Vera - Smarter Home Control Forum

Advanced => Security => Topic started by: wirefall on February 23, 2016, 06:26:48 pm

Title: VeraPlus trying default passwords against other devices on network
Post by: wirefall on February 23, 2016, 06:26:48 pm
This is likely related to the thread "Vera Lite scanning localnet port 80" http://forum.micasaverde.com/index.php/topic,36235.0.html as it appears to be camera related.

While reviewing logs to troubleshoot a VeraPlus device that has full Internet connectivity, but refuses to register itself as online with the Vera portal, I found some connection error messages that I expected to find, such as the following:

01   02/23/16 15:13:42.563   FileUtils::ReadURL 0/resp:404 user: pass: size 87 https://vera-us-oem-device11.mios.com/device/device/device/<SNIP>/plugins response: ERROR:Invalid request, allowed:device/x/localdevices, device/x/name, device/x/ergyconf
01   02/23/16 15:13:43.395   FileUtils::ReadURL 0/resp:404 user: pass: size 87 https://vera-us-oem-device12.mios.com/device/device/device/<SNIP>/plugins response: ERROR:Invalid request, allowed:device/x/localdevices, device/x/name, device/x/ergyconf
02   02/23/16 15:13:43.396   RAServerSync::SyncPluginsMMS alt 0 response 404 url https://vera-us-oem-device12.mios.com/device/device/device/<SNIP>/plugins with 3 bytes
01   02/23/16 15:13:43.396   RAServerSync::SyncPluginsMMS failed

But then I saw this...

01   02/23/16 15:29:24.100   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/cgi-bin/get_status.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.110   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/get_status.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.113   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/get_status.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.116   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/common/info.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.119   FileUtils::ReadURL 7/resp:0 user:admin pass:admin size 1 http://10.10.40.52/common/info.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.122   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/common/info.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.126   FileUtils::ReadURL 7/resp:0 user:admin pass:admin size 1 http://10.10.40.52/common/info.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.130   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/check_user.cgi?user=test&pwd=test response:  <0x772b8520>
01   02/23/16 15:29:24.137   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/top.htm response:  <0x772b8520>
01   02/23/16 15:29:24.140   FileUtils::ReadURL 7/resp:0 user:admin pass: size 1 http://10.10.40.52/top.htm response:  <0x772b8520>
01   02/23/16 15:29:24.144   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/cgi-bin/CGIProxy.fcgi response:  <0x772b8520>
01   02/23/16 15:29:24.147   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/index.html response:  <0x772b8520>
01   02/23/16 15:29:24.151   FileUtils::ReadURL 7/resp:0 user:admin pass: size 1 http://10.10.40.52/index.html response:  <0x772b8520>
01   02/23/16 15:29:24.153   FileUtils::ReadURL 7/resp:0 user:dceadmin pass:dcepass size 1 http://10.10.40.52/index.html response:  <0x772b8520>
01   02/23/16 15:29:24.161   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/CgiTagMenu?page=Top&Language=0 response:  <0x772b8520>
01   02/23/16 15:29:24.164   FileUtils::ReadURL 7/resp:0 user:admin pass: size 1 http://10.10.40.52/CgiTagMenu?page=Top&Language=0 response:  <0x772b8520>
01   02/23/16 15:29:24.167   FileUtils::ReadURL 7/resp:0 user:dceadmin pass:dcepass size 1 http://10.10.40.52/CgiTagMenu?page=Top&Language=0 response:  <0x772b8520>
01   02/23/16 15:29:24.171   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/pages/camera_login.php?login=true response:  <0x772b8520>
01   02/23/16 15:29:24.175   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/util/query.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.180   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/util/query.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.187   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/util/query.cgi response:  <0x772b8520>

The username/password combo dceadmin/dcepass is default for Panasonic IP Cameras, which are supported by the Vera controllers, but I don't expect something on my network to perform a dictionary attack against my other devices (the above is a tablet that has never been used to connect to the VeraPlus). Talk about sending a security practitioner through the roof!
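Added example (not part of the original post, and not Vera's code): a small parser for the `FileUtils::ReadURL` lines quoted above that groups requests by private-address target and lists the credential pairs tried against each. The field layout is inferred from those log lines, and the `min_creds` threshold is an assumption.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Field layout inferred from the FileUtils::ReadURL lines quoted in the post.
READURL = re.compile(
    r"^\d+\s+\d\d/\d\d/\d\d\s+\d\d:\d\d:\d\d\.\d+\s+FileUtils::ReadURL\s+\S+\s+"
    r"user:(?P<user>\S*)\s+pass:(?P<pw>\S*)\s+size\s+\d+\s+(?P<url>\S+)"
)

# Sample input: lines copied from the post above (first response text trimmed).
SAMPLE = """\
01   02/23/16 15:13:42.563   FileUtils::ReadURL 0/resp:404 user: pass: size 87 https://vera-us-oem-device11.mios.com/device/device/device/<SNIP>/plugins response: ERROR:Invalid request
01   02/23/16 15:29:24.100   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/cgi-bin/get_status.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.119   FileUtils::ReadURL 7/resp:0 user:admin pass:admin size 1 http://10.10.40.52/common/info.cgi response:  <0x772b8520>
01   02/23/16 15:29:24.130   FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/check_user.cgi?user=test&pwd=test response:  <0x772b8520>
01   02/23/16 15:29:24.140   FileUtils::ReadURL 7/resp:0 user:admin pass: size 1 http://10.10.40.52/top.htm response:  <0x772b8520>
01   02/23/16 15:29:24.153   FileUtils::ReadURL 7/resp:0 user:dceadmin pass:dcepass size 1 http://10.10.40.52/index.html response:  <0x772b8520>
""".splitlines()

def probe_summary(lines):
    """Per private-IP target: request count, distinct paths, credential pairs sent."""
    hosts = defaultdict(lambda: {"requests": 0, "paths": set(), "creds": set()})
    for line in lines:
        m = READURL.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        try:
            if not ipaddress.ip_address(url.hostname).is_private:
                continue
        except ValueError:
            continue  # hostname, not a literal IP (e.g. the mios.com sync URLs)
        entry = hosts[url.hostname]
        entry["requests"] += 1
        entry["paths"].add(url.path)
        if m["user"] or m["pw"]:  # only the user:/pass: fields, not query strings
            entry["creds"].add((m["user"], m["pw"]))
    return dict(hosts)

def flag_hosts(summary, min_creds=2):
    """Targets that received at least min_creds distinct credential pairs."""
    return sorted(h for h, e in summary.items() if len(e["creds"]) >= min_creds)

if __name__ == "__main__":
    print(flag_hosts(probe_summary(SAMPLE)))
```
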
Title: Re: VeraPlus trying default passwords against other devices on network
Post by: sebby on March 13, 2016, 01:31:03 pm
I am seeing the same thing. Did you ever figure out what was happening?
Title: Re: VeraPlus trying default passwords against other devices on network
Post by: BOFH on March 13, 2016, 01:43:41 pm
Under Settings -> Net & Wi-Fi, uncheck Auto detect devices on my home network and that behavior should stop.

I use a *nix box as a gateway/firewall and it detected the 'attack' and sent me a notification. I've not seen any more of this since I switched off the above 'feature'.

I believe older Veras also perform at least part of this checking in UI7. I've always switched it off as my cameras go via Blue Iris and as such it's a waste of bandwidth and it'll pop up cameras it has found that I already have access to via BI. ;)
Title: Re: VeraPlus trying default passwords against other devices on network
Post by: sebby on March 14, 2016, 10:11:55 am
After a couple of days of running like this, I can confirm that the ReadURL errors do go away by doing this, but I am still seeing the "RAServerSync::SyncPluginsMMS failed" errors.
Title: VeraPlus trying default passwords against other devices on network
Post by: LindsiWains on November 14, 2016, 02:32:35 pm
Hi Pals,

I need help in developing a great Excel sheet to use for logging core device events on our network, e.g. Core Servers, Firewall, Web Security Appliances.