 5.4p1p2
    8 4.3p2+TAC
    8 3.4+p1+gssapi+OpenSSH_3.7.1buf_fix+2006100301
    8 2.5.1p1
    7 6.9p1-hpn14v7
    7 6.6.1p1-RHEL7-6.6.1p1-23
    7 6.2p2NMOD_3.12-hpn13v14
    7 6.2p1-hpn13v14
    7 6.22
    7 6.0p1-hpn13v12
    7 5.4p1-hpn13v8
    7 5.3pl
    7 5.3p1-FC-0.9.3-94.el6
    7 5.1p1+sftpfilecontrol-v1.2
    7 4.7p1-hpn12v18
    7 4.7_agp1
    7 4.3p2-6.cern-hpn
    7 3.9p1c
    7 3.2.3
    7 2.3'
    6 6.6p2+Yare_sftpfilecontrol-v1.5
    6 6.0p1-hpn13v13
    6 5.8p2-hpn13v11lpk
    6 5.4p1+sftpfilecontrol-v1.3
    6 5.3p1-FC-0.9.3-114.el6_7
    6 4.5p1-hpn12v14
    6 4.3p2-4.cern-hpn
    6 3.9p1-FC-3.9p1-11.el4_8.1
    6 3.7.1p1_ASL
    5 SSH
    5 7.1p2NMOD_3.19-hpn14v10
    5 7.1p2a
    5 6.2p1a
    5 6
    5 5.5p1+sftpfilecontrol-v1.3-hpn13v7
    5 _4.5p1
    5 4.4.3-i
    5 3.7.1p2-pwexp26
    5 3.6.1p2-pwexp22
    5 2.5.1p2
    4 WiseGrid_2.0
    4 based Ericsson SSH Server for OSE
    4 8.9.4
    4 7.2p2-hpn14v10
    4 7.2p1-hpn14v4
    4 6.9p1+Yare_sftpfilecontrol-v1.5-lpi1
    4 6.7p1lpk-hpn14v5
    4 6.6.1p1-RHEL7-6.6.1p1-22
    4 6.6.1p1-hpn14v4-lpk
    4 6.2p1-hpn13v11
    4 5.8p2+sftpfilecontrol-v1.3
    4 5.6p1+sftpfilecontrol-v1.3
    4 5.1p1p2
    4 4.5p1+sftpfilecontrol-v1.2
    4 3.7p1-pwexp24
    4 3.7.1p2+TAC
    4 3.6.1p2-CERN20030917
    4 3.4p1-RCN2003091801
    4 3.4p1+CAN-2003-0693
    3 Unknown
    3 SSH-6.4.5.90
    3 ASL_3.0.2p1
    3 AIP SSH Server for Windows. Based on OpenSSH
    3 7.2p2+GF_sftpfilecontrol-v1.5-hpn14v10
    3 7.2.1
    3 6.9.9_hpn13
    3 6.6.1p2
    3 5.9.CASPUR
    3 5.6_CASPUR
    3 5.2-sshjail
    3 5.2p1DataMan.hpn
    3 4.6-sshjail
    3 4.3-sshjailp2+sftplogging-v1.5
    3 4.3p2p1p1
    3 4.3p2-FC-4.3p2-72.el5_7.5
    3 4.3p2-FC-4.3p2-41.el5_5.1
    3 4.3p2-FC-4.3p2-4.12.fc5
    3 3.9p1+sftplogging-v1.2
    3 3.7.1p2-pwexp26_krb5
    3 3.2.2p1
    3 2.5.1
    2 ${VERSION}. (Isn't this adorkable ?)
    2 SSHp1
    2 KosOS
    2 jijwilhosting
    2 inst:
    2 7.5
    2 7.0p1-hpn14v5
    2 6.9p1-hpn14v4
    2 6.6.tms.1
    2 6.6p1a
    2 6.6.1p1lpk
    2 6.3.CASPUR
    2 5.9p2
    2 5.9p1ghs
    2 5.8p2+patch5
    2 5.6p1b
    2 5.5p1-hpn13v7
    2 5.4p1lpk-hpn13v8
    2 5.3p1p1p1
    2 5.1-TELES_mod_4-
    2 5.0p1+sftpfilecontrol-v1.3
    2 5.
    2 4.3_r4.21
