The Shadowserver Foundation: X Display Manager Control Protocol Scanning Project

Accessible X Display Manager Control Protocol Scanning Project

If you are looking at this page, then more than likely, you noticed a scan coming from this server across your network and/or poking at the XDMCP (X Display Manager Control Protocol) service on port 177/udp.

The Shadowserver Foundation is currently undertaking a project to search for publicly accessible devices that have the XDMCP service running. The goal of this project is to identify openly accessible systems that have the XDMCP service running and report them back to the network owners for remediation.

In addition to the possibility of disclosing sensitive information or unknowningly providing remote access to the system, this service has the potential to be used in UDP amplification attacks. If at all possible, we would like to see these services made un-available to miscreants that would misuse these resources.

Servers that are configured this way have been incorporated into our reports and are being reported on a daily basis.

Information on UDP-based amplification attacks in general can be found in US-CERT alert TA14-017A at: https://www.us-cert.gov/ncas/alerts/TA14-017A

Methodology

We are querying all computers with routable IPv4 addresses that are not firewalled from the internet on port 177/udp with an XDMCP "query" request and capturing the response. We intend no harm, but if we are causing problems, please contact us at: dnsscan [at] shadowserver [dot] org.

If you would like to test your own device to see if it has XDMCP accessible, try the nmap command: "nmap -sU -p 177 --script xdmcp-discover [IP]"

Blocklisting

To be removed from this set of scanning you will need to send an email to dnsscan [at] shadowserver [dot] org with the specific CIDR's that you would like to have removed. You will have to be the verifiable owner of these CIDR's and be able to prove that fact. Any address space that is blocklisted will be publicly available here: https://xdmcpscan.shadowserver.org/exclude.html

Useful Links

Blog Summary: https://www.shadowserver.org/news/the-scannings-will-continue-until-the-internet-improves/
Get reports on your network: https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
Current Whitelist: https://xdmcpscan.shadowserver.org/exclude.html

Scan Status

Statistics on current run

Other Statistics

All devices with XDMCP Accessible

(Click image to enlarge)

These are the 14,000 devices with XDMCP accessible

If you would like to see more regions click here

All devices with XDMCP Accessible

(Click image to enlarge)

These are the 14,000 devices with XDMCP accessible