decided to run a port scan on it to see if there were any back doors open.
Not all listening ports are back doors. It would be a crude and easily-found way of providing one.
1018 (reserved according to IANA - may be used for ipcserver
That's commonly used as the 'ONVIF port'. You can confirm this using ONVIF Device Manager from sourceforge.net - check the URL under the 'Information' page.
Some firmware (eg Dahua, Hikvision and others) uses a dedicated port for the 'command and control' function of the camera. Generally, this would require authentication with a user-set password.
Some firmware (eg Dahua) uses a dedicated port to handle firmware updates.
Some firmware (eg lots) uses a non-standard port for command shell (eg telnet) access.
Some firmware (eg Herospeed, used on many brands) uses a variety of ports to indicate status, provide debug info, or announce events such as motion, or to enable command shell access.
Some firmware (eg herospeed) emulates other brands 'command and control' protocol on the other brands default ports.
I'm quite alarmed. No way all these ports should be open.
It does all depend on their purpose, it can be quite legitimate.
You will find much the same even on mainstream brands.
Suggestion :
Try a telnet session to each port and see what response, if any, you get. It may provide a clue as to the purpose.
And of course it's up to you whether your network allows unauthorised access to these ports.
Here is an example from a camera running Herospeed firmware:
Code:
alastair@PC-I5 ~ $ telnet 192.168.1.103 402
Trying 192.168.1.103...
Connected to 192.168.1.103.
Escape character is '^]'.
[Trace]: eth0 LINK up
No arp reply received for this address
[Trace]: eth0 LINK up
No arp reply received for this address
[Trace]: eth0 LINK up
No arp reply received for this address
[Trace]: eth0 LINK up
No arp reply received for this address
[Trace]: eth0 LINK up
Auto_Loop 5855: getaddrinfo start
Auto_Loop 5868: getaddrinfo end
No arp reply received for this address
^]
telnet> close
Connection closed.
alastair@PC-I5 ~ $ telnet 192.168.1.103 403
Trying 192.168.1.103...
Connected to 192.168.1.103.
Escape character is '^]'.
[Trace]: RtspAVCallback 878: Rtsp VideoIndex 1 still alive....
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](0) == 0
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](2) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](1) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[4](2) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](0) == 0
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](2) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](1) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[4](2) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](0) == 0
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](2) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](1) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[4](2) == 0
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](0) == 0
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](2) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
[Trace]: AVStreamGetAVDataThread 581: gTransFormStatusFunc[2](1) == 0
[Trace]: RTSP_SvrRecvThrFxn 4554
^]
telnet> close
Connection closed.
alastair@PC-I5 ~ $ telnet 192.168.1.103 407
Trying 192.168.1.103...
Connected to 192.168.1.103.
Escape character is '^]'.
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 2 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[2018.04.17][14:48:03.423357] DebugThread[480] WaitCoreThreadRsp:67: CoreThread normal!
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
[Trace]: AVStreamGetAVDataThread 725: Index = 0 Endflag == 255
[Trace]: AVStreamGetAVDataThread 727: VideoPos = 0
[Trace]: AVStreamGetAVDataThread 725: Index = 1 Endflag == 255
^]
telnet> close
Connection closed.
alastair@PC-I5 ~ $ nmap 192.168.1.103
Starting Nmap 7.01 ( https://nmap.org ) at 2018-04-17 14:49 BST
Nmap scan report for 192.168.1.103
Host is up (0.76s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
80/tcp open http
406/tcp open imsp
407/tcp open timbuktu
443/tcp open https
554/tcp open rtsp
787/tcp open qsc
8000/tcp open http-alt
Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds
alastair@PC-I5 ~ $