I have a firewall device (Firewalla) on my network. I recently updated the firmware on my Amcrest IP camera (IP2M-841) about a week ago. Since doing that, Firewalla has warned me, now twice, that the Amcrest camera is "accessing a malicious site".
The IPs are:
134.249.145.106 (Ukraine) - appears to be a broadband service in Kiev Ukraine, kyivstar.ua.
84.42.59.244 (Russia) - appears to be a broadband service in Moscow, rostelecom.ru.
I got the firmware directly from the Amcrest site. The version is V2.420.AC00.18.R, Build Date: 2020-02-17
Can anyone offer any advice on this?
Amcrest camera accessing questionable IPs
Re: Amcrest camera accessing questionable IPs
It sounds as if your system is compromised at some level; I'm not aware of any legitimate resources that the camera might be trying to access in those countries. I do know that there are embedded users/logons that can be traced back to Guangzhou, Guangdong, China, although I don't know the purpose.
If it were me I would disconnect the camera and then do a full system scan of your computer including for rootkits (my choice is a daily full scan by Malwarebytes and Windows Defender).
Having done that and being as satisfied as possible that there is no virus/malware on your computer, I would power up the camera and immediately do a factory reset. Press and hold in the reset button for about 30 seconds until the red light flashes. The camera should now be back to the state it was in when you first received it and needs to be set up again.
I don't need access to my cameras outside my own LAN, so in the network setup, having set a static IP address, I go on to specify incorrect addresses for the LAN gateway and DNS servers, but that's a personal choice which makes me feel a little safer.
My AMCREST Cameras:-
2 x IP3M-941B firmware V2.620.00AC00.3.R, Build Date: 2019-12-18
1 x IP2M-841B firmware V2.420.AC00.18.R, Build Date: 2019-08-03
Re: Amcrest camera accessing questionable IPs
I've been having a look at those IP addresses and there are certainly numerous recent reports on them both as being responsible for port probing (especially 37777) and also brute force attacks etc.
May I ask, are you sure that these were outgoing requests from your system and not instances of your firewall blocking incoming attempts?
p.s. I've just been looking through my firewall logs to see if there was any trace of those IPs and drawn a blank, but I see that my iPhone spends a lot of time trying to phone home in China.

My AMCREST Cameras:-
2 x IP3M-941B firmware V2.620.00AC00.3.R, Build Date: 2019-12-18
1 x IP2M-841B firmware V2.420.AC00.18.R, Build Date: 2019-08-03
Re: Amcrest camera accessing questionable IPs
I am only as sure as what Firewalla tells me. It said that 1.2kb was uploaded to 134.249.145.106 at 8:31am. At the same time, it accessed 2 other IPs - 34.201.172.195, and 54.209.127.50.
Is it possible that a compromised device is somehow using the IP of the camera to go out? That doesn't make a lot of sense to me.
Firewalla reports that the camera is accessing a number of IPs each hour, usually the same each hour. From 12 to 1pm it made these requests:
34.201.172.195 (Amazon AWS)
clock.isc.org (likely for time sync)
54.209.127.50 (Amazon AWS)
p2p.amcrestview.com
34.201.172.195 (Amazon AWS again)
clock.isc.org (likely for time sync)
54.209.127.50 (Amazon AWS again)
clock.isc.org (likely for time sync)
I did have port forwarding on my router set up so I could access the cameras externally (I turned that off this morning), but even after turning it off I'm still seeing access to the Amazon AWS IPs.
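The question raised in this thread, whether the camera opened these connections or only answered an inbound probe arriving through the port forward, can be settled from a packet capture by checking which side sent the first SYN. The following is an added example, not part of any post: the camera address, the remote addresses and the packet records are constructed, and port 37777 is the one named in the thread.

```python
from collections import defaultdict

CAMERA = "192.168.1.50"        # assumed camera address (constructed)
FORWARDED_PORTS = {37777}      # port named in the thread; assumed to be forwarded

# Constructed packet summaries: (time, src, sport, dst, dport, tcp_flags, payload_bytes)
PACKETS = [
    (1.00, "203.0.113.7", 51000, CAMERA, 37777, "S", 0),
    (1.01, CAMERA, 37777, "203.0.113.7", 51000, "SA", 0),
    (1.02, "203.0.113.7", 51000, CAMERA, 37777, "A", 0),
    (1.05, "203.0.113.7", 51000, CAMERA, 37777, "PA", 180),
    (1.06, CAMERA, 37777, "203.0.113.7", 51000, "PA", 1200),
    (2.00, CAMERA, 40222, "198.51.100.20", 443, "S", 0),
    (2.01, "198.51.100.20", 443, CAMERA, 40222, "SA", 0),
    (2.05, CAMERA, 40222, "198.51.100.20", 443, "PA", 640),
]

def classify_flows(packets, camera=CAMERA, forwarded=FORWARDED_PORTS):
    """Group packets into TCP flows and report which side opened each one."""
    flows = defaultdict(
        lambda: {"initiator": None, "service_port": None, "camera_bytes": 0})
    for _ts, src, sport, dst, dport, flags, size in sorted(packets, key=lambda p: p[0]):
        # Use the same key for both directions of one connection.
        key = tuple(sorted([(src, sport), (dst, dport)]))
        flow = flows[key]
        # A SYN without ACK starts the handshake, so its sender opened the flow.
        if flags == "S" and flow["initiator"] is None:
            flow["initiator"] = src
            flow["service_port"] = dport
        if src == camera:
            flow["camera_bytes"] += size   # bytes the camera sent, in either role
    report = []
    for key, flow in flows.items():
        remote = next(ip for ip, _port in key if ip != camera)
        if flow["initiator"] == camera:
            verdict = "outbound: camera opened the connection"
        elif flow["initiator"] is None:
            verdict = "unknown: handshake not captured"
        elif flow["service_port"] in forwarded:
            verdict = "inbound via port forward: remote host opened it"
        else:
            verdict = "inbound: remote host opened it"
        report.append((remote, verdict, flow["camera_bytes"]))
    return sorted(report)
```

A flow that the remote host opened still carries bytes sent by the camera, so a byte count on its own does not show which side started the exchange.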
Re: Amcrest camera accessing questionable IPs
I wonder, are you using the V3 or the normal 841? Because AWS is an Amazon service that Amcrest uses, as do other IP cameras that offer cloud or other services that Amazon Web Services has to offer... This can be some face detection and some other things they have to offer; some are based on their servers to run the system... Another thing is, if you have P2P, I know there are odd areas for servers all over the world. The 2 IPs from the first post might be a P2P wait, but if there was some data transfer then I am not sure, to be honest...
Be Safe.
Re: Amcrest camera accessing questionable IPs
I have to say that I'm not an expert on this matter so I can only tell you what I would do.
I'd ignore the last batch of IPs you mention; I think they are legitimate. Amazon resources, for instance, might be used for storage of your camera's recordings, calls to Amcrest may be for DDNS if you're using P2P, for instance, and clock.isc.org is self-explanatory.
I would be very worried about what had been uploaded to the first IPs and I would immediately set about changing the passwords to every online resource that I use, banking, social media etc. etc.
In the past, security systems, once hacked, have been used to then gain access to other resources connected to a LAN, so I would suggest doing multiple full scans of your computer in different ways, such as doing "offline" checks, i.e. at system boot time before Windows is loaded, in safe mode, and using online checkers such as Trend Micro's HouseCall.
Consider whether your router has been compromised; a couple of years ago my Netgear router was attacked and hacked and I never managed to restore it to a 'safe' state.
I'm a worrier by nature and tend to go OTT on these things, so I'd be looking at a full fresh install of Windows.
For me it would probably be more than a week before I even got around to looking at sorting the camera out, but hopefully the factory reset will resolve that. Good luck with it at any rate.

My AMCREST Cameras:-
2 x IP3M-941B firmware V2.620.00AC00.3.R, Build Date: 2019-12-18
1 x IP2M-841B firmware V2.420.AC00.18.R, Build Date: 2019-08-03
Re: Amcrest camera accessing questionable IPs
You should probably file a report: www.ftc.gov/complaint
RalphSlate wrote: ↑Wed May 27, 2020 8:07 am
I have a firewall device (Firewalla) on my network. I recently updated the firmware on my Amcrest IP camera (IP2M-841) about a week ago. Since doing that, Firewalla has warned me, now twice, that the Amcrest camera is "accessing a malicious site".
The IPs are:
134.249.145.106 (Ukraine) - appears to be a broadband service in Kiev Ukraine, kyivstar.ua.
84.42.59.244 (Russia) - appears to be a broadband service in Moscow, rostelecom.ru.
I got the firmware directly from the Amcrest site. The version is V2.420.AC00.18.R, Build Date: 2020-02-17