Check Your Web Server Security!

ksnax

Young grasshopper
Joined
Jul 28, 2017
Messages
35
Reaction score
4
After some recent odd happenings on my network with IP addressing, I was forced to re-evaluate my authorized connections and DHCP reservations. In so doing, under the BI WebServer Advanced tab, I noted 3 IP addresses added to the 'Limit access by IP address' listing that I did not put there.

To be clear, I accept my responsibility and understand the nature of how this happened, with lax security on camera IP blocking - and allowing unchallenged LAN access. That has been locked down.

Regardless, there should not be any addresses in that list that you did not put there.

The offending addresses are two miscellaneous ChinaNet addresses, but more importantly, 162.209.239.31, which originates out of CloudRadium, an apparently recognized front for Chinese government hacking.

It is unclear what else they may be into on my network now, but I will be monitoring and blocking connections as they are discovered.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,544
Location
USA
Oh wow. How do you access BI when away from home? Did you use the Remote Wizard for STUNNEL, port forward, VPN, etc.?
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,544
Location
USA
That is how they got in... lots of threads where crap like this happens with port forwarding.
 

ksnax

Young grasshopper
Joined
Jul 28, 2017
Messages
35
Reaction score
4
Quite possibly, but I am not convinced it wasn't a backdoor exploit from a camera.
 

ksnax

Young grasshopper
Joined
Jul 28, 2017
Messages
35
Reaction score
4
I have blocked all outbound WAN connections from all IP cameras and tightened firewall settings, as well as added authentication for LAN services.
 

Futaba

Pulling my weight
Joined
Nov 13, 2015
Messages
220
Reaction score
153
Is there a minus or plus sign in front of the IP addresses? Minus means they are blocked. If they have minus signs, it is OK.
 

ksnax

Young grasshopper
Joined
Jul 28, 2017
Messages
35
Reaction score
4
Is there a minus or plus sign in front of the IP addresses? Minus means they are blocked. If they have minus signs, it is OK.

What? They are minuses! I could not find documentation about these addresses being there. Cripes.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
Quite possibly, but I am not convinced it wasn't a backdoor exploit from a camera.
If it was a camera exploit they would be logging in locally. And they would not care to access the webserver.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,005
Location
USA
I would not expect the auto ban function to put anything into the IP blacklist. There are still a lot of possibilities for how the addresses ended up there.

1. Owner added them and forgot (possibly by looking through the connections status and permanently blocking some addresses via the right-click menu).
2. Someone got into Blue Iris using its remote console API via the web server (which is undocumented, but for the most part easily reverse-engineered).
3. Someone got remote desktop access to the Blue Iris server.
4. Someone could have potentially used other remote management features within Windows to modify the registry where Blue Iris stores its settings. I'd expect this to not be possible on a default Windows installation though.

FYI a ^ symbol before the address would grant admin privilege too.
 
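The practical takeaway from the two posts above is that a minus entry is benign while a plus or ^ entry you did not add is the real problem. The following audit script, an added example and not Blue Iris code or anything posted in this thread, parses a list of entries using the prefix meanings given above ("-" blocks, "^" grants admin; treating "+" or a bare address as a plain allow is an assumption) and flags every grant that falls outside the networks you deliberately allowed. The sample entries are constructed, using RFC 5737 test addresses in place of the poster's real list.

```python
import ipaddress

# Prefix meanings from the thread: "-" blocks, "^" grants admin.
# Reading "+" (or no prefix) as a plain allow is an assumption for this example.
PREFIX_MEANING = {"-": "block", "+": "allow", "^": "admin"}


def parse_entry(raw):
    """Parse one access-list entry into (action, ip_network); None for blank lines."""
    raw = raw.strip()
    if not raw:
        return None
    if raw[0] in PREFIX_MEANING:
        action, body = PREFIX_MEANING[raw[0]], raw[1:]
    else:
        action, body = "allow", raw
    # strict=False tolerates host bits in a CIDR such as 192.168.1.5/24.
    return action, ipaddress.ip_network(body.strip(), strict=False)


def _inside(net, sanctioned):
    """True if net lies entirely within one of the sanctioned networks."""
    return any(net.version == s.version and net.subnet_of(s) for s in sanctioned)


def audit_access_list(entries, expected_allow, expected_admin=()):
    """Return (raw_entry, reason) for each entry that grants access you did not sanction.

    Block entries are ignored (the benign case from the thread). Allow entries must sit
    inside expected_allow or expected_admin; admin entries must sit inside expected_admin.
    """
    allow_nets = [ipaddress.ip_network(n) for n in expected_allow]
    admin_nets = [ipaddress.ip_network(n) for n in expected_admin]
    findings = []
    for raw in entries:
        parsed = parse_entry(raw)
        if parsed is None or parsed[0] == "block":
            continue
        action, net = parsed
        ok = _inside(net, admin_nets) if action == "admin" else _inside(net, allow_nets + admin_nets)
        if not ok:
            findings.append((raw, f"unexpected {action} entry"))
    return findings


# Constructed sample list (not the poster's real configuration).
SAMPLE_ENTRIES = [
    "-162.209.239.31",   # the CloudRadium block the poster found: benign
    "-203.0.113.7",      # constructed stand-in for a blocked ChinaNet address
    "+192.168.1.0/24",   # the LAN you deliberately allowed
    "^198.51.100.9",     # constructed: an admin grant you never added
    "+10.0.0.5",         # constructed: an allow outside your LAN
]

if __name__ == "__main__":
    for entry, why in audit_access_list(SAMPLE_ENTRIES, ["192.168.1.0/24"]):
        print(f"{entry:20s} {why}")
```

Run it against a copy of your own list with your real LAN range in place of 192.168.1.0/24; anything it prints is an entry worth explaining before you trust the list.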

ksnax

Young grasshopper
Joined
Jul 28, 2017
Messages
35
Reaction score
4
Okay, thanks for setting me straight on this. Paranoia is how we keep things safe I suppose. LOL
 

ksnax

Young grasshopper
Joined
Jul 28, 2017
Messages
35
Reaction score
4
If it was a camera exploit they would be logging in locally. And they would not care to access the webserver.
Honestly, after reading Winn Schwartau, Kevin Mitnick, and Edward Snowden's books, I don't take that one for granted. If they want in, they will get in. No point in making it easy though.
 