    Russians hacking Homeseer?

    Saw this in the log.

    Jul-11 08:04:58 HSTouch Server Opening connection from:185.154.20.164/63119
    followed by:
    Jul-11 08:05:18 HSTouch Server Client has DISCONNECTED.
    Jul-11 08:05:18 HSTouch Server Client (185.154.20.164/63119) has raised LineDisconnected.
    Jul-11 08:05:18 HSTouch Server Warning Client dropped connection 185.154.20.164/63119

    That IP is in Russia.

    Any idea what is happening? I have no voter information on my system.

    #2
    Originally posted by rschein:
    Saw this in the log.

    Jul-11 08:04:58 HSTouch Server Opening connection from:185.154.20.164/63119
    followed by:
    Jul-11 08:05:18 HSTouch Server Client has DISCONNECTED.
    Jul-11 08:05:18 HSTouch Server Client (185.154.20.164/63119) has raised LineDisconnected.
    Jul-11 08:05:18 HSTouch Server Warning Client dropped connection 185.154.20.164/63119

    That IP is in Russia.

    Any idea what is happening? I have no voter information on my system.

    Are you allowing public access to your instance of HSTOUCH or HS3's management interface or do you only allow access through myhs?

    Did you ensure that you have a strong password?

    Did you enable IP hack blocking? This blocks sources that have too many failed login attempts.

    Are the devices you are connecting to your HSTOUCH server fully patched and protected with Anti-malware/anti-virus? If not, you may have a key-logger that has compromised your HSTOUCH/HS3 Authentication.


      #3
      Given they got rejected, this seems like it is a hacker doing an automated port scan and attempted login once they found a live port. Usually they just ping the most common ports like 80 and RDP (3389), but perhaps they did an exhaustive scan on your network. It's unfortunately quite common these days! Before I moved my HS server off of port 80 I used to regularly see attempted bursts of 20-30 automated login attempts from hackers.

      That said, it could also be a sign that you are already compromised internally (which would be very bad), but the good news is that it sounds like whoever connected got rejected, so that suggests that they don't have your credentials or access to your internal network.

      Some suggestions:

      1. Do a full virus and malware scan with the latest updates. Make sure your OS has the latest updates installed.
      2. Move your HS server off of port 80 and HS touch off of 10300. If you need to have open ports for outside services, make sure the open ports are random ones not associated with any particular service and just map them in your firewall to the correct service.
      3. Block the most common remote ports (80, 3389, etc.) in your firewall
      4. Change your HS user name and password to something that is very strong/unique.
      5. Check your firewall log and see if there are any particular IPs that are repeatedly doing port scans or trying to log onto any of your servers. Block those IPs. If your firewall allows it, you may also be able to block entire IP ranges as well, such as the most common Russian IPs (although this will also block legitimate traffic from those IPs).

      If all else fails, you may have to do a clean install on your HS machine and every other machine on your network, but hopefully it won't come to that :-)
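      As an added illustration of suggestion 5 (this is not code from the thread or from HomeSeer), a short Python script that reads HSTouch Server log lines in the format quoted in the first post, ignores LAN sources, and flags public IPs that open repeated connections within a few minutes, in the spirit of the failed-attempt threshold behind the IP hack blocking mentioned in reply #2. The sample log, the threshold values and the 192.168.1.40 tablet address are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the HSTouch Server log format quoted in the first post.
# 185.154.20.164 is the address the original poster reported; 192.168.1.40 is a
# made-up tablet on the LAN, included to show that private sources are ignored.
SAMPLE_LOG = """\
Jul-11 08:04:58 HSTouch Server Opening connection from:185.154.20.164/63119
Jul-11 08:05:18 HSTouch Server Client has DISCONNECTED.
Jul-11 08:05:18 HSTouch Server Warning Client dropped connection 185.154.20.164/63119
Jul-11 08:07:02 HSTouch Server Opening connection from:185.154.20.164/63250
Jul-11 08:07:20 HSTouch Server Warning Client dropped connection 185.154.20.164/63250
Jul-11 08:09:41 HSTouch Server Opening connection from:185.154.20.164/63301
Jul-11 08:12:00 HSTouch Server Opening connection from:192.168.1.40/50122
"""

# Only the "Opening connection" lines matter for counting attempts.
OPEN_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})-(?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"HSTouch Server Opening connection from:(?P<ip>[\d.]+)/(?P<port>\d+)$"
)


def parse_opens(log_text, year=2017):
    """Return a list of (timestamp, source_ip) for every connection opened."""
    opens = []
    for line in log_text.splitlines():
        m = OPEN_RE.match(line)
        if m:
            stamp = f"{year}-{m['mon']}-{m['day']} {m['time']}"
            opens.append((datetime.strptime(stamp, "%Y-%b-%d %H:%M:%S"), m["ip"]))
    return opens


def suspicious_sources(log_text, max_opens=3, window_minutes=10):
    """Map each public source IP that opened max_opens or more connections
    inside any window_minutes window to its total number of opens.
    Private (RFC 1918) sources are skipped: those are the LAN tablets."""
    by_ip = defaultdict(list)
    for ts, ip in parse_opens(log_text):
        if not ipaddress.ip_address(ip).is_private:
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - max_opens + 1):
            if (times[i + max_opens - 1] - times[i]).total_seconds() <= window_minutes * 60:
                flagged[ip] = len(times)
                break
    return flagged
```

      Run against the sample, `suspicious_sources(SAMPLE_LOG)` flags only 185.154.20.164 (three opens in under five minutes); feed it a real HS3 log export to get the list of addresses worth a firewall rule.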
        #4
        How do I change the HSTouch port and the clients? Everything is off of 80. Random ports are set for outside access. Common bad IPs are blocked. Interesting that they are looking at HSTouch. Didn't think it was that common.
          #5
          Homeseer Touch clients use a default port of 10200.

          The port setting is on your touch clients and Homeseer.

          I only see the speaker port setting in the HS3 GUI. I don't remember where the setting is now. (looked at the settings ini file and the hstouch ini file and do not see the hstouch ports there)

          Thinking it might be hard coded these days using myhomeseer dot com.

          That said it doesn't matter these days relating to hacking your stuff.

          This stuff happens every day from wherever in the world now for many many years.

          Geez it could be your neighbor doing a side trip internet connection from next door.

          IE:

          The dark web forms a small part of the deep web, the part of the Web not indexed by search engines, although sometimes the term "deep web" is mistakenly used to refer specifically to the dark web. The dark web is also referred to as the free internet space (TOR is an example of this)

          The core principle of Tor, "onion routing", was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson and computer scientists Michael G. Reed and David Goldschlag, with the purpose of protecting U.S. intelligence communications online. Onion routing was further developed by DARPA in 1997


          You can though tighten up your stuff as suggested by Bill in post #3 above.

          Here went to using VPN and geoblocking software on the firewall.

          That said geoblocking today is a big topic relating to the global internet in general....Dxyz if you do and Dxyz if you do not geoblock...
          Last edited by Pete; July 11, 2017, 01:09 PM.
          - Pete

          Auto mator
          Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb

          HS4 Pro - Ubuntu 22.04 / Lenova Tiny M900 / 32Gb Ram
          HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

          X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant
            #6
            WOW! After responding to this message, I just checked my own HS Log and I see that starting this morning at 6:29AM PST my HS machine has also been getting pinged by the same IP address: 185.154.20.164 and the log-in attempts are cycling through different ports on the same IP.

            I would guess that the chances of two different HS servers getting the same unauthorized login attempts at the same time are slim, so this has to be some kind of systemic HS-centric issue where someone has a list of HS IPs.

            My guesses at possible issues:

            1. Some kind of Myhs related technical issue, or worse, hack of myHS.
            2. I had the Homeseer DDNS service where you can access your server via xxxx.myhomeseer.com. I know this was supposed to get shut down at some point soon (but it is still active as of now); perhaps this service has been compromised.

            Whatever the case, I am going to escalate this to Homeseer ASAP as this would appear to be some kind of systemic issue that could be related to some kind of security compromise of their myhs or myhomeseer services.
              #7
              Originally posted by BillBurn:
              Whatever the case, I am going to escalate this to Homeseer ASAP as this would appear to be some kind of systemic issue that could be related to some kind of security compromise of their myhs or myhomeseer services.

              This type of activity has to do with open ports on your router. Bots constantly scan IP addresses and ports looking for an opening. If one is found, a login is attempted.

              This is the very reason I closed port 10200 on my router and started using MyHomeseer VPN.

              Bob
                #8
                A little tidbit about a brute force attack...

                Brute-force attack

                In cryptography, a brute-force attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. Alternatively, the attacker can attempt to guess the key which is typically created from the password using a key derivation function. This is known as an exhaustive key search.

                A brute-force attack is a cryptanalytic attack that can, in theory, be used to attempt to decrypt any encrypted data (except for data encrypted in an information-theoretically secure manner). Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier.

                When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because a brute-force search takes too long. Longer passwords, passphrases and keys have more possible values, making them exponentially more difficult to crack than shorter ones.

                Brute-force attacks can be made less effective by obfuscating the data to be encoded making it more difficult for an attacker to recognize when the code has been cracked or by making the attacker do more work to test each guess. One of the measures of the strength of an encryption system is how long it would theoretically take an attacker to mount a successful brute-force attack against it.

                Brute-force attacks are an application of brute-force search, the general problem-solving technique of enumerating all candidates and checking each one.

                Little computers can do math much faster these days given the opportunity...and it's a willy nilly world out there today...
                - Pete
                  #9
                  Hi,

                  Same thing happening here, I will block the IP address right now in my router:

                  185.154.23.217

                  Seems that HS has been breached yesterday, during that outage...?

                  bart
                  Regards Bart
                  ------------------------------------------
                  Win7 64Bit on Intel NUCI7 with SSD
                  HSPRO 3.
                  Devices; 1370 Events; 691

                  Jon00 Scripts, JowHue, HSTouch, Plugwise, Z-wave, Ultranetatmo, Ultracam, PHlocation, BLUSBUIRT, MeiHarmony, Buienradar, MEiUnifi Pushover 3P, Random, Nest HSPhone and Blueiris

                  Visonic Powermax Alarm System (HS3) Interface: http://www.domoticaforum.eu/viewtopic.php?f=68&t=11129
                    #10
                    I am getting the same thing. The address is 185.127.25.198. I am not connected to Myhs.

                    Thanks,

                    Ronnie
                      #11
                      Hi Bob,

                      I am well aware of port scans, I see them all the time in my firewall logs. However, I have not had my HS Log register a login attempt from an unknown outside IP address in a long time.

                      From my perspective, what makes this situation different from a random scan is that the same outside IP is pinging the same port on two separate HS servers at the same time. This may suggest that rather than a random scan it is an attacker that somehow knows the IP addresses of HS servers. Granted, there's still a good chance it's just a coincidence, but I think it's worth highlighting as it could possibly be some kind of coordinated HS-specific attack.

                      Hopefully others with the HS Touch ports open can check their logs and see if they have been experiencing similar traffic. [EDIT: I see we have at least two other HS users getting the same message, so that's 4 users all getting attacked by the same IP on the same port at the same time. Sounds less and less like a random scan to me...]

                      FWIW, I immediately blocked the HS ports (10200 and 10300) and it looks like that has stopped the attempted logins for now. I can't check my firewall logs from work but when I get home I will go through them and see if this was a run-of-the-mill scan or a concerted attack on HS specific ports.

                      I agree with you about the best way to stop this is just to block all the ports to outside traffic permanently. I kept the HS touch ports open because I like to use HS Touch when I am working outside of my house and out of wifi range, but I may have to rethink that approach in light of recent events ...
                      Last edited by BillBurn; July 11, 2017, 01:51 PM.
                        #12
                        Originally posted by Ronnie:
                        I am getting the same thing. The address is 185.127.25.198. I am not connected to Myhs.

                        Hi Ronnie,

                        A couple quick questions:

                        About what time did these login attempts start?
                        Who is your internet service provider?

                        FWIW, I blocked access to ports 10200 and 10300 on my firewall/router and that put a stop to these login attempts.
                          #13
                          Originally posted by rschein:
                          How do I change the HSTouch port and the clients? Everything is off of 80. Random ports are set for outside access. Common bad IPs are blocked. Interesting that they are looking at HSTouch. Didn't think it was that common.

                          There was some discussion about adding a line into the config file for HSTouch; I would do a search on the forums and I think you can bring up that thread.

                          I agree that it's weird they are attacking 10300 as it's not a common port to scan (that's why I opened it!), suggests to me that this is an HS focused attack.
                            #14
                            I also changed the HSTouch ports now, and am still monitoring.

                            MyHS is and was disabled, but I have a registered account. Looks like the list has been stolen yesterday during the outage..?

                            The scanning IP is 185.154.23.217, which traces back to China and is a known hacking IP.
                              #15
                              4 And Counting

                              So now we have 6 HS servers and counting, all being attacked on the HS touch ports and all by IPs out of Russia/China. Looks like there are several IPs involved now:

                              185.154.20.164 (myself and rschein)
                              185.154.23.217 (bart)
                              185.127.25.198 (Ronnie, ed)
                              185.154.23.198 (outbackrob)

                              Given that the attack now involves multiple IPs (it's not uncommon for hackers to switch IPs constantly in an attempt to hide their tracks), I suggest simply blocking ports 10200 and 10300 as opposed to trying ban individual IPs.
                              Last edited by BillBurn; July 11, 2017, 04:11 PM.