Solved - Wzye V3 cam... Any ideas to figure out why an outside IP attempting connections to two ports keeps following me?

[Mike A.]

An outside IP address (45.35.33.242) continually attempts connections to ports to 53204 and 58382. I can force a change to my external IP address and within a minute or so the attempts will follow. So I assume that I must have something that's beaconing out to report the change.

The IP is not associated with anything known to me. Whois info is below. By geolocation, server appears to be physically located in either Dallas Texas
or Bangladesh depending on which lookup service used..

IP Location Bangladesh Bangladesh Dhaka Mellowhost
ASN Bangladesh AS40676 AS40676, US (registered Feb 26, 2008)
Resolve Host esx1.fazey.org
Whois Server whois.arin.net
IP Address 45.35.33.242
NetRange: 45.34.0.0 - 45.35.255.255
CIDR: 45.34.0.0/15
NetName: PSYCHZ-NETWORKS
NetHandle: NET-45-34-0-0-1
Parent: NET45 (NET-45-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS40676
Organization: Psychz Networks (PS-184)
RegDate: 2015-03-03
Updated: 2015-03-03
Ref:

https://rdap.arin.net/registry/ip/45.34.0.0

OrgName: Psychz Networks
OrgId: PS-184
Address: 20687-2 Amar Road #312
City: Walnut
StateProv: CA
PostalCode: 91789
Country: US
RegDate: 2013-04-17
Updated: 2013-09-05
Ref:

https://rdap.arin.net/registry/entity/PS-184

ReferralServer: rwhois:/rwhois.psychz.net:4321

OrgTechHandle: NOC3077-ARIN
OrgTechName: NOC
OrgTechPhone: +1-626-549-2801
OrgTechEmail:
OrgTechRef:

https://rdap.arin.net/registry/entity/NOC3077-ARIN

OrgAbuseHandle: NOC3077-ARIN
OrgAbuseName: NOC
OrgAbusePhone: +1-626-549-2801
OrgAbuseEmail:
OrgAbuseRef:

https://rdap.arin.net/registry/entity/NOC3077-ARIN

NetRange: 45.35.33.0 - 45.35.33.255
CIDR: 45.35.33.0/24
NetName: PSYCHZ-NETWORKS
NetHandle: NET-45-35-33-0-1
Parent: PSYCHZ-NETWORKS (NET-45-34-0-0-1)
NetType: Reallocated
OriginAS: AS40676
Organization: Psychz Networks Dallas (PND-24)
RegDate: 2015-08-21
Updated: 2015-08-21
Ref:

https://rdap.arin.net/registry/ip/45.35.33.0

OrgName: Psychz Networks Dallas
OrgId: PND-24
Address: 1515 Round Table Drive
City: Dallas
StateProv: TX
PostalCode: 75247
Country: US
RegDate: 2015-08-21
Updated: 2015-08-21
Ref:

https://rdap.arin.net/registry/entity/PND-24

OrgTechHandle: TEXAS1-ARIN
OrgTechName: Texas - NOC
OrgTechPhone: +1-626-549-2801
OrgTechEmail:
OrgTechRef:

https://rdap.arin.net/registry/entity/TEXAS1-ARIN

OrgAbuseHandle: TEXAS1-ARIN
OrgAbuseName: Texas - NOC
OrgAbusePhone: +1-626-549-2801
OrgAbuseEmail:
OrgAbuseRef:

https://rdap.arin.net/registry/entity/TEXAS1-ARIN

NetRange: 45.35.33.224 - 45.35.33.255
CIDR: 45.35.33.224/27
NetName: PSYCHZ-NETWORKS
NetHandle: NET-45-35-33-224-1
Parent: PSYCHZ-NETWORKS (NET-45-35-33-0-1)
NetType: Reassigned
OriginAS: AS40676
Organization: Mellowhost (MELLO-3)
RegDate: 2016-03-09
Updated: 2016-03-09
Ref:

https://rdap.arin.net/registry/ip/45.35.33.224

OrgName: Mellowhost
OrgId: MELLO-3
Address: 174/A Lane 2 Apt 1B
Address: Baridhara DOHS
City: Dhaka
StateProv: DHAKA
PostalCode: 1206
Country: BD
RegDate: 2016-02-21
Updated: 2016-02-21
Ref:

