Title fixed by fenderman. I mistakenly thought I was hacked. Turns out, I didn't read the help file.

spend2much

n3wb
Joined
Feb 9, 2017
Messages
18
Reaction score
9
System hacked, help reading blue iris logs
I have big problems and need some big help please! My computer was hacked, 2 or more of 4, but it's a little more complicated than just that.
Here's the story and timeline. 2 weeks ago I installed a demo of Blue Iris onto a VM, thought it may be something I can use; I have an old computer that I'm willing to do some further testing with. All computers are on the same network, all logged in with my username and password (Windows user and PW).
Last weekend I installed a new drive and Windows onto SPARE, installed the demo of Blue Iris, added cameras, working good, but now I want to add more cameras to see if the PC can handle it. I have 7 cameras on there now, looks promising, so now I want to test remote access.

Saturday 1-9-21
I went through the wizard, opened port 81 to allow access to SPARE that runs BI, all is working well, I am starting to like the software.

FF to this AM (1-13-21).
My main PC is off, I had a bunch of notes and websites open (including this one) from looking around on how to set up a VLAN and just tweaking the software… so I'm annoyed. Start it back up, it's all looking normal, PC1 is working fine. My sick cat had an accident and I wanted to look at the camera to see what happened.. funny, the camera is not pointed where it was last night… long story short, a couple of others are also not pointed correctly. I go into the BI logs and find out there is a user (that was not there) named "anonymous"; I go into devices, and there is an Android device that I do not own… so now I know I have been hacked! The SPARE PC seems to be normal, it was on like it was before… however now I look into my router logs and see that PC1 tried to communicate to an IP in Germany, so now I know PC1 was hacked, or did they get into Blue Iris and then into the network… PC2 was on and PC3… they are both on screen saver now, and PC2 rebooted. I have image backups of PC1, PC2, and PC3 and hopefully the image restore will get rid of what's there….

HERE IS WHERE I NEED HELP / ADVICE PLEASE!!!
I need to find PC-0, Patient Zero. Did BI allow the attack, or did port 81 allow attacks from another PC? How do I read the logs to see when this "anonymous" user was created?
How do I read the logs to see logins and the times users were logged in?
Any other logs I should look at? Any other advice would also be greatly appreciated.
I'm not blaming Blue Iris here, but opening that port 81 was a HUGE MISTAKE and I am trying to establish a timeline of activity that was not created by my use, via the logs and information I can get from my PC in Event Viewer. Thanks in advance, and if some of you pummel me with "lack of security measures" and "I told you so"… that too will not offend me, I deserve it at my level of knowledge (not that I know how to prevent it completely, but I should know better…. ) Just please, after slapping me in the head, please offer some help.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,541
Location
USA
You are probably right - opening a port was probably how someone got in.

With that said, I would venture to say it was through a camera so I would check those logs as well. And then turn off UPnP and P2P if you haven't already in the cameras and isolate them from your network.

Other than a login you didn't recognize, could the cameras pointing in a different direction be a power reset - some cameras on a reboot will go to a pre-determined location that isn't where you set it.
 

spend2much

n3wb
Joined
Feb 9, 2017
Messages
18
Reaction score
9
I am using 5 Amcrest in-house PTZ cameras on wifi, yes, same network, and they were added to Blue Iris.

The port was opened and assigned to the SPARE PC that was running the Blue Iris software. That computer is also on the same network. Currently I have the ISP router completely unplugged from the internet until I can figure out how bad all of this is. Them getting on PC1 is really bad for my situation, and knowing it did a reboot pretty much ensures that something was installed on the drive before Windows starts, so that's really bad. It was more than just someone wanting to look at cameras.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,541
Location
USA
OK so the Amcrest cameras - how did you install them - did you simply scan the code on the app and you were up and running? If so, those cameras are exposed to the internet and that is probably how a hacker got into your network. And if these are wifi cams, it opens up even more opportunities to be hacked. Could be a perp neighbor trying to see your family inside. Maybe a car going by looking for wifi cams to hack and get their jollies in the car. Or could be someone around the world that exploited the poor security in these cameras.

But even if you didn't install that way, just those cameras being used on the same network that you use to surf the net and the same IP range gives a hacker all they need. Did you go to the web GUI of the cameras and confirm UPnP and P2P are turned off? I suspect they are turned on. Have you looked at the camera logs?

A breach involving cameras is always more than someone just wanting to look at cameras. One of the things preached here a lot is a hacker doesn't care about what your cameras are looking at, they are using the vulnerabilities of the cameras to gain access to your network to hack you and do DOS attacks to the internet using your system and IP as the bot to do the damage. People assume that all a hacker can do is see their cameras so they do not take the threat seriously of preventing the cams from reaching the internet until something like this happens.

I believe it is completely coincidental that it happened around the same time you were demoing Blue Iris. I am not aware of anyone that has been attacked thru Blue Iris. It is usually through the vulnerability of the camera. Turn off UPnP and P2P now in each camera and then go into your router and parental-control those cameras from seeing the internet - until you do that and isolate the cams, any fix you make on PC1 doesn't actually solve the problem.

Or maybe Windows simply got hung up on something and turned the computer off and didn't turn back on. And maybe that caused the cams to reboot.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
You were not hacked. You’re confusing a record that someone landed on your server page with being hacked. Unless you removed all Authentication no one even looked at your cameras. No one installed anything on your system or played with your cameras.
 

Kameraad

Pulling my weight
Joined
Oct 23, 2016
Messages
162
Reaction score
136
Try to recreate what @fenderman said by taking your phone off wifi and browsing to your public IP with :81 behind it. Don't log in and see what the log says.
 

spend2much

n3wb
Joined
Feb 9, 2017
Messages
18
Reaction score
9
My main PC was rebooted for no reason. Also I found in the log within the router system destination log, it shows
Proto NATed Address = icmp "my main PC address" - destination = 144.76.59.84 - STATE = UNREPLIED.
I went to What's My IP and typed in the destination and it's somewhere in Germany, nothing I did that I know of.
Honestly, I don't recall exactly how I did the cameras. I used the SADP tool and set the addresses, and then I know I am using the P2P via the Amcrest app. They for sure looked at the cameras, they were moved and not a reboot move, and not all of them were moved. Tonight I will check more. I must not have had some sort of authentication on I guess...

icmp 192.xx.xx.xx - destination 144.76.59.84 - status UNREPLIED. That destination IP is one I searched. I am in the logs of the PC and really can't make heads or tails of what has happened, but I know for sure there was no user in there named anonymous and there is an unidentified Android device that logged in. Not necessarily blaming Blue Iris, maybe they created that while in the PC, but that above-mentioned PC is not the Blue Iris PC, it's my main one... so if they were logged in, I have it all wide open for my convenience, I know not smart if someone gets in. Right now I know many of you on here have extensive knowledge on networking, I have been on here for years tapping into the knowledge, just never needed help before, so it appears I'm not active.
Anyhow, that above log and the fact the computer restarted and I don't know why is a problem. I am currently trying to establish a timeline of activity and want to see what the Blue Iris logs say, but I'm not really sure where that is. I will also look back at the recordings and SEE when the cameras moved, that will surely show if they moved without myself moving them, then I can check the logs on the time they moved against the "logged on" time of that added Android phone.

thanks everyone... this is really scary for me, I have everything available on that network... lesson learned here for sure.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,541
Location
USA
Just because the computer restarted doesn't necessarily mean you were hacked, especially if you haven't disabled all updates, it could have easily been an update that hung up and shut the computer down. One of my computers did that this morning, so totally possible it was a windows update. Most of mine are disabled but I have one computer that I still allow that auto updates and that is the one that crashed. I didn't see anything out of the ordinary.

There are so many possibilities on what that Germany IP address is - it could be anything - the amcrest app running through that IP location, or anything else running on your computer or the router even if you have Trendnet or some other program running on it doing diagnostics.

When you type in the IP address of the Germany one, does a company name come up?
 

spend2much

n3wb
Joined
Feb 9, 2017
Messages
18
Reaction score
9
I agree, I checked to see if the computer did an update and there haven't been any installed in the history; actually I always check that after a reboot to see what they did now (Windows 10 Pro on all machines) and ya know what? I never realized that if you just plant that IP in the address bar it may just pop up a website! Thanks for that! HAHA it goes to a company called "cfos software" in GERMANY. I'm starting to feel a little better now.... THAT'S why I'm on here with you guys!! I have no such software that I know of, but it could have been some pop-up ad or something. I really need to find out what caused that reboot.
Either way, I have to find out how that Blue Iris account was added... they had to get on the PC to add that account, don't you think? That is the spare PC, not the above-mentioned one that rebooted. And thanks wittaj, that was very helpful. I'm headed to the house now to dig in!
 

vandyman

Getting comfortable
Joined
Jul 24, 2018
Messages
555
Reaction score
1,620
Location
US
Some cameras will go to a default position when they lose power.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,541
Location
USA
Ok so a search on that comes up as:

The genuine cfosspeed.exe file is a software component of cFosSpeed by cFos Software.
cFosSpeed is an Internet traffic shaping utility. cfosspeed.exe runs the user interface process for the cFosSpeed program. This is not an essential process for Windows and can be disabled if known to create problems.

cFosSpeed is a packet filtering program used for controlling incoming and outgoing data streams in order to improve internet latency and overall connection speed. The program features a firewall, data volume configuration, displays online time, and also offers a network monitoring utility. cFosSpeed supports the Windows platform.

cFos Software GmbH is a German software company that develops communication and traffic shaping software for the Windows platform. The company was founded in 1993 and has since developed software for servers, routers, DSL and ISDN dial-ups, as well as personal computers. cFos is based in Bonn, Germany.


So based on that, I do not believe that is an issue and is probably something in your router and/or PC.

The Android device could be still showing up in a log and was once a device you or someone had that logged into your wifi. I have noticed those things are not the greatest at clearing out devices that were once logged in. I have an old phone still sitting here turned off in the drawer and the router says it is logged in until I do multiple refreshes of what is connected before it disappears. And sometimes the router will mislabel a device as Android when it is something else.

I would chase the IP address and MAC address of every device in your house and see if you can track down what it is. And create an Excel sheet or something and then also track what IP addresses and MAC addresses each device has to make this a lot simpler in the future!

Now the login in BI is the one we still need to figure out - it could be something as simple as the laptop you tried doesn't have authentication turned on and that is how it logged in, or maybe that is the default with the demo, or anything else, so hopefully someone else has an idea on that.
 

Old Timer

Known around here
Joined
Jul 20, 2018
Messages
1,352
Reaction score
2,945
Location
I'm ok
Is that the user that the console logs in on?
I know I went to change a user, and found there was an extra user added. Turns out it was
the user for the console, and was set so it could only be used from the local subnet.
 

spend2much

n3wb
Joined
Feb 9, 2017
Messages
18
Reaction score
9
I went into Program Files\Blue Iris 5\Logs and there is nothing in there. I would really like to see when someone signed on, track IP, device, something... My Alibi NVR keeps a log on all that, doesn't BI keep a log like that? I can't seem to find anything. I have only used the software for a few days, in fact I logged in just now and it says I have 11 days left. I would really like to read the activity logs or something, the only thing there is the SDK log.

As for the cameras that were moved, I have motion detection on so I don't know exactly when they moved, but a couple recorded at 1:48am in the normal spot, after that a couple were moved, and they were not moved as a reboot move, they were moved. I scanned the PC that houses Blue Iris, and nothing was found, scanned PC3, found some PUP button from Alexa or something like that, and nothing, but that was after a restore from Macrium. Now it's going to be time to turn on the main PC and see why that thing restarted. Then going to plug in one of those cameras and go into it and see if they logged something.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
Your pc was not rebooted. You state it was off. That was a result of a power interruption. This would also explain why your cams went to their default positions. You may have some cameras set to return to X position after reboot.
You are not reading your router logs correctly.
You also have exposed all your cameras by using dahua/amcrest p2p which is notoriously not secure.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
If the cameras were moved, you would have a motion event that shows they were moved. You don't.
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,521
Reaction score
22,657
Location
Evansville, In. USA
Read the Blue Iris help file about the logs, they are there. You have to enable a more detailed log, if you want it. Again read The help file.
 

CCTVCam

Known around here
Joined
Sep 25, 2017
Messages
2,660
Reaction score
3,480
Unless I'm very mistaken you cannot hack a Virtual Machine. It's completely isolated from the rest of your PC and network and the system files are software simulated and so can't be deleted or altered as they exist in the memory only - hence why VMs are used for live virus testing - because it cannot get out and spread to the actual PC or network. Whether they could use BI to get to network cameras attached to your app in your VM is another matter; however, Fenderman and others have answered that. The very fact you suspect a wider PC network hack tells me it's not a hack by virtue of the VM.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
939
Location
CT
Actually - that's not true, it is possible. A lot depends on how you have the VM's network configured. In most cases, the default setting is a bridged network where the VM network has its own RFC 1918 private IP and is bridged or routed to the actual local network that its host lives on. There was also an article (published last summer I believe) where a security researcher proved the opposite is true as well, where they "broke out" of a guest VM and gained access to the host.
 

IpCam_User

n3wb
Joined
Jul 14, 2018
Messages
19
Reaction score
15
Location
Earth
"icmp 192.xx.xx.xx - destination 144.76.59.84 - status UNREPLIED"

ICMP is a "ping". This is basically like your computer shouting "hello, anyone there" to the destination IP and it not shouting back "yes, I am here". In addition, this is showing traffic going from inside your network to the Internet. Something that might be a little more worrying is if the router logs showed TCP 144.76.59.84 - Destination 192.xxx.xxx.xxx:80 - status new. Then TCP 192.xxx.xxx.xxx - Destination 144.76.59.84:80 - status replied. Followed later by TCP 144.76.59.84 - Destination 192.xxx.xxx.xxx:80 - status established.

If I were to guess, I would say one or more of the cameras was attempting to Phone Home, do an auto check for firmware updates, etc. However, before it did that it attempted to "ping" its home to see if it could connect in the first place. IP: 144.76.59.84 <-> https:// www. cfos. de/ en-us/ index.htm

-----------------
As said above read, "How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk".

Make sure to add firewall rules on your router that basically says anything coming from {each internal camera IP} going to WAN drop all.
2nd rule, anything coming from WAN {Internet} with a destination of {Cameras/BI IP Address} drop and log all.

If you cannot put the cameras and BI on a separate network, pick a section in your network range and put them all in that section {i.e. 192.168.1.230-192.168.1.245, make the BI something like 192.168.1.230}. On each camera, point its "Default Gateway IP" to your BI workstation/VM, as this will make the camera think your BI workstation/VM is your router and its path to the Internet {i.e. Camera 1: IP 192.168.1.231; Sub: 255.255.255.0; Gateway: 192.168.1.230 - Camera 2: IP 192.168.1.232...}. This will make putting the firewall rules in your router a little bit easier.

Router Firewall:
Cameras IP 230 Out:
Source: 192.168.1.230 Destination: WAN Drop All

Camera IP 230 In:
Source: WAN Destination: 192.168.1.230 Drop&Log All

Camera IP 231, ... 245

Finally, as said above read, "How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk". Then re-read, "How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk" as you will miss something the first time.
Good Luck.
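As an added illustration (not code from the thread or from any poster), the following script parses router connection-tracking lines in the shape quoted above and checks each flow against the two rules this post describes: camera/BI block to WAN is dropped, WAN to camera/BI block is dropped and logged. It also tags the outbound ICMP UNREPLIED line from the thread as an unanswered probe and an inbound ESTABLISHED session as the pattern the post calls more worrying. The LAN range, the .230-.245 camera block and the log lines are constructed from the post's own numbers.

```python
"""Audit conntrack-style router log lines against the camera-isolation rules."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Assumed addressing, taken from the post: LAN 192.168.1.0/24, camera/BI block .230-.245
LAN = ipaddress.ip_network("192.168.1.0/24")
CAMERA_BLOCK = {ipaddress.ip_address(f"192.168.1.{h}") for h in range(230, 246)}

# Constructed sample lines in the shape quoted in the thread (144.76.59.84 is the IP from the post)
SAMPLE_LOG = """\
icmp 192.168.1.50 - destination 144.76.59.84 - status UNREPLIED
tcp 144.76.59.84 - destination 192.168.1.230:80 - status NEW
tcp 192.168.1.230 - destination 144.76.59.84:80 - status REPLIED
tcp 144.76.59.84 - destination 192.168.1.230:80 - status ESTABLISHED
tcp 192.168.1.231 - destination 144.76.59.84:443 - status NEW
tcp 192.168.1.231 - destination 192.168.1.230:554 - status ESTABLISHED
"""

# "<proto> <src>[:port] - destination <dst>[:port] - status <state>"
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+)(?::\d+)?\s+-\s+destination\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s+-\s+status\s+(?P<state>\w+)\s*$",
    re.IGNORECASE,
)


@dataclass
class Flow:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int]
    state: str


def parse_line(line: str) -> Optional[Flow]:
    """Parse one router log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["proto"].lower(), ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]),
                int(m["dport"]) if m["dport"] else None, m["state"].upper())


def is_wan(addr: ipaddress.IPv4Address) -> bool:
    return addr not in LAN and addr.is_global


def apply_rules(flow: Flow):
    """Return (verdict, logged) for the two rules in the post."""
    if flow.src in CAMERA_BLOCK and is_wan(flow.dst):
        return "DROP", False      # rule 1: camera/BI -> WAN, drop all
    if is_wan(flow.src) and flow.dst in CAMERA_BLOCK:
        return "DROP", True       # rule 2: WAN -> camera/BI, drop and log
    return "ACCEPT", False


def classify(flow: Flow) -> str:
    """Label the flow the way the post reads the log lines."""
    outbound = flow.src in LAN and is_wan(flow.dst)
    inbound = is_wan(flow.src) and flow.dst in LAN
    if outbound and flow.state == "UNREPLIED":
        return "outbound-unanswered"   # the ICMP line: a probe nobody answered
    if inbound and flow.state == "ESTABLISHED":
        return "inbound-established"   # an outside host holding a session inside
    if inbound:
        return "inbound-attempt"
    return "outbound" if outbound else "internal"


def audit(log_text: str):
    rows = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue
        verdict, logged = apply_rules(flow)
        rows.append({"line": line, "verdict": verdict, "logged": logged, "kind": classify(flow)})
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(f"{row['verdict']:6} log={str(row['logged']):5} {row['kind']:20} {row['line']}")
```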
 