Connections from Europe?

jmburton2001

Getting the hang of it
Joined
Aug 16, 2015
Messages
98
Reaction score
40
I'm in the US. Does Blue Iris Tools connect to a server or something in the UK and/or EU?



The actual IP address traces to "Oracle Cloud" in Frankfurt, Germany.

 

sebastiantombs

Known around here
Joined
Dec 28, 2019
Messages
11,511
Reaction score
27,692
Location
New Jersey
You're probably port forwarding and being scanned by hackers. Read these two threads and get a VPN going, an inbound VPN not the services you see advertised to hide your surfing. Those are outbound VPNs.

Secure Network

VPN Primer
 

jmburton2001

Thanks sebastiantombs!

I have a single port (8080) forwarded for the Blue Iris ui3 interface. The "guest" account is disabled and in order to open that webpage a user/pass combo is required.

Do I need a VPN for this webpage?

It appears that they're scanning port 80 but that port's not open to the internet according to the IPCT open port checker.



Is letting them scan a closed port problematic?
 

sebastiantombs

If you have a port open for any reason it is a risk. 8080 is a very common alternate port for port 80 and will get hammered. Every attempt is moving the point of probability closer and closer to being hacked. Use a VPN, OpenVPN is easiest, and stop forwarding ports. Yes, it's an extra step on the remote device when you want to access your BI machine, or anything else on your LAN, but it is pretty good insurance and doesn't cost a dime.
 

jmburton2001

Thank you again! Looks like I have some reading in my future!
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,828
Reaction score
6,386
You do show a remote connection made on port 80. See third line. But it's to BI Tools on that same remote IP? I don't use it but does BI Tools use some server located in the UK that would be making a connection to your system on port 80? Watchdog or something like that maybe?
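
Added example, not written by anyone in this thread: the question here turns on whether the port-80 entries are connections coming in to the machine or going out from it. This sketch parses `netstat -ano`-style output and labels each connection by whether its local port is one the machine is listening on; the sample table, addresses and PIDs are constructed.

```python
import re

# Constructed `netstat -ano`-style sample: documentation-range addresses and
# made-up PIDs, not values from the thread.
SAMPLE = """\
  TCP    0.0.0.0:8080         0.0.0.0:0            LISTENING     4120
  TCP    192.168.1.20:8080    198.51.100.7:51544   ESTABLISHED   4120
  TCP    192.168.1.20:49812   203.0.113.45:80      ESTABLISHED   5316
  TCP    192.168.1.20:49813   203.0.113.45:80      TIME_WAIT     0
  TCP    192.168.1.20:49901   203.0.113.45:443     ESTABLISHED   5316
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse(text):
    """Return one dict per TCP row; header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            local, lport, remote, rport, state, pid = m.groups()
            rows.append({"local": local, "lport": int(lport), "remote": remote,
                         "rport": int(rport), "state": state, "pid": int(pid)})
    return rows

def classify(rows):
    """Label each connection inbound or outbound.

    Inbound: the local port is one this machine listens on, so the remote
    side initiated. Outbound: the local port is ephemeral and the remote
    port (80, 443, ...) is the service a local process reached out to.
    """
    listening = {r["lport"] for r in rows if r["state"] == "LISTENING"}
    result = []
    for r in rows:
        if r["state"] == "LISTENING":
            continue
        direction = "inbound" if r["lport"] in listening else "outbound"
        result.append((direction, r["remote"], r["lport"], r["rport"], r["pid"]))
    return result

if __name__ == "__main__":
    for entry in classify(parse(SAMPLE)):
        print(entry)
```

An outbound row to remote port 80 does not mean port 80 is open on the local machine; only rows labelled inbound involve a listening (and possibly forwarded) port.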


 

sebastiantombs

Given that BIT was written in the US I can't think of any reason why it would connect to a server in the UK.

Have you done a full system virus scan on this machine? Shut down BI and anything else running including BIT, and run a full scan.
 

jmburton2001

I was hoping to gain some insight from the BI Tools dev about that. I know it watches port 8080 for the watchdog function but the three other connections to the UK from the same IP address on port 80 are what's concerning.

Does he have it connecting to an Oracle server overseas for some legitimate reason?
 

Mike A.

Could be some edge server that's in the pool for whatever hosting service BI Tools uses. Given the Oracle Cloud origin that would make sense. I get connections from all over for some other US-based products/services that I use (but they're not coming in through an open port).
 

jmburton2001

Yeah. I don't know how Oracle load balances their services and servers but the BI Tools executable is connecting to it for some reason.
 

sebastiantombs

Still sounds very fishy to me. I've been running BIT for years and have never had any outside connections to it, let alone a connection from the UK, and that could easily be a spoofed address anyway.
 

Mike A.

I don't know BI Tools well enough to know how it's set up and what connections are made but @Mike does. Maybe he'll chime in.

In any case, putting up the VPN still is a good idea. Won't help with outgoing connections but will block some incoming returns and unsolicited attempts.
 

jmburton2001

I've never had the IPCT brain trust steer me wrong. I have full confidence that we can figure this out.

In the meantime I have 12+ hours left on my full virus scan. ;)
 

Mike A.

Yeah, some random process or connection to a sketchy server somewhere I'd definitely be giving side-eye to. I think there's probably a more innocent answer in this case. You'll see the same these days with lots of US cloud-based services so doesn't cause me too much concern just based on that alone. Given things like Watchdog, it needs to connect somewhere. @Mike should be able to clear things up.
 

cyberwolf_uk

Getting comfortable
Joined
Sep 27, 2014
Messages
609
Reaction score
717
> I'm in the US. Does Blue Iris Tools connect to a server or something in the UK and/or EU?
>
> The actual IP address traces to "Oracle Cloud" in Frankfurt, Germany.

History tells me not to trust the Germans :eek:

But seriously, now and again I open the odd port when tinkering around with stuff... It only takes a couple of hours for bots to start hammering my ports... luckily for me I have a good understanding of networks so these get blocked but I always tell people unless you understand what you are doing then don't open ports and keep your LAN behind a VPN or some sort of tunnel whereby ports don't need to be forwarded on your router to gain remote access to your LAN.
 

jmburton2001

After a 12+ hour virus and malware scan, good news... nothing found!

I'm currently thinking it's probably not nefarious but I'm going forward with some type of shield against external threats (VPN, ZeroTier, etc). The problem right now is that the system this is occurring on is >2,000 miles away and I don't want to mess something up and lose my remote connection. That's a looooong drive! ;)
 