Check Your Web Server Security!

ksnax
Jul 28, 2017
After some recent odd happenings on my network with IP addressing, I was forced to re-evaluate my authorized connections and DHCP reservations. In so doing, under the BI WebServer Advanced tab, I noted 3 IP addresses added to the 'Limit access by IP address' listing that I did not put there.

To be clear, I accept my responsibility and understand the nature of how this happened, with lax security on camera IP blocking - and allowing unchallenged LAN access. That has been locked down.

Regardless, there should not be any addresses in that list that you did not put there.

The offending addresses are two miscellaneous ChinaNet addresses, but more importantly, 162.209.239.31, which originates out of CloudRadium - an apparently recognized front for Chinese government hacking.

It is unclear what else they may be into on my network now, but I will be monitoring and blocking connections as they are discovered.
 
Oh wow. How do you access BI when away from home? Did you use the Remote Wizard for STUNNEL, port forward, VPN, etc.?
 
Quite possibly, but I am not convinced it wasn't a backdoor exploit from a camera.
 
I have blocked all outbound WAN connections from all IP cameras and tightened firewall settings, as well as added authentication for LAN services.
 
Is there a minus or plus sign in front of the IP addresses? Minus means they are blocked. If they have minus signs, it is OK.
 
Is there a minus or plus sign in front of the IP addresses? Minus means they are blocked. If they have minus signs, it is OK.


What? They are minuses! I could not find documentation about these addresses being there. Cripes.
 
I would not expect the auto ban function to put anything into the IP blacklist. There are still a lot of possibilities for how the addresses ended up there.

1. Owner added them and forgot. (possibly by looking through the connections status and permanently blocking some addresses via right click menu)
2. Someone got into Blue Iris using its remote console API via the web server (which is undocumented, but for the most part easily reverse-engineered).
3. Someone got remote desktop access to the Blue Iris server.
4. Someone could have potentially used other remote management features within Windows to modify the registry where Blue Iris stores its settings. I'd expect this to not be possible on a default Windows installation though.

FYI, a ^ symbol before the address would grant admin privilege too.
 
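The post above gives the whole reason to audit this list: a "-" entry only denies, but an unexpected "+" or "^" entry is a standing grant (the "^" one with admin rights), and an address you do not recognise in either column deserves an explanation. The script below is an added example written for this thread, not Blue Iris code and not a parser of Blue Iris's actual configuration format. It assumes only the three prefixes named in the thread ("-" blocked, "+" allowed, "^" admin), treats anything else as unknown and flags it, and parses plain IPv4/IPv6 addresses and CIDR prefixes only; the sample list, the approved LAN range and the "known blocks" list are constructed inputs, and the function and variable names are the example's own.

```python
"""Audit a Blue Iris 'Limit access by IP address' list for entries you did
not add.

Added example for this thread, not Blue Iris code. Prefix meanings are
taken from the thread: '-' blocks an address, '+' allows it, '^' allows it
with admin rights. Anything else (including an unprefixed address) is
treated as unknown and flagged. Only plain IPv4/IPv6 addresses and CIDR
prefixes are parsed; any wider Blue Iris entry syntax is outside what this
script assumes.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

PREFIX_MEANING = {"-": "blocked", "+": "allowed", "^": "admin"}


@dataclass(frozen=True)
class Entry:
    raw: str        # the line exactly as it appears in the dialog
    action: str     # blocked / allowed / admin / unknown
    network: Network


def parse_entry(raw: str) -> Entry:
    """Parse one list line; raises ValueError if the address part is invalid."""
    text = raw.strip()
    if text and text[0] in PREFIX_MEANING:
        action, addr = PREFIX_MEANING[text[0]], text[1:].strip()
    else:
        action, addr = "unknown", text
    # strict=False so an entry like '+192.168.1.5/24' maps to the /24 it sits in
    return Entry(raw, action, ipaddress.ip_network(addr, strict=False))


def parse_list(lines: Iterable[str]) -> Tuple[List[Entry], List[str]]:
    """Return (parsed entries, lines that could not be parsed)."""
    entries, malformed = [], []
    for line in lines:
        if not line.strip():
            continue
        try:
            entries.append(parse_entry(line))
        except ValueError:
            malformed.append(line)   # an unparseable entry is itself worth a look
    return entries, malformed


def _inside(net: Network, pool: List[Network]) -> bool:
    return any(net.version == p.version and net.subnet_of(p) for p in pool)


def audit(entries: List[Entry], approved: List[str], known_blocks: List[str]) -> dict:
    """Flag grants from outside the networks you approved, and block entries
    you do not remember adding.

    approved     - networks that may legitimately carry '+' or '^' entries
    known_blocks - addresses you deliberately blocked (e.g. via right-click)
    """
    approved_nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    known_nets = [ipaddress.ip_network(k, strict=False) for k in known_blocks]
    report = {"grants_outside_approved": [], "unrecognized_blocks": [], "unknown_prefix": []}
    for e in entries:
        if e.action == "blocked":
            if not _inside(e.network, known_nets):
                report["unrecognized_blocks"].append(e)
        elif e.action in ("allowed", "admin"):
            # the serious case: an entry that grants access from somewhere you never approved
            if not _inside(e.network, approved_nets):
                report["grants_outside_approved"].append(e)
        else:
            report["unknown_prefix"].append(e)
    return report


# Constructed sample list: documentation-range addresses plus the one address
# quoted in this thread. Not an export from any real installation.
SAMPLE_LIST = """
+192.168.1.0/24
^192.168.1.20
-162.209.239.31
-203.0.113.77
+198.51.100.9
"""

if __name__ == "__main__":
    parsed, bad = parse_list(SAMPLE_LIST.splitlines())
    result = audit(parsed, approved=["192.168.1.0/24"], known_blocks=["203.0.113.77"])
    for category, hits in result.items():
        for e in hits:
            print(f"{category}: {e.raw!r} ({e.action} {e.network})")
    for line in bad:
        print(f"could not parse: {line!r}")
```

Run against the constructed sample, the "+198.51.100.9" entry is reported as a grant from outside the approved LAN and "-162.209.239.31" as a block you did not record adding; the two LAN entries and the remembered block are silent. In practice you would paste the dialog's list into SAMPLE_LIST and put your own LAN ranges and any remote-access addresses you set up deliberately into the approved list.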
Okay, thanks for setting me straight on this. Paranoia is how we keep things safe I suppose. LOL
 
If it was a camera exploit they would be logging in locally. And they would not care to access the webserver.
Honestly, after reading Winn Schwartau, Kevin Mitnick, and Edward Snowden's books, I don't take that one for granted. If they want in, they will get in. No point in making it easy though.
 
What? They are minuses! I could not find documentation about these addresses being there. Cripes.

Click the "Help" button in the "Web server - Advanced" dialog box to get context help:

[screenshot: context help for the "Web server - Advanced" dialog]
 