
Foscam Dialing Out to Suspect Hosts


Re: Foscam Dialing Out to Suspect Hosts

Postby olddawgpowers » Tue Dec 15, 2015 12:05 pm

I would also like to know how to view a NAT Table? I have a TP Link C9 router, but don't see anything showing that kind of information.
olddawgpowers
 
Posts: 10
Joined: Tue Dec 24, 2013 11:21 am

Re: Foscam Dialing Out to Suspect Hosts

Postby drooler » Tue Dec 15, 2015 12:57 pm

VidSurCT wrote: Very informative posts, thank you gentlemen. What hardware/software are you using to generate the NAT tables? How did you first notice the dialing home? My home LAN is pretty locked down as far as incoming traffic, but I don't see any way to monitor "outgoing".


The NAT table is generated by the router and can be seen by logging onto the router. I have a Q1000 Action Tech Router. The NAT table shows the LAN address source address with port number translated to the WAN address destination with port number.

I noticed the dialing home (for a better term) because of a warning message on the router modem status page that excessive RAM was being used and to check the LAN for viruses. I then noticed the high number of sessions on just the addresses for the cameras. I turned the cameras off and the traffic would decrease and the RAM message would go away.

My router does have some advanced programming options. In the cameras I had already turned off or made sure it was turned off most of the options mentioned above (DDNS, UPnP, PPPoE, Email Server), but was still getting lots of unwanted sessions. I just turned off P2P and that helped a lot too but still did not resolve the issue. I use Blue Iris for the centralized Security system but that does not have anything to do with the cameras.

I noticed repeated unwanted sessions coming from the cameras from port 59932 to 10001 on every WAN ip address that was giving me problems. I enabled advanced firewall functions on the router and turned off the above ports for both in and out traffic. I now don't see any of the NAT issues in the table. I did not disable the ports normally used for internet traffic or the ports used for time synchronization, which I recall was 123. I also disabled the port (can't remember number) the cameras were contacting for Google DNS. My ISP provides DNS and I left those ports open.

So in essence I am now blocking incoming and outgoing traffic at the router level. IP filtering at the router or even using the camera filtering option did not work. Disabling the ports using the router has worked.

Unfortunately, the cameras are still trying to establish these connections to my knowledge. Thus the root cause of the problem still exists and is causing high network overhead. As soon as I turn off the advanced router filtering the cameras open new unwanted sessions.

I opened up a problem with Foscam tech support over a week ago but never received a reply except to acknowledge the ticket was opened. Very disappointing.

I opened a trouble ticket with my ISP which is CTL but they don't support the advanced programming on the router.

I downloaded Sharkwire network analysis software to see if it can monitor the cameras' traffic. I really don't have much free time to learn this program. I was a Cisco network engineer/Check Point firewall engineer long ago. My network skills are rusty but it is coming back. These cameras were purchased in the last year. I upgraded the firmware to the latest on those cameras that can be easily moved to make an Ethernet connection. Other new cameras are mounted up 3 stories above the ground and a real pain to access to upgrade.

I have copies of the NAT tables saved and intend on contacting an author that has written about Foscam security issues. Maybe he can be of some help. What is happening with these cameras is very odd to me and worries me the camera software is compromised or is programmed to contact these remote destinations. Got me.
Last edited by drooler on Tue Dec 15, 2015 5:23 pm, edited 1 time in total.
drooler
 
Posts: 44
Joined: Tue Dec 08, 2015 9:55 am

Re: Foscam Dialing Out to Suspect Hosts

Postby drooler » Tue Dec 15, 2015 1:45 pm

olddawgpowers wrote: I would also like to know how to view a NAT Table? I have a TP Link C9 router, but don't see anything showing that kind of information.


My Qwest Q1000 router can be logged onto as an administrator.

Under the Modem Status page there are several sub pages you can click on. The NAT table page shows the LAN to WAN translation table. You can also click on the Modem Table page which shows the number of sessions by device on the LAN. For example, before setting up the port filtering, a H.264 camera would have perhaps 20 sessions established. I could then look at the NAT table and see several remote destination addresses in session. I then used this URL to find out who the destination address was registered to: http://whatismyipaddress.com/ip-lookup

After implementing port filtering on the router, I now only have 1 or 2 sessions per camera. Those are established to legitimate locations like the University of Colorado for time synchronization because I left that option enabled on the cameras.

You should be able to search on the internet for a manual that shows screen pages of options for your router. I would also suggest if you got the router from your ISP looking at their support page for the manual.

The NAT table does not show me what traffic is being filtered (rejected) from the camera to the router since there is not a translation to the WAN. That is why I plan to use the network monitor software to actually look at the camera traffic generated at the camera network interface level.

Are we having fun yet?

Got to run.
drooler
 
Posts: 44
Joined: Tue Dec 08, 2015 9:55 am
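
Added example, not part of drooler's post or any other post in this thread: a short Python script that does the per-device session count and destination review described above on a saved NAT table. The line layout, the LAN and WAN addresses and the allow-list are assumptions; the sample table is constructed.

```python
from collections import defaultdict

# Constructed sample; the "proto lan_ip:port -> wan_ip:port" layout is an assumption.
SAMPLE_NAT_TABLE = """\
udp 192.168.0.50:59932 -> 198.51.100.7:10001
udp 192.168.0.50:59932 -> 198.51.100.8:10001
udp 192.168.0.50:59932 -> 203.0.113.20:10001
udp 192.168.0.50:40123 -> 192.0.2.123:123
udp 192.168.0.51:59932 -> 198.51.100.7:10001
tcp 192.168.0.10:51515 -> 192.0.2.80:443
"""

# Assumptions: these LAN hosts are the cameras, and they only need NTP (UDP 123).
CAMERAS = {"192.168.0.50", "192.168.0.51"}
ALLOWED_CAMERA_PORTS = {("udp", 123)}


def parse_line(line):
    """Return (proto, lan_ip, lan_port, wan_ip, wan_port), or None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    try:
        lan_ip, lan_port = parts[1].rsplit(":", 1)
        wan_ip, wan_port = parts[3].rsplit(":", 1)
        return parts[0].lower(), lan_ip, int(lan_port), wan_ip, int(wan_port)
    except ValueError:
        return None


def summarise(table_text):
    """Count sessions per LAN host; collect camera sessions to unexpected ports."""
    sessions = defaultdict(int)
    suspect = defaultdict(set)
    for line in table_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        proto, lan_ip, _, wan_ip, wan_port = entry
        sessions[lan_ip] += 1
        if lan_ip in CAMERAS and (proto, wan_port) not in ALLOWED_CAMERA_PORTS:
            suspect[lan_ip].add((proto, wan_ip, wan_port))
    return dict(sessions), {ip: sorted(s) for ip, s in suspect.items()}


if __name__ == "__main__":
    counts, flagged = summarise(SAMPLE_NAT_TABLE)
    for ip, n in sorted(counts.items()):
        print(ip, n, "sessions; unexpected:", flagged.get(ip, []))
```

As the post notes, a NAT table only lists translated sessions, so traffic the router already rejects never appears in this summary.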

Re: Foscam Dialing Out to Suspect Hosts

Postby olddawgpowers » Tue Dec 15, 2015 5:22 pm

My TP-Link C9 doesn't appear to have the option in the router. The only thing that shows in the System Log is the DHCP connections. Maybe I am missing something?
olddawgpowers
 
Posts: 10
Joined: Tue Dec 24, 2013 11:21 am

Re: Foscam Dialing Out to Suspect Hosts

Postby VidSurCT » Tue Dec 15, 2015 11:54 pm

Thanks for the replies. My Uverse router/modem is limited. I am able to lock down my wifi devices by MAC and close all INCOMING ports. I just can't see outgoing info. Uverse combines the modem/router/wifi in one unit. I definitely preferred the old school setup where the modem was separate and you supplied the router.

My main concern is that I read that foscam Dyndns services remain active even if disabled after setup---Until your IP address changes. I forgot about this until I stumbled upon this forum, which re-ignited my concern. My other "simpler" ip cameras don't have the communication capabilities of the foscams as they are not designed to be used as a standalone IP camera. I only have a few foscams left in my system (most replaced with commercial grade POE) but still, security of my system is important. And those little foscams with their Pan/tilt, two way audio, wifi, and price are hard to throw away. But if they are dialing out and the DynDns is still active due to no ip change, isn't that a security issue? Hopefully the same does not apply to disabling UPNP. I have always worried about back end access to my foscams even with the necessary security precautions taken (passwords, upnp disabled, dyndns disabled, etc).
VidSurCT
 
Posts: 2
Joined: Tue Dec 15, 2015 10:23 am

Re: Foscam Dialing Out to Suspect Hosts

Postby drooler » Wed Dec 16, 2015 11:58 am

VidSurCT wrote: Thanks for the replies. My Uverse router/modem is limited. I am able to lock down my wifi devices by MAC and close all INCOMING ports. I just can't see outgoing info. Uverse combines the modem/router/wifi in one unit. I definitely preferred the old school setup where the modem was separate and you supplied the router.

My main concern is that I read that foscam Dyndns services remain active even if disabled after setup---Until your IP address changes. I forgot about this until I stumbled upon this forum, which re-ignited my concern. My other "simpler" ip cameras don't have the communication capabilities of the foscams as they are not designed to be used as a standalone IP camera. I only have a few foscams left in my system (most replaced with commercial grade POE) but still, security of my system is important. And those little foscams with their Pan/tilt, two way audio, wifi, and price are hard to throw away. But if they are dialing out and the DynDns is still active due to no ip change, isn't that a security issue? Hopefully the same does not apply to disabling UPNP. I have always worried about back end access to my foscams even with the necessary security precautions taken (passwords, upnp disabled, dyndns disabled, etc).


I received an initial reply from tech support. They suggested I work with my ISP to block all of the destination addresses and that they are not aware of any similar problems. IMO, the problem is from the cameras but until I can get Sharkwire network monitoring software up and running to trap packets and look at what is happening. I have copies of the NAT tables when the problem was happening. Besides, other users are complaining about the same ports causing problems which are not used by any common services I could find. That is why it was easy to block those ports via the router without stopping needed services.

I will be buying POE cameras from now on considering you are not supposed to upgrade software via wireless. I have some cameras that are up 3 stories and it is now snowing here. LOL. I also upgraded via ISP to a static IP address to avoid DNS/IP change issues for $10 a month. I could have used an outside source to update DNS but it was just as expensive. I use BI software and only have one device that accesses the software so it is easy to track log ins. I did try IP filtering in both the camera and router but it only blocks incoming traffic not outgoing. My router also allows me to block traffic by port numbers for both in or out sessions and that DID work on the ports that were associated with the undesired destination servers I looked up. The port numbers I blocked were source 55932 (camera) and destination (remote server) 10001.

I have been checking my NAT table after blocking and not one translation from any of the cameras is present in the router list. This is good because the camera is now just communicating with my LAN so the filtering to the WAN on above ports is working. The exception is occasionally the cameras establish sessions with NIST for time synchronization, which is OK and it shows up in the NAT table. My router RAM has decreased from 83 percent down to 62 percent and the LAN virus warning message is gone.

So my next step will be to wait for tech support's reply. I also plan to get Sharkwire up and running. I may also contact some security engineers to look at the traffic. I am also going to buy another router to break up the network with cameras on one side with BI webserver and my private network on the other. In essence, set up a DMZ. The new router will have more advanced programming too. I will let you know what tech support's reply is. Regards.
drooler
 
Posts: 44
Joined: Tue Dec 08, 2015 9:55 am

Re: Foscam Dialing Out to Suspect Hosts

Postby dannyo » Mon Dec 21, 2015 1:28 am

Any news from tech support on your issue? My FI9803P does the same.
My router allows me to view logs that show web activity along with system logs, etc. Yes my FI9821W V2 dest port 123 (time only) Fi9803P goes out on port 10001 to various ip's and port 123 for NTP.......
I've blocked outbound port 10001 and checked my logs, router blocks it...
My resource log shows that cpu utilization and low mem usage/utilization for the outbound request by the camera every few seconds......
I read somewhere in this forum that port 10001 is used by the cams with a "P" designation using that port for the P2P scan function....not sure though, Nice if Foscam could post something about it as I'm sure all others are doing the same.
dannyo
 
Posts: 225
Joined: Tue Jan 08, 2013 11:22 pm

Re: Foscam Dialing Out to Suspect Hosts

Postby drooler » Tue Dec 22, 2015 2:51 pm

dannyo wrote: Any news from tech support on your issue? My FI9803P does the same.
My router allows me to view logs that show web activity along with system logs, etc. Yes my FI9821W V2 dest port 123 (time only) Fi9803P goes out on port 10001 to various ip's and port 123 for NTP.......
I've blocked outbound port 10001 and checked my logs, router blocks it...
My resource log shows that cpu utilization and low mem usage/utilization for the outbound request by the camera every few seconds......
I read somewhere in this forum that port 10001 is used by the cams with a "P" designation using that port for the P2P scan function....not sure though, Nice if Foscam could post something about it as I'm sure all others are doing the same.


You may want to read this thread too, if not already done.

post70264.html#p70264
drooler
 
Posts: 44
Joined: Tue Dec 08, 2015 9:55 am

Re: Foscam Dialing Out to Suspect Hosts

Postby jpiszcz » Sat Dec 26, 2015 7:24 am

Hi,

Also seeing the same thing, confirmed P2P, DynDNS all other services are disabled and it is still reaching out to these hosts (see image). Was curious if anyone heard anything from Foscam?

Justin.
jpiszcz
 
Posts: 5
Joined: Wed Jul 27, 2011 5:32 pm

Re: Foscam Dialing Out to Suspect Hosts

Postby hokie21 » Sat Dec 26, 2015 10:59 pm

I turned P2P off and stopped seeing any messages to these addresses:
23.234.53.61
23.234.53.67
176.58.116.160     li503-160.members.linode.com
50.7.176.18          vigothaiclub.info
50.7.114.59 
168.1.83.89          59.53.01a8.ip4.static.sl-reverse.com
50.7.44.82            vpnbaron.com
50.7.124.48


It is interesting to note that the UDP messages to each of the above addresses are identical. When allowed to communicate, each of the above addresses returned an identical message to my camera. Communication seemed to happen every 40 seconds.


I am still seeing messages to these addresses:
50.19.254.134    ec2-50-19-254-134.compute-1.amazonaws.com (https connection)
74.125.31.99    (http)
46.137.188.54     m3.iotcplatform.com (http connection)
46.137.188.54     ec2-46-137-188-54.eu-west-1.compute.amazonaws.com (http connection)


Other reports of similar issues with other products: https://thecomputerperson.wordpress.com/2015/05/03/compromised-or-suspicious-swann-dvr-traffic/ and
http://www.thewolfofit.net/wolf/wtf-were-they-thinking/ip-cameras-thanks-for-the-hack-jack/
hokie21
 
Posts: 2
Joined: Sat Dec 26, 2015 10:26 pm
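
Added example, not part of hokie21's post or any other post in this thread: a Python sketch that looks for the pattern reported above in a packet capture, namely an identical UDP payload sent to several destinations at a fixed interval of about 40 seconds. The record format, the thresholds and every address and payload in the sample are constructed assumptions.

```python
import hashlib
from collections import defaultdict
from statistics import median


def make_sample():
    """Constructed capture of (seconds, dst_ip, udp_payload); not real traffic."""
    pkts = []
    for i in range(6):  # same datagram to three hosts, repeated every 40 s
        for n, dst in enumerate(("198.51.100.7", "198.51.100.8", "203.0.113.20")):
            pkts.append((i * 40.0 + n * 0.1, dst, b"constructed-hello"))
    for t in (1.0, 2.0, 50.0, 51.0, 200.0):  # same payload, irregular timing
        pkts.append((t, "192.0.2.53", b"same"))
    for t, size in ((3.0, 10), (5.5, 90), (61.0, 40), (62.0, 7)):  # varying payload
        pkts.append((t, "192.0.2.80", bytes(size)))
    return pkts


def find_beacons(packets, min_count=4, max_jitter=2.0):
    """Return {payload_digest: {dst_ip: period_s}} for fixed-payload periodic flows."""
    by_dst = defaultdict(list)
    for ts, dst, payload in packets:
        by_dst[dst].append((ts, hashlib.sha256(payload).hexdigest()[:12]))
    beacons = defaultdict(dict)
    for dst, seen in by_dst.items():
        seen.sort()
        digests = {d for _, d in seen}
        if len(seen) < min_count or len(digests) != 1:
            continue  # too few packets, or the payload changes between packets
        gaps = [b[0] - a[0] for a, b in zip(seen, seen[1:])]
        period = median(gaps)
        if all(abs(g - period) <= max_jitter for g in gaps):
            beacons[digests.pop()][dst] = period
    return dict(beacons)


def shared_payload_groups(beacons):
    """Keep payloads that are beaconed to more than one destination."""
    return {h: sorted(d) for h, d in beacons.items() if len(d) > 1}


if __name__ == "__main__":
    for digest, dsts in shared_payload_groups(find_beacons(make_sample())).items():
        print(digest, "->", dsts)
```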
