Unidentified Scanning Activity
Over the past two weeks, my honeypot has captured a new scan. Based on the URL targeted and some research, this might be used to identify Dahua[1] or HiSilicon[2] digital video recorder (DVR) products. So far I have only seen this activity against port 80, and the scans for this activity look like this:
20190907-090937: 192.168.25.9:80-XXX.190.6.228:48968 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-093912: 192.168.25.9:80-XXX.188.126.243:36847 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-094441: 192.168.25.9:80-XXX.189.237.44:44343 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-100443: 192.168.25.9:80-XXX.188.40.103:35067 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115225: 192.168.25.9:80-XXX.177.116.123:40904 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115630: 192.168.25.9:80-XX.186.174.54:57636 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-122646: 192.168.25.9:80-XXX.189.27.141:38624 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
If you are seeing this kind of activity and are able to help identify the product targeted, or confirm it is one of the two I listed, leave a comment on our page. While searching for the same URL, I did find an exploit against a HiSilicon DVR released last year[3].
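To spot this probe in your own honeypot or web server logs, the following added example (my own code, not part of the diary) parses the honeypot line format shown above, flags requests whose target is a relative-path traversal to mnt/custom/ProductDefinition, and summarizes the sources and destination ports involved. The sample lines are constructed to mirror the format above and use RFC 5737 documentation addresses rather than real scanner IPs; the function and variable names are my own.

```python
import re
from collections import Counter

# Constructed sample log lines in the honeypot's format
# (timestamp: dst_ip:dst_port-src_ip:src_port data '<payload>').
# Source addresses are documentation ranges, not real scanners.
SAMPLE_LOG = r"""20190907-090937: 192.168.25.9:80-203.0.113.228:48968 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-093912: 192.168.25.9:80-198.51.100.243:36847 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-094500: 192.168.25.9:80-192.0.2.10:51000 data 'GET / HTTP/1.1\r\nHost: example\r\n\r\n'
20190907-100443: 192.168.25.9:8080-203.0.113.228:35067 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
"""

# One honeypot record per line: timestamp, dst ip:port, src ip:port, quoted payload.
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}-\d{6}): "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)-(?P<src>[\d.]+):(?P<sport>\d+) "
    r"data '(?P<data>.*)'$"
)

# Path fragment the scan asks for (from the diary).
DVR_PROBE_PATH = "mnt/custom/ProductDefinition"


def parse_line(line):
    """Return a dict describing one honeypot record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["sport"] = int(rec["sport"])
    # The honeypot escapes CR/LF as the literal two-character sequences \r and \n,
    # so split on those to recover the HTTP request line.
    request_line = rec["data"].split(r"\r\n")[0]
    parts = request_line.split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["target"] = parts[1] if len(parts) > 1 else ""
    rec["version"] = parts[2] if len(parts) > 2 else ""
    return rec


def is_dvr_probe(rec):
    """True when the request target is a relative traversal to the DVR product file."""
    target = rec["target"]
    return target.startswith("../") and DVR_PROBE_PATH in target


def is_malformed_request(rec):
    """A proper request line has an absolute-path target and a version like HTTP/1.1.

    The scan uses a relative path and a bare 'HTTP' token, which is itself a
    useful low-noise indicator independent of the exact path string.
    """
    return not rec["target"].startswith("/") or not rec["version"].startswith("HTTP/")


def summarize(log_text):
    """Count matching probes and break them down by source IP and destination port."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_dvr_probe(rec):
            probes.append(rec)
    return {
        "probes": len(probes),
        "sources": Counter(r["src"] for r in probes),
        "ports": Counter(r["dport"] for r in probes),
        "malformed": sum(is_malformed_request(r) for r in probes),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['probes']} DVR probes ({result['malformed']} with malformed request lines)")
    for src, n in result["sources"].most_common():
        print(f"  {src}: {n}")
    print("  destination ports:", dict(result["ports"]))
```

Running it against a real honeypot capture is a matter of passing the file contents to summarize(); the malformed-request check is worth keeping as a separate signal, since scanners that tweak the path will often keep the same sloppy request line.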
Update 1
I received the following update via Twitter:
GreyNoise Intelligence (@GreyNoiseIO) has observed a very large spike in compromised Mirai-infected devices around the Internet bruteforcing DVR/IP camera devices using the NETsurveillance ActiveX plugin. This activity is originating from roughly 7% of total Mirai infects tracked by GreyNoise.
@MasafumiNegishi has observed the following ports being scanned for the same activity: TCP 80, 81, 82, 83, 85, 88, 8000, 8080, 8081, 9090, and that another moobot variant has been scanning HiSilicon DVR devices on 80/tcp since August 29. Both moobot variants share the same C2.
[1] https://www.dahuasecurity.com/
[2] http://www.hisilicon.com
[3] https://www.exploit-db.com/exploits/44004
-----------
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu