Russians hacking Homeseer?

    #76
    Originally posted by BillBurn View Post
    Thanks for the update and it's good to know that the HSTouch protocol is proprietary. It does seem like whoever was doing this was unable to actually do anything other than establish a basic connection.

    I have to disagree with you on this. We now have reports from 10+ users that they all started getting attacked on the same obscure port at the same time by the same IP blocks. There is almost no chance that random scans from the same block of IPs on the billions of addressable IPs just happen to target the same obscure port (most random scans wouldn't even include 10200) at the same time on a widely dispersed set of IPs that all share a common trait, i.e. HS servers. If it was port 80 or 21, maybe it's a possibility, but 10200, no chance.

    Given the simultaneous timing, the common focus, and the common attack IPs, this looks very much like a focused attack on a pre-assembled list of IPs. That doesn't necessarily mean that myHS or Homeseer has been compromised as the attack list could have been built up over a period of time by random scans, but it seems very likely that this was not a random scan, but a focused attack based on a pre-assembled list of servers that had 10200 open.

    I know it's tempting to dismiss this as random, but you guys might want to consider the possibility that someone is specifically targeting your user base/servers and trying to find specific vulnerabilities that they can exploit. Maybe they are trying to compromise a very high value target that is running an instance of HS ... who knows.

    Net, net, you might want to consider posting a reminder to the broader user base about best practices for firewall and port configuration. Can't hurt in general, and seems like a prudent response in light of recent events.
    Far more likely the port number was just added to the (long) list of open ports and the botnets now scan it as well. Could also be a new script someone wrote. Not surprising since IOT is such a hot topic nowadays.

    It's really all Mark's fault for making Homeseer more recognizable as a valid automation product

    Z

    EDIT: Actually on reflection, it's got to be a new script since it's coming from just one IP address, not a botnet. Maybe an ex-Homeseer customer.??



      #77
      The default port for Homeseer isn't a secret, it's in the help file. My guess is they are randomly scanning IP addresses looking for that port so they know who is running Homeseer for targeted attacks. Probably one of Trump's Russian employees looking for Hillary emails. I recommend changing the default port and wearing a tinfoil hat.
      https://forums.homeseer.com/forum/de...plifier-plugin



        #78
        Mentioned earlier about the SSH compromising.

        I watched it for a while and the virus (or whatever) built a bot. Initially creating services that I did not install and new cron jobs just to replicate to other Internet connected computers. The self autonomously almost AI bot became whole in less than 4 hours, installed and searching to replicate itself.

        This AI-like bot really is very simple with only one job already prewritten in its operational base. While it is inert, it learns to take care of itself and replicate to continue its lineage just fine these days.

        There is really no blame going to any specific country other than the country of the Internet; free internet and not free internet.

        This was done on a very appliance like linux box; where typically you do not see what is happening on it. IE: like many new media wireless players or IP cams or whatever appliances (100% of them utilize a linux kernel and OS base in firmware).

        There are people around the world that cannot see the free internet or news outside of their country...such that there are deliberate efforts in place to provide secure tunnels of access to the internet here in the US so those folks can enjoy our internet freedom. And vice versa is happening here.

        Most folks do not enjoy reading or listening to bland news with no sensationalism (and a bit of fiction these days).

        The nefarious mechanisms in place today have been around for many years now and always known by mostly everybody working IT since the inception of the Internet. The news has always been publicized but mostly has been ignored; well cuz it's boring and folks really never think that it will happen to them. But is it really not a personal thing; it is just using "things" on your home network that talk to the Internet...

        Mostly the tit for tat everything lately is due to childlike behavior, similar to when a 3 year old gets their toys taken away because of misbehavior and mostly the three year old cries (alligator tears) because they know they were wrong and still want to justify their behavior.
        Last edited by Pete; July 12, 2017, 11:44 AM.
        - Pete

        Auto mator
        Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
        Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
        HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

        HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram
        HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

        X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



          #79
          Originally posted by happnatious1 View Post
          The default port for Homeseer isn't a secret, it's in the help file. My guess is they are randomly scanning IP addresses looking for that port so they know who is running Homeseer for targeted attacks. Probably one of Trump's Russian employees looking for Hillary emails. I recommend changing the default port and wearing a tinfoil hat.
          I just spit up my coffee reading this... thanks for the laugh



            #80
            Originally posted by vasrc View Post
            Far more likely the port number was just added to the (long) list of open ports and the botnets now scan it as well. Could also be a new script someone wrote. Not surprising since since IOT is such a hot topic nowadays.

            It's really all Mark's fault for making Homeseer more recognizable as a valid automation product

            Z

            EDIT: Actually on reflection, it's got to be a new script since it's coming from just one IP address, not a botnet. Maybe an ex-Homeseer customer.??
            It's very likely not random scans. Even if 10200 was added to some hacker scan list, there are billions of IPs in the IPv4 address space that would take days to scan even with a massive botnet. The chance of 10+ IPs getting randomly scanned on the same port within minutes of each other is basically zero.

            Too many IPs on a non-standard port at the same time from a small subset of attack IPs. It's highly likely to be a targeted attack based on a pre-assembled list of IPs. How that list was assembled is an open question.

            That said, as has been pointed out, it's pretty easy to defeat these attacks by either A) closing the ports or B) only accessing HS remotely via a VPN.

            Still if I were HS, I would be cross-referencing the attack IPs to all my own internal logs to make sure that these same IPs aren't attempting to compromise their internal systems.



              #81
              Just realised I am seeing these connection attempts too. There's been about 45 in the last 2 days. Mostly from one Russian address, but some from France and a couple of random ones too.

              I just modified my port forwarding to listen on a high random external port and route to 10200 on the HS3 box.

              Mostly I use myhs for connectivity now, but use DDNS when myhs is down. One day I'll get to a VPN.
              cheeryfool



                #82
                Out of curiosity what is the legality of setting up a honey pot loaded with cyber bombs. Sounds like a fun experiment. I could set up a virtual machine on my server on its own vlan and when one of these clowns tries to hack in I just forward them to that and see what happens. Put a bunch of files and folders on there marked credit cards or launch codes and see what piques their interest.
                https://forums.homeseer.com/forum/de...plifier-plugin



                  #83
                  I'm seeing attempts from 185.127.27.142. I don't use MyHS. Disabled port access.



                    #84
                    Originally posted by BillBurn View Post
                    It's very likely not random scans. Even if 10200 was added to some hacker scan list, there are billions of IPs in the IPv4 address space that would take days to scan even with a massive botnet.
                    I'm not certain that is true anymore. I once noticed a fair amount of ssh attempts on my home server from an ip that belonged to the University of Michigan. When I wget'ed their IP, I received the following ... (http://researchscan288.eecs.umich.edu/)

                    Why am I receiving connection attempts from this machine?

                    These connections are part of a long-term computer science research project that has been conducted by the University of Michigan since 2013. This research involves making a small number of harmless connection attempts to every publicly accessible computer worldwide each day. This allows scientists to measure the global Internet and analyze trends in technology deployment and security.
                    As part of this research, every public IP address receives a handful of packets per day on a selection of common ports. These consist of standard connection attempts followed by RFC-compliant protocol handshakes with responsive hosts. We never attempt to exploit security problems, guess passwords, or change device configurations. We only receive data that is publicly visible to anyone who connects to a particular address and port.
                    As this intrigued me, a little bit of research led me to their ZMap whitepaper, which has the following (https://zmap.io/paper.pdf) ....

                    We performed a series of experiments to characterize the performance of ZMap. Under our test setup, we find that a complete scan of the public IPv4 address space takes approximately 44 minutes on an entry-level server with a gigabit Ethernet connection. We estimate that a single-packet scan can detect approximately 98% of instantaneously listening hosts, and we measure a 1300x performance improvement over Nmap for Internet-wide scanning, with equivalent coverage.

                    We performed the following measurements on an HP ProLiant DL120 G7 with a Xeon E3-1230 3.2 GHz processor and 4 GB of memory running a stock install of Ubuntu 12.04.1 LTS and the 3.2.0-32-generic Linux kernel.

                    ZMap is offered as a free open source download.

                    With the increase in IoT devices, I'm not surprised that HS's default application ports are being targeted.
                    Len


                    HomeSeer Version: HS3 Pro Edition 3.0.0.435
                    Linux version: Linux homeseer Ubuntu 16.04 x86_64
                    Number of Devices: 633
                    Number of Events: 773

                    Enabled Plug-Ins
                    2.0.54.0: BLBackup
                    2.0.40.0: BLLAN
                    3.0.0.48: EasyTrigger
                    30.0.0.36: RFXCOM
                    3.0.6.2: SDJ-Health
                    3.0.0.87: weatherXML
                    3.0.1.190: Z-Wave



                      #85
                      Thinking thru this.... so if MyHS was not compromised, how do they know the IP addresses of HS users? Maybe they were able to get at the web logs for the vanilla www.homeseer.com site. The IP addresses are stored in there. Not always the same as the HS location but those addresses would be a great start for scanning 10200 to see if it is open. It might even be this forum that is the source of disclosed IP addresses. The web log for it would contain a lot of IPs.

                      Either way, it does seem logical to me that the source of the IP leaks (if there was one) has to be some site that many of us use.

                      Just a thought.



                        #86
                        It looks like 10200 sees some intermittent activity

                        https://www.speedguide.net/port.php?port=10200
                        DSteiNeuro

                        HS3Pro

                        MSI Cubi Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz, 2201 Mhz, 2 Core(s), 4 Logical Processor(s) 16GB DDRl RAM

                        Enabled Plug-Ins
                        BLRussound, BLSpeech, HSTouch Server, JowiHue, MyQ, Nest, Rain8, Squeezebox, Ultra1Wire3, UltraGCIR3, Vista Alarm, X10,Z-Wave



                          #87
                          Russians, they always get the blame, probably some kid at an American University.

                          Let us not over react, changing ports at this point solves the problem.

                          I held back from mentioning Trump and the CIA when it comes to illegal enterprise. Amazingly, the FBI has never been implicated; they must have been better at covering tracks.
                          A founder member of "The HA Pioneer Group" otherwise known as the "Old farts club!"



                            #88
                            Russians hacking Homeseer?

                            Port scans are common on the public Internet. It happens more than most would assume. Additionally, ports between 1024 and 49151 are registered to specific applications/services. Port 10200 isn't technically registered to the HSTOUCH service (https://www.speedguide.net/port.php?port=10200).
                            While it is possible that someone is targeting HSTOUCH users I don't know that there is enough evidence to suggest that this is the case.
                            It is always good practice to ask, is it really necessary to make a service publicly accessible? Personally, I don't need HSTOUCH outside my house very often. I am fortunate, I built my own PFSENSE firewall from a mini pc with dual NICs about a year and a half ago. I have an IDS hosted on PFsense configured to protect my network by creating rules around the source/destination/type of traffic. I block access to my public WAN to known lists of blacklisted and spam IP sources using pfblocker (based on a recommendation from @Pete). I use a web proxy to filter traffic and A/V scan traffic into/out of my network. I also use openDNS to filter (at a very basic level) suspicious DNS calls. My network is highly secure.

                            I have a VPN connection setup to my house. I was happy using it to get access to my stuff. A problem arose because my wife and kids wanted to use our network attached services (HSTOUCH, and my HTPC service "Emby") from outside the home. Teaching them to use the VPN first wasn't optimal.

                            I opted instead to publish the content securely to the public Internet using publicly trusted SSL certificates. Again my Batman utility belt of a firewall came in handy. I stood up a reverse proxy that protects my internal resources and provides access to the outside. I also have a Let's Encrypt ACME client that automatically manages my SSL certificates and restarts the reverse proxy automatically to import renewed certificates. When security requirements change I have to touch one location (the reverse proxy) and all my services are updated. I only had to open 1 port for HTTPS requests. I ran into a little trouble with HSTOUCH since it uses a non-standard communication protocol that apparently handles its own encryption. It doesn't support or need SSL encryption. I ended up setting it up as a TCP proxy and it is up and running. I have a few remaining items that need to be cleared up to finish the config.

                            My next step will be to implement client certificate authentication. If I can get this to work, no connection will be allowed into my reverse proxy unless the end point offers the appropriate client certificate. The best part is that this would all be handled on the backend, my family would never notice.



                            Sent from my iPhone using Tapatalk
                            Last edited by Kerat; July 12, 2017, 05:48 PM.



                              #89
                              Just noticed this attempted login


                              Jul-13 01:06:41 * Web Server Got data but was not PUT or GET, from: 122.228.208.111 Data: CONNECT www.linode.com:443 HTTP/1.1
                              Jul-13 01:06:35 * Web Server Got data but was not PUT or GET, from: 122.228.208.111 Data: CONNECT www.linode.com:443 HTTP/1.1
                              Jul-13 01:06:29 * Web Server Got data but was not PUT or GET, from: 122.228.208.111 Data: CONNECT www.linode.com:443 HTTP/1.1

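The three log lines above are the HS3 web server refusing HTTP CONNECT requests: a CONNECT to a third-party host on port 443 is how a scanner checks whether a web server will act as an open proxy and tunnel traffic on its behalf, so a server that rejects it (as HS did here) is behaving correctly. As an added example (not HomeSeer's code and not from any poster in this thread), the Python script below parses lines in that format, groups them by source address and request method, and flags sources that send a burst of such requests within a short window, which is the kind of summary that makes the "how many, from where, how fast" question easy to answer before deciding to block or close a port. The line format is assumed from the three quoted lines; the year 2017, the thresholds, and the 198.51.100.7 sample lines are constructed assumptions.

```python
"""Summarise HS3 web-server 'Got data but was not PUT or GET' log lines by source.

Added example, not HomeSeer's own code. The line layout is assumed from the
lines quoted in the thread; HS does not log a year, so one is supplied.
"""
import re
from collections import Counter
from datetime import datetime

# Assumed format, taken from the quoted lines:
# Jul-13 01:06:41 * Web Server Got data but was not PUT or GET, from: <ip> Data: <raw request>
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}-\d{2} \d{2}:\d{2}:\d{2}) \* Web Server "
    r"Got data but was not PUT or GET, from: (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Data: (?P<data>.*)$"
)

# Constructed sample: the three lines quoted in the thread, plus one OPTIONS probe
# from a documentation-range address and one unrelated line the parser must skip.
SAMPLE_LOG = """\
Jul-13 01:06:41 * Web Server Got data but was not PUT or GET, from: 122.228.208.111 Data: CONNECT www.linode.com:443 HTTP/1.1
Jul-13 01:06:35 * Web Server Got data but was not PUT or GET, from: 122.228.208.111 Data: CONNECT www.linode.com:443 HTTP/1.1
Jul-13 01:06:29 * Web Server Got data but was not PUT or GET, from: 122.228.208.111 Data: CONNECT www.linode.com:443 HTTP/1.1
Jul-13 02:15:02 * Web Server Got data but was not PUT or GET, from: 198.51.100.7 Data: OPTIONS / HTTP/1.1
Jul-13 02:15:02 * Web Server started
"""


def parse_line(line, year=2017):
    """Return a record for one matching log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{year}-{m['stamp']}", "%Y-%b-%d %H:%M:%S")
    data = m["data"].strip()
    method = data.split()[0] if data else ""  # first token of the raw request
    return {"when": when, "src": m["src"], "method": method, "data": data}


def parse_log(text, year=2017):
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]


def summarize(records):
    """Per source address: count, method histogram, first and last timestamp."""
    out = {}
    for r in records:
        s = out.setdefault(r["src"], {"count": 0, "methods": Counter(),
                                      "first": r["when"], "last": r["when"]})
        s["count"] += 1
        s["methods"][r["method"]] += 1
        s["first"] = min(s["first"], r["when"])
        s["last"] = max(s["last"], r["when"])
    return out


def flag_sources(summary, min_attempts=3, window_seconds=60):
    """Sources that sent at least min_attempts odd requests inside window_seconds."""
    flagged = []
    for src, s in summary.items():
        span = (s["last"] - s["first"]).total_seconds()
        if s["count"] >= min_attempts and span <= window_seconds:
            flagged.append(src)
    return sorted(flagged)


def describe(summary):
    """Human-readable report, busiest source first."""
    lines = []
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        methods = ", ".join(f"{m} x{n}" for m, n in s["methods"].most_common())
        note = ""
        if "CONNECT" in s["methods"]:
            note = "  (CONNECT to an external host: open-proxy probe, refused by HS)"
        lines.append(f"{src}: {s['count']} request(s) "
                     f"{s['first']:%b-%d %H:%M:%S}..{s['last']:%H:%M:%S} [{methods}]{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print(describe(summary))
    print("burst sources:", flag_sources(summary))
```

Run against a real HS log, the same `parse_log` works on the file contents; the thresholds in `flag_sources` are the knobs to tune so that a family member's misbehaving browser does not get flagged alongside a scanner sending three CONNECTs in twelve seconds.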


                                #90
                                Originally posted by rprade View Post
                                I know you were addressing Pete...

                                I built my own pfSense appliance using a Sophos XG Intel appliance. It is the same as this, http://www.ebay.com/itm/Sophos-XG-In...kAAOSwUKxYhWc6 but I bought mine bare from an Amazon vendor. I added RAM and an SSD and installed pfSense from their latest build.

                                I first tried a Ubiquiti Edgerouter, but it was really limited. You couldn't easily add an IP reservation without having the device connected. It didn't work with NAT reflection (loopback) and it was too locked down.

                                I switched to this pfSense solution and couldn't be happier. It is an appliance - it just sits there and works. Configuration is a breeze, expandability is amazing and the resources are plentiful. It has a number of choices for VPN solutions and supports several DDNS providers.

                                There are a number of similar appliances you can install pfSense on and they offer some canned solutions of their own. The appliance I built ended up costing me a little less than the one in the link above, but is about half the price and more powerful than the SG-2440 from Netgate (pfSense). It runs at about 8-10 watts.

                                I even built a pfSense VM running under Hyper-v, then restored the configuration from my appliance to it. I just needed to assign the server NICs to it and it was up and running. Then I parked the VM and went back to the appliance. Now I have a backup plan in case the appliance fails.

                                It will run on virtually any hardware with at least 2 NICs.

                                In my opinion, there may be equal solutions to pfSense, but none are better. We were running a Nighthawk R7000 before the switch to the pfSense appliance and 3 Ubiquiti UAP-AC-Pro access points. Every aspect of my network is faster, more reliable and easier to configure. Best move we have made.
                                @rprade

                                Ok, I'm ready for this to be my next big project. pfSense looks good from all that I have seen. The appliance you referenced on eBay looks nice too. I'm a Windows guy so an appliance might shield me from a steep learning curve. My last technical involvement with Unix was AIX and HP-UX probably 20 years ago. Not really interested in investing the time to get back up to speed.

                                I did read that after ver 2.3 of pfSense, it will only run on some types of hardware. From what I could tell, it is basically that you have to run 64 bit. In regards to making sure any hardware purchase would support future versions, do you have any input?

                                Is there a proper sub forum on HS to discuss pfSense?