    2 4.2p2
    2 4.2p1-hpn
    2 4.2.1p1
    2 4.1p1-hpn
    2 3.0.2
    2 2.9.9
    2 2.5.2
    2 2
    2 0.0p0
    2 *.*
    2 ...
    2 :
    1 You
    1 X.Y
    1 :wget
    1 ${VERSION}p1${EDITION}
    1 usm-0.6.3
    1 Standard
    1 ssh: ssh: ssh:
    1 scr
    1 rm
    1 OpenSSL
    1 nju
    1 MEDISTAR.SEC.Stick.Server_1.7
    1 MEDISTAR.SEC.Stick.Server_1.1
    1 lexus_digiocean
    1 jhfg4fn44nbv42
    1 Huawei_Customization
    1 Gitshell_6.0
    1 digiocean
    1 Derived_From_OpenSSH-20070101
    1 custom_6.8-based
    1 ./conf:
    1 99.99
    1 9.9.9
    1 8.0
    1 7.7
    1 7.2p2-FC-7.2p2-3
    1 7.0p1-hpn14
    1 7.0-hpn14v5
    1 6.9.9
    1 6.8p1
    1 6.8g0
    1 6.7p1 Debian 5
    1 6.7p1+DBB-v1.1
    1 6.7-FIPS
    1 6.7.1
    1 6.6p1+patch1
    1 6.6p1lpk
    1 6.6.ip1
    1 6.6.1p1Ubuntu-2ubuntu2.4
    1 6.6.1p1-RHEL7-6.6.1p1-12
    1 6.61p1
    1 6.6.122
    1 6.5-hpn14v4
    1 6.4p1-FC-0.9.3-8.8.el7
    1 6.2p2NMOD_3.12-hpn13v11
    1 6.1_CASPUR
    1 6.1.1
    1 6.0p1a
    1 5.9p1-5ubuntu1
    1 5.91
    1 5.8_CASPUR
    1 5.7_CASPUR
    1 5.7.1p1
    1 5.6-OS4690
    1 5.6.1
    1 5.5p2
    1 5.5p1p1
    1 5.4p2a
    1 5.4p1_Debian-5\n'
    1 5.3p1-FC-0.9-81.el6_3
    1 5.3p1-FC-0.9-81.el6
    1 5.3p
    1 5.3-HipServ
    1 532.1
    1 5.2p1_q17.gM-hpn13v6
    1 5.2p1p2
    1 5.2p1p1p1
    1 5.2p1DataMan
    1 5.1p1p1
    1 5.1_CASPUR
    1 5.1_agp1
    1 5.0-sshjail
    1 5.0p2
    1 4.7p1-8ubuntu3
    1 4.6p1-hpn12v17
    1 4.4_Sonic
    1 4.4p1+sftplogging-v1.5
    1 4.3p2p1p1p1
    1 4.3p2-hpn13v1
    1 4.3p2-hpn12v8
    1 4.3p2-FC-4.3p2-41.el5
    1 4.3p2-36
    1 4.3p2-1.9_test4.cern-hpn-CERN-4.3p2-1.9_test4.cern
    1 4.3p1+sftplogging-v1.5
    1 4.3p1_glue
    1 4.3p
    1 4.2-chrootsshp1+sftplogging-v1.4
    1 4.1p1-3.hpn_cern_test7
    1 4.0_chzg
    1 4.0_CASPUR-K5/AFS-1
    1 3.9p1_agp1
    1 3.8-based
    1 3.8.1p1p2
    1 3.8.1p1p1
    1 3.8.1p1-AuthSelect-SecurID-log
    1 3.7.1p2+sftplogging-v1.2
    1 3.7.1p2-pwexp24
    1 3.7.1p2-BLAuth-010523-1
    1 3.6.1p2-CERT-patched
    1 3.5p1-CASPUR
    1 3.5p1_agp1
    1 3.4p1_bu2
    1 3.2
    1 300.3
    1 .2.9.1
    1 2.5.2p1
    1 2.3.0-1
    1 2.3
    1 22
    1 2.0p166
    1 1.2
    1 1.0p0
    1 1.0
    1 0.1
    1 01

