Backdoor open ports on POE IP Camera?

Joined
Apr 11, 2018
Messages
3
Reaction score
1
I've been trying to set up a small surveilance solution for our home, using a newly-acquired QNAP TS253 NAS as the NVR.

I bought some cameras from Amazon - 2 Hikvisions and one SV3C.

I've only got the SV3C one set up so far, and decided to run a port scan on it to see if there were any back doors open. Here is what I found. The camers is responding on the following ports:

80 (HTTP)
554 (RTSP)
1018 (reserved according to IANA - may be used for ipcserver
1235 (mosaicsyssvc1 - seems to be used for some RAM optimisation?)
8840 (unassigned)
42608 (unassigned)

I'm quite alarmed. No way all these ports should be open. The only one I know of that's legitimate is 1018. Before I send the camera back, does anyone thing this looks correct?

I've contacted SV3C and they say it's all fine, and there's no new firmware.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,779
Location
Scotland
decided to run a port scan on it to see if there were any back doors open.
Not all listening ports are back doors. It would be a crude and easily-found way of providing one.

1018 (reserved according to IANA - may be used for ipcserver
That's commonly used as the 'ONVIF port'. You can confirm this using ONVIF Device Manager from sourceforge.net - check the URL under the 'Information' page.
Some firmware (eg Dahua, Hikvision and others) uses a dedicated port for the 'command and control' function of the camera. Generally, this would require authentication with a user-set password.
Some firmware (eg Dahua) uses a dedicated port to handle firmware updates.
Some firmware (eg lots) uses a non-standard port for command shell (eg telnet) access.
Some firmware (eg Herospeed, used on many brands) uses a variety of ports to indicate status, provide debug info, or announce events such as motion, or to enable command shell access.
Some firmware (eg herospeed) emulates other brands 'command and control' protocol on the other brands default ports.
I'm quite alarmed. No way all these ports should be open.
It does all depend on their purpose, it can be quite legitimate.
You will find much the same even on mainstream brands.

Suggestion :
Try a telnet session to each port and see what response, if any, you get. It may provide a clue as to the purpose.
And of course it's up to you whether your network allows unauthorised access to these ports.

Here is an example from a camera running Herospeed firmware:
Code:
alastair@PC-I5 ~ $ telnet 192.168.1.103 402
Trying 192.168.1.103...
Connected to 192.168.1.103.
Escape character is '^]'.
[Trace]: eth0 LINK up
No arp reply received for this address
[Trace]: eth0 LINK up
No arp reply received for this address
[Trace]: eth0 LINK up
No arp reply received for this address
[Trace]: eth0 LINK up
No arp reply received for this address
[Trace]: eth0 LINK up
Auto_Loop 5855: getaddrinfo start
Auto_Loop 5868: getaddrinfo end
No arp reply received for this address
^]
telnet> close
Connection closed.
alastair@PC-I5 ~ $ telnet 192.168.1.103 403
Trying 192.168.1.103...
Connected to 192.168.1.103.
Escape character is '^]'.
[Trace]: RtspAVCallback 878: Rtsp VideoIndex 1 still alive....
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](0) == 0
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](2) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](1) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[4](2) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](0) == 0
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](2) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](1) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[4](2) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](0) == 0
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](2) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](1) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[4](2) == 0
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](0) == 0
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](2) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](1) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
^]
telnet> close
Connection closed.
alastair@PC-I5 ~ $ telnet 192.168.1.103 407
Trying 192.168.1.103...
Connected to 192.168.1.103.
Escape character is '^]'.
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 2 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[2018.04.17][14:48:03.423357] DebugThread[480] WaitCoreThreadRsp:67: CoreThread normal!
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
^]
telnet> close
Connection closed.
alastair@PC-I5 ~ $ nmap 192.168.1.103

Starting Nmap 7.01 ( https://nmap.org ) at 2018-04-17 14:49 BST
Nmap scan report for 192.168.1.103
Host is up (0.76s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
80/tcp   open  http
406/tcp  open  imsp
407/tcp  open  timbuktu
443/tcp  open  https
554/tcp  open  rtsp
787/tcp  open  qsc
8000/tcp open  http-alt

Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds
alastair@PC-I5 ~ $
 
Top