
Unidentified Scanning Activity (SANS Internet Storm Center diary)

Over the past two weeks, my honeypot has captured a new scan. According to the URL targeted and some research, this might be used to identify Dahua[1] or HiSilicon[2] digital video recorder (DVR) products. So far I have only seen this activity against port 80, and the scans look like this:

20190907-090937: 192.168.25.9:80-XXX.190.6.228:48968 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-093912: 192.168.25.9:80-XXX.188.126.243:36847 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-094441: 192.168.25.9:80-XXX.189.237.44:44343 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-100443: 192.168.25.9:80-XXX.188.40.103:35067 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115225: 192.168.25.9:80-XXX.177.116.123:40904 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115630: 192.168.25.9:80-XX.186.174.54:57636 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-122646: 192.168.25.9:80-XXX.189.27.141:38624 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'

If you are seeing this kind of activity and are able to help identify the product targeted, or confirm it is one of the two I listed, leave a comment on our page. I did find an exploit against HiSilicon DVRs, released last year, that requests the same URL[3].
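As an added example, not part of the diary, here is a small Python parser for honeypot lines in the format shown above that flags the ProductDefinition probe and tallies it by source address and targeted port; the embedded log lines are constructed (the redacted XXX octets are kept as in the diary, and a port 8080 line is added to reflect the ports listed in the update).

```python
import re
from collections import Counter

# Constructed sample lines in the diary's honeypot format (addresses made up, XXX kept as redaction).
SAMPLE_LOG = r"""
20190907-090937: 192.168.25.9:80-XXX.190.6.228:48968 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-093912: 192.168.25.9:80-XXX.188.126.243:36847 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-094500: 192.168.25.9:80-XXX.190.6.228:48970 data 'GET / HTTP/1.1\r\nHost: 192.168.25.9\r\n\r\n'
20190907-101200: 192.168.25.9:8080-XXX.177.116.123:40904 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
""".strip()

LINE_RE = re.compile(r"^(?P<ts>\d{8}-\d{6}): (?P<dst_ip>[\w.]+):(?P<dst_port>\d+)-"
                     r"(?P<src_ip>[\w.]+):(?P<src_port>\d+) data '(?P<data>.*)'$")
# The DVR fingerprint probe: a GET whose path climbs with "../" and ends in ProductDefinition.
PROBE_RE = re.compile(r"^GET (?:\.\./)+mnt/custom/ProductDefinition\b")

def parse_line(line):
    """Return the fields of one honeypot line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dst_port"], rec["src_port"] = int(rec["dst_port"]), int(rec["src_port"])
    # The payload is logged escaped, so the request line ends at the first literal "\r\n".
    rec["request_line"] = rec["data"].split(r"\r\n", 1)[0]
    return rec

def find_probes(log_text):
    """Return the parsed records whose request line is the ProductDefinition probe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PROBE_RE.match(rec["request_line"]):
            hits.append(rec)
    return hits

def summarize(hits):
    """Tally probe hits per source IP and per targeted port for triage or blocklisting."""
    return {"by_source": Counter(h["src_ip"] for h in hits),
            "by_port": Counter(h["dst_port"] for h in hits)}

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for h in probes:
        print(f"{h['ts']} {h['src_ip']} -> port {h['dst_port']}: {h['request_line']}")
    print(summarize(probes))
```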

Update 1

I received the following update via Twitter:

GreyNoise Intelligence (@GreyNoiseIO) has observed a very large spike in compromised Mirai-infected devices around the Internet bruteforcing DVR/IP camera devices using the NETsurveillance ActiveX plugin. This activity is originating from roughly 7% of total Mirai infects tracked by GreyNoise.

@MasafumiNegishi has observed the following ports being scanned for the same activity: TCP 80, 81, 82, 83, 85, 88, 8000, 8080, 8081, 9090, and another moobot variant has been scanning Hisilicon DVR devices on 80/tcp since August 29. Both moobot variants share the same C2.

[1] https://www.dahuasecurity.com/
[2] http://www.hisilicon.com
[3] https://www.exploit-db.com/exploits/44004

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Hi,

I see this traffic in my logs. The service running is http://hdl.handle.net/. I will try to find further information. Hope it may help.

Thanks
Anonymous
