Announcement

Collapse
No announcement yet.

Unathorized user logging in

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Unathorized user logging in

    This morning my logs noted an unknown user logging in and shutting down HS3. The strange part is there appeared to be no username and password, yet the user was authorized. I have only two authorized users and they both have usernames. My logs show this (bottom to top):

    Feb-25 9:18:15 AM Shutdown Application shutdown at 2/25/2017 9:18:15 AM

    Feb-25 9:18:15 AM Warning Request from UI to shutdown

    Feb-25 9:18:15 AM System Application shutdown request from external interface.

    Feb-25 9:18:15 AM System Control Panel Immediate Script: &hs.shutdown()

    Feb-25 9:18:11 AM Web Server Web Server authorized login successful from: 193.138.219.231 User:

    The User is blank and the IP address is from Sweden and not known to me.

    The jon00 whois program showed it was
    Date & Time IP Address i Type User Visits Country Network Name Contact Name Address Server
    2/25/2017 9:18:11 AM 193.138.219.231 WHOIS Source: RIPE

    IP Address: 193.138.219.231
    Country: Sweden
    Network Name: ESAB-IPV4-NET-1
    Owner Name: -
    Contact Name: ESAB NOC
    Address: 31173 Services AB, Scheelegatan 9, SE-212 28 Malmo, Sweden
    Email: noc@31173.se
    Abuse Email: abuse@31173.se
    Phone: +46406181000
    Fax: -
    Authorized Authorized 1 Sweden ESAB-IPV4-NET-1 ESAB NOC 31173 Services AB, Scheeleg... RIPE

    How can a person/bot log into my HS3 server with no username? How can I prevent this?

    #2
    My log shows something very similar. Odd, huh?

    Feb-25 8:25:24 AM Shutdown Application shutdown at 2/25/2017 8:25:24 AM
    Feb-25 8:25:24 AM Warning Request from UI to shutdown
    Feb-25 8:25:24 AM System Application shutdown request from external interface.
    Feb-25 8:25:24 AM System Control Panel Immediate Script: &hs.shutdown()
    Feb-25 8:25:20 AM Web Server Web Server authorized login successful from: 193.138.219.231 User:

    Comment


      #3
      Looks like someone is messing with exposed HS systems and that there's a possible authentication bug. What port do you guys have open to the internet for your HS server? I would not use a standard port on the outside. Pick something obscure and then set the router to forward the external port to 80/443 on the inside.
      HS 3.0.0.548: 1990 Devices 1172 Events
      Z-Wave 3.0.1.262: 126 Nodes on one Z-Net

      Comment


        #4
        Should both HS3 server ports be translated through the router to help prevent this?

        And I assume it isn't necessary to translate the ports to 80/443 as long as the actual HS3 server ports are setup properly in HS3. Am I correct in assuming there is no restriction in HS3 with regards to what ports are used?

        I too have password protection. I'm surprised someone was able to breach that.

        Can access of either one of the two ports allow HS3 to be accessed and shutdown?

        Thank you for the help Al!

        Comment


          #5
          Originally posted by frankc View Post
          Should both HS3 server ports be translated through the router to help prevent this?

          And I assume it isn't necessary to translate the ports to 80/443 as long as the actual HS3 server ports are setup properly in HS3. Am I correct in assuming there is no restriction in HS3 with regards to what ports are used?

          I too have password protection. I'm surprised someone was able to breach that.

          Can access of either one of the two ports allow HS3 to be accessed and shutdown?

          Thank you for the help Al!
          Hi Frank,

          You only need to use one port (80 or 443) to reach the system from the outside, so I would pick one and not forward the other. I find it easier to use the standard ports on the inside so that you don't have to specify the port number in the url every time you access the system internally, but yes, you could use the same ports on both sides. The only restriction on port # is that it can't be in use by something else.

          Cheers
          Al
          HS 3.0.0.548: 1990 Devices 1172 Events
          Z-Wave 3.0.1.262: 126 Nodes on one Z-Net

          Comment


            #6
            Great Advice Al.

            I'll set up HS3 accordingly.

            Thanks,

            Frank

            Comment


              #7
              I had exactly the same "blank" user from the same ip address shutdown my system this afternoon. Whilst I understand that we can tweak ports, how is possible for an HS3 system to be so easily detected from the outside? Is this a security hole that needs looking at?

