Did my server get hacked?

mclain1

Young grasshopper
Joined
Aug 18, 2017
Messages
41
Reaction score
8
I was checking my BI logs yesterday and I noticed multiple unusual entries that I had never seen before. I noticed multiple connection attempts. What I found most concerning is the one highlighted in blue. It seems someone connected to my BI server for approx 7 hrs yesterday! The IP seemed to originate some 2300 miles away, from someone in California.

I need to understand how this could've happened! My server is relatively locked down. No port forwarding. "All passwords" are set with at least 10 characters on both the cameras' side and user accounts. My phone is the only device that can access my BI server remotely. I work from home, so there is no other IP that should be registered for access. Another major concern that I see is that no user account was logged during the intrusion. If this is true, then the hacker must have found a back door to my server with only a few attempts!
 

Attachments

NoloC

Getting comfortable
Joined
Nov 24, 2014
Messages
702
Reaction score
460
No frames indicated so doubtful this was a successful connection.

Go to "Shields Up" or a similar port scanning service and scan your IP. Something is open.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,905
Reaction score
21,279
Love how folks jump to conclusions...how are you accessing remotely?
 

mclain1

Young grasshopper
Joined
Aug 18, 2017
Messages
41
Reaction score
8
Hello Noloc, thanks for your quick response... I went to Shields Up and have attached my findings from the Shields Up website port test.
Over 2 million frames are indicated in the blue-highlighted JPG.

Hello Fenderman: I use the Blue Iris Android app.
 

Attachments

NoloC

Getting comfortable
Joined
Nov 24, 2014
Messages
702
Reaction score
460
Sorry. Missed that. Did you run the common ports scan also? I am guessing your BI webserver port is open, or those connections are you over your phone. If the BI webserver port is set to 80 and forwarded through the router, for example, these types of connection attempts are pretty common to see logged. What is your webserver port set to?

More details would be helpful on your remote connection setup. I assume you are using the BI Android app over the WAN connection, and that will require some form of VPN or port forwarding to establish a connection. Can you walk us through your setup?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,905
Reaction score
21,279
> Hello Noloc, thanks for your quick response... I went to Shields Up and have attached my findings from the Shields Up website port test.
> Over 2 million frames are indicated in the blue-highlighted JPG.
>
> Hello Fenderman: I use the Blue Iris Android app.

Are you using VPN? Because you claim you are not port forwarding...
 

mclain1

Young grasshopper
Joined
Aug 18, 2017
Messages
41
Reaction score
8
> Sorry. Missed that. Did you run the common ports scan also? I am guessing your BI webserver port is open, or those connections are you over your phone. If the BI webserver port is set to 80 and forwarded through the router, for example, these types of connection attempts are pretty common to see logged. What is your webserver port set to?
>
> More details would be helpful on your remote connection setup. I assume you are using the BI Android app over the WAN connection, and that will require some form of VPN or port forwarding to establish a connection. Can you walk us through your setup?

Fenderman and Noloc, I have attached my common/service port scans. During the time of the intrusion, I had all my port forwarding disabled, so no direct port forwarding through my router. I did have the HTTP webserver set to the default port 81 through UPnP for WAN access from my Android app.

I currently have my webserver disabled for WAN access until I can further troubleshoot and secure my server.

Let me know if you all need additional info.

Thanks again for your replies.
 

Attachments

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,905
Reaction score
21,279
> Fenderman and Noloc, I have attached my common/service port scans. During the time of the intrusion, I had all my port forwarding disabled, so no direct port forwarding through my router. I did have the HTTP webserver set to the default port 81 through UPnP for WAN access from my Android app.
>
> I currently have my webserver disabled for WAN access until I can further troubleshoot and secure my server.
>
> Let me know if you all need additional info.
>
> Thanks again for your replies.

Oy...you do realize that UPnP IS port forwarding.....
 

mclain1

Young grasshopper
Joined
Aug 18, 2017
Messages
41
Reaction score
8
Well, I feel like an IDIOT about now...! I was so focused on locking down everything else that I disregarded something so stupid as UPnP. What a newb, I can't believe I missed that! I have officially shut down all UPnP services on my router...
Well, time to set up a secure VPN. Hopefully nothing else was compromised.

The hacker probably took no time accessing my video feeds on my server. Dude was watching me for like 7 hrs.. wow!
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,905
Reaction score
21,279
> Well, I feel like an IDIOT about now...! I was so focused on locking down everything else that I disregarded something so stupid as UPnP. What a newb, I can't believe I missed that! I have officially shut down all UPnP services on my router...
> Well, time to set up a secure VPN. Hopefully nothing else was compromised.
>
> The hacker probably took no time accessing my video feeds on my server. Dude was watching me for like 7 hrs.. wow!

Again.. doubt anything was watched... session time is zero....you are making assumptions... there is no known vulnerability..
 

mclain1

Young grasshopper
Joined
Aug 18, 2017
Messages
41
Reaction score
8
> Again.. doubt anything was watched... session time is zero....you are making assumptions... there is no known vulnerability..

Excuse my ignorance, but what about the 2+ million frames? Doesn't that mean frames were transmitted?
 

adamrx7

Young grasshopper
Joined
Jan 14, 2017
Messages
49
Reaction score
11
I still found great knowledge in this post. Reminds us to check our ports and whatnot.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,680
Reaction score
14,041
Location
USA
The highlighted line in your log indicates 6 days 17 hours 2 minutes 34 seconds. Over that long a time, it would only take 4.71 FPS, a totally realistic number, to stream that number of frames.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,905
Reaction score
21,279
> The highlighted line in your log indicates 6 days 17 hours 2 minutes 34 seconds. Over that long a time, it would only take 4.71 FPS, a totally realistic number, to stream that number of frames.

Lol..no one is logged in for 6 days watching him...his feed is not that good...
 

mclain1

Young grasshopper
Joined
Aug 18, 2017
Messages
41
Reaction score
8
> The highlighted line in your log indicates 6 days 17 hours 2 minutes 34 seconds. Over that long a time, it would only take 4.71 FPS, a totally realistic number, to stream that number of frames.

Wow.. ok, that is even worse... I misread that as only being 6 hrs. 6 days! I'm lost for words.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,905
Reaction score
21,279
> Wow.. ok, that is even worse... I misread that as only being 6 hrs. 6 days! I'm lost for words.

No one logged into your server...there is zero session time...you think someone remained logged in for 6 days? Any time someone lands on the login page it creates an entry and starts the timer.....
 
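The two points the thread settles on (bp2008's frames-over-duration arithmetic, and fenderman's observation that an entry with no user is just a hit on the login page that started the timer) are easy to get wrong when eyeballing a log. The script below is an added example, not Blue Iris's own log format or code: it parses constructed sample lines in a hypothetical `timestamp ip user duration frames` layout, converts the `d:hh:mm:ss` duration to seconds, computes the implied average FPS, and labels entries with no authenticated user separately from real sessions so a reader can triage them the way the thread does.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in a hypothetical layout (NOT Blue Iris's actual log format):
# <timestamp> <remote ip> <user or -> <duration d:hh:mm:ss> <frames>
# The first line mirrors the thread: no user, 6d 17h 2m 34s on the timer, ~2.73M frames.
SAMPLE_LOG = """\
2017-08-21 03:12:07 203.0.113.45 - 6:17:02:34 2730641
2017-08-21 09:40:11 198.51.100.7 admin 0:00:05:12 1560
2017-08-21 11:02:55 203.0.113.45 - 0:00:00:00 0
"""

LINE_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) (?P<user>\S+) (?P<dur>\d+:\d{2}:\d{2}:\d{2}) (?P<frames>\d+)$"
)


@dataclass
class Entry:
    when: str
    ip: str
    user: Optional[str]  # None when the log shows no authenticated user
    seconds: int
    frames: int

    @property
    def avg_fps(self) -> float:
        """Average frame rate implied by frames/duration; 0 when the timer is zero."""
        return self.frames / self.seconds if self.seconds else 0.0


def parse_duration(text: str) -> int:
    """Convert d:hh:mm:ss to seconds, e.g. '6:17:02:34' -> 579754."""
    days, hours, minutes, secs = (int(part) for part in text.split(":"))
    return days * 86400 + hours * 3600 + minutes * 60 + secs


def parse_log(text: str) -> List[Entry]:
    """Parse every line matching the constructed layout; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            when=m["when"],
            ip=m["ip"],
            user=None if m["user"] == "-" else m["user"],
            seconds=parse_duration(m["dur"]),
            frames=int(m["frames"]),
        ))
    return entries


def classify(entry: Entry) -> str:
    """Label an entry the way the thread ends up reading it.

    No user means a remote host reached the web server (login page) and started
    the timer; it is not by itself evidence that anyone logged in and viewed video.
    """
    if entry.user is None:
        return "anonymous hit on web server (no login)"
    return "authenticated session"


def summarize(text: str) -> List[dict]:
    """One dict per entry with the values a reviewer wants at a glance."""
    return [
        {
            "ip": e.ip,
            "user": e.user,
            "seconds": e.seconds,
            "avg_fps": round(e.avg_fps, 2),
            "label": classify(e),
        }
        for e in parse_log(text)
    ]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Running it shows the first entry at 4.71 FPS, the same figure bp2008 derived, and labels it as an anonymous hit rather than a session. The remaining step a defender takes is the one the thread arrives at: confirm from the router (UPnP mappings included) that the webserver port is not reachable from the WAN unless a VPN is in front of it.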