After downloading the file and extracting it to be the size of 5GB I then parsed it with the following command to only grab the FTP Banner. Then I also parsed it to only give me the first line:
cat b70f5n9ffx49j6g8-zgrab-results-21-ftp-banner-full_ipv4-20150417T160718.json | sed 's/^.*response":"220//' | sed 's/"},"error.*$//' | grep -v "host" | sed 's/\\r\\n.*//' | sed 's/^$//' > ftp_banner_raw.txt
With the above information I did a count on the number of lines to identify the number of FTP servers in the dataset that either responded on port 21 or timed out trying to receive a response on port 21:
Then using the ftp_banner_raw.txt file I then sorted and counted the unique instances to find the most common headers.
cat ftp_banner_raw.txt | sort | uniq -c | sort -nr > sorted_ftp_banner_raw.txt
With the above command below I have placed the top 10 most common headers found in the dataset. The information displayed is the number found, followed by the percentage of the total population that it is, and then the banner line:
2,370,756 (17.2%) ---------- Welcome to Pure-FTPd ----------
1,195,904 (8.7%) Microsoft FTP Service
671,654 (4.9%) Ftp firmware update utility
647,822 (4.7%) FTP Server ready.
301,211 ProFTPD 1.3.3g Server
277,210 FTP server ready.
275,113 ProFTPD 1.3.4a Server
269,944 -Microsoft FTP Service
205,591 ProFTPD 1.3.5 Server
301,211 ProFTPD 1.3.3g Server - Exploit Available
275,113 ProFTPD 1.3.4a Server - 1.3.5 is the most up-to-date server version
131,333 FileZilla Server version 0.9.41 beta - Exploit Available
84,426 ProFTPD 1.3.4c Server - 1.3.5 is the most-up-to-date server version
81,101 ProFTPD 1.3.3a Server - Exploit Available
70,881 ProFTPD 1.3.1 Server - Exploit Available
62,940 FileZilla Server version 0.9.24 beta - Exploit Available
60,920 Serv-U FTP Server v6.2 for WinSock - Exploit Available
48,328 ProFTPD 1.3.3e Server - Exploit Available
39,463 ProFTPD 1.3.4d Server - 1.3.5 is the most-up-to-date server version
Then if you divide that by the total number of FTP servers available you get the following percentage of FTP servers that are vulnerable to an available exploit:
I again found this research very interesting. Wow! The question I end with, how do we get this in the hands of the right-people to get these vulnerabilities fixed? How is it possible to fix over a million FTP servers?