Archive for September 7th, 2019

Unidentified Scanning Activity, (Sat, Sep 7th)

Over the past two weeks, my honeypot has captured a new scan. According to the URL targeted and some research, this might be used to identify Dahua[1] or HiSilicon[2] digital video recorder (DVR) products. So far I have only seen this activity against port 80, and the scans for this activity look like this:

20190907-090937: 192.168.25.9:80-XXX.190.6.228:48968 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-093912: 192.168.25.9:80-XXX.188.126.243:36847 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-094441: 192.168.25.9:80-XXX.189.237.44:44343 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-100443: 192.168.25.9:80-XXX.188.40.103:35067 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115225: 192.168.25.9:80-XXX.177.116.123:40904 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115630: 192.168.25.9:80-XX.186.174.54:57636 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-122646: 192.168.25.9:80-XXX.189.27.141:38624 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'

If you are seeing this kind of activity and are able to help identify the product targeted or confirm it is one of the 2 I listed, leave a comment on our page. I did find an exploit against HiSilicon DVR released last year searching for the same URL[3].
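For anyone wanting to check their own honeypot or web logs for this probe, the following is an added example, not code from the original post. It assumes the log layout shown above and that CR/LF is stored as the literal text \r\n; the function names, reason labels and sample addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout as shown above: <ts>: <dst>:<dport>-<src>:<sport> data '<payload>'
# The source address may be partly masked with X, as in the published lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}-\d{6}): [\d.]+:\d+-(?P<src>[\dX.]+):\d+ data ['‘](?P<payload>.*)['’]\s*$"
)
# Request line: method, target, optional protocol token.
REQ_RE = re.compile(r"^[A-Z]+ (?P<target>\S+)(?: (?P<proto>\S+))?")
PROBE_SEGMENTS = ["mnt", "custom", "ProductDefinition"]

def classify(payload):
    """Return the reasons a payload matches the probe (empty set if it does not)."""
    m = REQ_RE.match(payload)
    if not m:
        return set()
    target = m.group("target")
    segments = [s for s in target.split("/") if s]
    if segments[-3:] != PROBE_SEGMENTS:
        return set()
    reasons = {"product-definition-path"}
    if ".." in segments:
        reasons.add("dot-dot-traversal")
    if not target.startswith("/"):
        reasons.add("relative-request-target")
    # Assumption: CR/LF is logged as literal "\r\n" text, so cut the token there.
    proto = (m.group("proto") or "").split("\\r")[0]
    if not re.fullmatch(r"HTTP/\d\.\d", proto):
        reasons.add("malformed-http-version")
    return reasons

def scan_sources(lines):
    """Group matching probes by source IP with count, first/last seen and reasons."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "reasons": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        reasons = classify(m.group("payload")) if m else set()
        if not reasons:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y%m%d-%H%M%S")
        hit = hits[m.group("src")]
        hit["count"] += 1
        hit["first"] = min(hit["first"] or ts, ts)
        hit["last"] = max(hit["last"] or ts, ts)
        hit["reasons"] |= reasons
    return dict(hits)

# Constructed sample lines (documentation-range addresses, not from the post).
SAMPLE = [
    r"20190907-090937: 192.0.2.9:80-198.51.100.23:48968 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'",
    r"20190907-093912: 192.0.2.9:80-198.51.100.23:36847 data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'",
    r"20190907-094441: 192.0.2.9:80-203.0.113.7:44343 data 'GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n'",
]
```

A request line with a relative target and a bare "HTTP" token is not something a normal browser sends, so the combined reasons make a tighter filter than the path alone.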

[1] https://www.dahuasecurity.com/
[2] http://www.hisilicon.com
[3] https://www.exploit-db.com/exploits/44004

———–
Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.