https://rdap.arin.net/registry/entity/MELLO-3

OrgTechHandle: SHS18-ARIN
OrgTechName: Shayan, Surid Halder
OrgTechPhone: +8801713123262
OrgTechEmail:
OrgTechRef:

https://rdap.arin.net/registry/entity/SHS18-ARIN

OrgAbuseHandle: SHS18-ARIN
OrgAbuseName: Shayan, Surid Halder
OrgAbusePhone: +8801713123262
OrgAbuseEmail:
OrgAbuseRef:

https://rdap.arin.net/registry/entity/SHS18-ARIN

Looks to be at a small hosting company. The host system noted at that IP appears to be an abandoned blog site for fazey.org. Looking up that domain directly now resolves to AWS (as mentioned in the guy's About section). So again, not something big and known that anything I have should be connecting to.

Unfortunately I have a ton of stuff on my network so hard to narrow things down much by turning things off. I've pulled the single cable connecting my internal network to my router and the attempts continue. I've not yet tried pulling the plug and then attempting to release/renew my IP.

I've run Wireshark to watch for anything calling out to that IP/hostname directly but don't see anything. Could be connecting to some other system to report I suppose.

I have no open ports at my router. VPN in only.

The connection attempts are blocked so not that big of a deal. Just curious why the damn thing keeps tracking me.

 

[Mike A.]

Ahhh... found it!

It's from two Wyze V3 cams. WiFi traffic didn't show in Wireshark.

udp 192.168.2.189:58382 45.35.33.242:10001 UNREPLIED
udp 192.168.2.238:53204 45.35.33.242:10001 UNREPLIED

Now the question is WTF are my Wyze cams doing connecting to that host?

I'll ask on Wyze's forums. At least I know what it is now.

 

[SpacemanSpiff]

Is your cam network not isolated from the wubwubwub?

 

[mikeynags]

Ahhh... found it!

It's from two Wyze V3 cams. WiFi traffic didn't show in Wireshark.

udp 192.168.2.189:58382 45.35.33.242:10001 UNREPLIED
udp 192.168.2.238:53204 45.35.33.242:10001 UNREPLIED

Now the question is WTF are my Wyze cams doing connecting to that host?

I'll ask on Wyze's forums. At least I know what it is now.

So they are "phoning home" but it sounds like you are blocking the return traffic.

 

[Mike A.]

Is your cam network not isolated from the wubwubwub?

Everything else is but not those two Wyze V3 cams that I picked up to play with. They need to get out in order to work. They were on a separate WiFi network but I moved them back over when trying the new RTSP beta to connect to BI. Have to look to better lock them down again now.

 

[SpacemanSpiff]

Now the question is WTF are my Wyze cams doing connecting to that host?

If I am not mistaken, they're designed to work with the cloud, which allows one to view their live feed. Reports say they can be set to work without the Internet

 

[Mike A.]

So they are "phoning home" but it sounds like you are blocking the return traffic.

Yes. Apparently it's related to their P2P service. They contract out that service and I suppose that the company that runs it likely picked up that IP at some point. Looking more closely once I found what it was I see a bunch of similar threads re their cams connecting in the same way to odd servers. Seems that blocking the incoming doesn't affect whatever operation. Not sure what the purpose of those ports is and why they'd expect that they'd ever be open. Maybe they try UPnP to open them which would be blocked on my network. They obviously tunnel in other ways also since they still work inside/outside my network.

Got just to mess around with since I found them cheap on clearance at Home Depot for $15 including the SD card. The color night pictures looked good in what I'd seen. In use I'm not all that impressed. Indoors at night they look great. In a more complex scene outdoors the compression that they use causes the image to degrade greatly (threads on that as well looking more). Starts breaking down to the point that the pixelation will trigger motion alerts in BI. ; ) (Example below.) I'm even less impressed now with the connection to some strange server but I suppose I knew that was happening in some form.

 

[Mike A.]

If I am not mistaken, they're designed to work with the cloud, which allows one to view their live feed. Reports say they can be set to work without the Internet

Yes, cloud-based cams. Not sure to what extent they'll work without Internet. They need the app to control them and the AI-based detection functions also are cloud-based. According to some posts in the beta forums when people have tried to block them, they need to connect when they first start up or they'll begin to disconnect every 4 or 5 minutes. Now that they have the RTSP beta on them and they're all set up in BI I'll play with them more to find out.

