Vera - Smarter Home Control Forum
Advanced => Security => Topic started by: wirefall on February 23, 2016, 06:26:48 pm
-
This is likely related to the thread "Vera Lite scanning localnet port 80" http://forum.micasaverde.com/index.php/topic,36235.0.html as it appears to be camera related.
While reviewing logs to troubleshoot a VeraPlus device that has full Internet connectivity, but refuses to register itself as online with the Vera portal, I found some connection error messages that I expected to find, such as the following:
01 02/23/16 15:13:42.563 FileUtils::ReadURL 0/resp:404 user: pass: size 87 https://vera-us-oem-device11.mios.com/device/device/device/<SNIP>/plugins response: ERROR:Invalid request, allowed:device/x/localdevices, device/x/name, device/x/ergyconf
01 02/23/16 15:13:43.395 FileUtils::ReadURL 0/resp:404 user: pass: size 87 https://vera-us-oem-device12.mios.com/device/device/device/<SNIP>/plugins response: ERROR:Invalid request, allowed:device/x/localdevices, device/x/name, device/x/ergyconf
02 02/23/16 15:13:43.396 RAServerSync::SyncPluginsMMS alt 0 response 404 url https://vera-us-oem-device12.mios.com/device/device/device/<SNIP>/plugins with 3 bytes
01 02/23/16 15:13:43.396 RAServerSync::SyncPluginsMMS failed
But then I saw this...
01 02/23/16 15:29:24.100 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/cgi-bin/get_status.cgi response: <0x772b8520>
01 02/23/16 15:29:24.110 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/get_status.cgi response: <0x772b8520>
01 02/23/16 15:29:24.113 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/get_status.cgi response: <0x772b8520>
01 02/23/16 15:29:24.116 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/common/info.cgi response: <0x772b8520>
01 02/23/16 15:29:24.119 FileUtils::ReadURL 7/resp:0 user:admin pass:admin size 1 http://10.10.40.52/common/info.cgi response: <0x772b8520>
01 02/23/16 15:29:24.122 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/common/info.cgi response: <0x772b8520>
01 02/23/16 15:29:24.126 FileUtils::ReadURL 7/resp:0 user:admin pass:admin size 1 http://10.10.40.52/common/info.cgi response: <0x772b8520>
01 02/23/16 15:29:24.130 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/check_user.cgi?user=test&pwd=test response: <0x772b8520>
01 02/23/16 15:29:24.137 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/top.htm response: <0x772b8520>
01 02/23/16 15:29:24.140 FileUtils::ReadURL 7/resp:0 user:admin pass: size 1 http://10.10.40.52/top.htm response: <0x772b8520>
01 02/23/16 15:29:24.144 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/cgi-bin/CGIProxy.fcgi response: <0x772b8520>
01 02/23/16 15:29:24.147 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/index.html response: <0x772b8520>
01 02/23/16 15:29:24.151 FileUtils::ReadURL 7/resp:0 user:admin pass: size 1 http://10.10.40.52/index.html response: <0x772b8520>
01 02/23/16 15:29:24.153 FileUtils::ReadURL 7/resp:0 user:dceadmin pass:dcepass size 1 http://10.10.40.52/index.html response: <0x772b8520>
01 02/23/16 15:29:24.161 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/CgiTagMenu?page=Top&Language=0 response: <0x772b8520>
01 02/23/16 15:29:24.164 FileUtils::ReadURL 7/resp:0 user:admin pass: size 1 http://10.10.40.52/CgiTagMenu?page=Top&Language=0 response: <0x772b8520>
01 02/23/16 15:29:24.167 FileUtils::ReadURL 7/resp:0 user:dceadmin pass:dcepass size 1 http://10.10.40.52/CgiTagMenu?page=Top&Language=0 response: <0x772b8520>
01 02/23/16 15:29:24.171 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/pages/camera_login.php?login=true response: <0x772b8520>
01 02/23/16 15:29:24.175 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/util/query.cgi response: <0x772b8520>
01 02/23/16 15:29:24.180 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/util/query.cgi response: <0x772b8520>
01 02/23/16 15:29:24.187 FileUtils::ReadURL 7/resp:0 user: pass: size 1 http://10.10.40.52/util/query.cgi response: <0x772b8520>
The username/password combo dceadmin/dcepass is default for Panasonic IP Cameras, which are supported by the Vera controllers, but I don't expect something on my network to perform a dictionary attack against my other devices (the above is a tablet that has never been used to connect to the VeraPlus). Talk about sending a security practitioner through the roof!
-
I am seeing the same thing. Did you ever figure out what was happening?
-
Under Settings -> Net & Wi-Fi, uncheck Auto detect devices on my home network and that behavior should stop.
I use a *nix box as a gateway/firewall and it detected the 'attack' and sent me a notification. I've not seen any more of this since I switched off the above 'feature'.
I believe older Veras also perform at least part of this checking in UI7. I've always switched it off as my cameras go via Blue Iris and as such it's a waste of bandwidth, and it'll pop up cameras it has found that I already have access to via BI. ;)
-
After a couple of days of running like this, I can confirm that the ReadURL errors do go away by doing this, but I am still seeing the "RAServerSync::SyncPluginsMMS failed" errors.
-
Hi Pals,
I need help in developing a great Excel sheet to use for logging core device events on our network, e.g. Core Servers, Firewall, Web Security Appliances.