What We Discovered On a North Korean Server Part 1
Last year we discovered a North Korean server that was hosting numerous animation files. I wanted to share a more detailed write-up about how we discovered the server, as well as some more details about what we found. You can read the original coverage here: What We Learned Inside a North Korean Internet Server
The Initial Discovery
It began at the end of 2023 when I noticed a new DNS record for the domain cloud.star.net.kp which resolved to the IP address 175.45.176.31. At that time I had published a short post about an exposed ownCloud instance running on a North Korean IP: Exposed Nextcloud Instance
While browsing to the IP directly returned an error page, browsing several common directories revealed several folders that were accidentally exposed, the most notable of which was /data.
What Was Exposed
The /data directory provided access not only to all of the files for each user but access to the server logs …
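For operators of their own ownCloud or Nextcloud instance, the following added example (not part of the original write-up) scans web-server access logs for requests under /data that the server answered successfully, which is the exposure described above. It assumes combined-format logs and an instance served from the web root; the sample log lines, addresses and user name are constructed.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Assumption: the instance sits at the web root, so its data directory is /data.
DATA_PREFIX = "/data"

def canonical_path(target):
    """Drop the query, percent-decode, and collapse //, /./ and /../ segments."""
    path = unquote(target.split("?", 1)[0])
    return normpath("/" + path.lstrip("/"))

def exposed_data_hits(lines):
    """Map client IP -> paths under /data that the server answered with 2xx."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, _method, target, status = m.groups()
        path = canonical_path(target)
        in_data = path == DATA_PREFIX or path.startswith(DATA_PREFIX + "/")
        if in_data and status.startswith("2"):
            hits[ip].append(path)
    return dict(hits)

# Constructed sample lines: documentation IP ranges, hypothetical user "alice".
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /data/ HTTP/1.1" 200 1532 "-" "-"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /%64ata/owncloud.log HTTP/1.1" 200 88211 "-" "-"',
    '198.51.100.9 - - [10/Jan/2024:10:01:00 +0000] "GET /data/alice/files/a.txt HTTP/1.1" 403 199 "-" "-"',
    '198.51.100.9 - - [10/Jan/2024:10:01:05 +0000] "GET /data/../index.php/login HTTP/1.1" 200 4100 "-" "-"',
    '192.0.2.44 - - [10/Jan/2024:10:02:00 +0000] "GET //data/alice/files/plan.pdf?x=1 HTTP/1.1" 206 1024 "-" "-"',
    '192.0.2.44 - - [10/Jan/2024:10:02:03 +0000] "GET /database/info HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for ip, paths in exposed_data_hits(SAMPLE).items():
        print(ip, paths)
```

Any hit means the data directory is being served directly; a correctly protected instance answers every such request with 403 or 404.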
IoC
85.203.21.0
175.45.176.31
104.234.140.0