IP2M-841B-V3 Vulnerability

badincite
Posts: 3
Joined: Sun Apr 03, 2022 5:46 am

IP2M-841B-V3 Vulnerability

Post by badincite »

Someone appears to have hacked the IP2M-841B-V3. I changed my password and they were right back in, moving the camera again. I'm on the newest firmware, V2.800.0000000.6.R. This was in my young daughter's room, which angers me a little bit. I don't have any direct port open, just using the P2P mode. Digging through the logs, I was seeing active connections to these IPs. Are these all Amcrest?

152.32.182.91
152.32.151.167
54.227.28.73
jack7
Posts: 904
Joined: Tue May 29, 2018 7:46 pm

Re: IP2M-841B-V3 Vulnerability

Post by jack7 »

Maybe your camera is auto tracking.  Try turning it off.
https://support.amcrest.com/hc/en-us/ar ... 2M-841-V3-
Revo2Maxx
Site Admin
Posts: 6758
Joined: Sat Jun 15, 2019 3:05 pm

Re: IP2M-841B-V3 Vulnerability

Post by Revo2Maxx »

Hello and Welcome to the Forum

Out of the 3 IP addresses, the only one related to the camera directly would be the 3rd one. Then the next part is: where are you located? The other IP addresses could be as easy as your own connection into the camera from your outside location, and even seeing you're using P2P to access it from within your own network. With P2P, even while on your own network, it will access the server and route through there. Plus side to that is you can access it from outside of your own network while away.

Then the next thing: was this camera bought new from Amcrest or from a 3rd party?

So it has been a long time since I have had Cloud service, and things have changed since as well. However, I would log into your camera, click on Setup, then click on Storage, then click Cloud. I am not sure if it will list who has an account attached or not; however, if there is an account attached then I would reset the camera back to factory (either way, it being there or not, I would). Once you have it back to factory, set up your camera as you normally have it.

Please note, even with your camera being connected to the network, for it to play back from local or remote the camera will need to access the internet. It doesn't mean it is moving any files; it makes a connection though.

Would love to see your connection logs from the camera. I am not sure how you have connections from IPs unless your camera is connected to a router that has an open port to your camera. Reason I say this is because when I make a connection to my camera on my phone (using P2P), my logs say I am connected via 127.0.0.1, and that is because normally P2P isn't a normal IP route, so to log user traffic it just uses the camera's localhost IP.

I have looked at my logs on my V3 and there is nothing in my logs that has anything outside my normal network IP range other than the 127.0.0.1, as I said before.

What does your camera show for the User?

So here is something I have done for myself so I can track and control what or who is accessing my system. I set up my main P2P access as the user name I use here. So when I look in the logs, if I see something outside accessing my system with the admin account, I know I need to look a little deeper. So I don't use ASP often; however, when I do, a good portion of my cameras are set up using P2P for the program. So I know when I see the admin account on days I have my ASP open, I know it was my computer. Trust me, it was something that had me worried in the past when I saw 127.0.0.1 access of log out and in on my cameras. It was after some time tracking with handwritten logs that I realized what was going on, and since then I started setting up all remote access with a different user name from my admin account, so I know when there is something not right going on.

I would personally reset the camera back to factory. Do this with the little button on the back of the camera. It is the LED. Press and hold it until it goes red. I wait myself until it goes red and flashes once red. However, if you bought it new from Amcrest there shouldn't be any Cloud account attached to the camera, but still reset. Also, as Jack said, make sure there is no auto tracking on.
Be Safe.
badincite
Posts: 3
Joined: Sun Apr 03, 2022 5:46 am

Re: IP2M-841B-V3 Vulnerability

Post by badincite »

Didn't even know this thing had an autotracking feature. I'm hoping that was it. My logs do show a couple of loopback IP 127.0.0.1 connections that day. Working on setting up a syslog server for my router just to have a little more peace of mind on it.

Located in NC. Did a search on those; the others came up as Reston, VA. Camera was bought on Amazon from Amcrest.

The logs grabbed were from my router showing active connections. Here's the one I grabbed when I noticed it was moving again. I wasn't connected at all when I ran this.

admin@ubnt:~$ sudo conntrack -L -s 192.168.1.167
udp 17 10 src=192.168.1.167 dst=152.32.182.91 sport=65277 dport=8815 src=152.32.182.91 dst=(My Public IP) sport=8815 dport=65277 mark=0 use=1
udp 17 10 src=192.168.1.167 dst=152.32.182.91 sport=65277 dport=8813 src=152.32.182.91 dst=(My Public IP) sport=8813 dport=65277 mark=0 use=1
udp 17 10 src=192.168.1.167 dst=152.32.182.91 sport=65277 dport=8810 src=152.32.182.91 dst=(My Public IP) sport=8810 dport=65277 mark=0 use=1
udp 17 10 src=192.168.1.167 dst=152.32.182.91 sport=65277 dport=8812 src=152.32.182.91 dst=(My Public IP) sport=8812 dport=65277 mark=0 use=1
udp 17 179 src=192.168.1.167 dst=152.32.151.167 sport=54498 dport=8802 src=152.32.151.167 dst=(My Public IP) sport=8802 dport=54498 [ASSURED] mark=0 use=1
udp 17 10 src=192.168.1.167 dst=152.32.182.91 sport=65277 dport=8811 src=152.32.182.91 dst=(My Public IP) sport=8811 dport=65277 mark=0 use=1
udp 17 10 src=192.168.1.167 dst=152.32.182.91 sport=65277 dport=8814 src=152.32.182.91 dst=(My Public IP) sport=8814 dport=65277 mark=0 use=1
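A way to condense router output like the above into one line per external peer, as an added example that is not part of the original post. The sample is modelled on the posted lines; 203.0.113.7 is a constructed stand-in for the redacted public IP, the LAN DNS line is constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Modelled on the conntrack output in the post. 203.0.113.7 is a constructed
# stand-in for the redacted public IP; the last line (LAN DNS) is constructed.
SAMPLE = """\
udp 17 10 src=192.168.1.167 dst=152.32.182.91 sport=65277 dport=8815 src=152.32.182.91 dst=203.0.113.7 sport=8815 dport=65277 mark=0 use=1
udp 17 10 src=192.168.1.167 dst=152.32.182.91 sport=65277 dport=8813 src=152.32.182.91 dst=203.0.113.7 sport=8813 dport=65277 mark=0 use=1
udp 17 179 src=192.168.1.167 dst=152.32.151.167 sport=54498 dport=8802 src=152.32.151.167 dst=203.0.113.7 sport=8802 dport=54498 [ASSURED] mark=0 use=1
udp 17 25 src=192.168.1.167 dst=192.168.1.1 sport=40000 dport=53 src=192.168.1.1 dst=192.168.1.167 sport=53 dport=40000 mark=0 use=1
"""

FIELD = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


def parse_flow(line):
    """Parse one `conntrack -L` line; return the original-direction tuple."""
    parts = line.split()
    if len(parts) < 4 or not parts[2].isdigit():
        return None
    flow = {"proto": parts[0], "timeout": int(parts[2]),
            "assured": "[ASSURED]" in parts}
    for key, val in FIELD.findall(line):
        if key in flow:  # a repeated key starts the reply direction
            break
        flow[key] = val
    return flow if "src" in flow and "dst" in flow else None


def external_peers(text, device_ip):
    """Map each non-private destination of device_ip to its ports and state."""
    peers = defaultdict(lambda: {"ports": set(), "assured": False})
    for line in text.splitlines():
        flow = parse_flow(line)
        if not flow or flow["src"] != device_ip:
            continue
        if ipaddress.ip_address(flow["dst"]).is_private:
            continue  # LAN traffic (router DNS, NVR) is not of interest here
        peer = peers[flow["dst"]]
        if "dport" in flow:
            peer["ports"].add((flow["proto"], int(flow["dport"])))
        peer["assured"] = peer["assured"] or flow["assured"]
    return dict(peers)


if __name__ == "__main__":
    for dst, info in sorted(external_peers(SAMPLE, "192.168.1.167").items()):
        state = "ASSURED" if info["assured"] else "not assured"
        print(dst, sorted(info["ports"]), state)
```

Only the first src/dst pair on each line is the flow as the camera initiated it; the second pair is the reply direction as seen after NAT.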
Revo2Maxx
Site Admin
Posts: 6758
Joined: Sat Jun 15, 2019 3:05 pm

Re: IP2M-841B-V3 Vulnerability

Post by Revo2Maxx »

Well, a log server is OK, but there is just TMI there that may or may not be related to the camera. So then within a syslog one would need to then access the camera or device on the IP it is tracking to and see what info it might show in there. From the log of an 841v3, this is from mine, only showing the first 12 lines. However, just so you're aware, your camera will reach out to a few different servers, and after someone turns off P2P, if they didn't want it calling home, it can still take up to a few hours for the traffic to stop. IP addresses that are active on the camera: only showing 2 in the text because the NVR IP is lower in the logs, and one way you know, if you don't remember the IP of your recorder, is it shows an IP and then says DVRIP. The address showing is from my main computer and the app via P2P.

Now about the camera being on Auto Track: it doesn't come with it set up that way. It would have to be turned on. You can see it in the picture below, just above the Reset Default on the page.

1 admin 2022-04-03 17:51:01 Set Time {"Address":"10.0.0.119","Before":"04-03-2022 05:51:01","Type":"Web3.0"}
2 admin 2022-04-03 17:50:58 Login {"Address":"10.0.0.119","Type":"Web3.0"}
3 admin 2022-04-03 14:47:45 Logout {"Address":"10.0.0.119"}
4 admin 2022-04-03 14:38:45 Set Time {"Address":"10.0.0.119","Before":"04-03-2022 02:38:45","Type":"Web3.0"}
5 admin 2022-04-03 14:38:43 Login {"Address":"10.0.0.119","Type":"Web3.0"}
6 admin 2022-04-03 13:33:32 Logout {"Address":"10.0.0.119"}
7 revo2maxx 2022-04-03 13:27:12 Logout {"Address":"127.0.0.1"}
8 revo2maxx 2022-04-03 13:16:57 Logout {"Address":"127.0.0.1"}
9 revo2maxx 2022-04-03 12:49:15 Logout {"Address":"127.0.0.1"}
10 revo2maxx 2022-04-03 12:49:14 Logout {"Address":"127.0.0.1"}
11 admin 2022-04-03 12:37:34 Set Time {"Address":"10.0.0.119","Before":"04-03-2022 12:37:34","Type":"Web3.0"}
12 admin 2022-04-03 12:37:32 Login {"Address":"10.0.0.119","Type":"Web3.0"}
Screenshot (2246).png
Be Safe.
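Revo2Maxx's habit of giving P2P access its own user name can be checked mechanically against the log format shown above; this is an added example, not part of the original posts. Assumptions: the LAN range 10.0.0.0/24, `revo2maxx` as the dedicated P2P account, and hypothetical function names; sample lines 4 and 5 are constructed to trigger the two checks.

```python
import ipaddress
import json
import re

# seq, user, timestamp, event name (may contain spaces), JSON detail
LINE = re.compile(
    r"^(\d+)\s+(\S+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.+?)\s+(\{.*\})\s*$"
)

# Lines 1-3 follow the camera log in the post; lines 4-5 are constructed.
SAMPLE = """\
1 admin 2022-04-03 17:50:58 Login {"Address":"10.0.0.119","Type":"Web3.0"}
2 revo2maxx 2022-04-03 13:27:12 Logout {"Address":"127.0.0.1"}
3 admin 2022-04-03 12:37:34 Set Time {"Address":"10.0.0.119","Before":"04-03-2022 12:37:34","Type":"Web3.0"}
4 admin 2022-04-03 03:12:40 Login {"Address":"127.0.0.1"}
5 admin 2022-04-03 03:10:02 Login {"Address":"198.51.100.23","Type":"Web3.0"}
"""


def audit(text, lan="10.0.0.0/24", p2p_users=("revo2maxx",)):
    """Return (seq, user, time, event, address, reason) for entries to review."""
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        seq, user, when, event, detail = m.groups()
        try:
            addr = ipaddress.ip_address(json.loads(detail).get("Address", ""))
        except ValueError:  # bad JSON or missing/invalid address
            continue
        if addr.is_loopback:
            # P2P sessions are logged as 127.0.0.1, so only the dedicated
            # P2P account is expected to appear with that address.
            if user in p2p_users:
                continue
            reason = "P2P session by an account not reserved for P2P"
        elif addr not in lan_net:
            reason = "address outside the LAN range"
        else:
            continue
        findings.append((int(seq), user, when, event, str(addr), reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```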
badincite
Posts: 3
Joined: Sun Apr 03, 2022 5:46 am

Re: IP2M-841B-V3 Vulnerability

Post by badincite »

Yeah, I'm thinking my kid hit it playing with my wife's phone now. I just happened to see those other IPs when I ran a track on the connection inside my router. Googling shows they're owned by hk ucloud, which is probably the P2P tracker Amcrest uses. The log inside the camera only shows 127.0.0.1 and my local IP.