Backdoor open ports on POE IP Camera?

Discussion in 'Chit-Chat' started by Kevin Wilson, Apr 17, 2018.

  1. Kevin Wilson (n3wb; joined Apr 11, 2018; messages: 1; likes received: 1)

    I've been trying to set up a small surveillance solution for our home, using a newly-acquired QNAP TS253 NAS as the NVR.

    I bought some cameras from Amazon - 2 Hikvisions and one SV3C.

    I've only got the SV3C one set up so far, and decided to run a port scan on it to see if there were any back doors open. Here is what I found. The camera is responding on the following ports:

    80 (HTTP)
    554 (RTSP)
    1018 (reserved according to IANA - may be used for ipcserver)
    1235 (mosaicsyssvc1 - seems to be used for some RAM optimisation?)
    8840 (unassigned)
    42608 (unassigned)

    I'm quite alarmed. No way all these ports should be open. The only one I know of that's legitimate is 1018. Before I send the camera back, does anyone think this looks correct?

    I've contacted SV3C and they say it's all fine, and there's no new firmware.
     
    mat200 likes this.
  2. alastairstevenson (Known around here; joined Oct 28, 2014; messages: 8,102; likes received: 2,172; location: Scotland)

    Not all listening ports are back doors. It would be a crude and easily-found way of providing one.

    That's commonly used as the 'ONVIF port'. You can confirm this using ONVIF Device Manager from sourceforge.net - check the URL under the 'Information' page.
    Some firmware (eg Dahua, Hikvision and others) uses a dedicated port for the 'command and control' function of the camera. Generally, this would require authentication with a user-set password.
    Some firmware (eg Dahua) uses a dedicated port to handle firmware updates.
    Some firmware (eg lots) uses a non-standard port for command shell (eg telnet) access.
    Some firmware (eg Herospeed, used on many brands) uses a variety of ports to indicate status, provide debug info, or announce events such as motion, or to enable command shell access.
    Some firmware (eg Herospeed) emulates other brands' 'command and control' protocol on the other brands' default ports.
    It does all depend on their purpose; it can be quite legitimate.
    You will find much the same even on mainstream brands.

    Suggestion:
    Try a telnet session to each port and see what response, if any, you get. It may provide a clue as to the purpose.
    And of course it's up to you whether your network allows unauthorised access to these ports.

    Here is an example from a camera running Herospeed firmware:
    Code:
    alastair@PC-I5 ~ $ telnet 192.168.1.103 402
    Trying 192.168.1.103...
    Connected to 192.168.1.103.
    Escape character is '^]'.
    [Trace]: eth0 LINK up
    No arp reply received for this address
    [Trace]: eth0 LINK up
    No arp reply received for this address
    [Trace]: eth0 LINK up
    No arp reply received for this address
    [Trace]: eth0 LINK up
    No arp reply received for this address
    [Trace]: eth0 LINK up
    Auto_Loop 5855: getaddrinfo start
    Auto_Loop 5868: getaddrinfo end
    No arp reply received for this address
    ^]
    telnet> close
    Connection closed.
    alastair@PC-I5 ~ $ telnet 192.168.1.103 403
    Trying 192.168.1.103...
    Connected to 192.168.1.103.
    Escape character is '^]'.
    [Trace]: RtspAVCallback 878: Rtsp VideoIndex 1 still alive....
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](0) == 0
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](2) == 0
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](1) == 0
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[4](2) == 0
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](0) == 0
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](2) == 0
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](1) == 0
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[4](2) == 0
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](0) == 0
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](2) == 0
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](1) == 0
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[4](2) == 0
    [Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](0) == 0
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](2) == 0
    [Trace]: RTSP_SvrRecvThrFxn 4554
    [Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](1) == 0
    [Trace]: RTSP_SvrRecvThrFxn 4554
    ^]
    telnet> close
    Connection closed.
    alastair@PC-I5 ~ $ telnet 192.168.1.103 407
    Trying 192.168.1.103...
    Connected to 192.168.1.103.
    Escape character is '^]'.
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
    [Trace]: AVStreamGetAVDataThread 725: Index = 2 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
    [2018.04.17][14:48:03.423357] DebugThread[480] WaitCoreThreadRsp:67: CoreThread normal!
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
    [Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
    [Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
    ^]
    telnet> close
    Connection closed.
    alastair@PC-I5 ~ $ nmap 192.168.1.103
    
    Starting Nmap 7.01 ( https://nmap.org ) at 2018-04-17 14:49 BST
    Nmap scan report for 192.168.1.103
    Host is up (0.76s latency).
    Not shown: 993 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http
    406/tcp  open  imsp
    407/tcp  open  timbuktu
    443/tcp  open  https
    554/tcp  open  rtsp
    787/tcp  open  qsc
    8000/tcp open  http-alt
    
    Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds
    alastair@PC-I5 ~ $
    
     
    mat200 and fenderman like this.
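
The telnet check suggested in the reply above, scripted for all six ports from the first post, as an added example that is not part of the original thread. The camera address is a placeholder and the labels returned by `classify` are this example's own heuristics, not anything defined by SV3C or Herospeed.

```python
import socket

# Ports reported open in the first post; the address is a placeholder (assumption).
CAMERA = "192.0.2.10"
PORTS = [80, 554, 1018, 1235, 8840, 42608]

def grab(host, port, timeout=3.0):
    """Return bytes the service sends (b"" if none), or None if the port is closed."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        try:
            # First just listen: debug ports like the Herospeed ones stream unprompted.
            return sock.recv(1024)
        except socket.timeout:
            pass
        except OSError:
            return b""
        try:
            # Nothing volunteered: send blank lines, which text protocols answer with an error.
            sock.sendall(b"\r\n\r\n")
            return sock.recv(1024)
        except OSError:
            return b""

def classify(data):
    """Map a captured first response to a rough guess at the port's purpose."""
    if data is None:
        return "closed"
    if not data:
        return "silent"              # open, but said nothing (binary protocol?)
    if data.startswith(b"\xff"):
        return "telnet-negotiation"  # 0xFF is the telnet IAC byte: a shell service
    if data.startswith(b"HTTP/"):
        return "http"                # web UI, or ONVIF (SOAP over HTTP)
    if data.startswith(b"RTSP/"):
        return "rtsp"
    if b"[Trace]" in data:
        return "debug-trace"         # status/debug stream as in the sample above
    if b"login:" in data.lower():
        return "login-prompt"
    return "unknown"

if __name__ == "__main__":
    for port in PORTS:
        print(port, classify(grab(CAMERA, port)))
```

A port labelled silent or unknown has not identified itself; none of the labels show whether the service behind the port requires authentication.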