However, I've been looking at why my internet connection keeps spiking and trying to cut down on anything that does not need to chatter to the internet. My home connection is a very poor ADSL line that cannot sustain much traffic, so cutting out any junk helps a lot!
So I ran packet traces on my public connection (all devices on the LAN use my home server, a Linux box, as their default gateway, and it NATs them out to the public IPs I have) and started to notice a pattern of requests constantly going out over the public interface.
The first one is shown below:
12:33:47.668240 IP OBSCURED.2614 > OBSCURED.domain: 6038+ A? www.db-power.com. (34)
12:33:47.686932 IP OBSCURED.domain > OBSCURED.2614: 6038 NXDomain* 0/0/0 (34)
12:33:47.690643 IP OBSCURED.2614 > OBSCURED.domain: 6039+ A? www.db-power.com. (34)
12:33:47.709829 IP OBSCURED.domain > OBSCURED.2614: 6039 NXDomain* 0/0/0 (34)
12:33:47.723202 IP OBSCURED.2614 > OBSCURED.domain: 6042+ A? www.db-power.com. (34)
12:33:47.742344 IP OBSCURED.domain > OBSCURED.2614: 6042 NXDomain* 0/0/0 (34)
12:33:47.746075 IP OBSCURED.2614 > OBSCURED.domain: 6043+ A? www.db-power.com. (34)
12:33:47.764766 IP OBSCURED.domain > OBSCURED.2614: 6043 NXDomain* 0/0/0 (34)
12:33:47.777307 IP OBSCURED.2614 > OBSCURED.domain: 6046+ A? www.db-power.com. (34)
12:33:47.796293 IP OBSCURED.domain > OBSCURED.2614: 6046 NXDomain* 0/0/0 (34)
12:33:47.801283 IP OBSCURED.2614 > OBSCURED.domain: 6047+ A? www.db-power.com. (34)
12:33:47.819959 IP OBSCURED.domain > OBSCURED.2614: 6047 NXDomain* 0/0/0 (34)
12:33:47.832231 IP OBSCURED.2614 > OBSCURED.domain: 6050+ A? www.db-power.com. (34)
12:33:47.850810 IP OBSCURED.domain > OBSCURED.2614: 6050 NXDomain* 0/0/0 (34)
(I've OBSCURED my IP/hostname and my upstream DNS provider's resolver here.)
So something was asking for the DNS entry for www.db-power.com and constantly being told it doesn't exist (NXDomain). That capture was taken on my external interface; switching to the internal interface (the LAN side of the NAT server) I tracked the requests down to an IP camera. Logging into the camera's web interface I couldn't find anything referring to this name, but clearly it has some process that tries to 'phone home'. That was the first one tracked down. It was doing this every 60 seconds, and as the capture shows each attempt is really a burst of seven queries a few tens of milliseconds apart, so the camera doesn't treat the NXDomain answer as final. I simply put a block in my local caching DNS so the name is answered locally, which stopped the external requests and the wasted bandwidth.
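Picking this sort of thing out of a busy capture is easier with a little tooling. The script below is an added example, not code from the original post: it pairs tcpdump's one-line DNS summaries by query id and reports, per client and name, how many queries went out, how many came back NXDomain and how tightly they were spaced, so a device that keeps asking for a name that never resolves floats to the top. The input is the capture above embedded as a constructed sample; the regexes assume tcpdump's default IPv4 summary format, and the min_queries threshold is an arbitrary choice of mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the fourteen DNS summary lines from the capture above, in
# tcpdump's default one-line format ("OBSCURED" stands in for the real hosts, as in the post).
SAMPLE = """\
12:33:47.668240 IP OBSCURED.2614 > OBSCURED.domain: 6038+ A? www.db-power.com. (34)
12:33:47.686932 IP OBSCURED.domain > OBSCURED.2614: 6038 NXDomain* 0/0/0 (34)
12:33:47.690643 IP OBSCURED.2614 > OBSCURED.domain: 6039+ A? www.db-power.com. (34)
12:33:47.709829 IP OBSCURED.domain > OBSCURED.2614: 6039 NXDomain* 0/0/0 (34)
12:33:47.723202 IP OBSCURED.2614 > OBSCURED.domain: 6042+ A? www.db-power.com. (34)
12:33:47.742344 IP OBSCURED.domain > OBSCURED.2614: 6042 NXDomain* 0/0/0 (34)
12:33:47.746075 IP OBSCURED.2614 > OBSCURED.domain: 6043+ A? www.db-power.com. (34)
12:33:47.764766 IP OBSCURED.domain > OBSCURED.2614: 6043 NXDomain* 0/0/0 (34)
12:33:47.777307 IP OBSCURED.2614 > OBSCURED.domain: 6046+ A? www.db-power.com. (34)
12:33:47.796293 IP OBSCURED.domain > OBSCURED.2614: 6046 NXDomain* 0/0/0 (34)
12:33:47.801283 IP OBSCURED.2614 > OBSCURED.domain: 6047+ A? www.db-power.com. (34)
12:33:47.819959 IP OBSCURED.domain > OBSCURED.2614: 6047 NXDomain* 0/0/0 (34)
12:33:47.832231 IP OBSCURED.2614 > OBSCURED.domain: 6050+ A? www.db-power.com. (34)
12:33:47.850810 IP OBSCURED.domain > OBSCURED.2614: 6050 NXDomain* 0/0/0 (34)
"""

# tcpdump's summary format for a query ("id+ TYPE? name. (len)") and for a reply
# ("id[*] [rcode[*]] an/ns/ar ..."); the trailing '*' is the authoritative-answer flag.
QUERY = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): '
                   r'(?P<id>\d+)\+\S* (?P<qtype>\S+)\? (?P<qname>\S+) \(\d+\)$')
REPLY = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): '
                   r'(?P<id>\d+)\*?\s*(?P<rcode>NXDomain|ServFail|Refused|FormErr|NotImp)?\*?\s*'
                   r'(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)')


def _seconds(ts):
    """tcpdump's HH:MM:SS.ffffff timestamp as seconds since midnight."""
    t = datetime.strptime(ts, '%H:%M:%S.%f')
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def _host(endpoint):
    """tcpdump prints 'host.port' (or 'host.service'); drop the last component."""
    return endpoint.rsplit('.', 1)[0]


def summarize(text):
    """Per (client, qname): number of queries, NXDomain and answered replies, and query times."""
    pending = {}   # (client, query id) -> (client, qname), so replies can be matched to queries
    stats = defaultdict(lambda: {'queries': 0, 'nxdomain': 0, 'answered': 0, 'times': []})
    for line in text.splitlines():
        q = QUERY.match(line)
        if q:
            key = (_host(q['src']), q['qname'].rstrip('.'))
            pending[(key[0], q['id'])] = key
            stats[key]['queries'] += 1
            stats[key]['times'].append(_seconds(q['ts']))
            continue
        r = REPLY.match(line)
        if r:
            key = pending.pop((_host(r['dst']), r['id']), None)
            if key is None:
                continue            # reply to a query we never saw
            if r['rcode'] == 'NXDomain':
                stats[key]['nxdomain'] += 1
            elif int(r['an']) > 0:
                stats[key]['answered'] += 1
    return dict(stats)


def chatter(text, min_queries=5):
    """Rank (client, name) pairs that keep asking for a name and keep getting NXDomain."""
    findings = []
    for (client, qname), s in summarize(text).items():
        if s['queries'] < min_queries or s['nxdomain'] == 0:
            continue
        times = sorted(s['times'])
        span = times[-1] - times[0]
        findings.append({
            'client': client, 'qname': qname,
            'queries': s['queries'], 'nxdomain': s['nxdomain'],
            'span_s': round(span, 6),
            'mean_gap_s': round(span / (len(times) - 1), 6) if len(times) > 1 else 0.0,
        })
    return sorted(findings, key=lambda f: (-f['nxdomain'], -f['queries']))


if __name__ == '__main__':
    for f in chatter(SAMPLE):
        print(f)
```

Run it over the output of tcpdump on the internal interface (port 53, with -l so lines are flushed) and the client column names the offending LAN address directly, which is the step that needed the interface switch above.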
The next one I then spotted was this:
12:38:47.545925 IP OBSCURED.3203 > ec2-54-243-97-206.compute-1.amazonaws.com.32100: UDP, length 24
12:38:47.546216 IP OBSCURED.3203 > ec2-54-251-113-251.ap-southeast-1.compute.amazonaws.com.32100: UDP, length 24
12:38:47.546402 IP OBSCURED.3203 > ec2-54-246-107-165.eu-west-1.compute.amazonaws.com.32100: UDP, length 24
12:38:49.354353 IP OBSCURED.3208 > ec2-54-243-97-206.compute-1.amazonaws.com.32100: UDP, length 44
12:38:49.354574 IP OBSCURED.3208 > ec2-54-251-113-251.ap-southeast-1.compute.amazonaws.com.32100: UDP, length 44
12:38:49.354774 IP OBSCURED.3208 > ec2-54-246-107-165.eu-west-1.compute.amazonaws.com.32100: UDP, length 44
Again OBSCURED is my camera's IP address. This one was more interesting. The camera was constantly (every minute again) trying to contact something in Amazon's AWS cloud, and the hostnames show the three targets sit in three different regions (compute-1, i.e. us-east-1, ap-southeast-1 and eu-west-1). So somebody has servers on Amazon's cloud that these units contact. I have two IP cameras from different manufacturers with different interfaces, and both were doing this, so there must be a common firmware package in use that makes this communication.
Interestingly, the hosts at the other end were rejecting the packets (for UDP that shows up as an ICMP port unreachable rather than a refused connection, since there is no connection to refuse), but still, why was the traffic there?
First thing, I blocked this at my firewall so it could not get out (the block is best keyed on the camera's LAN address rather than on the three Amazon addresses, since those could change), then set about looking at what it was doing. UDP is connectionless, so most likely the camera is just squirting a bit of information about itself (perhaps firmware version, date/time) back to its manufacturer. Possibly it is also used as a 'cloud' service for viewing or managing the camera, as I have seen that done elsewhere; that was all disabled on my unit, which suggests that even when disabled it still makes the initial phone-home, even if nothing else is exchanged. As you can also see it tries several IP addresses in Amazon. I was unsure whether these are hard-coded or whether the device resolves them by DNS, so the next step was to sniff its traffic for DNS requests. It made none, which suggests the hosts are hard-coded (the other possibility is that it resolved them once at boot; power-cycling the camera while sniffing would settle that).
Viewing the actual payload didn't help much either:
13:17:00.226305 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 52) OBSCURED.3203 > 54.246.107.165.32100: [udp sum ok] UDP, length 24
        0x0000:  4500 0034 0000 4000 4011 a06c c0a8 3709  E..4..@.@..l..7.
        0x0010:  36f6 6ba5 0c83 7d64 0020 f89b f191 0014  6.k...}d........
        0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
        0x0030:  4300 0000                                C...
13:17:01.942156 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 72) OBSCURED.3208 > 54.243.97.206.32100: [udp sum ok] UDP, length 44
        0x0000:  4500 0048 0000 4000 4011 aa32 c0a8 3709  E..H..@.@..2..7.
        0x0010:  36f3 61ce 0c88 7d64 0034 bf8e f110 0028  6.a...}d.4.....(
        0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
        0x0030:  4300 0000 0200 0721 0002 880c 0937 a8c0  C......!.....7..
        0x0040:  0000 0000 0000 0000                      ........
13:17:01.942371 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 72) OBSCURED.3208 > 54.251.113.251.32100: [udp sum ok] UDP, length 44
        0x0000:  4500 0048 0000 4000 4011 99fd c0a8 3709  E..H..@.@.....7.
        0x0010:  36fb 71fb 0c88 7d64 0034 af59 f110 0028  6.q...}d.4.Y...(
        0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
        0x0030:  4300 0000 0200 0721 0002 880c 0937 a8c0  C......!.....7..
        0x0040:  0000 0000 0000 0000                      ........
I couldn't work out what this contained. It was always the same length and carried similar information, only one or two bytes changed, and I couldn't see any correlation between what the camera was doing and the value, so I doubt I'll spot what it is. A few things are readable in the hex, though. Every datagram starts with 0xf1, a type byte (0x91 in the 24-byte message, 0x10 in the 44-byte one) and a big-endian length (0x0014 = 20, 0x0028 = 40) that matches the rest of the payload. The next 20 bytes are identical in every packet and look like a device identifier: the ASCII prefix JWEV, a 32-bit serial (0x000395fe = 235006) and the ASCII tail EECCC, each NUL-padded. The 44-byte message then carries the camera's own LAN address and source port in little-endian order: 0937a8c0 is 192.168.55.9, the source address in the IP header, and 880c is 0x0c88 = 3208, the UDP source port. A device announcing its identifier and its private address and port to servers in three regions is the shape of a NAT-traversal registration, which fits the 'cloud viewing' idea above.
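To make those observations repeatable, here is an added example (my code, not anything from the original post or the camera's vendor). It turns tcpdump's -X hex dump back into bytes, strips the IP and UDP headers, and decodes the fields that can be read straight off the dumps: the 0xf1 framing byte, the type byte, the big-endian length, the 20-byte identifier block and, in the 44-byte message, the little-endian LAN address and port. The field names (prefix, serial, check, lan_addr) are my labels, the six bytes between the identifier and the port are left as an unknown blob, and the sample input is the first two dumps above.

```python
import re
import struct
import ipaddress

# Constructed sample: the first two hex dumps from the capture above (tcpdump -v -X output),
# byte for byte as captured; the summary lines are kept but ignored by the parser.
SAMPLE_DUMP = """\
13:17:00.226305 IP OBSCURED.3203 > 54.246.107.165.32100: [udp sum ok] UDP, length 24
        0x0000:  4500 0034 0000 4000 4011 a06c c0a8 3709  E..4..@.@..l..7.
        0x0010:  36f6 6ba5 0c83 7d64 0020 f89b f191 0014  6.k...}d........
        0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
        0x0030:  4300 0000                                C...
13:17:01.942156 IP OBSCURED.3208 > 54.243.97.206.32100: [udp sum ok] UDP, length 44
        0x0000:  4500 0048 0000 4000 4011 aa32 c0a8 3709  E..H..@.@..2..7.
        0x0010:  36f3 61ce 0c88 7d64 0034 bf8e f110 0028  6.a...}d.4.....(
        0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
        0x0030:  4300 0000 0200 0721 0002 880c 0937 a8c0  C......!.....7..
        0x0040:  0000 0000 0000 0000                      ........
"""

# "0xNNNN:" offset followed by up to eight 16-bit hex groups; the ASCII column is ignored.
HEXLINE = re.compile(r'^\s*0x([0-9a-f]{4}):\s+((?:[0-9a-f]{4} )*[0-9a-f]{2,4})')
MAGIC = 0xF1   # every datagram in the capture starts with this byte


def hexdump_to_packets(text):
    """Rebuild raw IP packets from tcpdump -x/-X output; offset 0x0000 starts a new packet."""
    packets = []
    for line in text.splitlines():
        m = HEXLINE.match(line)
        if not m:
            continue
        if m.group(1) == '0000':
            packets.append(bytearray())
        packets[-1] += bytes.fromhex(m.group(2).replace(' ', ''))
    return [bytes(p) for p in packets]


def udp_payload(packet):
    """Strip the IPv4 and UDP headers (honouring IHL) and return ((src, sport), (dst, dport), payload)."""
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError('not an IPv4/UDP packet')
    ihl = (packet[0] & 0x0F) * 4
    sport, dport, ulen = struct.unpack('>HHH', packet[ihl:ihl + 6])
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return (src, sport), (dst, dport), packet[ihl + 8:ihl + ulen]


def parse_message(payload):
    """Decode one datagram: f1 | type | BE length | 20-byte ID block | optional 20-byte address block.
    Field names are my labels for what the bytes visibly contain, not anything the firmware documents."""
    if len(payload) < 4 or payload[0] != MAGIC:
        raise ValueError('unexpected framing byte %r' % payload[:1])
    msg_type = payload[1]
    body_len = struct.unpack('>H', payload[2:4])[0]
    body = payload[4:]
    if len(body) != body_len:
        raise ValueError('length field says %d, body is %d bytes' % (body_len, len(body)))
    if body_len < 20:
        raise ValueError('body too short for the identifier block')
    # 8-byte NUL-padded ASCII prefix, 32-bit big-endian serial, 8-byte NUL-padded ASCII tail
    prefix, serial, check = struct.unpack('>8sI8s', body[:20])
    msg = {
        'msg_type': msg_type,
        'body_len': body_len,
        'device_id': '%s-%d-%s' % (prefix.rstrip(b'\0').decode('ascii'), serial,
                                   check.rstrip(b'\0').decode('ascii')),
        'lan_addr': None,
    }
    if body_len >= 32:
        # The longer message repeats the camera's own source port and IPv4 address, both
        # little-endian (880c -> 0x0c88 = 3208, 0937a8c0 -> 0xc0a83709 = 192.168.55.9).
        msg['unknown'] = body[20:26].hex()
        port = struct.unpack('<H', body[26:28])[0]
        ip = ipaddress.IPv4Address(struct.unpack('<I', body[28:32])[0])
        msg['lan_addr'] = (str(ip), port)
        msg['trailer'] = body[32:].hex()
    return msg


def decode_capture(text):
    """Decode every datagram in a dump and flag whether the embedded LAN address matches the IP header."""
    out = []
    for pkt in hexdump_to_packets(text):
        src, dst, payload = udp_payload(pkt)
        msg = parse_message(payload)
        msg['src'], msg['dst'] = src, dst
        msg['lan_addr_is_src'] = (msg['lan_addr'] == src) if msg['lan_addr'] else None
        out.append(msg)
    return out


if __name__ == '__main__':
    for m in decode_capture(SAMPLE_DUMP):
        print(m)
```

The lan_addr_is_src check is the useful bit: it confirms the camera is telling three servers in three regions its own private address and port, which is what a NAT-traversal registration looks like. The decoder refuses anything whose length field disagrees with the datagram, so it will fail loudly rather than misread a message of a shape the capture did not contain.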
One final thing: I port scanned the camera, which showed 23 (telnet), 99 (metagram) and 8600 (asterisk) open. The service names are only the scanner's port-table guesses. Port 23 really was telnet, as I could connect and get a login prompt; port 99 was the web interface (I'd moved it to that port myself); and 8600 accepted a telnet connection and then immediately closed it again. So I thought I'd try telnet:
Escape character is '^]'.

(none) login: root
Password:

BusyBox v1.12.1 (2012-11-20 15:16:24 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ps
  PID USER        VSZ STAT COMMAND
    1 root       1528 S    init
    2 root          0 SWN  [ksoftirqd/0]
    3 root          0 SW<  [events/0]
    4 root          0 SW<  [khelper]
    5 root          0 SW<  [kthread]
    6 root          0 SW<  [kblockd/0]
    7 root          0 SW<  [khubd]
    8 root          0 SW<  [kswapd0]
    9 root          0 SW   [pdflush]
   10 root          0 SW   [pdflush]
   11 root          0 SW<  [aio/0]
   12 root          0 SW<  [scsi_tgtd/0]
   13 root          0 SW   [mtdblockd]
   14 root          0 SW<  [kmmcd]
   20 root       1092 S    nvram_daemon
   23 root          0 SWN  [jffs2_gcd_mtd6]
   25 root          0 SWN  [jffs2_gcd_mtd7]
   28 root       1528 R    telnetd
   29 root       1696 S    /system/system/bin/daemon.v5.12
   30 root       1480 S    /system/system/bin/cmd_thread
   31 root       1480 S    /system/system/bin/gmail_thread
   32 root       1532 S    /bin/sh
   33 root       1696 S    /system/system/bin/daemon.v5.12
   36 root       1480 S    /system/system/bin/cmd_thread
   39 root       1480 S    /system/system/bin/gmail_thread
   40 root       1696 S    /system/system/bin/daemon.v5.12
   41 root       1696 S    /system/system/bin/daemon.v5.12
   43 root       1480 S    /system/system/bin/cmd_thread
   44 root       1480 S    /system/system/bin/gmail_thread
   50 root          0 SW   [RtmpCmdQTask]
   51 root          0 SW   [RtmpWscTask]
   89 root       1696 S    /system/system/bin/daemon.v5.12
  135 root       1524 S    /sbin/udhcpc -i eth2 -n
  140 root       1696 S    /system/system/bin/daemon.v5.12
  141 root       1696 S    /system/system/bin/daemon.v5.12
  142 root       1696 S    /system/system/bin/daemon.v5.12
  145 root       1696 S    /system/system/bin/daemon.v5.12
  146 root       1696 S    /system/system/bin/daemon.v5.12
  147 root       1696 S    /system/system/bin/daemon.v5.12
  151 root      11528 S    /system/system/bin/encoder
  158 root      11528 S    /system/system/bin/encoder
  159 root      11528 S    /system/system/bin/encoder
  160 root      11528 S    /system/system/bin/encoder
  161 root      11528 S    /system/system/bin/encoder
  164 root      11528 S    /system/system/bin/encoder
  165 root      11528 S    /system/system/bin/encoder
  167 root      11528 S    /system/system/bin/encoder
  168 root      11528 S    /system/system/bin/encoder
  169 root      11528 S    /system/system/bin/encoder
  170 root      11528 S    /system/system/bin/encoder
  171 root      11528 S    /system/system/bin/encoder
  172 root      11528 S    /system/system/bin/encoder
  173 root      11528 S    /system/system/bin/encoder
  178 root      11528 S    /system/system/bin/encoder
  179 root      11528 S    /system/system/bin/encoder
  180 root      11528 S    /system/system/bin/encoder
  181 root      11528 S    /system/system/bin/encoder
  182 root      11528 S    /system/system/bin/encoder
  183 root      11528 S    /system/system/bin/encoder
  184 root      11528 S    /system/system/bin/encoder
  185 root      11528 S    /system/system/bin/encoder
  186 root      11528 S    /system/system/bin/encoder
  187 root      11528 S    /system/system/bin/encoder
  188 root      11528 S    /system/system/bin/encoder
  189 root      11528 S    /system/system/bin/encoder
  190 root      11528 S    /system/system/bin/encoder
  191 root      11528 S    /system/system/bin/encoder
  192 root      11528 S    /system/system/bin/encoder
  193 root      11528 S    /system/system/bin/encoder
  194 root      11528 S    /system/system/bin/encoder
  195 root      11528 S    /system/system/bin/encoder
  196 root      11528 S    /system/system/bin/encoder
  197 root      11528 S    /system/system/bin/encoder
  198 root      11528 S    /system/system/bin/encoder
  199 root      11528 S    /system/system/bin/encoder
  200 root      11528 S    /system/system/bin/encoder
  201 root      11528 S    /system/system/bin/encoder
  202 root      11528 S    /system/system/bin/encoder
  203 root      11528 S    /system/system/bin/encoder
  204 root      11528 S    /system/system/bin/encoder
  205 root      11528 S    /system/system/bin/encoder
  206 root      11528 S    /system/system/bin/encoder
  207 root      11528 S    /system/system/bin/encoder
  208 root      11528 S    /system/system/bin/encoder
  209 root      11528 S    /system/system/bin/encoder
  210 root      11528 S    /system/system/bin/encoder
  211 root      11528 S    /system/system/bin/encoder
  213 root      11528 S    /system/system/bin/encoder
  214 root      11528 S    /system/system/bin/encoder
  215 root      11528 S    /system/system/bin/encoder
  216 root      11528 S    /system/system/bin/encoder
  217 root      11528 S    /system/system/bin/encoder
  218 root      11528 S    /system/system/bin/encoder
  221 root      11528 S    /system/system/bin/encoder
  222 root      11528 S    /system/system/bin/encoder
  223 root      11528 S    /system/system/bin/encoder
  224 root      11528 S    /system/system/bin/encoder
  225 root      11528 S    /system/system/bin/encoder
  226 root      11528 S    /system/system/bin/encoder
  227 root      11528 S    /system/system/bin/encoder
  228 root      11528 S    /system/system/bin/encoder
  229 root      11528 S    /system/system/bin/encoder
  230 root      11528 S    /system/system/bin/encoder
  231 root      11528 S    /system/system/bin/encoder
  236 root      11528 S    /system/system/bin/encoder
  237 root      11528 S    /system/system/bin/encoder
  238 root      11528 S    /system/system/bin/encoder
  239 root      11528 S    /system/system/bin/encoder
  240 root      11528 S    /system/system/bin/encoder
  252 root      11528 S    /system/system/bin/encoder
  253 root      11528 S    /system/system/bin/encoder
 1891 root      11528 S    /system/system/bin/encoder
 1892 root      11528 S    /system/system/bin/encoder
 3553 root      11528 S    /system/system/bin/encoder
 3554 root      11528 S    /system/system/bin/encoder
 3821 root       1532 S    -sh
 3824 root       1528 R    ps
As you can see, I logged in! The username and password I'd set in the web interface didn't work, but the default it shipped with, 'root' with password '123456', let me in. The telnet login is evidently separate from the web-interface account, so changing the web password does nothing for it, and it looks like these all ship with the same default, which means anyone on the LAN (or anyone who can reach the camera through a port forward) gets a root shell on it. Once in, it runs a basic BusyBox Linux system. I've not had much time to look any further, but if you're interested, here is the filesystem and what looks like the init script that runs at boot to start the daemons:
# df
Filesystem           1k-blocks      Used Available Use% Mounted on
rootfs                    3008      3008         0 100% /
/dev/root                 3008      3008         0 100% /
/dev/mtdblock6            3072      1892      1180  62% /system
/dev/mtdblock7             512       208       304  41% /param
# ls /system
system    daemon    Wireless  init      www
# cat /system/init/ipcam.sh
export LD_LIBRARY_PATH=/system/system/lib:$LD_LIBRARY_PATH
export PATH=/system/system/bin:$PATH
telnetd
/system/system/bin/daemon.v5.12 &
/system/system/bin/cmd_thread &
/system/system/bin/gmail_thread &
#
So there look to be three daemons I'd like to have a look inside (daemon.v5.12, cmd_thread and gmail_thread), so I may do that at some point in the future. Two things are worth noting from the script: telnetd is started unconditionally, with nothing in the script gating it, and /system is a writable JFFS2 partition (the jffs2_gcd_mtd6 thread in the process list and the free space in df show that), so the script itself could be edited to stop starting telnetd, at your own risk.