Shodan Stories Day 5: Organic Chemistry in Poland, Ecotoxicology, and the Dangers of Static Electricity
Today I decided to go looking for MySQL databases. I’ve always loved SQL, it was one of the first “programming languages” I learned and was a big part of one of my first jobs.
Institute of Industrial Organic Chemistry on 188.8.131.52
Checking with MySQL documents I found that MySQL databases typically run off of port 3306. So I went on Shodan to look for things with port 3306. One of the first results I saw was from Poland, and being Polish I couldn’t resist poking around a bit in the homeland.
I started off looking at it with
👻🌵✨$ nmap 184.108.40.206 Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-08 13:51 EST Nmap scan report for cloudserver060808.home.pl (220.127.116.11) Host is up (0.12s latency). Not shown: 915 filtered ports, 68 closed ports PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 80/tcp open http 110/tcp open pop3 143/tcp open imap 443/tcp open https 465/tcp open smtps 587/tcp open submission 990/tcp open ftps 993/tcp open imaps 995/tcp open pop3s 1433/tcp open ms-sql-s 1443/tcp open ies-lm 3306/tcp open mysql 3690/tcp open svn 5432/tcp open postgresql
Lots of ports open, it looks like this IP has a bunch of functions, including email (25, 110, 143, 465, 587, 993, 995), a webpage (80 and 443), and databases (all those ports with sql). Just based on the ports this looks like a corporate server for sure. Going to the IP in a browser confirms this… The Institute of Industrial Organic Chemistry (IPO)! No I’ve never heard of it before but their website is a delight of early 00s web design. They were formed in 1947 and have 50-100 employees, and act as a industry research institute to the chemical industry, providing independent studies on the efficacy and toxicology of newly developed chemical compounds. I assume that regulation prevents chemical development companies from doing their own reports on the safety of their newly developed products, so they hire companies like IPO to do the testing for them. IPO has an entry on Crunchbase:
The Institute of Industrial Organic Chemistry (IPO), Branch Pszczyna is a leading research and development centre with more than 65 years of tradition which performs a wide variety of toxicological and ecotoxicological studies. The IPO conducts studies for companies worldwide, cooperates with both domestic and foreign research units as well as actively participates in the international EU and OECD research projects. The aim of the studies mentioned above is to evaluate possible harmful effects of various chemical substances on human health, animals and the natural environment. During the last 65 years the Institute has developed and established its position as one of the best-known research centers at home and abroad.
According to IPO’s website in addition to the primary work they do with toxicology and ecotoxicology they do research on explosives, solid rocket fuels, pyrotechnics, and chemical weapons, though they have a specialization in static electricity hazards! For their ecotoxicological they do tests with birds, fish, aquatic organisms that aren’t fish, bees, non-bee arthropods, earthworms, soil microorganisms, and plants. My mom studied chemistry in Poland and I started wondering if maybe she would have worked at a place like this had she stayed in the country. They have two offices, one in Warsaw and another in Pszczyna, not too far away from where my family lives.
I tried poking at all the ports, but didn’t find anything out of the ordinary. Everything seems secure, although Shodan did tell me that their version of postgresql was out of date and had a variety of exploitable vulnerabilities. But I did notice that the DNS entry for this IP resolves to
cloudserver060808.home.pl. That’s not what their URL actually is for their website, it’s www.ipo.waw.pl. A little interesting, their webhost is giving them a specific non-public url. Checking out home.pl I found it pretty easy to figure out the kind of plan that IPO had bought for their cloud server.
Even just iconographically it’s easy to see this is the one: a cloud server with email, a website, and databases.
What’s the history for the three ring cylinder representing a database anyway? See you tomorrow.