Malicious OGNL Expression Upload from BI?

Joined
Aug 22, 2016
Messages
26
Reaction score
2
My Norton AV just stopped a "Malicious Attack" coming from BI. Maybe it was a legitimate packet upload, I don't know squat about it. Here's the message:
BI_ATTACK.jpg

The Attacker URL is my IP.
Anyone else see this? Maybe it was some kind of anomaly. Thanks!
 

tangent

IPCT Contributor
180.97.220 . 35 is the IP of a server in China that's found its way onto a couple spam blacklists. Are you forwarding ports to your Blue Iris server?
 

cb8

Getting comfortable
Are you port-forwarding traffic to Blue Iris? If 208.76.202.112 is your IP then it sounds like 80.97.220.35 was probing your machine for vulnerabilities, which Norton AV blocked. From the description here, it appears to be a vulnerability in Apache Struts, not something Blue Iris would be vulnerable to.
 
Joined
Aug 22, 2016
Messages
26
Reaction score
2
Yeah, I am port forwarding to BI so I can access it remotely. Am I confused because "Attacker URL" really means "Attackee?" Also it used the term "Upload."

I guess I'm also confused by the intransitive verb resulted preceded by third person singular past tense of be (was) instead of "had.:wtf:" It's not clear from this who did what.
 

looney2ns

IPCT Contributor
Bottom line, don't forward ports.
Turn off UPNP in all devices.
Block cams from contacting the internet.
Use VPN: VPN Primer for Noobs
 