While looking at the latest honeypot data for what is happening with Synology devices, I did notice one particular agressive IP connecting to a number of our honeypot IPs. At first, I figured it may just be a new Shodan scan (got tons of them in the honeypot). But when I connected to port 443 using openssl, I saw a rather interesting SSL certificate being sent: $ openssl s_client -connect a.b.c.d:443 CONNECTED(00000003) depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = HIKVISION, OU = DVRNVR, CN = www.hikvision.com, emailAddress = menghong@hikvision.com verify error:num=18:self signed certificate verify return:1 depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = HIKVISION, OU = DVRNVR, CN = www.hikvision.com, emailAddress = menghong@hikvision.com verify return:1 GET --- Certificate chain 0 s:/C=CN/ST=ZheJiang/L=HangZhou/O=HIKVISION/OU=DVRNVR/CN=www.hikvision.com/emailAddress=menghong@hikvision.com i:/C=CN/ST=ZheJiang/L=HangZhou/O=HIKVISION/OU=DVRNVR/CN=www.hikvision.com/emailAddress=menghong@hikvision.com This certificate appears to be associated with a DVR sold in conjunction with security camera systems [1]. Usually these systems run some form of Linux, so I guess it is to expected that given a weak password, these systems get mistaken for a Linux server and exploited just like one. Right now, if I am real lucky I may be able to get a hold of the owner of the DVR, but it looks like a Chinese residential IP so not getting my hopes up too high. [1] http://www.hikvision.com/en/us/index.asp
------ |
Johannes 3693 Posts ISC Handler |
Subscribe |
Mar 28th 2014 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!