    How do you like that!

  12. A smaller, better server by Matt Johnston.
  13. USG spying outfit has no business on the Internet.
  14. Mikrotik Router OS sshd. Famous for a remote unauthenticated heap corruption hole in 2013.
  15. By the way Stan, how does it feel to rank in top 5 google searches for random piece of shit Huawei's pushing ?
  16. ProFTPd module, by TJ Saunders. The idea for what it's worth is to make a ftp server like Apache.
  17. Do you have any idea what this is ?!
  18. To quote them,

    WeOnlyDo Software: Internet Security Components. Available as ActiveX, OCX, DLL and NET Assembly.


  19. "Both researchers at Pittsburgh Supercomputing Center", they say.
  20. 0.045340%
  21. To quote the lulziest parts,
    100,000,000 people use Mocana-secured devices to date. That is more than the population of Germany and the Netherlands, combined.

    Vocality Picks Mocana to Protect New Portable Satellite Communications Gear for Soldiers
    Posted by JDavis on 9/7/10 2:48 PM

    Vocality, a company that builds ultra-portable network routers and secure voice over IP devices for tactical and defense applications, announced that it has standardized on Mocana's Device Security Framework™ technology to provide security services for its miniature BASICS IP router designed for military backpacks, also known as "manpacks" and first responder communications platforms.

    The list of IPs advertising this is, for your convenience, here : mocana.txt.

  22. Negustor de Piei de Closca in Romanian, approximately "Chicken Leather Merchant", which is to say seller of a notional product of no practical value.
  23. The thought that at least some of these could actually be passwords the inept user is ineptly advertising bothers me.
  24. More pretentiously named hen leather.
  25. Ubuntu self-advertises, without reference to Debian, for a total of 2`761`870 apparitions. A typical string with debian is

    SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7

    and without

    SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7


  26. 15`646`188 - 2`363`248 - 2`761`870 + 705`163 - 208`766 - 25 - 3`064 = 11`014`378.
  27. All these are genuine banners.
  28. Multiple instances of this, for the record!
  29. Triton Systems makes ATMs.
  30. 169.54.197.238, 169.54.197.240, 169.54.197.241, 169.54.197.243, 169.54.197.244, 169.54.197.246, 207.91.13.65, 207.91.13.162.
Category: Meta psihoza

5 Responses

  1. Current version is 7.4, released in December, 4 days after publishing this article. Before that 7.3 was the newest, not 7.7.

  2. Mircea Popescu
    Thursday, 5 January 2017

    Ah, thanks for the clarification.

    Of course, this was published December 15th, so do you mean days before ?

  3. Ahaha lolwut, 7.3 present on 21 machines out of 15 million?

  4. OpenSSH 7.4 was released 2016-12-19, so yes 4 days after this article was published.

    OpenSSH 7.3 was released 2016-08-01. From what I understand the data this study is based on was collected June-July, which makes the presence of 7.3 SSH servers very strange (maybe you connected to some test servers run by the OpenSSH devs or something like that?)

    OpenSSH 7.2p2 was released 2016-03-10 and so should be considered current here. It apparently ran at the time on less than 1% of machines.

    The security updates from 7.2p2 to 7.4 are important : timing attack weaknesses, CVE-2015-8325, various DoS avenues etc.

  5. Mircea Popescu
    Thursday, 5 January 2017

    Good to know, thanks.
