
SANS ISC: Unidentified Scanning Activity - Internet Security | DShield SANS ISC InfoSec Forums

Unidentified Scanning Activity

Over the past two weeks, my honeypot has captured a new scan. According to the URL targeted and some research, this might be used to identify Dahua[1] or HiSilicon[2] digital video recorder (DVR) products. So far I have only seen this activity against port 80, and the scans for this activity look like this:

20190907-090937: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-093912: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-094441: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-100443: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115225: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115630: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-122646: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'

If you are seeing this kind of activity and are able to help identify the product targeted, or confirm it is one of the two I listed, leave a comment on our page. Searching for the same URL, I did find an exploit against HiSilicon DVRs released last year[3].
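As an added example (not part of the diary), the following Python script parses honeypot lines in the "YYYYMMDD-HHMMSS: data '...'" layout shown above, decodes the escaped payload back into the raw request, and flags the request-line properties that make this probe stand out: a request-target that begins with "../" instead of "/", the bare "HTTP" token where a version such as "HTTP/1.1" belongs, and the mnt/custom/ProductDefinition path. It then summarises how often the probe was seen and when. The log lines embedded in the script are constructed for the example (one benign request and one unrelated traversal attempt are mixed in), and the reason strings and function names are my own.

```python
import codecs
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the diary's honeypot layout; timestamps and payloads are
# made up for this example, not copied from any real sensor.
SAMPLE_LOG = r"""
20190907-090937: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-093912: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-094441: data 'GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n'
20190907-100443: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-101200: data 'GET /../../etc/passwd HTTP/1.0\r\n\r\n'
"""

LINE_RE = re.compile(r"^(\d{8}-\d{6}): data '(.*)'$")
HTTP_VERSION_RE = re.compile(r"^HTTP/\d\.\d$")
PROBE_PATH = "mnt/custom/ProductDefinition"  # path requested by the scan in the diary
PROBE_REASON = "DVR ProductDefinition probe"


def parse_line(line):
    """Return (timestamp, decoded request) for one honeypot line, or None if it
    does not match the 'YYYYMMDD-HHMMSS: data '...'' layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y%m%d-%H%M%S")
    # The honeypot logs the payload as an escaped literal, so '\r\n' is four
    # characters; unicode_escape turns those back into real CR/LF characters.
    payload = codecs.decode(m.group(2), "unicode_escape")
    return ts, payload


def classify_request(payload):
    """Split the request line and list the reasons it looks like a probe."""
    request_line = payload.split("\r\n", 1)[0]
    parts = request_line.split()
    method = parts[0] if len(parts) > 0 else ""
    target = parts[1] if len(parts) > 1 else ""
    version = parts[2] if len(parts) > 2 else ""

    reasons = []
    if target.startswith("../") or "/../" in target:
        reasons.append("directory traversal in request-target")
    if target and not target.startswith(("/", "http://", "https://", "*")):
        reasons.append("request-target is not origin-form (no leading '/')")
    if not HTTP_VERSION_RE.match(version):
        reasons.append("missing or malformed HTTP version")
    if target.endswith(PROBE_PATH):
        reasons.append(PROBE_REASON)
    return {"method": method, "target": target, "version": version, "reasons": reasons}


def summarize(log_text):
    """Scan a whole log; return (suspicious_entries, summary_dict)."""
    matches = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, payload = parsed
        info = classify_request(payload)
        if info["reasons"]:
            matches.append((ts, info))

    targets = Counter(info["target"] for _, info in matches)
    probe_times = [ts for ts, info in matches if PROBE_REASON in info["reasons"]]
    summary = {
        "total_suspicious": len(matches),
        "targets": dict(targets),
        "probe_count": len(probe_times),
        "probe_first_seen": min(probe_times).isoformat() if probe_times else None,
        "probe_last_seen": max(probe_times).isoformat() if probe_times else None,
    }
    return matches, summary


if __name__ == "__main__":
    hits, report = summarize(SAMPLE_LOG)
    for ts, info in hits:
        print(ts.isoformat(), info["method"], info["target"], "->", "; ".join(info["reasons"]))
    print(report)
```

Note that the request line "GET ../../mnt/custom/ProductDefinition HTTP" is not valid HTTP/1.1: the target lacks a leading slash and the version token has no number, so a strict web server would reject it rather than serve anything. The scanner is evidently counting on a permissive embedded HTTP daemon on the target device, which is why the malformed shape itself is a useful fingerprint of this campaign. The honeypot lines above carry no source address or destination port, so the summary is keyed on the request-target; when your sensor records those fields, add them to the matches to correlate with the port list in Update 1.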

Update 1

I received the following update via Twitter:

GreyNoise Intelligence (@GreyNoiseIO) has observed a very large spike in compromised Mirai-infected devices around the Internet bruteforcing DVR/IP camera devices using the NETsurveillance ActiveX plugin. This activity is originating from roughly 7% of total Mirai infections tracked by GreyNoise.

@MasafumiNegishi has observed the following ports being scanned for the same activity: TCP 80, 81, 82, 83, 85, 88, 8000, 8080, 8081, 9090, and another moobot variant has been scanning HiSilicon DVR devices on 80/tcp since August 29. Both moobot variants share the same C2.


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu



I see this traffic in my logs. The service running is I will try to find further information. Hope it may help.

