Did my server get hacked?

M

mclain1

Young grasshopper
Aug 18, 2017
41
8
I was checking my BI logs yesterday and i noticed multiple unusual entries that i never seen before. I noticed multiple connection attempts. What i found most concerning is the one highlighted in blue. It seems someone connected to my BI server for approx 7 hrs yesterday! The IP seemed it originated some 2300 miles away from someone in California.

I need to understand on how this could've happened! My server is relatively locked down. No port forwarding. "All passwords" are set with at least 10 characters on both the cameras side and user accounts. My phone is the only device that can access my BI server remotely I work from home so there is no other IP that should be registered for access. Another major concern that i see is that no user account was logged during the intrusion. If this is true, then the hacker must have found a back door to my server with only a few attempts!
 

Attachments

  • connections2.PNG.jpg
    connections2.PNG.jpg
    387.6 KB · Views: 91
No frames indicated so doubtful this was a successful connection.

Go to "Shields Up" or a similar port scanning service and scan your ip. Something is open.
 
Hello Noloc, thanks for you quick response... i went to shields up and i have attached my findings via shields up website port test.
over 2 millions Frames are indicated in the blue highlighted jpg.

Hello Fenderman: I use the blue iris android app.
 

Attachments

  • shieldsup.JPG
    shieldsup.JPG
    328.9 KB · Views: 56
Sorry. Missed that. Did you run the common ports scan also? I am guessing your BI webserver port is open or those connections are you over your phone. If the BI webserver port is set to 80 and forwarded through the router, for example, these types of connection attempts are pretty common to see logged. What is your webserver port set to?

More details would be helpful on your remote connection setup. Assume you are using the BI Android app over the wan connection and that will require some form of vpn or port forwarding to establish a connection. Can you walk us through your set up?
 
  • Like
Reactions: fenderman
mclain1 said:
Hello Noloc, thanks for you quick response... i went to shields up and i have attached my findings via shields up website port test.
over 2 millions Frames are indicated in the blue highlighted jpg.

Hello Fenderman: I use the blue iris android app.
Click to expand...
Are you using VPN? Because you claim you are not port forwarding...
 
NoloC said:
Sorry. Missed that. Did you run the common ports scan also? I am guessing your BI webserver port is open or those connections are you over your phone. If the BI webserver port is set to 80 and forwarded through the router, for example, these types of connection attempts are pretty common to see logged. What is your webserver port set to?

More details would be helpful on your remote connection setup. Assume you are using the BI Android app over the wan connection and that will require some form of vpn or port forwarding to establish a connection. Can you walk us through your set up?
Click to expand...


Fenderman and Noloc, I have attached my common/service port scans.. During the time of the Intrusion, I had all my port forwarding disabled so no direct port forwarding through my router. I did have http webserver set through default 81 through UPNP for my lan android app access wan.

I currently have my webserver disabled for wan access until i can further troubleshoot and secure my server.

Let me know if you all need additional info.

Thanks again for your replies..
 

Attachments

  • shieldsup2.JPG
    shieldsup2.JPG
    389.1 KB · Views: 33
  • shieldsup3.JPG
    shieldsup3.JPG
    346.3 KB · Views: 32
mclain1 said:
Fenderman and Noloc, I have attached my common/service port scans.. During the time of the Intrusion, I had all my port forwarding disabled so no direct port forwarding through my router. I did have http webserver set through default 81 through UPNP for my lan android app access wan.

I currently have my webserver disabled for wan access until i can further troubleshoot and secure my server.

Let me know if you all need additional info.

Thanks again for your replies..
Click to expand...
Oy...you do realize that upnp IS port forwarding.....
 
Well, I feel like an IDIOT about now...! I was so focused on locking down everything else that i disregarded something so stupid as UPNP. What a newb, i cant believe i missed that! I have officially shut down all UPNP services on my router...
Well, time to setup secure VPN. Hopefully nothing else was compromised.

Hacker probably took no time to accessing my video feeds on my server. Dude was watching me for like 7hrs.. wow!
 
mclain1 said:
Well, I feel like an IDIOT about now...! I was so focused on locking down everything else that i disregarded something so stupid as UPNP. What a newb, i cant believe i missed that! I have officially shut down all UPNP services on my router...
Well, time to setup secure VPN. Hopefully nothing else was compromised.

Hacker probably took no time to accessing my video feeds on my server. Dude was watching me for like 7hrs.. wow!
Click to expand...
Again.. doubt anything was watched... session time is zero....you are making assumptions... there is no known vulnerability..
 
fenderman said:
Again.. doubt anything was watched... session time is zero....you are making assumptions... there is no known vulnerability..
Click to expand...


Excuse my ignorance but what about the +2 mil frames? Doesn't that mean frames transmitted?
 
I still found great knowledge in this post. Reminds us to check our ports and what not.
 
The highlighted line in your log indicates 6 days 17 hours 2 minutes 34 seconds. Over that long a time, it would only take 4.71 FPS, a totally realistic number, to stream that number of frames.
 
bp2008 said:
The highlighted line in your log indicates 6 days 17 hours 2 minutes 34 seconds. Over that long a time, it would only take 4.71 FPS, a totally realistic number, to stream that number of frames.
Click to expand...
Lol..no one is logged in for 6 days watching him...his feed is not that good...
 
  • Like
Reactions: Philip Gonzales
bp2008 said:
The highlighted line in your log indicates 6 days 17 hours 2 minutes 34 seconds. Over that long a time, it would only take 4.71 FPS, a totally realistic number, to stream that number of frames.
Click to expand...


Wow.. ok that is even worse... I missed read that as only being 6 hrs. 6 days! I'm lost for words.
 
mclain1 said:
Wow.. ok that is even worse... I missed read that as only being 6 hrs. 6 days! I'm lost for words.
Click to expand...
No one logged into your server...there is zero session time...you think someone remained logged in for 6 days? Any time someone lands on the login page it creates an entry and starts the timer.....
 
You must log in or register to reply here.
Top Bottom