Topic: VeraPlus trying default passwords against other devices on network

Offline wirefall

This is likely related to the thread "Vera Lite scanning localnet port 80" http://forum.micasaverde.com/index.php/topic,36235.0.html as it appears to be camera related.

While reviewing logs to troubleshoot a VeraPlus device that has full Internet connectivity, but refuses to register itself as online with the Vera portal, I found some connection error messages that I expected to find, such as the following:

01   02/23/16 15:13:42.563   FileUtils::ReadURL 0/resp:404 user: pass: size 87 https://vera-us-oem-device11.mios.com/device/device/device/<SNIP>/plugins response: ERROR:Invalid request, allowed:device/x/localdevices, device/x/name, device/x/ergyconf
01   02/23/16 15:13:43.395   FileUtils::ReadURL 0/resp:404 user: pass: size 87 https://vera-us-oem-device12.mios.com/device/device/device/<SNIP>/plugins response: ERROR:Invalid request, allowed:device/x/localdevices, device/x/name, device/x/ergyconf
02   02/23/16 15:13:43.396   RAServerSync::SyncPluginsMMS alt 0 response 404 url https://vera-us-oem-device12.mios.com/device/device/device/<SNIP>/plugins with 3 bytes
01   02/23/16 15:13:43.396   RAServerSync::SyncPluginsMMS failed

But then I saw this...

01   02/23/16 15:29:24.100   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/cgi-bin/get_status.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.110   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/get_status.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.113   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/get_status.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.116   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/common/info.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.119   FileUtils::ReadURL 7/resp:0 user:admin pass:admin size 1 http://10.10.40.52/common/info.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.122   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/common/info.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.126   FileUtils::ReadURL 7/resp:0 user:admin pass:admin size 1 http://10.10.40.52/common/info.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.130   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/check_user.cgi?user=test&pwd=test response:  <0x772b8520>
01   02/23/16 15:29:24.137   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/top.htm response:  <0x772b8520>
01   02/23/16 15:29:24.140   FileUtils::ReadURL 7/resp:0 user:admin pass: size 1 http://10.10.40.52/top.htm response:  <0x772b8520>
01   02/23/16 15:29:24.144   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/cgi-bin/CGIProxy.fcgi response:  <0x772b8520>
01   02/23/16 15:29:24.147   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/index.html response:  <0x772b8520>
01   02/23/16 15:29:24.151   FileUtils::ReadURL 7/resp:0 user:admin pass: size 1 http://10.10.40.52/index.html response:  <0x772b8520>
01   02/23/16 15:29:24.153   FileUtils::ReadURL 7/resp:0 user:dceadmin pass:dcepass size 1 http://10.10.40.52/index.html response:  <0x772b8520>
01   02/23/16 15:29:24.161   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/CgiTagMenu?page=Top&Language=0 response:  <0x772b8520>
01   02/23/16 15:29:24.164   FileUtils::ReadURL 7/resp:0 user:admin pass: size 1 http://10.10.40.52/CgiTagMenu?page=Top&Language=0 response:  <0x772b8520>
01   02/23/16 15:29:24.167   FileUtils::ReadURL 7/resp:0 user:dceadmin pass:dcepass size 1 http://10.10.40.52/CgiTagMenu?page=Top&Language=0 response:  <0x772b8520>
01   02/23/16 15:29:24.171   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/pages/camera_login.php?login=true response:  <0x772b8520>
01   02/23/16 15:29:24.175   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/util/query.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.180   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/util/query.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.187   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/util/query.cgi response:  <0x772b8520>

The username/password combo dceadmin/dcepass is default for Panasonic IP Cameras, which are supported by the Vera controllers, but I don't expect something on my network to perform a dictionary attack against my other devices (the above is a tablet that has never been used to connect to the VeraPlus). Talk about sending a security practitioner through the roof!
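Added example (not part of the original thread): a short Python parser for the `FileUtils::ReadURL` log format quoted above, which groups requests aimed at private LAN addresses by target host and lists the credential pairs sent to each. The sample lines are constructed from the format shown in the post; the function names and the `min_creds` threshold are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the log format quoted in the post above.
SAMPLE_LOG = """\
01   02/23/16 15:13:43.395   FileUtils::ReadURL 0/resp:404 user: pass: size 87 https://vera-us-oem-device12.mios.com/device/device/device/<SNIP>/plugins response: ERROR:Invalid request
01   02/23/16 15:29:24.116   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/common/info.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.119   FileUtils::ReadURL 7/resp:0 user:admin pass:admin size 1 http://10.10.40.52/common/info.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.140   FileUtils::ReadURL 7/resp:0 user:admin pass: size 1 http://10.10.40.52/top.htm response:  <0x772b8520>
01   02/23/16 15:29:24.153   FileUtils::ReadURL 7/resp:0 user:dceadmin pass:dcepass size 1 http://10.10.40.52/index.html response:  <0x772b8520>
"""

# user:/pass: may be empty, so both fields are matched with \S*.
LINE_RE = re.compile(
    r"FileUtils::ReadURL \d+/resp:(?P<resp>\d+) "
    r"user:(?P<user>\S*) pass:(?P<pw>\S*) size \d+ (?P<url>\S+) response:"
)

def summarize_probes(log_text):
    """Group ReadURL requests to private (LAN) IP addresses by target host."""
    hosts = defaultdict(lambda: {"paths": set(), "creds": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            parts = urlsplit(m["url"])
            addr = ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            continue  # not an IP literal, e.g. the mios.com portal hosts
        if not addr.is_private:
            continue
        entry = hosts[str(addr)]
        entry["paths"].add(parts.path)
        if m["user"]:  # record only requests that carried a username
            entry["creds"].add((m["user"], m["pw"]))
    return dict(hosts)

def flag_credential_probing(log_text, min_creds=2):
    """Return LAN hosts that were sent at least min_creds distinct credential pairs."""
    summary = summarize_probes(log_text)
    return sorted(h for h, e in summary.items() if len(e["creds"]) >= min_creds)

if __name__ == "__main__":
    for host in flag_credential_probing(SAMPLE_LOG):
        print(host, sorted(summarize_probes(SAMPLE_LOG)[host]["creds"]))
```
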

Online sebby

« Reply #1 on: March 13, 2016, 01:31:03 pm »
I am seeing the same thing, did you ever figure out what was happening?

Offline BOFH

« Reply #2 on: March 13, 2016, 01:43:41 pm »
Under Settings -> Net & Wi-Fi, uncheck Auto detect devices on my home network and that behavior should stop.

I use a *nix box as a gateway/firewall and it detected the 'attack' and sent me a notification. I've not seen any more of this since I switched off the above 'feature'.

I believe older Veras also perform at least part of this checking in UI7. I've always switched it off as my cameras go via Blue Iris and as such it's a waste of bandwidth and it'll pop up cameras it has found that I already access via BI. ;)
« Last Edit: March 13, 2016, 01:45:59 pm by BOFH »
Vera3 UI5 UI7 Edge Plus
Trane TZEMT400AB32 | Schlage BE369 FE599 | GE 45601 45602 45603 45604 45606 45609 45631 | Intermatic HA01C HA03C HA05C HA07C CA600 CA3000 | Aeon DSC06106 | Telguard GDC1 | Foscam FI8910W FI8905W FI9821W | D-Link 930L | Wanscam JW0011 | ZModo ZPIBH13W

Online sebby

« Reply #3 on: March 14, 2016, 10:11:55 am »
After a couple of days of running like this, I can confirm that the ReadURL errors do go away by doing this, but I am still seeing the "RAServerSync::SyncPluginsMMS failed" errors.

Offline LindsiWains

« Reply #4 on: November 14, 2016, 02:32:35 pm »
Hi Pals,

I need help in developing a great Excel sheet to use for logging core device events on our network, e.g. Core Servers, Firewall, Web Security Appliances.