I've been looking at why my internet connection keeps spiking and trying to cut down on anything that doesn't need to chatter to the internet, as my home connection is a very poor ADSL line that cannot sustain much traffic, so cutting out any junk helps a lot.
So I ran packet traces on my public connection (all devices on the LAN have my home server, a Linux box, as their default gateway, and it NATs them out to the public IPs I have) and started to notice a pattern of requests constantly going out over the public interface.
The first one is shown below:
12:33:47.668240 IP OBSCURED.2614 > OBSCURED.domain: 6038+ A? www.db-power.com. (34)
12:33:47.686932 IP OBSCURED.domain > OBSCURED.2614: 6038 NXDomain* 0/0/0 (34)
12:33:47.690643 IP OBSCURED.2614 > OBSCURED.domain: 6039+ A? www.db-power.com. (34)
12:33:47.709829 IP OBSCURED.domain > OBSCURED.2614: 6039 NXDomain* 0/0/0 (34)
12:33:47.723202 IP OBSCURED.2614 > OBSCURED.domain: 6042+ A? www.db-power.com. (34)
12:33:47.742344 IP OBSCURED.domain > OBSCURED.2614: 6042 NXDomain* 0/0/0 (34)
12:33:47.746075 IP OBSCURED.2614 > OBSCURED.domain: 6043+ A? www.db-power.com. (34)
12:33:47.764766 IP OBSCURED.domain > OBSCURED.2614: 6043 NXDomain* 0/0/0 (34)
12:33:47.777307 IP OBSCURED.2614 > OBSCURED.domain: 6046+ A? www.db-power.com. (34)
12:33:47.796293 IP OBSCURED.domain > OBSCURED.2614: 6046 NXDomain* 0/0/0 (34)
12:33:47.801283 IP OBSCURED.2614 > OBSCURED.domain: 6047+ A? www.db-power.com. (34)
12:33:47.819959 IP OBSCURED.domain > OBSCURED.2614: 6047 NXDomain* 0/0/0 (34)
12:33:47.832231 IP OBSCURED.2614 > OBSCURED.domain: 6050+ A? www.db-power.com. (34)
12:33:47.850810 IP OBSCURED.domain > OBSCURED.2614: 6050 NXDomain* 0/0/0 (34)
(I've replaced my own IP/hostname and my upstream DNS provider's resolver with OBSCURED here.)
So something was asking for the DNS entry for www.db-power.com and constantly being told it doesn't exist (NXDomain). Note the spacing of the timestamps: the retries are only about 25 ms apart, so the device is not honouring the negative answer but firing the same query again immediately, and one phone-home attempt turns into a burst of queries. That capture was taken on the external interface; switching to the internal interface (the LAN side of the NAT server) I tracked the source down to an IP camera. Logging into the camera's web interface I couldn't find anything that refers to this host, but clearly it has some process that tries to 'phone home', so that was the first one tracked down. I simply put a block for the name in my local caching DNS, so the query is answered locally and the camera stops asking externally and wasting bandwidth (it was doing this every 60 seconds).
The next one I then spotted was this:
12:38:47.545925 IP OBSCURED.3203 > ec2-54-243-97-206.compute-1.amazonaws.com.32100: UDP, length 24
12:38:47.546216 IP OBSCURED.3203 > ec2-54-251-113-251.ap-southeast-1.compute.amazonaws.com.32100: UDP, length 24
12:38:47.546402 IP OBSCURED.3203 > ec2-54-246-107-165.eu-west-1.compute.amazonaws.com.32100: UDP, length 24
12:38:49.354353 IP OBSCURED.3208 > ec2-54-243-97-206.compute-1.amazonaws.com.32100: UDP, length 44
12:38:49.354574 IP OBSCURED.3208 > ec2-54-251-113-251.ap-southeast-1.compute.amazonaws.com.32100: UDP, length 44
12:38:49.354774 IP OBSCURED.3208 > ec2-54-246-107-165.eu-west-1.compute.amazonaws.com.32100: UDP, length 44
Again, OBSCURED is my camera's IP address. This one was more interesting. The camera was constantly (every minute again) trying to contact something in Amazon's AWS cloud, which means somebody is running servers on Amazon's cloud that these units report to. I have two IP cameras from different manufacturers with different web interfaces, and both were doing this, so there must be a common firmware package in use that makes this communication.
Interestingly, the machines at the other end were not accepting the traffic (UDP is connectionless, so there is no connection to refuse as such; the packets simply got nothing useful back), but still, why was it there?
First thing, I blocked this at my firewall so it couldn't get out, then set about looking at what it was doing. It's UDP, so there is no session to follow; most likely it's just squirting a bit of information about itself (firmware version, date/time, that sort of thing) back to the manufacturer. It may also be the 'cloud' feature for viewing or managing the camera from outside, as I've seen that principle before, but all of that was disabled on my unit, which suggests it still sends the initial phone-home even when the feature is off and nothing else follows. As you can see it was trying three Amazon addresses, one in each of three AWS regions (compute-1 is US East, then Singapore and Ireland), so this looks like a distributed rendezvous service rather than a single vendor box. I wasn't sure whether those addresses are hard-coded or come from a DNS lookup, so the next step was to sniff the camera's traffic for DNS requests. It made none, which suggests the hosts are hard-coded into it. One caveat when reading the trace: the ec2-…amazonaws.com names are tcpdump's own reverse lookups of the destination addresses, not names the camera asked for; run tcpdump with -n to keep that distinction clear.
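Both of the patterns above (the NXDomain loop and the minutely UDP packets) were spotted by eye in a tcpdump trace. The script below is an added example, my own code rather than anything from the original post, that automates that: it parses tcpdump one-line summaries, groups packets by source, destination host and destination port, and flags flows whose inter-packet gaps are machine-regular. The sample trace embedded in it is constructed in the same format as the captures above (the hostnames camera, laptop, resolver and example.org and all timestamps are made up); it is not a real capture.

```python
import re
import statistics
from collections import defaultdict

# One tcpdump summary line, e.g.
#   12:38:47.545925 IP OBSCURED.3203 > ec2-54-243-97-206.compute-1.amazonaws.com.32100: UDP, length 24
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<frac>\d{1,6}) IP6? "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return (seconds_since_midnight, src_host, src_port, dst_host, dst_port, rest), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    secs = (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            + int(m["frac"].ljust(6, "0")) / 1_000_000)
    # tcpdump writes host.port; the port may be a service name such as "domain".
    src_host, src_port = m["src"].rsplit(".", 1)
    dst_host, dst_port = m["dst"].rsplit(".", 1)
    return secs, src_host, src_port, dst_host, dst_port, m["rest"]


def find_beacons(lines, min_hits=4, max_jitter=0.25):
    """Group packets by (source, destination host, destination port) and keep the
    flows whose inter-packet gaps all lie within max_jitter of their median gap.
    Returns {(src, dst_host, dst_port): (packet_count, median_interval_seconds)}."""
    times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a summary line (hex rows, blank lines, chatter)
        secs, src_host, _sport, dst_host, dst_port, _rest = parsed
        times[(src_host, dst_host, dst_port)].append(secs)

    beacons = {}
    for flow, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue
        # Human traffic is bursty; a timer-driven phone-home has near-constant gaps.
        if max(abs(g - median) for g in gaps) <= max_jitter * median:
            beacons[flow] = (len(stamps), round(median, 3))
    return beacons


# Constructed sample (not a real trace): a camera beaconing to one AWS host every
# minute, a second host that only gets two packets, the minutely DNS lookup, and a
# laptop browsing at irregular times.
SAMPLE = """\
12:38:00.100000 IP camera.2614 > resolver.domain: 6038+ A? www.db-power.com. (34)
12:38:47.545925 IP camera.3203 > ec2-54-243-97-206.compute-1.amazonaws.com.32100: UDP, length 24
12:38:47.546216 IP camera.3203 > ec2-54-251-113-251.ap-southeast-1.compute.amazonaws.com.32100: UDP, length 24
12:38:50.100000 IP laptop.51234 > example.org.443: Flags [P.], seq 1:100, ack 1, win 501, length 99
12:38:50.400000 IP laptop.51234 > example.org.443: Flags [P.], seq 100:200, ack 1, win 501, length 100
12:39:00.300000 IP camera.2614 > resolver.domain: 6039+ A? www.db-power.com. (34)
12:39:30.000000 IP laptop.51234 > example.org.443: Flags [P.], seq 200:300, ack 1, win 501, length 100
12:39:47.550001 IP camera.3203 > ec2-54-243-97-206.compute-1.amazonaws.com.32100: UDP, length 24
12:39:47.550300 IP camera.3203 > ec2-54-251-113-251.ap-southeast-1.compute.amazonaws.com.32100: UDP, length 24
12:40:00.150000 IP camera.2614 > resolver.domain: 6042+ A? www.db-power.com. (34)
12:40:05.000000 IP laptop.51234 > example.org.443: Flags [P.], seq 300:400, ack 1, win 501, length 100
12:40:47.541000 IP camera.3203 > ec2-54-243-97-206.compute-1.amazonaws.com.32100: UDP, length 24
12:41:00.200000 IP camera.2614 > resolver.domain: 6043+ A? www.db-power.com. (34)
12:41:47.552000 IP camera.3203 > ec2-54-243-97-206.compute-1.amazonaws.com.32100: UDP, length 24
12:42:47.549000 IP camera.3203 > ec2-54-243-97-206.compute-1.amazonaws.com.32100: UDP, length 24
"""

if __name__ == "__main__":
    # Real use: tcpdump -n -l -i <lan-if> | python3 beacons.py, reading stdin instead of SAMPLE.
    for (src, dst, port), (count, interval) in sorted(find_beacons(SAMPLE.splitlines()).items()):
        print(f"{src} -> {dst}:{port}  {count} packets, every {interval}s")
```

On the constructed sample this reports the camera-to-AWS flow and the DNS lookup at roughly 60 s intervals, drops the second AWS host for having too few packets, and ignores the laptop's irregular browsing. Timestamps are seconds since midnight, so a capture that crosses midnight needs tcpdump's -tttt output and a date-aware parser; that case is not handled here.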
Viewing the actual payload didn't help much either:
13:17:00.226305 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 52)
    OBSCURED.3203 > 54.246.107.165.32100: [udp sum ok] UDP, length 24
        0x0000:  4500 0034 0000 4000 4011 a06c c0a8 3709  E..4..@.@..l..7.
        0x0010:  36f6 6ba5 0c83 7d64 0020 f89b f191 0014  6.k...}d........
        0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
        0x0030:  4300 0000                                C...
13:17:01.942156 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    OBSCURED.3208 > 54.243.97.206.32100: [udp sum ok] UDP, length 44
        0x0000:  4500 0048 0000 4000 4011 aa32 c0a8 3709  E..H..@.@..2..7.
        0x0010:  36f3 61ce 0c88 7d64 0034 bf8e f110 0028  6.a...}d.4.....(
        0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
        0x0030:  4300 0000 0200 0721 0002 880c 0937 a8c0  C......!.....7..
        0x0040:  0000 0000 0000 0000                      ........
13:17:01.942371 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 72)
    OBSCURED.3208 > 54.251.113.251.32100: [udp sum ok] UDP, length 44
        0x0000:  4500 0048 0000 4000 4011 99fd c0a8 3709  E..H..@.@.....7.
        0x0010:  36fb 71fb 0c88 7d64 0034 af59 f110 0028  6.q...}d.4.Y...(
        0x0020:  4a57 4556 0000 0000 0003 95fe 4545 4343  JWEV........EECC
        0x0030:  4300 0000 0200 0721 0002 880c 0937 a8c0  C......!.....7..
        0x0040:  0000 0000 0000 0000                      ........
I couldn't work out what this contains. There are two sizes of message (24 and 44 bytes), both starting with an 0xf1 byte and carrying the same 'JWEV' and 'EECCC' strings; each was always the same length with similar content, only one or two characters changing, and I couldn't see any correlation between what the camera was doing and those values, so I don't think I'll spot what it is. (One thing to be aware of when publishing -X output: the summary line may say OBSCURED, but the IP header is still there in the hex, so the source address is readable from the dump.)
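The hex above can be taken a little further than the eye allows. The script below is an added example (mine, not from the original post or the camera vendor) that rebuilds the two captured frames from the dump, walks the IP and UDP headers, and then applies a working hypothesis about the payload: a 4-byte header of 0xf1, a type byte and a big-endian body length, followed by the body. That header layout is my assumption; what is verifiable is that both messages fit it, and that the last meaningful bytes of the 44-byte message (880c and 0937a8c0) are exactly the camera's own UDP source port (3208, little-endian) and its LAN address (192.168.55.9, byte-reversed) as seen in the IP/UDP headers of the same frame. The frames are the ones from the capture above with the ASCII column removed; nothing else is constructed.

```python
import socket
import struct

# The two frames from the tcpdump -vvX output above, ASCII column dropped when copying.
HELLO_24 = """
0x0000: 4500 0034 0000 4000 4011 a06c c0a8 3709
0x0010: 36f6 6ba5 0c83 7d64 0020 f89b f191 0014
0x0020: 4a57 4556 0000 0000 0003 95fe 4545 4343
0x0030: 4300 0000
"""

HELLO_44 = """
0x0000: 4500 0048 0000 4000 4011 aa32 c0a8 3709
0x0010: 36f3 61ce 0c88 7d64 0034 bf8e f110 0028
0x0020: 4a57 4556 0000 0000 0003 95fe 4545 4343
0x0030: 4300 0000 0200 0721 0002 880c 0937 a8c0
0x0040: 0000 0000 0000 0000
"""


def hexdump_to_bytes(dump):
    """Turn 'offset: xxxx xxxx ...' rows (hex only, no ASCII column) into the raw frame."""
    raw = bytearray()
    for row in dump.strip().splitlines():
        _offset, _colon, words = row.partition(":")
        raw += bytes.fromhex(words.replace(" ", ""))
    return bytes(raw)


def split_ip_udp(frame):
    """Walk the IPv4 and UDP headers; return (src_ip, dst_ip, sport, dport, payload)."""
    ihl = (frame[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != 17:
        raise ValueError("not UDP")
    src_ip = socket.inet_ntoa(frame[12:16])
    dst_ip = socket.inet_ntoa(frame[16:20])
    sport, dport, udp_len = struct.unpack("!HHH", frame[ihl:ihl + 6])
    payload = frame[ihl + 8:total_len]
    if len(payload) != udp_len - 8:
        raise ValueError("UDP length field disagrees with the frame")
    return src_ip, dst_ip, sport, dport, payload


def decode_hello(payload):
    """Assumed layout: 0xF1, a message-type byte, big-endian body length, then the body.
    Both captured messages fit it; whether other message types do is unverified."""
    magic, mtype, body_len = struct.unpack("!BBH", payload[:4])
    body = payload[4:]
    info = {
        "magic": magic,
        "type": mtype,
        "body_len": body_len,
        "len_ok": body_len == len(body),
        "tag": body[:4].decode("ascii", "replace"),    # "JWEV" in both captures
        "id": body[12:17].decode("ascii", "replace"),  # "EECCC" in both captures
    }
    if len(body) >= 32:
        # Only the 44-byte message has these: two bytes at body[26:28] and four at
        # body[28:32].  Read as little-endian port and byte-reversed IPv4 they should
        # equal the sender's own port and address; analyse_frame() checks that.
        port = struct.unpack("<H", body[26:28])[0]
        ip = socket.inet_ntoa(body[28:32][::-1])
        info["embedded"] = (ip, port)
    return info


def analyse_frame(dump):
    src_ip, dst_ip, sport, dport, payload = split_ip_udp(hexdump_to_bytes(dump))
    info = decode_hello(payload)
    info.update(src=(src_ip, sport), dst=(dst_ip, dport), payload_len=len(payload))
    info["embedded_is_sender"] = info.get("embedded") == (src_ip, sport)
    return info


if __name__ == "__main__":
    for name, dump in (("24-byte", HELLO_24), ("44-byte", HELLO_44)):
        print(name, analyse_frame(dump))
```

The practitioner's takeaway is in embedded_is_sender: the longer message tells the server the camera's private address and local port. That is what a NAT-traversal 'hello' to a rendezvous server normally carries, which fits the disabled-but-still-registering 'cloud' viewing feature discussed above; anything beyond those two matching fields, including what the type byte and the 0x000395fe and 0x02000721 words mean, is not established by these captures.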
One final thing: I port-scanned the camera, which showed 23 (telnet), 99 (metagram) and 8600 (asterisk). Those labels are just the scanner's port table, not what is actually listening: 23 really was telnet, as I could connect and get a login prompt; 99 was the web port (I'd moved it there myself); and 8600 accepted a TCP connection and then immediately closed it. So I thought I'd try telnet:
Escape character is '^]'.

(none) login: root
Password:

BusyBox v1.12.1 (2012-11-20 15:16:24 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ps
  PID USER       VSZ STAT COMMAND
    1 root      1528 S    init
    2 root         0 SWN  [ksoftirqd/0]
    3 root         0 SW<  [events/0]
    4 root         0 SW<  [khelper]
    5 root         0 SW<  [kthread]
    6 root         0 SW<  [kblockd/0]
    7 root         0 SW<  [khubd]
    8 root         0 SW<  [kswapd0]
    9 root         0 SW   [pdflush]
   10 root         0 SW   [pdflush]
   11 root         0 SW<  [aio/0]
   12 root         0 SW<  [scsi_tgtd/0]
   13 root         0 SW   [mtdblockd]
   14 root         0 SW<  [kmmcd]
   20 root      1092 S    nvram_daemon
   23 root         0 SWN  [jffs2_gcd_mtd6]
   25 root         0 SWN  [jffs2_gcd_mtd7]
   28 root      1528 R    telnetd
   29 root      1696 S    /system/system/bin/daemon.v5.12
   30 root      1480 S    /system/system/bin/cmd_thread
   31 root      1480 S    /system/system/bin/gmail_thread
   32 root      1532 S    /bin/sh
   33 root      1696 S    /system/system/bin/daemon.v5.12
   36 root      1480 S    /system/system/bin/cmd_thread
   39 root      1480 S    /system/system/bin/gmail_thread
   40 root      1696 S    /system/system/bin/daemon.v5.12
   41 root      1696 S    /system/system/bin/daemon.v5.12
   43 root      1480 S    /system/system/bin/cmd_thread
   44 root      1480 S    /system/system/bin/gmail_thread
   50 root         0 SW   [RtmpCmdQTask]
   51 root         0 SW   [RtmpWscTask]
   89 root      1696 S    /system/system/bin/daemon.v5.12
  135 root      1524 S    /sbin/udhcpc -i eth2 -n
  140 root      1696 S    /system/system/bin/daemon.v5.12
  141 root      1696 S    /system/system/bin/daemon.v5.12
  142 root      1696 S    /system/system/bin/daemon.v5.12
  145 root      1696 S    /system/system/bin/daemon.v5.12
  146 root      1696 S    /system/system/bin/daemon.v5.12
  147 root      1696 S    /system/system/bin/daemon.v5.12
  151 root     11528 S    /system/system/bin/encoder
  158 root     11528 S    /system/system/bin/encoder
  159 root     11528 S    /system/system/bin/encoder
  160 root     11528 S    /system/system/bin/encoder
  161 root     11528 S    /system/system/bin/encoder
  164 root     11528 S    /system/system/bin/encoder
  165 root     11528 S    /system/system/bin/encoder
  167 root     11528 S    /system/system/bin/encoder
  168 root     11528 S    /system/system/bin/encoder
  169 root     11528 S    /system/system/bin/encoder
  170 root     11528 S    /system/system/bin/encoder
  171 root     11528 S    /system/system/bin/encoder
  172 root     11528 S    /system/system/bin/encoder
  173 root     11528 S    /system/system/bin/encoder
  178 root     11528 S    /system/system/bin/encoder
  179 root     11528 S    /system/system/bin/encoder
  180 root     11528 S    /system/system/bin/encoder
  181 root     11528 S    /system/system/bin/encoder
  182 root     11528 S    /system/system/bin/encoder
  183 root     11528 S    /system/system/bin/encoder
  184 root     11528 S    /system/system/bin/encoder
  185 root     11528 S    /system/system/bin/encoder
  186 root     11528 S    /system/system/bin/encoder
  187 root     11528 S    /system/system/bin/encoder
  188 root     11528 S    /system/system/bin/encoder
  189 root     11528 S    /system/system/bin/encoder
  190 root     11528 S    /system/system/bin/encoder
  191 root     11528 S    /system/system/bin/encoder
  192 root     11528 S    /system/system/bin/encoder
  193 root     11528 S    /system/system/bin/encoder
  194 root     11528 S    /system/system/bin/encoder
  195 root     11528 S    /system/system/bin/encoder
  196 root     11528 S    /system/system/bin/encoder
  197 root     11528 S    /system/system/bin/encoder
  198 root     11528 S    /system/system/bin/encoder
  199 root     11528 S    /system/system/bin/encoder
  200 root     11528 S    /system/system/bin/encoder
  201 root     11528 S    /system/system/bin/encoder
  202 root     11528 S    /system/system/bin/encoder
  203 root     11528 S    /system/system/bin/encoder
  204 root     11528 S    /system/system/bin/encoder
  205 root     11528 S    /system/system/bin/encoder
  206 root     11528 S    /system/system/bin/encoder
  207 root     11528 S    /system/system/bin/encoder
  208 root     11528 S    /system/system/bin/encoder
  209 root     11528 S    /system/system/bin/encoder
  210 root     11528 S    /system/system/bin/encoder
  211 root     11528 S    /system/system/bin/encoder
  213 root     11528 S    /system/system/bin/encoder
  214 root     11528 S    /system/system/bin/encoder
  215 root     11528 S    /system/system/bin/encoder
  216 root     11528 S    /system/system/bin/encoder
  217 root     11528 S    /system/system/bin/encoder
  218 root     11528 S    /system/system/bin/encoder
  221 root     11528 S    /system/system/bin/encoder
  222 root     11528 S    /system/system/bin/encoder
  223 root     11528 S    /system/system/bin/encoder
  224 root     11528 S    /system/system/bin/encoder
  225 root     11528 S    /system/system/bin/encoder
  226 root     11528 S    /system/system/bin/encoder
  227 root     11528 S    /system/system/bin/encoder
  228 root     11528 S    /system/system/bin/encoder
  229 root     11528 S    /system/system/bin/encoder
  230 root     11528 S    /system/system/bin/encoder
  231 root     11528 S    /system/system/bin/encoder
  236 root     11528 S    /system/system/bin/encoder
  237 root     11528 S    /system/system/bin/encoder
  238 root     11528 S    /system/system/bin/encoder
  239 root     11528 S    /system/system/bin/encoder
  240 root     11528 S    /system/system/bin/encoder
  252 root     11528 S    /system/system/bin/encoder
  253 root     11528 S    /system/system/bin/encoder
 1891 root     11528 S    /system/system/bin/encoder
 1892 root     11528 S    /system/system/bin/encoder
 3553 root     11528 S    /system/system/bin/encoder
 3554 root     11528 S    /system/system/bin/encoder
 3821 root      1532 S    -sh
 3824 root      1528 R    ps
As you can see, I logged in! I first tried the username and password I'd set in the web interface, and that failed. So I tried the default it shipped with, 'root' with password '123456', and it let me in. So it seems they all have this as a default, and the web-interface password is not the one the shell checks, so changing it in the web UI does nothing for telnet. Once in, it's a basic BusyBox Linux system, and everything runs as root. I've not had much time to look any further, but if you're interested here is the filesystem and what looks like the init script that is run at boot to start the daemons:
# df
Filesystem           1k-blocks      Used Available Use% Mounted on
rootfs                    3008      3008         0 100% /
/dev/root                 3008      3008         0 100% /
/dev/mtdblock6            3072      1892      1180  62% /system
/dev/mtdblock7             512       208       304  41% /param
# ls /system
system  daemon  Wireless  init  www
# cat /system/init/ipcam.sh
export LD_LIBRARY_PATH=/system/system/lib:$LD_LIBRARY_PATH
export PATH=/system/system/bin:$PATH
telnetd
/system/system/bin/daemon.v5.12 &
/system/system/bin/cmd_thread &
/system/system/bin/gmail_thread &
#
Note that the script starts telnetd unconditionally, before anything else, so the telnet service is on for every unit that still has the default root password. There look to be three daemons (daemon.v5.12, cmd_thread and gmail_thread) that I'd like to have a look inside, so I may do that at some point in the future.
Makes you think, dunnit? Give it a few years and these IoT appliances that are starting to become popular could be sending lots of information to whoever. I guess all data is of interest to someone and, I presume, has value to someone other than the end user. You just don't expect your web-enabled fridge to have bloatware.
Sorry to hijack your blog, but I've found something worth mentioning and I don't have anywhere else I can post this info. Since your page came near the top of a Google search, it seems to be a good spot to post for others to see.
First off, my camera is the Wanscam HW0041, so YMMV.
My firmware came with telnet disabled (I've checked the ports; the only open ones all relate to normal camera functions).
Digging in the web GUI, there's a hidden page, tplatform_men.html, which toggles the P2P function on/off. Although on mine it looks broken, the settings do get saved when I click Apply (verified by my router's syslog that all those cloud connections stopped after doing this, and also verified after a reboot that the P2P ID is blank on the device information page). There's also the upnp_men.html page (also hidden) that controls the UPnP function. With the NTP function turned off, and DDNS off, my camera's quiet as a rock after a restart. With the cloud off and the default password changed, this camera should be fairly secure.
Cheers.
To stop the WANSVIEW camera from connecting to remote port 32100 you can use the following URL: http://IPADRESS:80/hy-cgi/factory_param.cgi?cmd=setsmartp2p&enable=0. However, you will then not be able to use the camera application; to get around that you can connect directly to the camera via its IP.