Blue Iris hacked?

Walnut

n3wb
Joined
Dec 4, 2015
Messages
9
Reaction score
0
I run my BI on a Proliant server at home, and periodically check the status page for port scanning. As with most people, I get IP addresses occasionally appearing.

Recently, I have noticed the same IP appearing over the last few weeks, perhaps a couple of times a week. There has been no access to my server.

However, when I checked last night, this IP had 12 connections and some 200 frames viewed in one night!

I only have 1 admin account and 1 user account set up, both with strong passwords. The connection does not show a user on the status page.

I am now paranoid that they can access the web viewer, view old clips, alter settings etc., as I do not know what privileges they logged on with.

I am nowhere near an expert on networking, so how can this happen?

I have disabled the web server until I can find out what happened, and use RDC to view at the moment. Any help/advice gratefully received.

Thanks.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,896
Reaction score
21,247
Relax... sounds like attempted logins... post a screenshot...
 

Walnut

n3wb
Joined
Dec 4, 2015
Messages
9
Reaction score
0
Thanks fenderman. Attached are 2 screenshots. IP address is dynamic, but I use NOIP. It was the fact that a port scan had never shown webcast frames before that worried me.

[Attachments: status1.jpg, status2.jpg]
 

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,990
Reaction score
3,989
Location
Megatroplis, USA
The Bad Guys are attracted to known ports; as a result TBGs are going to be hitting port 80 HTTP, port 3389 RDP and port 21 FTP (along with many others). If you want a very simple (but very effective) method to eliminate these annoying (and often worrisome) access attempts, simply change your HTTP port to something other than its default port of 80. If you're going to do this then it is best to change it to a port in the 49152–65535 range (which are dynamic or private ports which are not registered with IANA). While it is true that TBGs could deploy port scanning to uncover all of your open WAN ports it takes a very demented individual to waste resources and energy scanning Joe Homeowner networks. I have found that this simple technique completely reduces unwanted traffic as evidenced by bad RDP logon attempts reported in the machine's Windows (Security) Event Log.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,896
Reaction score
21,247
Also, you should upgrade to BI4 as there have been security enhancements made.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,656
Reaction score
13,984
Location
USA
Why does it say "User SRM"?

If it is showing a non-zero frame count, that does suggest someone is viewing video.
 

Walnut

n3wb
Joined
Dec 4, 2015
Messages
9
Reaction score
0
Thanks chaps. I will change the port from 8080 to something you suggest. I think I may also change the RDC port to another number at the same time.

I didn't upgrade due to cost, but may have to do so now to get the benefit of security updates.

The ones that say User SRM are my logins. The one that is blank and shows 183 frames is completely unknown to me. As you say, it appears someone has logged in, which puzzles me as it's got a 127 bit password. Hence my real concern!

Thanks.
 

vulpes

n3wb
Joined
Sep 30, 2015
Messages
16
Reaction score
5
*Edit: Never mind, didn't look up the French IP. My mistake.*
 

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,990
Reaction score
3,989
Location
Megatroplis, USA
Thanks chaps. I will change the port from 8080 to something you suggest. I think I may also change the RDC port to another number at the same time.

I didn't upgrade due to cost, but may have to do so now to get the benefit of security updates.

The ones that say User SRM are my logins. The one that is blank and shows 183 frames is completely unknown to me. As you say, it appears someone has logged in, which puzzles me as it's got a 127 bit password. Hence my real concern!

Thanks.
The "blank" user login may be the anonymous LAN user login?
 

Walnut

n3wb
Joined
Dec 4, 2015
Messages
9
Reaction score
0
The "blank" user login may be the anonymous LAN user login?

Nope, it was def a log-in. I am still mystified how they did it, but going with all the suggestions on here, and VPN at some point in the future. It is also a known abuse IP address according to a Google search.

I will pick a random high port number that is not used and keep the house cams off for a bit while I monitor it.

Thanks again chaps!
 

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,990
Reaction score
3,989
Location
Megatroplis, USA
Nope, it was def a log-in. I am still mystified how they did it, but going with all the suggestions on here, and VPN at some point in the future. It is also a known abuse IP address according to a Google search.

I will pick a random high port number that is not used and keep the house cams off for a bit while I monitor it.

Thanks again chaps!
Did you do a lookup on the IP address associated with the mystery account?
 

Walnut

n3wb
Joined
Dec 4, 2015
Messages
9
Reaction score
0
Did you do a lookup on the IP address associated with the mystery account?
Yes, ran it thru AbuseIPDB. Some dodgy French address with a history. Didn't seem any point reporting it.
 

kampstra

n3wb
Joined
Jul 26, 2016
Messages
3
Reaction score
1
If the same IP address is appearing repeatedly there is a very easy way to stop them. Add a static routing entry on the server that routes that address to your server, which will block them from accessing your server. By default, all traffic that is not local to the network is sent to the router (default gateway). By adding a new static entry on the server to this rogue IP address it will black hole them from getting on your server. It's really simple: open a command prompt and type in the following:

route add -p 10.0.0.0 mask 255.255.255.255 192.168.0.1 metric 2

[Change the 10.0.0.0 to match the rogue IP address, change the 192.168.0.1 to match the Blue Iris server address.] Bingo! You've blocked them from accessing your server until they obtain a new IP address. Hope this helps you.
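An added PowerShell example, not from any poster in this thread, combining two ideas raised above: counting failed Windows logons per source address from the Security Event Log (the evidence Q™ mentions for bad RDP attempts) and blocking a repeat offender on the Blue Iris server itself, here with an inbound Windows Firewall rule rather than the static route in the post above. The address 203.0.113.45, the rule name and the function names are placeholders/assumptions; it assumes Windows 8 / Server 2012 or later and an elevated prompt.

```powershell
# Added example (not from the thread). Requires the NetSecurity module
# (Windows 8 / Server 2012+) and an elevated PowerShell prompt.
# Constructed placeholder address from the TEST-NET-3 documentation range.
$RogueIp = '203.0.113.45'

# 1. Evidence: failed logons (Security event 4625) grouped by source address.
#    4625 carries the caller's IP in the 'IpAddress' EventData field; reading
#    the event XML avoids parsing the localized message text.
function Get-FailedLogonSources {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            ($xml.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
        } |
        Where-Object { $_ -and $_ -ne '-' } |      # local/console logons report '-'
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count
}

# 2. Block: an inbound rule drops packets from the address before any listening
#    service (Blue Iris web server, RDP) sees them. The static route in the post
#    above instead blackholes the server's replies; both stop the connection, but
#    the firewall rule also keeps the attempts out of the service's own logs.
function Block-RogueAddress {
    param([Parameter(Mandatory)][string]$Ip)
    $name = "Block rogue $Ip"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -RemoteAddress $Ip -Profile Any -Enabled True | Out-Null
    }
    # Verify the rule's address filter really carries the IP we asked for.
    Get-NetFirewallRule -DisplayName $name | Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress
}

Get-FailedLogonSources -Days 7 | Format-Table -AutoSize
Block-RogueAddress -Ip $RogueIp
```

Remove the rule later with `Remove-NetFirewallRule -DisplayName "Block rogue 203.0.113.45"`; like the route trick, this only helps until the attacker's dynamic address changes.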
 

Warsaws

Young grasshopper
Joined
Dec 13, 2015
Messages
74
Reaction score
2
Hmmm. Sure seems easier and more effective to just use VPN.
 

kampstra

n3wb
Joined
Jul 26, 2016
Messages
3
Reaction score
1
@Warsaws - I'm not sure I follow how a VPN will solve the problem. He has someone randomly connecting to his server. The VPN will only be effective if he first blocks all internet access to the box and then permits the VPN traffic to it. Then he will need to run a VPN client on any mobile device he wants to use to connect to the server to ensure the traffic is encrypted and secure. VPN alone is not the answer and he may not have the hardware capable of supporting a VPN tunnel. The quickest and easiest way to deny anyone that is hacking his box is to blackhole them using a simple static route on the server. No network/firewall/VPN experience required.
 

Warsaws

Young grasshopper
Joined
Dec 13, 2015
Messages
74
Reaction score
2
This is news to me. I have always understood that VPN was a good, strong but simple solution that is available on most any modern router... I guess my VMS is not as secure as I thought. I still believe that rogue devices such as IP cams should be totally blocked from the Internet.
 