Unidentified Scanning Activity

Over the past two weeks, my honeypot has captured a new scan. Based on the URL targeted and some research, this might be used to identify Dahua[1] or HiSilicon[2] digital video recorder (DVR) products. So far I have only seen this activity against port 80, and the captured requests look like this:

20190907-090937: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-093912: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-094441: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-100443: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115225: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115630: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-122646: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'

If you are seeing this kind of activity and are able to help identify the product targeted, or confirm it is one of the two I listed, leave a comment on our page. While searching for the same URL, I did find an exploit against HiSilicon DVRs released last year[3].

Update 1

I received the following update via Twitter:

GreyNoise Intelligence (@GreyNoiseIO) has observed a very large spike in compromised Mirai-infected devices around the Internet bruteforcing DVR/IP camera devices using the NETsurveillance ActiveX plugin. This activity is originating from roughly 7% of total Mirai infections tracked by GreyNoise.

@MasafumiNegishi has observed the following ports being scanned for the same activity: TCP 80, 81, 82, 83, 85, 88, 8000, 8080, 8081, 9090, and that another moobot variant has been scanning HiSilicon DVR devices on 80/tcp since August 29. Both moobot variants share the same C2.


Guy Bruneau IPSS Inc.
My Handler Page
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu


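As an added example, not part of the diary or the handler's own tooling: a small Python script that parses honeypot lines in the format shown above, flags the ../../mnt/custom/ProductDefinition traversal request, and tallies hits per hour. The pattern also accepts a leading "/" and an HTTP version, since the malformed form captured here (no leading slash, bare "HTTP" token) is the kind of detail a scanner can change without changing its purpose. The embedded sample log is constructed: the seven captured lines from the diary plus three made-up lines (two unrelated requests and one well-formed variant of the probe) to show what is and is not flagged. The request-line checks reflect standard HTTP request-line syntax and are an observation added here, not something the diary states.

```python
import ast
import re
from collections import Counter

# The captured probe is oddly formed: no leading "/" on the request-target and a bare
# "HTTP" where a version belongs. Tolerate an optional leading "/" and an optional
# version so near-variants of the same fingerprinting request are also flagged.
PROBE_RE = re.compile(
    r"^GET\s+/?(?:\.\./)+mnt/custom/ProductDefinition(?:\?\S*)?\s+HTTP(?:/1\.[01])?\r\n"
)

# Honeypot line format from the diary: "<YYYYMMDD-HHMMSS>: data '<repr of payload>'"
LINE_RE = re.compile(r"^(\d{8}-\d{6}): data (.+)$")


def parse_line(line):
    """Return (timestamp, payload) for a honeypot line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, quoted = m.groups()
    try:
        payload = ast.literal_eval(quoted)  # turn the repr back into a string with real CRLFs
    except (ValueError, SyntaxError):
        return None
    if isinstance(payload, bytes):
        payload = payload.decode("latin-1")
    return ts, payload


def is_dvr_probe(payload):
    """True if the payload is the mnt/custom/ProductDefinition traversal request."""
    return PROBE_RE.match(payload) is not None


def request_line_quirks(payload):
    """List the request-line defects a strict HTTP server would reject with a 400.

    The original capture has both defects, a hint that the scanner expects a lax
    embedded web server rather than a general-purpose one.
    """
    request_line = payload.split("\r\n", 1)[0]
    tokens = request_line.split(" ")
    if len(tokens) != 3:
        return ["token count != 3"]
    _method, target, version = tokens
    quirks = []
    if not target.startswith("/"):
        quirks.append("target lacks leading /")
    if not version.startswith("HTTP/"):
        quirks.append("version token is bare HTTP")
    return quirks


def summarize(lines):
    """Count probe hits per hour and tally request-line quirks across a honeypot log."""
    per_hour = Counter()
    quirks = Counter()
    parsed = probes = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        ts, payload = rec
        if not is_dvr_probe(payload):
            continue
        probes += 1
        per_hour[ts[:11]] += 1  # "YYYYMMDD-HH"
        quirks.update(request_line_quirks(payload))
    return {"parsed": parsed, "probes": probes, "per_hour": per_hour, "quirks": quirks}


# Constructed sample: the seven lines from the diary plus three made-up lines (two
# unrelated requests and one well-formed variant of the probe).
SAMPLE_LOG = r"""
20190907-090937: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-093912: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-094441: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-100443: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115225: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-115630: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-122646: data 'GET ../../mnt/custom/ProductDefinition HTTP\r\n\r\n'
20190907-123001: data 'GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n'
20190907-124510: data 'GET /../../etc/passwd HTTP/1.1\r\n\r\n'
20190907-130105: data 'GET /../../mnt/custom/ProductDefinition HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n'
""".strip().splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report["probes"], "probes in", report["parsed"], "lines")
    for hour, n in sorted(report["per_hour"].items()):
        print(hour, n)
    print(dict(report["quirks"]))
```

Run on a real honeypot log, the per-hour counts give the cadence to compare against other sensors, and the quirks tally tells you whether a new wave is still sending the malformed request line or has switched to one a normal web server would accept. To cover the other ports listed in Update 1, feed the script the captures from each listener rather than only port 80.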

I see this traffic in my logs. The service running is I will try to find further information. Hope it helps.

