Is your Supervisor web interface is open?

At Project 25499, one of our core missions is to identify vulnerabilities that may be found on publicly accessible hosts and assess their potential scope. During a recent upgrade, we came across a great blog post about some advanced features of Supervisord.

Screenshot from supervisor blog post

The above screenshot from the blog post details a configuration option for enabling an HTTP frontend. This feature is enabled by adding the following to the /etc/supervisor/supervisord.conf :

[inet_http_server]
port = 9001

The blog posts by default includes a username and password option, however, if this is omitted, supervisor will still start the frontend and allow for access without authorization. From this interface, an administrator can do some basic process management (stop / start / restart) and view the associated logs.

On the 22nd of August 2016, we began a HTTP scan of the IPv4 space for port 9001. The results from the scan were outstanding; the following screenshot was from the processing of the data [First two octets of the IPs have been redacted]:

Screenshot of search results

In total, 854 unique hosts were identified that were showing the “Supervisor Status” title, with a total of 3233 services collectively. Geo-mapping of the hosts produces the following image:

Geo location of vulnerable hosts

Following is a list of the most common services observed:

# ServiceName
308 sendmail
36 datadog-agent:jmxfetch
36 datadog-agent:forwarder
36 datadog-agent:dogstatsd
36 datadog-agent:collector
30 nginx
22 datadog-agent:go-metro
19 relaysvr
13 storm-supervisor
13 sshd

With the most common service, at 9.5 %, being sendmail, it suggests that there is either a guide or shared configuration being propagated. Initial searching shows this configuration may be either within a Docker image or a GitHub project, however, a specific source has not been identified.

As a good rule to live by, always ensure you read / verify the configuration files you deploy and always audit your hosts before you deploy them to the open IPv4 internet.

Advertisements

Project Overview

Project 25499 is a researcher focused Internet Scanning service to identify and scope vulnerabilities on the public Internet.

We currently operate five scanners that are listed below:


Scanners:
98.143.148.107 (scanner01.project25499.com)
155.94.254.133 (scanner02.project25499.com)
155.94.254.143 (scanner03.project25499.com)
155.94.222.12 (scanner04.project25499.com)
98.143.148.135 (scanner05.project25499.com)


This project is scanning only publicly facing systems. In no ways does this project attempt to bypass technical safeguards or perimeter controls in an attempt to access non-publicly facing systems. Following the model used in previous Internet Scanning projects, our project attempts to adhere to the best practices described in the following two publications: Rapid7: Legal Considerations for Widespread Scanning and ZMAP: Scanning Best Practices