Dahua Backdoor Uncovered

SyconsciousAu

Getting comfortable
Joined
Sep 13, 2015
Messages
872
Reaction score
825
Well, just for giggles I figured I would go home and log onto my router and see if I could find any outbound connections, so I viewed my "active connections" log under my WAN section and came across two of my IP-addressed cameras connecting to various outside addresses. Not sure what this is all about? Any assistance would be appreciated...

114.55.152.165:9084 was what I found in my firewall logs. It stopped smacking its head on the firewall when I disabled the cloud service. Haven't seen anything like the other address yet
 

hmjgriffon

Known around here
Joined
Mar 30, 2014
Messages
3,386
Reaction score
979
Location
North Florida
If you changed the DNS to nothing or to your internal stuff, you won't see it again. I dunno why the other one is there; that usually happens when machines try to get an IP and there is no DHCP server to hand one out, so they auto-generate a 169.254.x.x address.
 

Hound Dog 911

Getting comfortable
Joined
Jan 30, 2017
Messages
835
Reaction score
320
I had DMZ on in my router. It's now off. I guess it drew attention to my IP address, and my router showed a few DoS attacks since shutting down the security issue. Just curious if you would have your provider assign a new IP or just let the router do its thing, hoping they stop?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,901
Reaction score
21,269
Generally cutting power to the modem for a bit will get you a new IP, but it really won't make much difference.
 

hmjgriffon

Known around here
Joined
Mar 30, 2014
Messages
3,386
Reaction score
979
Location
North Florida
I would not bother changing IPs; people scan the internet every day to look for stuff to poke at. Just lock down your stuff.
 

Hound Dog 911

Getting comfortable
Joined
Jan 30, 2017
Messages
835
Reaction score
320
Agreed! All the kids are playing on the net so I haven't had a chance to shut down.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
Not sure if Reolink will care. This is what my firewall picks up; it is not every time. I will look at the daily log and not see any info, just home, and then the next day I will see these IPs again:
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
Do you have PNP/EzViz/NTP/EMAIL enabled on the camera? Because none of my Dahuas make any attempt to reach the internet.

Did you buy a hacked Chinese domestic model? They call home by default; you need to use @cor35vet's firmware and trust that he didn't leave his own backdoor.
 

Bryan

Getting comfortable
Joined
Nov 25, 2016
Messages
267
Reaction score
274
I got to looking at my router. Don't have any of the UPnP, DMZ, DNS or port forwarding enabled. But I went to the security and system log. The security log is spitting out a new entry every 5 seconds. I unplugged every device in the house (NVR, cut off all computers, tablets, shut down my smartphone) except this laptop. Still chugging out entries. Anybody know what these mean? I deleted my public IP from the picture of the security log. Anything I left that I shouldn't post?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,949
Reaction score
6,785
Location
Scotland
The common outbound destination is :
Code:
NetRange: 209.10.120.0 - 209.10.120.255
CIDR: 209.10.120.0/24
NetName: QTS-209-10-120-0-24
NetHandle: NET-209-10-120-0-1
Parent: QTS-209-10-0-0-16 (NET-209-10-0-0-1)
NetType: Reassigned
OriginAS: AS20141
Customer: AVG Exploit Prevention Labs, Inc. (C05877816)
RegDate: 2015-08-20
Updated: 2015-08-20
Ref: https://whois.arin.net/rest/net/NET-209-10-120-0-1
Do you have AVG AV on the laptop?
 

Bryan

Getting comfortable
Joined
Nov 25, 2016
Messages
267
Reaction score
274
Yes, got AVG, and I started looking through the IPs. A lot are Google; the 31.13.65.7 and similar were Facebook; one was Taiwan and another from India. If the ACK is zero, does that mean it's safe (no contact)? How concerned should I be? The blank IPs are my public WAN address.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,949
Reaction score
6,785
Location
Scotland
If you started looking at the outbound chatter that a regular Windows PC conducts even when you are not using it, you'd be gobsmacked.
You need only be concerned if a destination was linked to bad things on the internet, such as a C&C server, but you're unlikely to spot that by manual inspection.
You'd only really know that if the output was subject to automated inspection, such as an IPS system.
 
Joined
Aug 3, 2015
Messages
3,819
Reaction score
12,265
Location
Charlotte
Great thread, but is there a way we can get a thread together to make a DIY/posts with suggestions how to secure your camera / block / search for IPs that could be sending information out from your camera?

It will go a long way as there are more newbies than experts.

My main concern is how to block and secure my IP camera on the home network, because my firewall is picking up China IPs communicating with the Reolink software. I cannot seem to block it without shutting down the software.
Reolink cameras?
Read my posts in this thread. Blocking a pair of ports (outgoing and incoming) will stop the communications.
 

Roman

Getting the hang of it
Joined
Aug 31, 2014
Messages
184
Reaction score
29
I just wanted to post back and say that since I changed one cam's DNS settings to point to a non-existent address (1.0.0.1), it is not communicating with the China IP any longer. Instead, the logs just list the cam's IP address and then the destination address of that non-existent IP I changed it to, and the status is "syn_sent" instead of "established", which is leading me to believe it is not getting outbound any longer.

I still am going to pursue custom FW entries to stop all outbound communication, but for now this is a good temp fix in my mind.
 

hmjgriffon

Known around here
Joined
Mar 30, 2014
Messages
3,386
Reaction score
979
Location
North Florida
As long as you don't see a SYN/ACK after the SYN, you are good to go lol.
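The checks discussed in this thread (find which cameras have outbound connections, tell an ESTABLISHED session from a SYN_SENT one that never got a SYN/ACK back, and match a destination against a range you have already looked up in whois) are easy to automate over the router's active-connections table. The script below is an added example, not code from any poster or vendor. The log line format (proto, src:port, dst:port, state) is a constructed approximation of a consumer router's connection table, the camera addresses 192.168.1.108/109 are assumptions, and the only range in the lookup table is the 209.10.120.0/24 block from the ARIN record quoted above; everything else is constructed sample data. One caveat on the DNS-sinkhole trick: 1.0.0.1 has since become a live public resolver, so if you use that approach today, pick an address that genuinely does not answer on your network.

```python
"""Audit camera-originated connections in a router's active-connections log.

Added example for this thread; not from the original posts. The log format,
camera addresses and sample lines are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log: "<proto> <src>:<port> <dst>:<port> <state>" per line.
SAMPLE_LOG = """\
tcp 192.168.1.108:40012 114.55.152.165:9084 ESTABLISHED
tcp 192.168.1.108:40013 114.55.152.165:9084 SYN_SENT
udp 192.168.1.108:123 192.168.1.1:123 ASSURED
tcp 192.168.1.109:51000 1.0.0.1:80 SYN_SENT
tcp 192.168.1.50:52233 209.10.120.16:443 ESTABLISHED
tcp 192.168.1.50:52240 31.13.65.7:443 ESTABLISHED
"""

# Assumed camera addresses on the LAN; adjust to your own.
CAMERAS = {"192.168.1.108", "192.168.1.109"}

# Ranges you have already attributed via whois. Only the ARIN block quoted in
# the thread is included; add more as you look them up.
KNOWN_RANGES = {
    ipaddress.ip_network("209.10.120.0/24"): "AVG Exploit Prevention Labs (ARIN)",
}


def parse_line(line):
    """Split one log line into its fields; ports become ints, state upper-cased."""
    proto, src, dst, state = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "state": state.upper()}


def classify(conn):
    """Verdict for one connection based on destination and TCP state.

    ESTABLISHED means the three-way handshake completed (SYN, SYN/ACK, ACK) and
    data can flow. SYN_SENT means the camera sent a SYN and never saw a SYN/ACK,
    which is what you see once the destination is firewalled or sinkholed.
    """
    dst = ipaddress.ip_address(conn["dst"])
    if dst.is_private or dst.is_loopback:      # RFC 1918 and 169.254/16 count as private
        return "local"
    for net, owner in KNOWN_RANGES.items():
        if dst in net:
            return f"known:{owner}"
    if conn["state"] == "ESTABLISHED":
        return "established_external"
    if conn["state"] == "SYN_SENT":
        return "blocked_or_unanswered"
    return "other"


def audit(log_text, cameras=CAMERAS):
    """Return {camera_ip: [(dst_ip, dst_port, verdict), ...]} for camera sources only."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        conn = parse_line(line)
        if conn["src"] not in cameras:
            continue
        report[conn["src"]].append((conn["dst"], conn["dport"], classify(conn)))
    return dict(report)


def phones_home(log_text, cameras=CAMERAS):
    """Camera IPs with at least one completed session to a non-local, unattributed host."""
    return sorted(ip for ip, conns in audit(log_text, cameras).items()
                  if any(verdict == "established_external" for _, _, verdict in conns))


if __name__ == "__main__":
    for cam, conns in audit(SAMPLE_LOG).items():
        for dst, port, verdict in conns:
            print(f"{cam} -> {dst}:{port}  {verdict}")
    print("cameras phoning home:", phones_home(SAMPLE_LOG))
```

On the sample data, 192.168.1.108 is reported as phoning home because one of its sessions to 114.55.152.165:9084 reached ESTABLISHED, while 192.168.1.109, whose only external attempt is stuck in SYN_SENT to the sinkhole address, is not. The laptop at 192.168.1.50 is ignored because it is not in the camera set; if you want to audit it too, add it to CAMERAS and its 209.10.120.x session will come back tagged with the AVG attribution rather than as a phone-home.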
 