
SANS Internet Storm Center InfoSec Handlers Diary Blog


War of the Bots: When DVRs attack NASs

Published: 2014-03-28
Last Updated: 2014-03-28 12:03:18 UTC
by Johannes Ullrich (Version: 1)

While looking at the latest honeypot data for what is happening with Synology devices, I noticed one particularly aggressive IP connecting to a number of our honeypot IPs. At first, I figured it might just be a new Shodan scan (we get tons of them in the honeypot). But when I connected to port 443 using openssl, I saw a rather interesting SSL certificate being sent:

$ openssl s_client -connect a.b.c.d:443
depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = HIKVISION, OU = DVRNVR, CN =, emailAddress =
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = ZheJiang, L = HangZhou, O = HIKVISION, OU = DVRNVR, CN =, emailAddress =
verify return:1
GET ---
Certificate chain
 0 s:/C=CN/ST=ZheJiang/L=HangZhou/O=HIKVISION/OU=DVRNVR/
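The same check automated, as an added example that is not code from the diary or from Hikvision or Synology: it pulls the leaf certificate from a host without validating it (these devices are self-signed), parses the subject out of the DER with a minimal ASN.1 walker so no third-party library is needed, renders it the way s_client prints it, and labels the device from the O/OU pair. The DEVICE_SIGNATURES table and the constructed sample certificate are assumptions built to mirror the output above, not real Hikvision material; that every Hikvision DVR/NVR presents exactly this subject is likewise an assumption.

```python
import socket
import ssl

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2   # single-byte tags suffice for X.509
    if length & 0x80:                                     # long form: low 7 bits = length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """DER OID contents -> dotted string, e.g. b'\\x55\\x04\\x06' -> '2.5.4.6'."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                               # high bit clear ends a base-128 arc
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

# Subject attribute types seen in the diary's certificate, as DER-encoded OIDs.
ATTR_OIDS = {"C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
             "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03",
             "emailAddress": b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01"}
OID_NAMES = {decode_oid(raw): name for name, raw in ATTR_OIDS.items()}
# (O, OU) -> device label. Assumption: only the pair from the diary is known here.
DEVICE_SIGNATURES = {("HIKVISION", "DVRNVR"): "Hikvision DVR/NVR"}

def parse_name(name):
    """X.501 Name = SEQUENCE OF SET OF (OID, value); returns ordered (attr, value) pairs."""
    pairs, pos = [], 0
    while pos < len(name):
        _, rdn, pos = read_tlv(name, pos)                 # one RDN (SET)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)          # AttributeTypeAndValue (SEQUENCE)
            _, oid, after_oid = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, after_oid)
            dotted = decode_oid(oid)
            pairs.append((OID_NAMES.get(dotted, dotted), value.decode("utf-8", "replace")))
    return pairs

def cert_subject(der):
    """Walk Certificate -> tbsCertificate and return the subject as (attr, value) pairs."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, body, pos = read_tlv(tbs, pos)
        fields.append((tag, body))
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields.pop(0)
    return parse_name(fields[4][1])     # serialNumber, signature, issuer, validity, subject

def format_subject(pairs):
    """Render the way openssl s_client prints it: 'C = CN, ST = ZheJiang, ...'."""
    return ", ".join(f"{attr} = {value}" for attr, value in pairs)

def classify(pairs):
    """Label the device from the subject's O/OU, or 'unknown'."""
    attrs = dict(pairs)
    return DEVICE_SIGNATURES.get((attrs.get("O", ""), attrs.get("OU", "")), "unknown")

def fetch_leaf_der(host, port=443, timeout=5.0):
    """Fetch a server's leaf certificate as DER without validating it (self-signed devices)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1            # old embedded devices rarely do TLS 1.2+
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def _tlv(tag, body):
    """Encode one DER TLV; only used to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def _name(pairs):
    """Encode an X.501 Name from (attr, value) pairs, one attribute per RDN."""
    rdns = b""
    for attr, value in pairs:
        string_tag = 0x16 if attr == "emailAddress" else 0x0C     # IA5String vs UTF8String
        rdns += _tlv(0x31, _tlv(0x30, _tlv(0x06, ATTR_OIDS[attr]) + _tlv(string_tag, value.encode())))
    return _tlv(0x30, rdns)

def build_sample_cert():
    """Constructed test input, not a real Hikvision certificate: key and signature are placeholders."""
    subject = _name([("C", "CN"), ("ST", "ZheJiang"), ("L", "HangZhou"), ("O", "HIKVISION"),
                     ("OU", "DVRNVR"), ("CN", ""), ("emailAddress", "")])
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"140101000000Z") + _tlv(0x17, b"240101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
               + subject + validity + subject)           # self-signed: issuer == subject
    return _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 17))
```

`classify(cert_subject(fetch_leaf_der("a.b.c.d")))` is the live version of what the openssl session above does by hand, with `a.b.c.d` being the diary's placeholder. Two caveats: a 2014-era DVR may only offer TLS 1.0 or SSLv3 with ciphers a current OpenSSL build refuses at its default security level, in which case an older `openssl s_client` is the easier tool; and the subject is only a hint, since anything can present any self-signed certificate, so treat the label as enrichment for the honeypot record rather than proof of what the box is.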

This certificate appears to belong to a DVR sold with security camera systems [1]. These systems usually run some form of Linux, so it is to be expected that, given a weak password, they get mistaken for a Linux server and exploited just like one.

Right now, if I am really lucky I may be able to get hold of the owner of the DVR, but it looks like a Chinese residential IP, so I am not getting my hopes up too high.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: dvr synology