
Forum Moderators: Ocean10000

URI: ./ ./ mnt/ custom/ ProductDefinition

DVR remote code execution

     
3:15 am on Sep 8, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2055
votes: 2


Spaces added to Subject to pass muster weren't enough. So picture this:

dotdot/dotdot/mnt/custom/ProductDefinition

Not a bot or spider per se but now that I've seen hundreds of those in a week I thought I'd mention it. The URI first appeared on Aug. 30th with no UA at all, and always Apache-flagged as a 400 error because of "erroneous characters after protocol string".

The majority of the hits are singles, but some number up to five in six minutes, and getting worse. Plus multiple same-Host static addresses suggest some ISPs may be affected. To date, most addresses have been in South America.

I've blocked slashdot patterns forever, but in case you don't, you might want to start -- and check your DVR brand. Here's more info about the exploit's possible origin(s) and actual existence:

"Unidentified Scanning Activity" [isc.sans.edu...]

"HiSilicon DVR Devices - Remote Code Execution" [exploit-db.com...]
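A log check for the pattern described in the post above, as an added example that is not part of the original post: it scans Apache access-log lines for the dot-dot `mnt/custom/ProductDefinition` request and reports, per source address, the hit count and the largest burst inside six minutes. The log lines, the addresses and the exact shape of the request string are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Prefix of Apache's common/combined log format. The request field is kept
# raw because malformed probes do not split cleanly into method/target/protocol.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
# One or more "../" segments followed by the path named in the post.
PROBE = re.compile(r'(?:\.\./)+mnt/custom/ProductDefinition')
WINDOW = timedelta(minutes=6)

def find_probes(lines):
    """Return {ip: [timestamps]} for requests containing the probe path."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or not PROBE.search(m["req"]):
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return dict(hits)

def max_burst(timestamps, window=WINDOW):
    """Largest number of hits that fall inside any single `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def summarize(lines):
    """Return {ip: (total_hits, max_hits_within_window)}."""
    return {ip: (len(ts), max_burst(ts)) for ip, ts in find_probes(lines).items()}

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [30/Aug/2019:03:10:01 +0000] "GET ../../mnt/custom/ProductDefinition HTTP" 400 226 "-" "-"',
    '198.51.100.4 - - [30/Aug/2019:03:11:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Aug/2019:03:12:30 +0000] "GET ../../mnt/custom/ProductDefinition HTTP" 400 226 "-" "-"',
    '192.0.2.44 - - [30/Aug/2019:03:14:10 +0000] "GET ../../mnt/custom/ProductDefinition HTTP" 400 226 "-" "-"',
    '203.0.113.7 - - [30/Aug/2019:03:15:59 +0000] "GET ../../mnt/custom/ProductDefinition HTTP" 400 226 "-" "-"',
    '203.0.113.7 - - [30/Aug/2019:03:30:00 +0000] "GET ../../mnt/custom/ProductDefinition HTTP" 400 226 "-" "-"',
]

if __name__ == "__main__":
    for ip, (total, burst) in summarize(SAMPLE).items():
        print(f"{ip}: {total} hits, up to {burst} within 6 minutes")
```
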
 
