Could there be a virus in cheap Chinese IP cams?

t_andersen

Young grasshopper
Joined
Oct 5, 2014
Messages
90
Reaction score
17
Location
Sweden
I have a conventional system with 4 cheap Chinese IP cams and a Windows PC running BI. After the major virus attack all over the world a few months ago, I became aware of the risk that the cheap Chinese cams may function as sleeping soldiers for virus attacks, so I blocked the IP cams for outbound traffic in the router to make sure that they cannot access the internet. Any inward connections are of course also blocked (no port forwarding).

I have then recently looked into the log file of the router and noted that the Chinese IP cams indeed do try to access the Internet. I do not know why, maybe there is an innocent explanation. Does anyone have an idea why the cams try to access the internet?

I attach a picture of the cams I am using.

 

DWW0311

Young grasshopper
Joined
May 13, 2017
Messages
70
Reaction score
17
Typically this is because you have their DDNS client activated and it's trying to phone the mothership to report in, but there are a variety of things which could be causing it. What port is it trying to hit?
 

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
451
Reaction score
166
If the cam integrates a P2P feature then it's normal, but... some cams may have a virus/trojan/bot. Some guys also like to buy a cam, infect it, return the product for a refund and wait until it is resold.
 

t_andersen

The router log regretfully doesn't show which port was blocked.

The P2P and the DDNS features are turned off in the cam software.
 

framednlv

Getting the hang of it
Joined
Mar 17, 2014
Messages
254
Reaction score
69
Check to see if the Preferred DNS Server is set to the router's IP or an external one.
 

zero-degrees

Known around here
Joined
Aug 15, 2015
Messages
1,350
Reaction score
847
Make sure your DNS is set to the router or Google 8.8.8.8 and 8.8.4.4.

Next, as someone said, check your NTP server and see where it is located.

Double check that ALL DNS and UPnP and P2P are shut off. Sometimes they have drop-down menus listing multiple DNS services and one is left on.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,828
Reaction score
6,387
It's not just the cheap ones. The Dahua that I just got appears to be doing the same crap. Continually tries to hit their cloud service every 10 seconds even though I have everything turned off.

2017-05-24 EDT 16:56:45 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:56:34 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:56:24 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:56:14 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:56:04 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:55:54 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:55:44 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:55:34 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:55:24 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:55:14 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:55:04 A dms.easy4ipcloud.com 192.168.2.22
etc...
PITA.
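
Added example (not part of the original post, and not any vendor's tooling): a small Python check that picks fixed-interval lookups like the ones above out of a DNS query log in the same six-column format. The thresholds `min_queries` and `max_jitter` and the `192.168.2.50` / `www.example.com` lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# 192.168.2.22 lines: quoted from the post. 192.168.2.50 lines: constructed contrast.
SAMPLE_LOG = """\
2017-05-24 EDT 16:56:45 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:56:34 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:56:30 A www.example.com 192.168.2.50
2017-05-24 EDT 16:56:24 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:56:14 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:56:04 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:55:59 A www.example.com 192.168.2.50
2017-05-24 EDT 16:55:54 A dms.easy4ipcloud.com 192.168.2.22
2017-05-24 EDT 16:52:05 A www.example.com 192.168.2.50
2017-05-24 EDT 16:51:40 A www.example.com 192.168.2.50
2017-05-24 EDT 16:50:02 A www.example.com 192.168.2.50
etc...
"""

def parse(log):
    """Yield (timestamp, name, client) for each well-formed line, skipping the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # e.g. the trailing "etc..." line
        date, _tz, clock, _qtype, name, client = parts
        try:
            ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts, name.lower().rstrip("."), client

def find_beacons(log, min_queries=5, max_jitter=0.2):
    """Return {(client, name): mean gap in seconds} for fixed-interval lookups."""
    seen = defaultdict(list)
    for ts, name, client in parse(log):
        seen[(client, name)].append(ts)
    beacons = {}
    for key, stamps in seen.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a low value means a near-constant period.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg, 1)
    return beacons
```

A name that a device keeps resolving at a steady period after every cloud option is switched off is the one to block or sinkhole at the router.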
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,902
Reaction score
21,274
> It's not just the cheap ones. The Dahua that I just got appears to be doing the same crap. Continually tries to hit their cloud service every 10 seconds even though I have everything turned off.
>
> PITA.

Is yours a China region dahua?
 

Mike A.

> Is yours a China region dahua?

Not supposed to be and doesn't appear to be, best that I can tell.

Is there a way to tell for sure from the firmware?

It shows as:

Device Type DH-SD29204T-GN
Software Version 2.422.0000.3.R.T4.484.9A.NR, Build Date: 2016-10-09
WEB Version 3.2.1.383637
ONVIF Version 2.42
PTZ Version 2.06.29.RHNVFJCA
S/N 3A0220CPAMxxxxx
Copyright 2016,All Rights Reserved.
 

fenderman

> Not supposed to be and doesn't appear to be, best that I can tell.
>
> Is there a way to tell for sure from the firmware?
>
> It shows as:
>
> Device Type DH-SD29204T-GN
> Software Version 2.422.0000.3.R.T4.484.9A.NR, Build Date: 2016-10-09
> WEB Version 3.2.1.383637
> ONVIF Version 2.42
> PTZ Version 2.06.29.RHNVFJCA
> S/N 3A0220CPAMxxxxx
> Copyright 2016,All Rights Reserved.

Are you certain you disabled P2P and UPnP?
 

Mike A.

> Are you certain you disabled P2P and UPnP?

Yep. Multiple times with multiple saves and reboots.

Also disabled the checkbox on the "Easy4IP" tab under Network > TCP/IP. Also disabled the "Enable ARP/Ping to set IP address service" checkbox at the bottom of the TCP/IP screen. I've turned off everything else that I can see under the networking tab (other than basic addressing as required obviously).
 

DWW0311

Note: IMO this is one of the many reasons that IP cams and NVRs should be sandboxed.
 

Jareds

Young grasshopper
Joined
May 11, 2017
Messages
36
Reaction score
20
Block cameras from using the WAN, then you won't have any issues. Only allow BI to access the WAN. I had issues and this fixed my issues completely.
 