 

[Mike A.]

Did a quick test to see what would happen if blocked. Kind of as expected.

• The attempted outside connection does stop since no call out on port 10001.
• The app does not work since it can't reach the cam. No big deal once set up in BI other than if you need to change something. Can use BI to view locally/remotely.
• AI motion detection doesn't work since cloud-based.
• Cam does briefly drop off about every 5 minutes. Not that big of a deal since it's a very quick drop and immediate reconnect. You would not notice unless looking at it at the time or on the BI status page.

 

[Teken]

Did a quick test to see what would happen if blocked. Kind of as expected.

• The attempted outside connection does stop since no call out on port 10001.
• The app does not work since it can't reach the cam. No big deal once set up in BI other than if you need to change something. Can use BI to view locally/remotely.
• AI motion detection doesn't work since cloud-based.
• Cam does briefly drop off about every 5 minutes. Not that big of a deal since it's a very quick drop and immediate reconnect. You would not notice unless looking at it at the time or on the BI status page.

Thank you for this insight and valuable information as it relates to this problem. Along with testing out the RTSP firmware for me and others!

I purchased this camera for the soul purpose as a throw away and used on a dedicated isolated network. I’m not concerned about someone being able to watch a bird nest in a eve trough or my sump pump in the pitch black!

 

[mat200]

Thanks @Mike A.

Always enjoy seeing good info posted

definitely keep us informed on what you learn.

 

[Mike A.]

Another issue noticed with blocking the Wyze cams - time.

The cam now has no way to get the correct time and I see no way to select some alternative time server.

Since I posted above a little more than 24 hours ago, it's already about 1/2 hour behind actual time.

 

[Teken]

Another issue noticed with blocking the Wyze cams - time.

The cam now has no way to get the correct time and I see no way to select some alternative time server.

Since I posted above a little more than 24 hours ago, it's already about 1/2 hour behind actual time.

That’s pretty disheartening to learn given modern elections now in place. I guess none of us should be too surprised the camera doesn’t incorporate a RTC.

I would have thought this camera would lose maybe on the extreme end of the scale from maybe 1-3 seconds per day.

Not 30 minutes?!?

 

[Mike A.]

Seems to have stayed at about 1/2 hour since I posted.

I pulled the plug on it now and on restart it comes up about 12 hours behind showing yesterday's date. i.e., 27 minutes after midnight 10/13/2021

I think it might be that it wasn't losing time. Maybe it just started up that far behind and I didn't notice then.

No idea where it's coming up with the time/date shown.

I'll unblock it and let it do whatever it does when drops offline at the next 5 minute interval and see if it grabs the right time again.

Edit to add... Didn't have to wait long. Pulls the right time after the usual drop-off as I thought that it probably would. I blocked it again and now have a good reference time. See how well it stays on time from here.

 

[Teken]

Seems to have stayed at about 1/2 hour since I posted.

I pulled the plug on it now and on restart it comes up about 12 hours behind showing yesterday's date. i.e., 27 minutes after midnight 10/13/2021

I think it might be that it wasn't losing time. Maybe it just started up that far behind and I didn't notice then.

No idea where it's coming up with the time/date shown.

I'll unblock it and let it do whatever it does when drops offline at the next 5 minute interval and see if it grabs the right time again.

I also agree that this camera should offer the ability to point to a NTP Server whether local first vs cloud first.

 

[Mike A.]

It was doing so well for most of the day. I was about to post that it had stayed on time since I let it get out and get the time.

But then I go look now and it says that it's 14:22 when it's actually 22:43.

Not sure when it lost it but whenever it did, it did in a big way.

 

[jack7]

Perhaps you can forget the Wyze time and use the BI timestamp Overlay. The following thread towards the end seems to indicate that it might work well. You may need to figure out how to get rid of the Wyze timestamp.

Burn Timestamp into Video - Blue Iris

 

[Mike A.]

Yes, I could. Don't really care in this case. Not a critical cam just something to play around with and reporting what I've found. Have plenty of others to capture things.

You can turn off the time display in the Wyze app so that wouldn't be a problem if someone wanted to.

Thanks for the link. Reading through it I learned that the overlays no longer increase overhead quite a bit like they did. Didn't realize that had changed.