cd650

Avtech strange traffic going to internet


I have recently bought an Avtech DVR, I also have a Juniper Netscreen firewall connecting me to the internet. Last week I noticed some strange traffic going to the internet. The DVR seems to do a DNS lookup for Google every minute, then do an HTTP connection on port 80. I decided to run a packet sniffer on the traffic and I noticed that the port 80 traffic had a protocol called carrius-rshell contained in it. If you check the internet you will see that this is a remote desktop protocol. Then I noticed that it was doing DNS lookups for a host checkip.dydns.org which resolved to 208.87.33.151. Now this is where it gets even stranger. This IP address is registered to a company called Secure Hosting Ltd based in the Bahamas (BS) in the region Caribbean and West Indies. I only found that last one earlier today. So at the minute I have set a rule on my firewall allowing it to do the DNS lookup and to be able to connect to the 208 address. I also have a packet sniffer running so that I can see what traffic is going to it once it makes contact with it. I will post back once I know. But has anyone else seen anything like this? What would be the point in a standalone DVR contacting Google every minute and contacting an IP address in the Bahamas?? Is there a back door into these things and it's registering itself with some third party, giving my IP address??

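The once-a-minute lookups described in the post are the kind of pattern a defender can pick out of a resolver or firewall log by timing alone. The following is an added example, not code from this thread or from Avtech, that flags (source, name) pairs queried at a near-constant interval; the log lines, addresses and timestamps are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (not captured from the thread's DVR): a DVR at
# 192.168.1.50 querying two names every ~60 s, and a workstation at
# 192.168.1.20 doing irregular lookups. Format: epoch_seconds src qname
SAMPLE_LOG = """\
1000 192.168.1.50 www.google.com
1000 192.168.1.50 checkip.dydns.org
1003 192.168.1.20 example.org
1060 192.168.1.50 www.google.com
1061 192.168.1.50 checkip.dydns.org
1120 192.168.1.50 www.google.com
1121 192.168.1.50 checkip.dydns.org
1180 192.168.1.50 www.google.com
1180 192.168.1.50 checkip.dydns.org
1240 192.168.1.50 www.google.com
1240 192.168.1.50 checkip.dydns.org
1255 192.168.1.20 example.org
1300 192.168.1.50 www.google.com
1301 192.168.1.50 checkip.dydns.org
1320 192.168.1.20 example.com
"""

def parse_log(text):
    """Return {(src, qname): [timestamps, ...]} from the simple log format."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname = line.split()
        series[(src, qname.lower())].append(int(ts))
    return series

def find_beacons(text, min_hits=5, max_jitter=5.0):
    """Return sorted (src, qname, mean_gap, hits) for pairs looked up at a
    near-constant interval: >= min_hits lookups, gap stdev <= max_jitter s."""
    hits = []
    for (src, qname), stamps in parse_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            hits.append((src, qname, round(mean(gaps), 1), len(stamps)))
    return sorted(hits)

if __name__ == "__main__":
    for src, qname, interval, n in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {qname}: {n} lookups every ~{interval}s")
```

On the sample above only the DVR's two names are reported; the workstation's lookups are too few and too irregular to match.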

Crazy stuff...

 

I prefer to leave that stuff blank and just install the DynDNS updater tool on the desktop of the most frequently used PC on the network. On the DVR for the network I only set the ports, IP, subnet, and gateway and I've never had any problems.


Yes I know they can be set to use your own DDNS, but I have not set it up. There is a setting in the firmware that I have no access to sending out remote desktop protocols on port 80 to Google and doing its own DDNS to the West Indies. To be honest I find this highly suspicious. I work in network security, and the only time I see traffic like this would be from a PC with a virus or trojan on it. So what's going on here? Most people with normal routers would never see this traffic and even if they did they could not block it. The only reason that I can block this is because I'm using a Juniper Netscreen firewall as well as my normal broadband router.

Now this may or may not have any connection to this. But I have 3 IP addresses located in China that keep hitting the DVR's port connecting to the internet. I have seen no actual login attempts yet, but something keeps checking that it's there.

Some of the new Avtech DVRs can only use DVRDNS; they cannot use DynDNS anymore.

 

Doesn't matter...

 

I was talking about using a PC to update the WAN IP. This way, all you need to do is forward the ports on the router, and program the IP/ports on the DVR. No DNS/DDNS programming is required on the DVR itself.


I would like to learn more about this behavior.

 

Note:

Check to see what the settings are for daylight savings time.

 

There is a setting for keeping the time from a server. AVTech is located in Taiwan, and Chinese IP addresses would not be out of the norm if it was calling home to AVTech.

 

What does traceroute show?


Well, I reported this to the company and the distributor over a week ago and I have heard nothing back. That in itself says that they don't want to comment on why this is happening. I came across a hacking book on Google that had Avtech equipment in it. I don't really want to pay £30-£40 for it, so I don't know what it says about hacking it. But my firewall is full of logs because this thing tries to get to the internet by itself 24/7. Still no idea why. Perhaps I'm posting in the wrong forum; I'll do some posting on the network security and hacking forums. If I come across anything I'll put it on here.


Since I am located in the Bahamas AND I am a Bahamian, I feel obligated to respond .. and I also have a cheap Avtech DVR. Also I am in no way saying we don't have a criminal society here .. cause lord knows we do .. sadly .. but in this case I think it is outside of our realm.

 

1st off .. is this from the DVR itself or the network software?

 

As far as the IP stuff goes .. yes there is a company here by that name, but it is small time, some offshore hosting thing that's been around for a few years. As far as I know it is Canadians or Americans that own it; check the domain owner's name for that site, it is NOT a Bahamian name. If they were in fact hosting something illegal though, I am certain our authorities would be interested, but I don't think it is that.

 

Now, I looked up that IP you posted and indeed one site (nwtools.com) does say it is located in the Bahamas, however the actual domain name they have linked to the IP is medialogik.com, which upon further checking is located in Barbados .. far away from my country.

 

Typically our IPs in this country are 206.xxx or 24.xxx etc.

Now, Avtech is based out of Taiwan, but many companies INCLUDING some of the big US brands do have distributor hubs in Barbados (not the Bahamas), so that could be why you are seeing something out of that area. I dealt with Extreme CCTV for years, for example, a Canadian company that made high-end infrared products, which you might know as Derwent on the UK side, and they had a hub in Barbados.

 

Other than that I don't know ...

Please let us know if you find anything else out.


Sorry, I'm not suggesting that it is strange because it resolved to your country. Because it is looking up the DDNS name, I find that it keeps changing, and at the moment the IP it resolves to is in the States. And it is the DVR itself that is creating the outbound traffic. I have made sure that the DDNS settings in the menu are disabled. What would be interesting to know is who owns the checkip DDNS name. Here are a few things I have come across. I am convinced that this is some kind of "I'm here" traffic that it is sending to Google's search engine. Meaning if you know the right thing to search for you could find my DVR. Here are a few interesting links. One is about Google hacking and DVRs and the other is a hacking book that lists Avtech equipment. Now remember my DVR is doing a Google DNS search every 60 seconds 24/7, then it goes to www.google.com on port 80. Then 1 minute later it does it all again. Also it is doing a DNS lookup to that checkip DDNS name and doing a port 80 connection to that as well. This is the firmware of the DVR doing this and nothing that I have set.

 

http://videoalberto.wordpress.com/2008/03/05/hack-to-search-and-view-free-live-webcam-with-google-search/

 

 

http://en.wikipedia.org/wiki/Google_hacking

 

http://books.google.co.uk/books?id=bvB1-MmhEjQC&pg=PA336&lpg=PA336&dq=Google+hacking+avtech&source=bl&ots=ejvr3rScwa&sig=uOIqgYpDA9Ac_p-KCgS6L3_Cvto&hl=en&ei=tIb3S77FKZL-0gSVkaHqBw&sa=X&oi=book_result&ct=result&resnum=2&ved=0CB0Q6AEwAQ#v=onepage&q&f=false


It's okay

 

As for the Google thing .. the links are mostly Axis-based systems ..

The difference between those and yours is simple.

The Axis cameras you find on Google are already on the web .. basically there is a list or page on another webpage/site somewhere that has a link to that IP.

 

With Avtech there is not, typically .. unless maybe you choose to use their DDNS service .. if it exists (I've never tried). In fact I hardly use their DVR anyway, it's just a freebie second-hand DVR and I will change it the first chance I get for something with good quality video.

 

So yes, I can find hundreds, in fact thousands, of Axis demos online to test .. but they all have put them on a webpage somewhere (knowingly or not) whose link is somewhere that Google and other search engines can index. In fact there is a webpage (I think) linked from Axis that you can go to to view the sites based on the DDNS names, sort of like a demo for their cameras; if not from them, there are other external sites that list them, all of which are indexed by search engines (e.g. http://www.123-cam.com). In other words, they are not private; the user in almost all cases realizes they can be accessed by anyone. Actually, using Axis MJPEG most don't even need a user or password.

 

For another example, GeoVision DVRs have their own DDNS service as well .. one can also locate tons of Geo DVRs through Google or other means; the difference is that Geo DVRs normally have a user and password.

 

I understand though that this still does not answer the issue at hand.


Yes, that's true about the Axis cameras. And there is an option for me to set a DDNS on the Avtech, which I have disabled because I have the service running on my outer router. I would like the company to tell me why the unit is doing an HTTP connection to Google using a remote desktop protocol every minute on port 80 and then to a DDNS address on port 80. I can assure you that I have nothing set on the unit to do this. This is something happening in the firmware. Why would the firmware be doing this?

This is highly suspect; if I saw something on my company network doing this it would be switched off and sent back to the supplier if they could not offer a firmware without this feature.
