[flagged] What happens if you connect Windows XP to the Internet in 2024? [video] (youtube.com)
39 points by rbanffy on July 27, 2024 | 31 comments


Interesting topic, but I would prefer it to be handled with more expertise than in this video. Seems to be a bit of unsystematic guessing.

Also the connections opened could be watched in a router and/or with something like Wireshark.


Hypothesis: Running an [old, non-upgradeable OS] honeypot increases the probability of further scans and intrusion attempts on that range for awhile at least.

paralax/awesome-honeypots: https://awesomerank.github.io/lists/paralax/awesome-honeypot...

Wireshark works with tcpdump over SSH.

A VM guest virtual network adapter can also be monitored from the VM host.

But a human could spend all day trolling for VM escape exploits with a honeypot.


Is Windows XP on its own really this vulnerable to connections over the internet? This makes it seem like you'll get infected within 10 minutes.

I'm sure there are plenty of vulns in Windows XP by now, but it seems surprising to me that a random IP is getting scanned + infected + exploited within such a span of minutes just because it's running an old OS.

It would actually be pretty interesting to see which vulnerabilities are used for this type of thing. Sort of the opposite of a 0 day, I suppose... very old, well known exploits. But to do that on a PC with totally stock OS software is impressive.


All of Eric Parker's videos are faked, he installs malware manually for attention.

In this particular video you can get a glimpse of that at 2:50, he forgot to close an Internet Explorer window in which he was searching for "XP sp3 worms".


Windows by default, un-firewalled, will announce its presence to a network, and in old versions, that could even be the internet at large (back then you could even see SMB shares over the internet and would often see thousands of 'nearby' systems).

The malware he got appeared to use a PNG exploit to achieve remote code execution once running, but we don't see what bootstrapped that malware into the system.


> Windows by default, un-firewalled, will announce its presence to a network, and in old versions, that could even be the internet at large

By announcements you are referring to broadcasts which are limited to the broadcast domain of whatever IP the ISP has assigned you. Plus those are largely blocked by the ISP beyond that.

So to say that you are broadcasting to the world that you have an SMB share available is not true. An attacker would have to scan for it (i.e. make an active connection to TCP port 445 on your machine).


This is the correct answer. Broadcast packets do not reach outside of a network segment. The “thousands” of Windows machines OP saw were probably part of the same office network they were sitting in (where other mechanisms may actually have made more of them visible than a simple broadcast would, but intentionally).

Sitting at home connected to the Internet over a point-to-point link, you’d see zero Windows machines that are not inside your home, now and back then.


When I got my first cable modem in maybe 1995, there were about half a dozen of my neighbors' computers in Network Neighborhood. Most with unprotected shares and printers. Basically everyone running Windows on my C block. It got cleaned up within a few months tho.


Pre-cable modem era, the dialup networking "adapter" in Windows 95 was bound to "File and Print Sharing". People who had both a LAN and a modem could inadvertently "share" with the Internet.

I may or may not know something about sending print jobs that said "FEED ME CHEESE" in Figlet to inadvertently shared printers and waiting for pings to stop coming back.


I stand corrected (sort of). I did specifically say that you'd see zero other machines when connected to the Internet over a point-to-point link, but I indeed had no idea that in the US there were cable modems from different subscribers within the same subnet/segment and without any filtering.

In Germany, as far as I can tell it was all point-to-point.

That being said, around that time, or maybe slightly later, completely unencrypted WiFi networks were also commonplace, so…


You’re lucky it was only a few months. I think it took until 1999 or 2000 for my cable ISP to subnet their entire /16 so that you weren’t flooding the entire city with broadcast packets, getting random Windows Messenger service messages, etc.

That said, it was super nice to open Quake 3 and be able to play LAN mode with anyone in town.


Saw something similar at the summerhouse of a friend around 2008 or 2009. Somehow the whole neighborhood was in one giant LAN with one another there, sharing a common gateway to the internet? Around 30 or some such computers of neighbors showed up. Super weird.


Cable modem systems often ran with no broadcast filtering, and pretty big netmasks. Something like a /22 wouldn't be uncommon.
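An added example, not from the thread, that makes the distinction drawn in the broadcast-domain comment above and in this /22 remark concrete: broadcasts stay inside the segment, so inbound SMB from outside it can only be an active unicast probe, and a broadcast arriving from outside the segment means the upstream is not filtering. It assumes a /22 segment and constructed flow records with the fields `src dst proto dst_port`.

```python
import ipaddress
from collections import Counter

# Constructed flow records for the example (not captured traffic):
# "src_ip dst_ip proto dst_port"
SAMPLE_FLOWS = """\
10.0.4.17 10.0.7.255 udp 138
10.0.5.200 10.0.4.17 tcp 445
203.0.113.9 10.0.4.17 tcp 445
203.0.113.9 10.0.4.17 tcp 139
198.51.100.77 10.0.7.255 udp 137
10.0.4.17 93.184.216.34 tcp 80
"""

# Assumed broadcast domain: a /22 like the one mentioned in the comment above.
LOCAL_NET = ipaddress.ip_network("10.0.4.0/22")

SMB_PORTS = {139, 445}


def classify_flow(line, local_net=LOCAL_NET):
    """Label one flow record relative to the local broadcast domain."""
    src, dst, proto, port = line.split()
    src, dst, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    if dst == local_net.broadcast_address:
        # Broadcasts only travel within the segment; one arriving from outside
        # means the upstream is not filtering (or the record is spoofed).
        return "broadcast-local" if src in local_net else "broadcast-leak"
    if port in SMB_PORTS and proto == "tcp":
        # Unicast SMB from outside the segment is an active probe, not an
        # announcement: nobody "heard" the share, they went looking for it.
        return "smb-local" if src in local_net else "smb-probe-external"
    return "other"


def summarize(text, local_net=LOCAL_NET):
    """Count labels over a block of flow records."""
    labels = [classify_flow(l, local_net) for l in text.splitlines() if l.strip()]
    return Counter(labels)


if __name__ == "__main__":
    for line in SAMPLE_FLOWS.splitlines():
        print(f"{classify_flow(line):>20}  {line}")
    print(dict(summarize(SAMPLE_FLOWS)))
```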


A local FTTH provider in my area does shockingly little broadcast filtering. It was interesting to see how much noise traffic was out there in the "business class" subnet that my customer's static IP was coming out of.


Un-firewalled yes, but mostly behind NAT, so just everything from Internet to XP would not pass NAT.


Back in the XP days it wasn't uncommon to have your only computer directly connected to a modem (probably ADSL or Cable/Coax, but dial-up was also still around).

I'm not entirely sure when it became the norm for modems to have routers (and thus NAT) built-in, but I assume it coincided with the rise of smartphones around 2008. I certainly remember buying a separate wifi router to connect to the single ethernet port of the modem even post-dialup.


Back then (2000-2001) everyone I knew would buy a Netgear firewall with NAT.

Maybe it was my circle of friends but it was WELL UNDERSTOOD not to ever connect your machine directly to your ISP.

Common DSL providers back then were Telocity and Speakeasy.


I came of age with Windows 95 and friends... All my IRC friends pretty much dialed in directly to the internet from our main PC. When we got cable or DSL, if you had one computer, it got to connect directly.

Windows 98 Second Edition came with internet connection sharing, so you could dial up on one computer and share with the LAN, and I think it worked for cable/dsl with two NICs as well. Many of my circle ended up with a Linux (or BSD) box doing NAT too. There was other software to share on Windows if you didn't have 98SE.


Totally this.

You had one PC connecting to the DSL box, directly having a public IP, and then if you were smart you would install a second network card in your computer with a crossover Ethernet cable connecting to the second computer.

Routers were super expensive, they came only later when internet was democratized more.

Same for switches. Most users were using Ethernet Hubs at that time.


Home routers almost all had MAC cloning as well. ISPs would send a technician out to set up service and would only want to connect the modem to a single system. The modem would then lock onto that MAC and refuse to connect to other hosts.

So home routers would clone that system's MAC address on the WAN port so the shitty modems wouldn't complain.

At the time many broadband ISPs expected you to sign up a new broadband account for each connected machine. They'd balk if you mentioned connection sharing, I had an AT&T CSR go so far as to tell me it was illegal.

This idiocy subsided as WiFi became more common and added directly to home routers.


I've never had a technician come out to set up a broadband connection. It was always self-install.

I found my first NAT router: Netgear RT314 purchased in February 2001


My ISP didn't switch to combination devices until somewhere between 2013 (only got a modem) and 2018 (forced modem upgrade, included built-in router this time).


Un-service-packed XP reachable from public would get owned in single digit minutes back in 2000s. You needed at least SP2 to slow that down. Win2K Server was better, but not markedly.

By contrast, a Win2K3 box with service packs and security updates could act as a server with public address if you set it up appropriately before going online.

Not an accident — turns out Windows Server 2003 was their first OS to undergo extensive semi-automated bug testing with PREfast, a tool that helped catch 12% of its bugs. Additionally, human software development engineers in test (SDETs) — a claimed 60% of Microsoft's 4500 Windows devs — were crucial in finding the rest. This combined effort made it Microsoft's most rigorously tested release at the time, significantly enhancing its security.


Yep. We tested SP2 vs SP3 on our college network. SP2 was compromised within 2 minutes. SP3 needed AV, but lasted over a day.


Yes. I've had a new install compromised immediately after first boot. This was over a poorly configured cable internet service. I could also see and connect to other computers in the neighborhood and had full access to shared resources.

I did it to prove a point. ISP techs didn't believe it could happen. Yes, they were that bad.

However, this was done at the time when every other machine everywhere was compromised in some way and sputtering out malware all the time.

I have no idea what the results would be like today, but I suspect it would be far less dramatic because the exploits for XP have more than likely been offline for a long time.


I've never really liked Windows XP, but this video is a bit dishonest. As other commenters have pointed out, at around the 2 minute and 50 second mark, the person has a search query for "xp sp3 worm" in Internet Explorer. While the person in the video admits to disabling the firewall and other security features of Windows XP, he never mentions his intent to search for worms targeting the platform and execute them.

There was a time when Windows XP would get infected by staying online overnight, but the most recent example I remember is the Blaster worm[1] from around 2003. I recall having an ADSL subscription back in 2007, and at the time, the ISP provided a device acting as both a modem and router. So in my case, at least since 2007, I wouldn't have to worry much about keeping a computer online overnight.

[1] https://en.wikipedia.org/wiki/Blaster_(computer_worm)?useski...


Does this include all the official post-abandonment patches (from Microsoft POSReady), and unofficial service pack patches?


Relevant xkcd https://xkcd.com/350/


That is one of the funniest ones. I printed it out and attached it to the outside of my cube ages ago.


Please. This is fake. The guy installs Trojans offscreen just to make a video.


Does he install ZoneAlarm on it?
