Large amount of requests to config.amcrestcloud.com from IP4M-1041

tuaris

I have about (I think) 6 or more IP4M-1041B's at a location. These cameras appear to have a 'bug' where you can't change DNS servers. No matter what you do, they revert back to Google DNS. So I set up DNS query redirection on my firewall and enabled query logging on my DNS resolver. Here's what I see:

Code:
Mar 23 23:12:11 earth named[91240]: client @0x83abce160 192.168.1.211#47437 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:11 earth named[91240]: client @0x83c316160 192.168.1.210#38330 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:11 earth named[91240]: client @0x83abce160 192.168.1.203#58125 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:12 earth named[91240]: client @0x83abce160 192.168.1.210#58391 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:12 earth named[91240]: client @0x83c316160 192.168.1.209#42542 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:12 earth named[91240]: client @0x83abce160 192.168.1.209#46501 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:12 earth named[91240]: client @0x83c316160 192.168.1.216#51552 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:13 earth named[91240]: client @0x83c316160 192.168.1.212#55736 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:13 earth named[91240]: client @0x83c316160 192.168.1.211#47712 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:13 earth named[91240]: client @0x83c316160 192.168.1.216#39632 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:13 earth named[91240]: client @0x83abcc160 192.168.1.203#46985 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:13 earth named[91240]: client @0x83abcc160 192.168.1.203#44225 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:13 earth named[91240]: client @0x83c316160 192.168.1.212#56374 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:13 earth named[91240]: client @0x83abcc160 192.168.1.211#37345 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:14 earth named[91240]: client @0x83abcc160 192.168.1.212#47015 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:14 earth named[91240]: client @0x83abcc160 192.168.1.210#55409 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:14 earth named[91240]: client @0x83abcc160 192.168.1.209#53789 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:14 earth named[91240]: client @0x83c316160 192.168.1.216#41368 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:15 earth named[91240]: client @0x83abcc160 192.168.1.211#38905 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:15 earth named[91240]: client @0x83c316160 192.168.1.210#59758 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:15 earth named[91240]: client @0x83c316160 192.168.1.209#52978 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:15 earth named[91240]: client @0x83abcc160 192.168.1.209#60445 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:15 earth named[91240]: client @0x83abcc160 192.168.1.216#39045 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:15 earth named[91240]: client @0x83c316160 192.168.1.203#53946 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:16 earth named[91240]: client @0x83c316160 192.168.1.212#42544 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:16 earth named[91240]: client @0x83abcc160 192.168.1.211#47163 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:16 earth named[91240]: client @0x83c316160 192.168.1.210#59256 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)

More than several times a second, there are queries to some remote host "config.amcrestcloud.com". I don't know how this is possible. I have disabled all the known settings I can think of on the camera that have the slightest hint of P2P or cloud setup.

I have an HTTP server where those requests are forwarded to, and here's what the camera is trying to do:

Code:
x.x.x.x - [21/Mar/2025:03:28:15 -0400] config.amcrestcloud.com "GET /api/config/amcrest/config.php?token=AMC10#X#X#####XXX HTTP/1.1" 200 "-" "-"

Why would it do this? As mentioned, I have all this (supposedly) turned off.
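Added example, not part of the original post: a small parser for BIND query-log lines in the format shown above that reports which clients repeat the same lookup at a steady high rate. The sample log is constructed, and the thresholds `min_queries` and `max_mean_gap` are assumptions to tune per network.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same named query-log format as the post (not the poster's data).
SAMPLE_LOG = """\
Mar 23 23:12:11 earth named[91240]: client @0x83abce160 192.168.1.211#47437 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:12 earth named[91240]: client @0x83abce160 192.168.1.210#38330 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:12 earth named[91240]: client @0x83abce160 192.168.1.50#40001 (www.example.org): query: www.example.org IN A + (192.168.1.254)
Mar 23 23:12:13 earth named[91240]: client @0x83abce160 192.168.1.211#47712 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:14 earth named[91240]: client @0x83abce160 192.168.1.210#55409 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:15 earth named[91240]: client @0x83abce160 192.168.1.211#38905 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:16 earth named[91240]: client @0x83abce160 192.168.1.210#59256 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:17 earth named[91240]: client @0x83abce160 192.168.1.211#47163 (config.amcrestcloud.com): query: config.amcrestcloud.com IN A + (192.168.1.254)
Mar 23 23:12:17 earth named[91240]: zone example/IN: loaded serial 1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+named\[\d+\]:\s+client\s+(?:@\S+\s+)?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+\s+\((?P<qname>[^)]+)\):\s+query:\s+\S+\s+IN\s+(?P<qtype>\S+)"
)

def parse_queries(text):
    """Yield (timestamp, client_ip, qname, qtype) for each query line; skip other lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; pin one so parsing is deterministic
            ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["qname"].lower().rstrip("."), m["qtype"]

def beaconing_clients(text, min_queries=3, max_mean_gap=5.0):
    """Return {(client, qname): (count, mean_gap_seconds)} for steadily repeated lookups."""
    seen = defaultdict(list)
    for ts, ip, qname, _ in parse_queries(text):
        seen[(ip, qname)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_queries:
            continue  # a one-off lookup is not a beacon
        stamps.sort()
        mean_gap = (stamps[-1] - stamps[0]).total_seconds() / (len(stamps) - 1)
        if mean_gap <= max_mean_gap:
            hits[key] = (len(stamps), mean_gap)
    return hits

if __name__ == "__main__":
    for (ip, qname), (n, gap) in sorted(beaconing_clients(SAMPLE_LOG).items()):
        print(f"{ip} -> {qname}: {n} queries, mean gap {gap:.1f}s")
```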
 
We have seen some cameras are hard-coded to do this.

It is either sloppy programming, an intentional backdoor for anyone that has it connected to the internet, or intentional to prevent the company from getting slammed with 1-800 phone calls from users making changes to things they shouldn't and then losing access to their cameras.
 
I have one Amcrest that tries to contact their cloud 24/7
Blocked in firewall

 
Yeah, some will do that no matter how you have things set. Also, some will have different behaviors depending on how you have the DNS set. e.g., 0.0.0.0 or left blank will cause it to seek whatever DNS is hard coded.

In the camera's setup for services, there's a disable checkbox at the top which would make you think that it shuts off everything listed below. It doesn't. Make sure that you've X'ed each of the services that you want to disable in the list below.

If you can't get it to stop, then in the camera's network setup point the gateway to the cam's own IP address. It still will be trying but at least it won't be cluttering up your logs.
 
Won't take 0.0.0.0
Best it can do is 1.0.0.1

I changed Gateway to itself so we'll see how that does
 
Have you been experiencing an issue where the camera is 'forgetting' what time it is and rebooting itself every 3 hours if you have auto-maintenance set up to reboot on Tuesdays at around 2:52 AM?

The camera's Date and Time at some point resets itself to February 1, 2000 00:00:00. Which just so happens to be a Tuesday. Then about 3 hours later, it reboots itself. It's not just one camera, it's ALL of them!

[Attachment: amcrest-IP4M-1041-reboot-log.png]
 
I haven’t, no. But that same camera can’t hold the bitrate I give it. Not a browser thing, tried them all.
It’s going in the trash bin
 
The response from config.amcrestcloud.com is concerning. Seems to be configuring some kind of remote video upload location. Going to add hostedcloudvideo.com to my DNS block list.

XML:
<?xml version="1.0" encoding="UTF-8"?>
<Config version="1">
  <ServerList>
    <Server>
      <Name>Command Server</Name>
      <Type>command</Type>
      <Host>command-5.hostedcloudvideo.com</Host>
      <Ports>
        <Port>
          <Number>443</Number>
          <Secure>true</Secure>
        </Port>
      </Ports>
    </Server>
    <Server>
      <Name>FTP Server</Name>
      <Type>ftp</Type>
      <Host>ftp.hostedcloudvideo.com</Host>
      <Ports>
        <Port>
          <Number>21</Number>
          <Secure>false</Secure>
        </Port>
      </Ports>
    </Server>
    <Server>
      <Name>Media Server</Name>
      <Type>media</Type>
      <Host>cr-46.hostedcloudvideo.com</Host>
      <Application>rtp-cr</Application>
      <Instance>_definst_</Instance>
      <Ports>
        <Port>
          <Number>1935</Number>
          <Secure>false</Secure>
        </Port>
      </Ports>
    </Server>
  </ServerList>
</Config>
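Added example, not part of the original post: it parses a response of the shape quoted above into an endpoint inventory, lists the ports the config itself marks as not secure, and derives BIND Response Policy Zone (RPZ) records that return NXDOMAIN for the parent domain. The sample is the quoted XML condensed onto fewer lines (the media server's Application and Instance fields are omitted); taking the last two labels as the zone, and using RPZ as the block-list format, are assumptions.

```python
import xml.etree.ElementTree as ET

# The response quoted in the post, condensed for this example (assumption: same schema).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Config version="1"><ServerList>
 <Server><Name>Command Server</Name><Type>command</Type><Host>command-5.hostedcloudvideo.com</Host>
  <Ports><Port><Number>443</Number><Secure>true</Secure></Port></Ports></Server>
 <Server><Name>FTP Server</Name><Type>ftp</Type><Host>ftp.hostedcloudvideo.com</Host>
  <Ports><Port><Number>21</Number><Secure>false</Secure></Port></Ports></Server>
 <Server><Name>Media Server</Name><Type>media</Type><Host>cr-46.hostedcloudvideo.com</Host>
  <Ports><Port><Number>1935</Number><Secure>false</Secure></Port></Ports></Server>
</ServerList></Config>"""

def endpoints(xml_bytes):
    """Return [(type, host, port, secure)] for every <Port> of every <Server>."""
    # The body comes from a remote server, so refuse DTDs/entities before parsing.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("refusing XML with DTD/entity declarations")
    out = []
    for srv in ET.fromstring(xml_bytes).iter("Server"):
        host = (srv.findtext("Host") or "").strip().lower().rstrip(".")
        if not host:
            continue
        for port in srv.iter("Port"):
            secure = (port.findtext("Secure") or "").strip().lower() == "true"
            out.append((srv.findtext("Type", "?"), host, int(port.findtext("Number")), secure))
    return out

def cleartext(eps):
    """Endpoints the config itself marks as not secured."""
    return [e for e in eps if not e[3]]

def rpz_records(eps):
    """RPZ NXDOMAIN records per parent zone (naive: last two labels, no public-suffix list)."""
    zones = sorted({".".join(host.split(".")[-2:]) for _, host, _, _ in eps})
    return [rec for z in zones for rec in (f"{z} CNAME .", f"*.{z} CNAME .")]

if __name__ == "__main__":
    eps = endpoints(SAMPLE)
    for kind, host, port, secure in eps:
        print(f"{kind:8} {host}:{port} {'secure' if secure else 'CLEARTEXT'}")
    print("\n".join(rpz_records(eps)))
```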
 
It’s if you use their cloud storage. I don’t use it but that camera tries to contact it regardless. My other Amcrest doesn’t at all.

All they’re going to see is the inside of a shed, but it’s on its way to the county landfill now