Author Topic: myDlink security vulnerability  (Read 15110 times)

MichaelH1

myDlink security vulnerability
« on: July 05, 2016, 01:59:55 PM »

Hi all -

Recently my router started informing me that there have been many attempts (I'm not sure if they were successful or not) at accessing my three DLink cameras.

I have three DCS-942L cameras, firmware 1.25, registered to my myDlink account.  My cameras have IP addresses 192.168.1.102, .103, and .104.

I have a Netgear R7000 router.

A few days ago my router started emailing me log files with lots of entries saying there were attempts to access my cameras.  I did not access my cameras remotely during this timeframe.  The log entries looked like:
[LAN access from remote] from 185.35.62.241:60663 to 192.168.1.102:8001, Tuesday, Jul 05,2016 11:27:17

Does anyone know if there were any changes or hackers who broke into myDlink.com?  Could someone have gained access to myDlink, and therefore have gained access to all our cameras that are registered in myDlink?

I tried changing the passwords for my myDlink account, as well as for my cameras, but the remote access attempts continued.

Thanks everyone!

Mike

RYAT3

Re: myDlink security vulnerability
« Reply #1 on: July 05, 2016, 02:04:01 PM »

You should set some very long strong passwords.

If you have time when you can, try to unplug your modem for as long as you can. A day or more? Hopefully you will get a new IP address from your cable company.

Is there a log in those cameras' f/w to show if any were successful?

FurryNutz

  • D-Link Global Forum Moderator
Re: myDlink security vulnerability
« Reply #2 on: July 05, 2016, 02:04:41 PM »

Welcome!

  • What Hardware version is your DCS? Look at the sticker behind or under the camera.
  • What Firmware version is currently loaded? Found on the DCS's web page under status.
  • What region are you located in?


Who is the IP address from? 185.35.62.241

Test cameras with uPnP and uPnP Port Forwarding both enabled on ALL cameras: DCS Cloud (L) Series Camera Configuration and Mydlink.com
Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

RYAT3

Re: myDlink security vulnerability
« Reply #3 on: July 05, 2016, 02:07:20 PM »

I googled it.  It's a known bad actor on the internet.

I'd block as many of those IPs in the router.

FurryNutz

Re: myDlink security vulnerability
« Reply #4 on: July 05, 2016, 02:12:27 PM »

Might ask the ISP to help if they can block as well.

MichaelH1

Re: myDlink security vulnerability
« Reply #5 on: July 05, 2016, 05:30:40 PM »

Hi all - Thanks for your quick replies and good suggestions.

My DCS-942L cameras are h/w version A4 running firmware version 1.26, Firmware Build Number 5601, Agent Version 2.0.19-b06n, and I am in the US.  My passwords are strong.

uPnP was enabled but uPnP Port Forwarding was not.  I turned on uPnP Port Forwarding also (although I wasn't sure what to set the ports to).  After the Port Forwarding was turned on there have been continued attempts to access the cameras.

There are numerous IP addresses trying to access my cameras, also 23.239.31.230:44308, 31.214.137.82:59604, 80.82.78.85:40218, 93.174.93.94:54372, 123.59.55.92:40154, 125.125.180.221:38315, 185.98.87.95:57136, 211.137.167.30:6000, 216.243.31.2:48931, and more.  There are too many to continuously monitor and block (and I don't see a way to block IP addresses on my Netgear R7000 router).

Thanks, all.

Mike


FurryNutz

Re: myDlink security vulnerability
« Reply #6 on: July 05, 2016, 05:39:15 PM »

Hmm, I'm wondering if you either temporarily turn OFF the cameras for a while or remove them from the MDL account and see if you still get notifications after you turn ON the cameras after being powered off for a while.

RYAT3

Re: myDlink security vulnerability
« Reply #7 on: July 05, 2016, 05:46:45 PM »


There are numerous IP addresses trying to access my cameras, also 23.239.31.230:44308, 31.214.137.82:59604, 80.82.78.85:40218, 93.174.93.94:54372, 123.59.55.92:40154, 125.125.180.221:38315, 185.98.87.95:57136, 211.137.167.30:6000, 216.243.31.2:48931, and more.  There are too many to continuously monitor and block (and I don't see a way to block IP addresses on my Netgear R7000 router).

The user manual is here, and it doesn't really explain it.


http://www.downloads.netgear.com/files/GDC/R7000/R7000_UM.pdf


This how-to is better:

http://kb.netgear.com/app/answers/detail/a_id/8219/~/how-to-setup-inbound%2Foutbound-firewall-rules-on-netgear-modem-router%2Fgateways?cid=wmt_netgear_organic


Just put those addresses in:  123.59.*.*   (* should match anything coming from there).


MichaelH1

Re: myDlink security vulnerability
« Reply #8 on: July 05, 2016, 08:31:32 PM »

Thanks, ryat3, for all your good suggestions.

The Netgear router has a feature to "Block sites containing these keywords or domain names", and I entered some of the IP addresses.  I also turned off the cameras for a while.  I will check the logs in a few hours and see what happens!

Mike

MichaelH1

Re: myDlink security vulnerability
« Reply #9 on: July 06, 2016, 08:38:07 AM »

Fyi, some more info ...

I turned off my cameras for a few hours.  I also blocked access in my router from some of the IP addresses.  During this period, the log shows continued attempts to access the cameras, including from the IPs which were blocked.  Obviously, since the cameras were powered off, the access attempts were not successful.  I looked at the router log entries for valid and successful accesses to the cameras when the cameras were on, and unfortunately the Netgear logs don't differentiate between successful and unsuccessful attempts, so I don't know whether these systems trying to access my cameras succeeded or not.

The next test I will try will be to power off my modem for a few days, which should result in a new IP address being issued to me.  Possibly the previous leasor of my IP address was doing a lot of peer-to-peer activity?  I will be able to do this test over the weekend.

But there remains the possibility that the dlink server, which has the IP addresses of all the cameras registered on it, was hacked and there are attempts to access our cameras.

Thanks, everyone.

FurryNutz

Re: myDlink security vulnerability
« Reply #10 on: July 06, 2016, 09:35:21 AM »

Yes, power OFF the ISP modem for a few minutes, then back on. Check to see if the router gets a new IP address. I would have the ISP help you get a new one if it doesn't. I highly doubt that the MDL services have been hacked. They keep a close eye on that system. If the access is still coming in with the cameras OFF, then they're trying to gain access using the current WAN ISP IP address that your router is getting via the modem. Let's see if that IP address can be changed.

MichaelH1

Re: myDlink security vulnerability
« Reply #11 on: July 19, 2016, 03:05:56 PM »

Hi all -

I turned off my modem and router for a few days.  When I turned them back on I was issued a different IP address.

There were still attempts to access my cameras that were not initiated by me, from various IP addresses.

I turned off my cameras and checked my router log file, and even while the cameras are off there are attempts to access them.  My cameras have IP addresses 192.168.1.102, 103, and 104.  Here are some entries from the router log file for a few hours:

[LAN access from remote] from 210.14.67.119:6000 to 192.168.1.104:443, Tuesday, Jul 19,2016 01:04:34
[LAN access from remote] from 213.128.81.66:61234 to 192.168.1.104:443, Tuesday, Jul 19,2016 01:14:49
[LAN access from remote] from 169.229.3.91:39340 to 192.168.1.103:443, Tuesday, Jul 19,2016 01:28:12
[LAN access from remote] from 216.243.31.2:38846 to 192.168.1.103:443, Tuesday, Jul 19,2016 01:48:18
[LAN access from remote] from 71.6.216.43:80 to 192.168.1.103:443, Tuesday, Jul 19,2016 02:24:40
[LAN access from remote] from 106.186.113.132:43439 to 192.168.1.104:554, Tuesday, Jul 19,2016 02:34:38
[LAN access from remote] from 186.103.198.226:41404 to 192.168.1.102:8001, Tuesday, Jul 19,2016 02:37:14
[LAN access from remote] from 184.105.139.98:60639 to 192.168.1.103:443, Tuesday, Jul 19,2016 02:50:56
[LAN access from remote] from 187.161.158.239:56566 to 192.168.1.103:443, Tuesday, Jul 19,2016 03:24:17
[LAN access from remote] from 187.161.158.239:41458 to 192.168.1.104:443, Tuesday, Jul 19,2016 03:24:18
[LAN access from remote] from 93.174.93.94:46149 to 192.168.1.102:8001, Tuesday, Jul 19,2016 04:00:32
[LAN access from remote] from 139.162.37.147:44873 to 192.168.1.104:554, Tuesday, Jul 19,2016 05:12:00
[LAN access from remote] from 93.174.93.94:46149 to 192.168.1.104:443, Tuesday, Jul 19,2016 05:43:51
[LAN access from remote] from 198.55.103.144:3786 to 192.168.1.103:443, Tuesday, Jul 19,2016 05:48:22
[LAN access from remote] from 198.55.103.144:2515 to 192.168.1.103:443, Tuesday, Jul 19,2016 05:48:29
[LAN access from remote] from 198.55.103.144:1551 to 192.168.1.103:443, Tuesday, Jul 19,2016 05:48:37
[LAN access from remote] from 198.55.103.144:4402 to 192.168.1.103:443, Tuesday, Jul 19,2016 05:48:44
[LAN access from remote] from 198.55.103.144:2405 to 192.168.1.103:443, Tuesday, Jul 19,2016 05:48:52
[LAN access from remote] from 198.55.103.144:1050 to 192.168.1.103:443, Tuesday, Jul 19,2016 05:48:59
[LAN access from remote] from 45.79.106.170:37496 to 192.168.1.103:443, Tuesday, Jul 19,2016 06:42:56
[LAN access from remote] from 106.186.20.183:35491 to 192.168.1.103:8002, Tuesday, Jul 19,2016 06:47:26
[LAN access from remote] from 163.172.35.213:48214 to 192.168.1.103:443, Tuesday, Jul 19,2016 07:19:20
[LAN access from remote] from 180.97.106.162:37882 to 192.168.1.102:8001, Tuesday, Jul 19,2016 10:14:00
[LAN access from remote] from 185.137.219.199:45439 to 192.168.1.103:443, Tuesday, Jul 19,2016 10:35:38
[LAN access from remote] from 104.156.228.177:49023 to 192.168.1.104:443, Tuesday, Jul 19,2016 11:09:01
[LAN access from remote] from 216.243.31.2:49219 to 192.168.1.102:8001, Tuesday, Jul 19,2016 11:42:58
[LAN access from remote] from 169.229.3.91:54253 to 192.168.1.102:8001, Tuesday, Jul 19,2016 11:50:03

Since my IP address changed I registered my cameras only with http://mydlink.com/.  I changed my camera passwords.

Would mydlink.com continuously try to access my cameras without me initiating a request?  Why would it do that?  Why are the requests coming from so many different IP addresses?  Could someone have broken into mydlink.com and stolen the access credentials of the cameras registered there?

If anyone has some insight into this please let me know.

Thanks!

Mike
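
An added example, not part of any post in this thread: a short Python script that parses router log lines in the "[LAN access from remote]" format quoted above, lists which camera ports were reached from outside and by how many distinct sources, and flags sources that retry one service in quick succession. The sample lines are constructed (documentation-range source addresses), and the function names and burst thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the log format quoted in this thread; the sources are
# documentation-range addresses and the last line is a made-up unrelated event.
SAMPLE_LOG = """\
[LAN access from remote] from 203.0.113.7:6000 to 192.168.1.104:443, Tuesday, Jul 19,2016 01:04:34
[LAN access from remote] from 203.0.113.99:43439 to 192.168.1.104:554, Tuesday, Jul 19,2016 02:34:38
[LAN access from remote] from 203.0.113.7:46149 to 192.168.1.102:8001, Tuesday, Jul 19,2016 04:00:32
[LAN access from remote] from 198.51.100.20:3786 to 192.168.1.103:443, Tuesday, Jul 19,2016 05:48:22
[LAN access from remote] from 198.51.100.20:2515 to 192.168.1.103:443, Tuesday, Jul 19,2016 05:48:29
[LAN access from remote] from 198.51.100.20:1551 to 192.168.1.103:443, Tuesday, Jul 19,2016 05:48:37
[Some other router event], Tuesday, Jul 19,2016 06:00:00
"""

LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), \w+, (?P<ts>\w{3} \d{1,2},\d{4} [\d:]{8})")

def parse(log_text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each inbound-access line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # any other router event is skipped
            ts = datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")
            yield ts, m["src"], m["dst"], int(m["dport"])

def exposed_services(events):
    """Map each (LAN host, port) seen in the log to its set of remote sources."""
    seen = defaultdict(set)
    for _, src, dst, dport in events:
        seen[(dst, dport)].add(src)
    return dict(seen)

def bursts(events, min_hits=3, window=timedelta(seconds=60)):
    """Return (src, dst, port) keys hit at least min_hits times within window."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in events:
        by_key[(src, dst, dport)].append(ts)
    return {k for k, t in by_key.items() if any(
        b - a <= window for a, b in zip(sorted(t), sorted(t)[min_hits - 1:]))}

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print(exposed_services(events), bursts(events))
```

The list of (host, port) pairs it prints is the set of services the router is passing inbound traffic to, which is the thing to compare against the port forwarding and uPnP settings discussed earlier in the thread.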


MichaelH1

Re: myDlink security vulnerability
« Reply #12 on: July 19, 2016, 07:18:21 PM »

Here's some additional info which calls into question the security of mydlink.com.

I changed the static IP addresses of my cameras.  I viewed the live images through mydlink.com.  My router logs showed a lot of accesses to these new IPs.  But there continued to be attempts to access the old IPs.  These access attempts obviously no longer came from mydlink.com since it knew the new, correct IPs.  This means that other systems somehow obtained the IP addresses of my cameras. 

Mike

FurryNutz

Re: myDlink security vulnerability
« Reply #13 on: July 20, 2016, 07:21:29 AM »

The first IP address indicates someone from China is trying to access the cameras:
http://whois.domaintools.com/210.14.67.119


You may want to first go through the list of external IPs and add them to your modem's or router's blocking feature if it has one.
Ask your ISP for help in blocking these IPs and how these users may be tracking and following you.
Use the domaintools web site to find out where IPs originate from.

RYAT3

Re: myDlink security vulnerability
« Reply #14 on: October 10, 2016, 07:56:02 PM »

Here's some additional info which calls into question the security of mydlink.com.

I changed the static IP addresses of my cameras.  I viewed the live images through mydlink.com.  My router logs showed a lot of accesses to these new IPs.  But there continued to be attempts to access the old IPs.  These access attempts obviously no longer came from mydlink.com since it knew the new, correct IPs.  This means that other systems somehow obtained the IP addresses of my cameras. 

Mike

Is this still happening? What have you done since?