eganson

ACTi & other Streamer Questions


We have found an ACTi SED2100R in the field sometimes attempts to connect to www.hinet.net in Taiwan, but not sure exactly why it would _need_ to??

It appears to primarily do this when a user selects the 'system info' button from within the server... any ideas? I blocked the site at the router, and now the sys info won't show (no loss there), but I'm not sure what traffic passes through when it isn't blocked, or what exactly comes in. Only have a tap on the streamer's 'talk' side now, just seeing attempts to connect there along with the flawless video streaming. I think it's checking system firmware against their latest revision, but not sure... (don't know where in hinet.net)

With recent talk of unsecured Axis cameras, maybe another _possible_ risk could be hardware streamers/cameras talking-out from within networks... This doesn't appear to be the case with this device, but maybe something to watch out for. Hardware spyware? Just a thought... how many would notice, if their video works well..?


I imagine, just an idea though, that it is ACTi's ISP, and they are hosting a relay or server there that serves a database for the newest firmware, or maybe something else like that. I don't think it could be considered Spyware, as perhaps it's a way for the hardware to stay up to date with the latest firmware - e.g. Nortons has Auto Live Update set to on by default unless you manually disable it, and so does Windows XP. Though still, there should be a setting to ask you if you want to do that or not automatically, or somewhere you should be able to turn it off at the least.

Best bet would be to email them with the info and see what they say ... I have one of their email contacts here, if you like I can shoot them an email about it.

Rory


From what I see in the packets, it just pings hinet.net... the site's all in Chinese, two different IPs...(61.219.38.89 & 203.66.88.89) then it proceeds to output the firmware data in html. But why ping somewhere outside as a prerequisite to posting its own info? (there's no autoupdate feature of any kind) I'll have to ask them about it...

Not a spyware at all, just made me wonder about the future possibilities of firmware-based spies, trojans, and hidden 'default' logins... how many of us watch the packet stream that close?

Something to keep an eye on with IP based video, since a lot of info can shoot out in a few packets without any effect on the video stream...


Interesting. What is the firmware version?

Just tried 2 of my installed units, don't seem to have such problem, except 1 unit which has DNS setting entries for email/FTP notification (a function in the Streaming Activator software); when system info is requested, it does ping the DNS servers to ensure connectivity.


The firmware is A1D-V1.01.05-AC, so an update might not hurt. It is running the TZO ddns, but that queries our DNS and then tzo.com... Maybe something left in the firmware from their testing? The only time it does it is on request of 'system info', and won't report it without talking to hinet. I haven't heard back from ACTi yet...


Looks ugly now that I've seen more packets..

Capturing packets from the streamer's talk side, I discovered more attempted connections from this thing now, to sites in Switzerland, Mexico, Hong Kong, New Jersey (USA), Taipei Taiwan... all without affecting the video stream.

I have the packet-dumps of streamer's output (video stream filtered-out) if anyone else cares to take a look too. Happy to email or post 'em on a web page..

It looks to me like someone's trying to run reverse shell scripts connecting out.... with the streamer giving back http error codes? Or is the streamer attempting these against other networks?

/awstats/awstats.pl?configdir=| echo;echo%...............

/cgi-bin/awstats.pl?............(many attempts & ports)

CACTI RCE exploits...

/cacti/graph_image.php...............

XML RPC RCE exploits...

/xmlrpc.php...............

/blog/xmlrpc.php...... /blog/xmlsrv/xmlrpc.php....... (many attempts & ports)

What I've caught are saying '404 not found on server' when the ACTi SED 2100R speaks... if the rain ever stops I'll go tap the streamer's listen side and see what's coming in...
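
The open question in the post above is whether the streamer is receiving these requests or sending them. The following is an added example, not code from the thread: it sorts HTTP first lines from a capture by direction relative to the device and tags the probe families named above. The addresses, sample records, and function names are constructed assumptions.

```python
import re

# Probe families named in the thread, matched on the request path.
PROBES = {
    "awstats": re.compile(r"/awstats\.pl\?", re.I),
    "cacti": re.compile(r"/cacti/graph_image\.php", re.I),
    "xmlrpc": re.compile(r"/xmlrpc\.php", re.I),
}
REQUEST = re.compile(r"^(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
STATUS = re.compile(r"^HTTP/1\.[01] (\d{3})\b")

def probe_family(path):
    """Return the probe family a request path belongs to, or None."""
    return next((name for name, rx in PROBES.items() if rx.search(path)), None)

def classify(records, device_ip):
    """Split HTTP first lines by direction relative to the device.

    records: iterable of (src_ip, dst_ip, first_line) taken from a capture.
    """
    out = {"inbound_requests": [], "outbound_requests": [], "device_replies": []}
    for src, dst, line in records:
        req, status = REQUEST.match(line), STATUS.match(line)
        if req and dst == device_ip:
            # A remote host is the client; the device is acting as web server.
            out["inbound_requests"].append((src, probe_family(req.group(1))))
        elif req and src == device_ip:
            # The device itself opened the connection and sent the request.
            out["outbound_requests"].append((dst, probe_family(req.group(1))))
        elif status and src == device_ip:
            # Status lines from the device are answers to inbound requests.
            out["device_replies"].append(int(status.group(1)))
    return out

# Constructed sample records: documentation-range addresses, payloads elided.
DEVICE = "192.0.2.10"
SAMPLE = [
    ("198.51.100.7", DEVICE, "GET /awstats/awstats.pl?configdir=ELIDED HTTP/1.0"),
    (DEVICE, "198.51.100.7", "HTTP/1.0 404 Not Found"),
    ("203.0.113.9", DEVICE, "POST /blog/xmlrpc.php HTTP/1.1"),
    (DEVICE, "203.0.113.9", "HTTP/1.1 404 Not Found"),
    ("203.0.113.9", DEVICE, "GET /cacti/graph_image.php?ELIDED HTTP/1.1"),
    (DEVICE, "203.0.113.9", "HTTP/1.1 404 Not Found"),
    (DEVICE, "198.51.100.80", "GET /index.html HTTP/1.0"),
]

if __name__ == "__main__":
    for key, rows in classify(SAMPLE, DEVICE).items():
        print(key, rows)
```

A capture taken only on the device's transmit side shows the `device_replies` rows without the requests that caused them, so both directions are needed to fill `inbound_requests`.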