              Comment


                #8
                Originally posted by Lio View Post
                I had exactly the same "blank" user from the same ip address shutdown my system this afternoon. Whilst I understand that we can tweak ports, how is possible for an HS3 system to be so easily detected from the outside? Is this a security hole that needs looking at?
                Yes. I don't open any ports forwarded to my HS server, because I saw attempts even with an obscure port. MyHs works fine and eliminates exploits here. Regardless, the ability to get around user authentication should be a priority for HST to fix.

                Comment


                  #9
                  It's a bit worrying really because the executed commands seem to imply someone with reasonable knowledge of HS to execute an immediate script command and to execute a rather specific one.

                  I wonder whether someone who hosts their own plugins may have been jeopardised? I know I host mine and of course anyone who does probably has access to the apache or similar web logs, in there you would find IP addresses of peoples HS servers as even if you don't download a plugin from them but host the icon every time someone checks the updater it will get the icon and log it. Unsure how someone would get the username/password from there but really basic HTTP authentication is not really that strong. That would be my guess as to how to directly find and target a HS system, I wonder if there is a correlation if everyone who has seen this has gone into the updater recently???

                  Comment


                    #10
                    OK, I have the same thing, but mine occurred outside of the log parameters. So, unknown hacker IP.....
                    Last edited by ewkearns; February 25, 2017, 04:33 PM.
                    HomeSeer Version: HS3 Pro Edition 4.2.6.0
                    Operating System: Microsoft Windows 10 Pro - Desktop

                    Enabled Plug-Ins
                    AK Google Calendar 3.0.0.45,AK Smart Device 3.0.0.6,AK Weather 4.0.1.77,AmbientWeather 3.0.1.9,Big5 1.38.0.0,BLBackup 2.0.63.0,BLGData 3.0.55.0,BLLock 3.0.38.0,BLPlex 2.0.22.0,BLUPS 2.0.26.0,Device History 3.2.0.2,EasyTrigger 3.0.0.74,HSBuddy 3.25.614.1,mcsMQTT 5.21.4.1,MeiHarmonyHub 3.1.0.22,NetCAM 3.0.0.14,PHLocation 3.0.1.109,Restart 1.0.0.7,SDJ-Health 3.1.0.3,SDJ-VStat 3.1.0.7,TPLinkSmartHome 19.10.7.1,UltraCID3 3.0.6681.34300,UltraSighthoundVideo3 3.0.5960.36744,,Z-Wave 3.0.2.0

                    Comment


                      #11
                      I have the same shutdown from the same IP address on both my Development and Production systems.

                      This is scary. I am going to lock down external access for now.

                      Regards,
                      Vector

                      Comment


                        #12
                        @mrhappy, Good call. www.31173.se is a data service center and who knows if someone with knowledge of HS is involved there as well, gained access there or had their system stored there and they've been hacked.

                        I am curious if the people that have been affected are on similar systems, hardware or software. Do all the affected systems have a common plug-in in use? Can someone at HS search their database of users for people with .se? I don't know if that would be thousands or just a handful.

                        Were the systems restarted or just shutdown? Most people might not notice a restart, but a shutdown will stand out.

                        Comment


                          #13
                          Originally posted by racerfern View Post
                          @mrhappy, Good call. www.31173.se is a data service center and who knows if someone with knowledge of HS is involved there as well, gained access there or had their system stored there and they've been hacked.

                          I am curious if the people that have been affected are on similar systems, hardware or software. Do all the affected systems have a common plug-in in use? Can someone at HS search their database of users for people with .se? I don't know if that would be thousands or just a handful.

                          Were the systems restarted or just shutdown? Most people might not notice a restart, but a shutdown will stand out.
                          The two log entries posted show an immediate script executed for shutdown.

                          Comment


                            #14
                            It seems in all cases, HS3 was shut down. I use port forwarding with an obscure port number. But even with that, there are only two usernames that have access to my system and no entry is not one of them. Seems really strange.

                            Comment


                              #15
                              I was concerned to avoid any repeat of this afternoon's experience and so I thought I would temporarily disable outside access to me system. However, I seem to have disabled all access to the web-interface, even from my LAN! I have no idea how to connect to my system anymore! What options do I have?

                              Comment

                              Working...
                              X