Alden’s ITP Home

Shodan Stories Day 1

A note up front:

Generally I’ve been struggling with an ethical question of this project: should I be publishing the IP addresses and personal identification of individual people I find? I can’t imagine that anyone reading this would take that info and do anything untoward with it, but it’s an odd stance on surveillance culture to dox strangers meaninglessly, even if the ability to reach out and randomly touch a stranger is the reality of networked existence. Currently I’m erring on the side of publishing IPs, since they are an important part of my process and should be documented, and then including anything from WhoIs records as is valid to the project, since WhoIs is meant to be public record. Things like hacker tags and defacements that I find I definitely will publish though. Happy to get input on this.

An Open VNC Server on

Day 1 I’m starting with some low-hanging fruit: looking for people who’ve left VNC servers running without passwords. VNC (standing for Virtual Network Computing) is a framework for remotely logging into a computer using a GUI, and is a common alternative to ssh for people who don’t know how to use the command line or need GUI functionality on their remote machine. To do this on Shodan I searched for IPs with port 5900 open, since VNC typically runs on 5900, and then just started trying to connect using VNC Viewer as a client. Well, the second result I found on Shodan didn’t have a password and had already been totally overrun with trolls leaving each other notes and tearing apart the server. When I first logged in, someone had drawn a bunch of swastikas in MS Paint and made it the background of the desktop, which I quickly changed, and someone else was playing solitaire. The server was running Microsoft Windows Server 2000 as its operating system, so it had a bunch of the classic 1999 features of Windows like MS Paint and grey boxes UI. It was a little nostalgic.

Looking around I got kind of nervous because I could tell other people were also in this machine. It’s uncomfortable to be in a computer with a bunch of other people, at least one of whom is a nazi. Whoever was playing solitaire was clearly very engaged because they kept pulling the window back to the front. Some hacker going by yellows111 had left a tag. It looks like they use that tag a lot and I found their Twitter, GitHub, SoundCloud, Steam account, YouTube, etc. They have a bot of them that you can add to your Discord server so if you want you can have yellows111 in your life at all times. Judging from their YouTube they like to go around trashing old Windows servers and might have been the one playing solitaire.

The man who owns this server lives in Missouri and purchased the server space from Wholesale Internet. I think he’s getting ripped off; at minimum $10/month for a server running an almost 20-year-old operating system is pretty bad.

There were some more mysteries though that are up to the reader to interpret. Here is a traceroute result from me to the IP. What’s It doesn’t resolve to anything in a browser.

traceroute to (, 64 hops max, 52 byte packets
 1 (  2.529 ms  1.650 ms  1.168 ms
 2  * * *
 3 (  15.107 ms  11.720 ms  15.173 ms
 4 (  16.422 ms  18.154 ms  19.666 ms
 5 (  18.197 ms (  20.730 ms  16.201 ms
 6 (  12.508 ms (  18.092 ms (  18.306 ms
 7 (  17.945 ms  17.067 ms  22.374 ms
 8 (  43.236 ms (  21.576 ms  19.348 ms
 9 (  46.955 ms (  48.351 ms (  48.822 ms
10 (  51.545 ms  47.022 ms  47.746 ms
11 (  43.115 ms  49.859 ms  41.052 ms
12 (  43.440 ms  42.648 ms  41.724 ms
13 (  46.359 ms  49.177 ms  60.840 ms