Blue Iris Shows Connection to Server in Vietnam?

DLONG2

Known around here
Joined
May 17, 2017
Messages
764
Reaction score
455
Looking at the log file, I see that Blue Iris reports a connection to a server in Ho Chi Minh City many times a day. What would cause that event? Would this likely be a hacker attempt? My Blue Iris outside connection is my public IP address and then a port number to reach the BI login screen.
 

MrRalphMan

Getting the hang of it
Joined
Jan 20, 2016
Messages
309
Reaction score
72
As I don't know BI I might be talking poo poo, but is this a connection from or to the IP address in Ho Chi Minh City?

Also is it successful?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,905
Reaction score
21,279
> As I don't know BI I might be talking poo poo, but is this a connection from or to the IP address in Ho Chi Minh City?
>
> Also is it successful?

Blue Iris does not make outside connections to any foreign servers...Blue Iris does support a quasi DDNS service if you enable it, but that is a US server....it is only China-based companies like Dahua and Hikvision that don't take privacy and security seriously..
 

DLONG2

I am in California. I had to shut down the http server in BI because remote server connections were being made and successful logins to two of my accounts last night. I'll need to investigate the use of VPN to secure my network.

With hackers having been looking in my cameras, will I need to factory-reset the cameras? Neither of the hacked accounts were admin accounts, just user accounts.
 

fenderman

> I am in California. I had to shut down the http server in BI because remote server connections were being made and successful logins to two of my accounts last night. I'll need to investigate the use of VPN to secure my network.
>
> With hackers having been looking in my cameras, will I need to factory-reset the cameras? Neither of the hacked accounts were admin accounts, just user accounts.

How in the world were the cameras accessed? Did you port forward the cams? How do you know your BI account was hacked?
 

MrRalphMan

> blue iris does not make outside connections to any foreign servers...blue iris does support a quasi ddns service if you enable it, but that is a US server....it is only china based companies like dahua and hikvision that dont take privacy and security seriously..

That's why I was asking if it was outgoing or incoming connections and if they were successful, I wasn't clear from the initial post.

I guess we have the answer now and it's not good.
 

fenderman

> That's why I was asking if it was outgoing or incoming connections and if they were successful, I wasn't clear from the initial post.
>
> I guess we have the answer now and it's not good.

It's likely user error...there may have been an attempt but not a successful login unless user is using a silly password
 

DLONG2

The user password I set up had lower and upper cases and special characters. The early connections from Ho Chi Minh City would only show "CONNECTION" in the logs, surrounded with the usual MOTION entries. But last night the CONNECTION entries (from another country) were immediately followed with the markers to indicate LOGGED IN, from a user account. The password was not very simple, and I had even changed it after I saw the initial attempt from Vietnam.
 

fenderman

> The user password I set up had lower and upper cases and special characters. The early connections from Ho Chi Minh City would only show "CONNECTION" in the logs, surrounded with the usual MOTION entries. But last night the CONNECTION entries (from another country) were immediately followed with the markers to indicate LOGGED IN, from a user account. The password was not very simple, and I had even changed it after I saw the initial attempt from Vietnam.

That is meaningless, BI will tell you if any frames or minutes of video were sent...
 

DLONG2

When I get home tonight I'll review the logs to see if these details were included as well as the login and logout events.
 

DLONG2

I exported the log file and opened it in Excel for clearer viewing. There were successful logins from 3 countries in the near or middle east. Unfortunately, the login used was common to my mobile devices as well as the Roku app. When I rebuild my network and reopen the BI web server, I'll be sure to use unique accounts for each device so as to better understand how a leak may occur in the future, and to watch the logs more closely.

My logs don't show any data regarding the viewing of clips, just that clips were either moved or deleted. I am concerned about the state of my two cameras, if they were in any way compromised. The account which was hacked was not an admin account, but when I do the network redesign with VPN, and rebuild the BI, I'll factory reset both cameras.
 

fenderman

> I exported the log file and opened it in Excel for clearer viewing. There were successful logins from 3 countries in the near or middle east. Unfortunately, the login used was common to my mobile devices as well as the Roku app. When I rebuild my network and reopen the BI web server, I'll be sure to use unique accounts for each device so as to better understand how a leak may occur in the future, and to watch the logs more closely.

You say successful..what does the log say about video transferred?
 

DLONG2

Hi fenderman. My logs never show that any video was transferred, just that files were either moved or deleted.
 

fenderman

> Hi fenderman. My logs never show that any video was transferred, just that files were either moved or deleted.

If you click on the status icon then connection tab it will tell you the frames transferred if any...
In the log you will see a login time and logoff time with a calculation of the duration...if you just see a "connection" that is meaningless, that happens when anyone hits the login page even if entering improper credentials..that is likely what you saw...
 

DLONG2

Since I've shut down the web server, my "Status/Connections" tab shows nothing. The log files, however, do have "CONNECTED" and "LOGIN" and "LOGOUT" items listed, all with IPs from the near or middle east. Yes, the logout item does show a total logged in duration.

I know that "CONNECTED" means nothing except someone landing on the login page, and the successful logins were preceded with a series of connections. It was the "CONNECTED" item from Vietnam which I first saw in the logs, and after looking deeper into them I found 3 logins.

And that is actually what I see.
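The distinction discussed in the posts above, connection-only entries versus LOGIN/LOGOUT pairs with a duration, can be checked mechanically on an exported log. The following is an added example, not part of any post in this thread and not Blue Iris code; the four-column CSV layout, the sample lines and the trusted LAN range are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample export: time, event, user, remote IP. This column layout is
# an assumption for illustration, not Blue Iris's actual log format.
SAMPLE_LOG = """\
2019-03-01 02:10:05,CONNECTED,,203.0.113.7
2019-03-01 02:10:09,CONNECTED,,203.0.113.7
2019-03-01 08:15:00,CONNECTED,,192.168.1.20
2019-03-01 08:15:02,LOGIN,mobile,192.168.1.20
2019-03-01 08:20:02,LOGOUT,mobile,192.168.1.20
2019-03-02 01:00:00,CONNECTED,,198.51.100.23
2019-03-02 01:00:01,CONNECTED,,198.51.100.23
2019-03-02 01:00:03,LOGIN,mobile,198.51.100.23
2019-03-02 01:04:33,LOGOUT,mobile,198.51.100.23
"""

TRUSTED = [ipaddress.ip_network("192.168.1.0/24")]  # hypothetical home LAN


def triage(log_text, trusted=TRUSTED):
    """Split untrusted remote IPs into probes (connections only) and sessions (logins)."""
    probes = defaultdict(int)   # ip -> CONNECTED entries not followed by a login
    open_logins = {}            # (ip, user) -> login time
    sessions = []               # one dict per authenticated session
    for ts, event, user, ip in csv.reader(io.StringIO(log_text)):
        if any(ipaddress.ip_address(ip) in net for net in trusted):
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event == "CONNECTED":
            probes[ip] += 1
        elif event == "LOGIN":
            open_logins[(ip, user)] = when
        elif event == "LOGOUT" and (ip, user) in open_logins:
            start = open_logins.pop((ip, user))
            sessions.append({"ip": ip, "user": user,
                             "seconds": int((when - start).total_seconds()),
                             "prior_connections": probes.pop(ip, 0)})
    # A LOGIN with no LOGOUT is still a successful authentication: report it.
    for (ip, user), _ in open_logins.items():
        sessions.append({"ip": ip, "user": user, "seconds": None,
                         "prior_connections": probes.pop(ip, 0)})
    return dict(probes), sessions


if __name__ == "__main__":
    probes, sessions = triage(SAMPLE_LOG)
    print("connection-only IPs:", probes)
    print("authenticated sessions:", sessions)
```

Sessions returned for an account shared across several devices cannot be attributed to one device, which is the reason for the per-device accounts mentioned earlier in the thread.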
 

fenderman

> Since I've shut down the web server, my "Status/Connections" tab shows nothing. The log files, however, do have "CONNECTED" and "LOGIN" and "LOGOUT" items listed, all with IPs from the near or middle east. Yes, the logout item does show a total logged in duration.
>
> I know that "CONNECTED" means nothing except someone landing on the login page, and the successful logins were preceded with a series of connections. It was the "CONNECTED" item from Vietnam which I first saw in the logs, and after looking deeper into them I found 3 logins.
>
> And that is actually what I see.

This is highly unlikely...I would email support...
Is it possible you or one of your users is logging in via a connection that uses a VPN service that places you in remote locations? How long were they logged in for?
 

haynstyle

n3wb
Joined
Apr 20, 2015
Messages
9
Reaction score
2
I have seen a number of remote login attempts on my BI. Granted I have Foscam systems, I have seen attempts from China, India, Russia, Uzbekistan, Pakistan, and other places. I have had to block a range of IPs at my gateway router. I am just wondering, is something being advertised that I am not aware of? I can't shut down my webserver because I use the iPhone app to connect remotely to my system. I have locked it down to only my iPhone. Any thoughts on how I stop them from getting in?
 