MEDIUM: Accessible Rsync Report

DESCRIPTION LAST UPDATED: 2025-01-20

DEFAULT SEVERITY LEVEL: MEDIUM

This report identifies hosts that have the rsync service running, bound to a network port (873/tcp, 8873/tcp) and accessible on the Internet without a password. 8873/tcp scanning was added 2025-01-19.

See https://rsync.samba.org/ and https://github.com/RsyncProject/rsync for more information.

We have also added fingerprinting of rsync instances vulnerable to CVE-2024-12084, a heap-based buffer overflow flaw with a 9.8 CVSS v3 rating.  See https://kb.cert.org/vuls/id/952657 for more information. Please make sure to apply the latest patches. Instances tagged cve-2024-12084 have their severity levels set to CRITICAL. The cve-2024-12084 tagging is version based and was first added 2025-01-15. If you believe a tagging was made in error, please provide feedback! Thank you to Simon Scannell and Max Hils for the collaboration.

For a daily update of rsync instances vulnerable to CVE-2024-12084 please visit our Dashboard statistics.

For a daily update of all global rsync scan statistics please visit our rsync Dashboard statistics.

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page..

This report comes in 2 versions: for IPv4 and IPv6. IPv6 scanning was added 2025-01-15.

Filename: scan_rsync, scan6_rsync

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the rsync response came on (always TCP)
  • port
    Port that the rsync response came from (873/TCP)
  • hostname
    Reverse DNS name of the device in question
  • tag
    This will be rsync and may include the cve-2024-12084 tag
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • module
    Module(s) (repositories of data) presented
  • motd
    Message of the Day
  • has_password
    Checks to see if a password was requested; if "N" or "" a password challenge was not given
  • sector
    Sector the IP belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","module","motd","has_password","sector"
"2010-02-10 00:00:00",medium,192.168.0.1,tcp,873,node01.example.com,rsync,64512,ZZ,Region,City,0,,"system|Backup system;system_full|Backup full system;mysql|Backup virtual mysql;netadmin|Backup virtual netadmin;",,,
"2010-02-10 00:00:01",medium,192.168.0.2,tcp,873,node02.example.com,rsync,64512,ZZ,Region,City,0,,"system|Backup system;system_full|Backup full system;mysql|Backup virtual mysql;netadmin|Backup virtual netadmin;",,N,
"2010-02-10 00:00:02",medium,192.168.0.3,tcp,873,node03.example.com,rsync,64512,ZZ,Region,City,0,,"system|Backup system;system_full|Backup full system;mysql|Backup virtual mysql;netadmin|Backup virtual netadmin;",,N,

Our 133 Report Types

« Back to Network Reporting