
Public-Facing ESXi Hosts 🔥

I was browsing some “recently shared” search queries on Shodan this morning and stumbled upon one for Zoom, which yielded some very interesting results.

No surprise, Zoom has a sizeable public-facing infrastructure presence on the Internet.

One great feature that Shodan offers to analyze search results is the ability to drill down by country and even city. In this case, I took a closer look at the “top cities” for this particular search query.

Potential geographic indicators of where Zoom clusters most of its infrastructure?

The entry for “Dulles” stood out to me, as Dulles, Virginia is known for its numerous and substantially-sized data centers, owing to its proximity to Washington, DC and much of the Federal government’s operations. Almost immediately, one endpoint in that list stood out with indicators of some sort of VMware application.

The SSL certificate metadata for this host lists “VMware” as the organization, warranting a closer look.

Drilling down into this host confirms that what Shodan detected was, indeed, a VMware ESXi hypervisor. The IP address also maps back to an organization named “Zoom Proxies,” and a quick search found no association between it and the Zoom video conferencing company.

Self-signed certificate for a VMware ESXi installation
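As an added illustration (not part of the original post), here is a small Python triage script that applies the same two cues used above to Shodan-style banner records: a certificate whose subject or issuer mentions VMware, and a self-signed certificate (issuer identical to subject). It also reproduces the “top cities” drill-down. The record layout approximates Shodan's JSON export, and the addresses, organization names and certificate fields are constructed for the example, not real scan results or the hosts discussed here.

```python
from collections import Counter

# Constructed sample records approximating the shape of Shodan banner JSON
# (ip_str, port, org, location.city, ssl.cert.subject / ssl.cert.issuer).
# These are NOT real scan results and NOT the hosts from the post.
SAMPLE_BANNERS = [
    {
        "ip_str": "192.0.2.10", "port": 443, "org": "Example Hosting",
        "location": {"city": "Dulles", "country_code": "US"},
        "ssl": {"cert": {
            # Default-style ESXi certificate: same name as subject and issuer.
            "subject": {"CN": "localhost.localdomain", "O": "VMware, Inc."},
            "issuer": {"CN": "localhost.localdomain", "O": "VMware, Inc."},
        }},
    },
    {
        "ip_str": "192.0.2.11", "port": 443, "org": "Example Hosting",
        "location": {"city": "Dulles", "country_code": "US"},
        "ssl": {"cert": {
            # Publicly issued certificate: issuer differs from subject.
            "subject": {"CN": "www.example.com", "O": "Example Corp"},
            "issuer": {"CN": "R3", "O": "Let's Encrypt"},
        }},
    },
    {
        # Plain SSH banner, no TLS certificate at all.
        "ip_str": "192.0.2.12", "port": 22, "org": "Example Hosting",
        "location": {"city": "Ashburn", "country_code": "US"},
    },
]


def is_self_signed(cert):
    """True when the certificate's issuer is byte-for-byte its subject."""
    subject = cert.get("subject", {})
    issuer = cert.get("issuer", {})
    return bool(subject) and subject == issuer


def mentions_vmware(cert):
    """True when any subject or issuer attribute contains 'vmware'."""
    values = list(cert.get("subject", {}).values()) + list(cert.get("issuer", {}).values())
    return any("vmware" in str(v).lower() for v in values)


def esxi_candidates(banners):
    """Return hosts whose TLS certificate looks like a default ESXi cert.

    Both cues must hold; a self-signed cert alone, or a VMware-issued cert
    from a proper CA, is not enough. Hosts without a cert are skipped.
    """
    hits = []
    for banner in banners:
        cert = banner.get("ssl", {}).get("cert")
        if not cert:
            continue
        if mentions_vmware(cert) and is_self_signed(cert):
            hits.append({
                "ip": banner["ip_str"],
                "port": banner["port"],
                "org": banner.get("org"),
                "city": banner.get("location", {}).get("city"),
                "subject": cert["subject"],
            })
    return hits


def by_city(banners):
    """Count banners per city, mirroring Shodan's 'top cities' facet."""
    return Counter(b.get("location", {}).get("city", "unknown") for b in banners)


if __name__ == "__main__":
    for hit in esxi_candidates(SAMPLE_BANNERS):
        print(f"{hit['ip']}:{hit['port']} {hit['org']} ({hit['city']}) {hit['subject']}")
    print(dict(by_city(SAMPLE_BANNERS)))
```

The certificate cues are exactly that, cues: a self-signed certificate with a VMware organization name is a strong hint of an ESXi host, not proof, so confirm with the service banner or the host's login page before drawing conclusions about an address you don't own.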

A second host with the same indicators was found under a neighboring IP address (216.115.185.163).

Having identified the assignee for these addresses and looked at the services the owner offers, my presumption is that the suspect VMware systems are installed on dedicated server instances leased from Greybeard. Taking a closer look at the organization listed on Shodan leads to the Zoom Proxies site.

Proxies not in the sense of regular network traffic, but perhaps for automated purchasing of product from commerce sites

After looking through a few of the pages, my guess is that these folks provide purchasing automation for buying items from commerce sites (Shopify, Supreme, etc., as listed on their site). These solutions likely let an individual spawn multiple “proxy purchasers” (okay, let’s just call them what they are: bots) to quickly grab limited-edition items (see YeezySupply, Adidas, and Supreme), with a possible focus on limited-edition shoes. Other indicators are things like “10 GBPS PORT SPEED,” “100% CLEAN IP[s],” and of course the direct references to working with Shopify, Supreme, and so on. Oh, and it was worth seeing where their main home page/storefront was being served from:

Looks like they’re keeping their storefront separate from their production systems, a sound choice.

Anyway, just a friendly reminder to make sure you’re not making yourself *too* available on the Internet. A hypervisor’s management interface is about the last thing that should answer on a public IP: put the ESXi host client and SSH behind a VPN or a dedicated management network, and check your own ranges on Shodan now and then, because it will index a default-certificate ESXi host just as readily as it indexed these.