Foscam Dialing Out to Suspect Hosts


Postby parsoli » Fri Nov 13, 2015 11:04 am

Wow, to register for this forum, I had to google search for Foscam's location? Why not put HOUSTON in your ABOUT or CONTACT US webpage? Good lord....

Bought a Foscam. Worst decision this year so far and it's November. F8921p. Disabled UPnP, DDNS, P2P, etc....isolated the heck out of it on my LAN. Running latest firmware, etc...rebooted multiple times and ensured all of these lovely services that "Call Home" were disabled.

My firewall captures a ton of data.

Below, you will see that the Foscam is reaching out to no less than 5 different hosts across the globe. One of them referred to as vigothaiclub.info

So, of course, I have had to block this transmission of data as I did not tell Foscam it could call home to anyone. These "pings" to port 10001 hosts over UDP happen a few times every 10-15 seconds. What's also interesting is, these hosts are trying to hit MY firewall from the outside with the same frequency.

I have scoured this forum and find many people referencing the same thing, however Foscam is NOT answering the question about why these hosts are continuously being contacted or trying to make contact with my product which states it allows me to turn off PnP functionality.

I would like an answer, Foscam, as to why this is occurring.


09:53:48 Packet filter rule #5 UDP
192.168.1.50 : 59950

50.7.176.18 : 10001

len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
09:53:48 Packet filter rule #5 UDP
192.168.1.50 : 59950

50.7.114.59 : 10001

len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
09:53:48 Packet filter rule #5 UDP
192.168.1.50 : 59950

23.234.53.67 : 10001

len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
09:53:48 Packet filter rule #5 UDP
192.168.1.50 : 59950

23.234.53.61 : 10001

len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
09:53:48 Packet filter rule #5 UDP
192.168.1.50 : 59950

176.58.116.160 : 10001

len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
09:54:28 Packet filter rule #5 UDP
192.168.1.50 : 59950

50.7.176.18 : 10001

len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
09:54:28 Packet filter rule #5 UDP
192.168.1.50 : 59950

50.7.114.59 : 10001

len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
09:54:28 Packet filter rule #5 UDP
192.168.1.50 : 59950

23.234.53.67 : 10001

len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
09:54:28 Packet filter rule #5 UDP
192.168.1.50 : 59950

23.234.53.61 : 10001

len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
09:54:28 Packet filter rule #5 UDP
192.168.1.50 : 59950

176.58.116.160 : 10001

len=88 ttl=63 tos=0x00 srcmac=e8:a
parsoli
 
Posts: 2
Joined: Fri Nov 13, 2015 10:55 am
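
For readers who want to confirm this kind of pattern from their own firewall log, the Python below (an added example, not part of any post in this thread) parses entries in the layout shown above, whether each entry sits on one line or is wrapped over several, and reports LAN hosts that contact an outside host at a near-constant interval. The LAN range, thresholds, function names and sample destinations (documentation addresses) are assumptions, and entries are assumed to be in time order.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

LAN = ip_network("192.168.1.0/24")  # assumption: LAN inferred from the 192.168.1.50 source
# One entry, whether on a single line or wrapped over several; the arrow is optional.
ENTRY = re.compile(
    r"(\d\d):(\d\d):(\d\d) Packet filter rule #\d+ (\w+)\s+"
    r"([\d.]+) : (\d+)\s+(?:->\s+)?([\d.]+) : (\d+)\s+len=\d+"
)

# Constructed sample; destinations are documentation addresses, not hosts from the thread.
SAMPLE_LOG = """\
09:53:48 Packet filter rule #5 UDP 192.168.1.50 : 59950 -> 198.51.100.7 : 10001 len=88 ttl=63
09:53:48 Packet filter rule #5 UDP 192.168.1.50 : 59950 -> 203.0.113.9 : 10001 len=88 ttl=63
09:54:02 Packet filter rule #5 TCP 192.168.1.20 : 40112 -> 203.0.113.80 : 443 len=60 ttl=63
09:54:28 Packet filter rule #5 UDP
192.168.1.50 : 59950
198.51.100.7 : 10001
len=88 ttl=63
09:54:28 Packet filter rule #5 UDP 192.168.1.50 : 59950 -> 203.0.113.9 : 10001 len=88 ttl=63
09:55:08 Packet filter rule #5 UDP 192.168.1.50 : 59950 -> 198.51.100.7 : 10001 len=88 ttl=63
09:55:09 Packet filter rule #5 UDP 192.168.1.50 : 59950 -> 203.0.113.9 : 10001 len=88 ttl=63
"""

def parse(text):
    """Yield (seconds_since_midnight, proto, src, dst, dport) for each log entry."""
    for m in ENTRY.finditer(text):
        h, mi, s, proto, src, _sport, dst, dport = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + int(s), proto, src, dst, int(dport)

def find_beacons(text, min_hits=3, max_jitter=2):
    """Map (src, dst, proto, dport) to its interval in seconds for periodic outbound flows."""
    seen = defaultdict(list)
    for t, proto, src, dst, dport in parse(text):
        if ip_address(src) in LAN and ip_address(dst) not in LAN:
            seen[(src, dst, proto, dport)].append(t)
    beacons = {}
    for flow, times in seen.items():
        # The log carries no date, so take gaps modulo one day to survive midnight.
        gaps = [(b - a) % 86400 for a, b in zip(times, times[1:])]
        if len(times) >= max(min_hits, 2) and max(gaps) - min(gaps) <= max_jitter:
            beacons[flow] = median(gaps)
    return beacons

if __name__ == "__main__":
    for flow, interval in find_beacons(SAMPLE_LOG).items():
        print(flow, f"repeats about every {interval:g}s")
```
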

Re: Foscam Dialing Out to Suspect Hosts

Postby rbodom » Sun Nov 15, 2015 11:31 am

I had cut off anything that should have caused the camera to 'phone home', but it still insisted on sending out udp 10001 to several different IPs. My router blocked the incoming responses, so no conversation was actually created, but my firewall was reporting about 16k attempted connections (4k to each of 4 different IPs).

Finally got tired of the 'false positive' firewall reporting on Foscam attempted connections so I added:
iptables -I FORWARD -p udp --dport 10001 -j DROP
to my router. Now any conversation attempting to use udp 10001 cannot get into my network, or out of my network.
rbodom
 
Posts: 12
Joined: Wed Jun 12, 2013 7:54 am

Re: Foscam Dialing Out to Suspect Hosts

Postby parsoli » Mon Dec 07, 2015 8:26 pm

Thanks Don the TheUberOverLord for removing my other post on this subject. Not sure why you considered it double, but hey, you're the Overlord.

What concerns me is why the camera is making these connections and Foscam technical support (both tiers, I only know of two) are denying them. This should be concerning to all Foscam camera users. While blocking all inbound and outbound on port 10001 helps mask the issue, it's still an issue.

Oh well, looking forward to Don removing this response. Hope you sleep well pal.




19:24:12 Packet filter rule #5 UDP 192.168.1.50 : 59950 -> 50.7.114.59 : 10001 len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
19:24:12 Packet filter rule #5 UDP 192.168.1.50 : 59950 -> 23.234.53.67 : 10001 len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
19:24:12 Packet filter rule #5 UDP 192.168.1.50 : 59950 -> 23.234.53.61 : 10001 len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
19:24:12 Packet filter rule #5 UDP 192.168.1.50 : 59950 -> 176.58.116.160 : 10001 len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
19:24:12 Packet filter rule #5 UDP 192.168.1.50 : 59950 -> 50.7.176.18 : 10001 len=88 ttl=63 tos=0x00 srcmac=e8:ab:fa:52:12:23 dstmac=00:50:56:8f:c0:1b
parsoli
 
Posts: 2
Joined: Fri Nov 13, 2015 10:55 am

Re: Foscam Dialing Out to Suspect Hosts

Postby TheUberOverLord » Mon Dec 07, 2015 8:38 pm

parsoli wrote:Thanks Don the TheUberOverLord for removing my other post on this subject. Not sure why you considered it double, but hey, you're the Overlord.

Your "duplicate" post was character for character the same as the one here. I compared the two posts side by side and determined they were exactly the same and had no differences in post content, which was why that "duplicate" post was deleted.

If everyone did the same, there would be double the amount of posts in the forum, but only 50 percent of those posts would be different from each other.

Please email tech@foscam.com with your IP Camera settings that are disabled, telling them you still see what you do.

They have stated to me, that if all your settings like DDNS, p2p, time syncing with a remote time server and UPnP are truly disabled? That you should not be seeing what you say you are.

This is why they wish to work directly with you to isolate why you are seeing what you are, when they say you should not be seeing what you are if all the proper camera settings are disabled.

Don
TheUberOverLord
 
Posts: 13091
Joined: Fri Jun 22, 2012 11:52 pm

Re: Foscam Dialing Out to Suspect Hosts

Postby drooler » Tue Dec 08, 2015 10:31 am

In the above comments the uberlord stated:

"They have stated to me, that if all your settings like DDNS, p2p, time syncing with a remote time server and UPnP are truly disabled? That you should not be seeing what you say you are."

Is there any update on this problem since it was originally posted in mid November? I am not concerned with turning off remote time server but do all of the above services also need to be turned off?

My question is why are these servers being contacted in the first place? A couple of the sites were Alibaba? Is marketing usage information being supplied to them or something?
drooler
 
Posts: 44
Joined: Tue Dec 08, 2015 9:55 am

Re: Foscam Dialing Out to Suspect Hosts

Postby TheUberOverLord » Tue Dec 08, 2015 12:09 pm

drooler wrote:In the above comments the uberlord stated:

"They have stated to me, that if all your settings like DDNS, p2p, time syncing with a remote time server and UPnP are truly disabled? That you should not be seeing what you say you are."

Is there any update on this problem since it was originally posted in mid November? I am not concerned with turning off remote time server but do all of the above services also need to be turned off?

My question is why are these servers being contacted in the first place? A couple of the sites were Alibaba? Is marketing usage information being supplied to them or something?

Please see this:

foscam-dialing-out-to-suspect-hosts-t17699.html#p69889

Note: Your other post here was deleted because it was a duplicate post.

Don
TheUberOverLord
 
Posts: 13091
Joined: Fri Jun 22, 2012 11:52 pm

Re: Foscam Dialing Out to Suspect Hosts

Postby drooler » Tue Dec 08, 2015 1:18 pm

TheUberOverLord wrote:
drooler wrote:In the above comments the uberlord stated:

"They have stated to me, that if all your settings like DDNS, p2p, time syncing with a remote time server and UPnP are truly disabled? That you should not be seeing what you say you are."

Is there any update on this problem since it was originally posted in mid November? I am not concerned with turning off remote time server but do all of the above services also need to be turned off?

My question is why are these servers being contacted in the first place? A couple of the sites were Alibaba? Is marketing usage information being supplied to them or something?

Please see this:

foscam-dialing-out-to-suspect-hosts-t17699.html#p69889

Note: Your other post here was deleted because it was a duplicate post.

Don


Don:

I checked my cameras and DDNS and UPnP were already disabled. P2P is enabled. I noticed the email server was enabled so disabled it on both cameras. Most of the many open ports disappeared on the NAT table except for the University of Colorado for time synchronization. Interesting, none of the ports/IP addresses now point to the many overseas servers. I will probably turn off the NIST option just to see what happens later but I am not concerned with that function.

I have only one other open port (10001) remaining that I cannot explain. It is address 23.234.53.67 and is registered to Host space Network LLC in Rowland Heights, CA. Any idea what it is used for?
drooler
 
Posts: 44
Joined: Tue Dec 08, 2015 9:55 am

Re: Foscam Dialing Out to Suspect Hosts

Postby TheUberOverLord » Tue Dec 08, 2015 2:20 pm

drooler wrote:
TheUberOverLord wrote:
drooler wrote:In the above comments the uberlord stated:

"They have stated to me, that if all your settings like DDNS, p2p, time syncing with a remote time server and UPnP are truly disabled? That you should not be seeing what you say you are."

Is there any update on this problem since it was originally posted in mid November? I am not concerned with turning off remote time server but do all of the above services also need to be turned off?

My question is why are these servers being contacted in the first place? A couple of the sites were Alibaba? Is marketing usage information being supplied to them or something?

Please see this:

foscam-dialing-out-to-suspect-hosts-t17699.html#p69889

Note: Your other post here was deleted because it was a duplicate post.

Don


Don:

I checked my cameras and DDNS and UPnP were already disabled. P2P is enabled. I noticed the email server was enabled so disabled it on both cameras. Most of the many open ports disappeared on the NAT table except for the University of Colorado for time synchronization. Interesting, none of the ports/IP addresses now point to the many overseas servers. I will probably turn off the NIST option just to see what happens later but I am not concerned with that function.

I have only one other open port (10001) remaining that I cannot explain. It is address 23.234.53.67 and is registered to Host space Network LLC in Rowland Heights, CA. Any idea what it is used for?

It's best to follow what I said here and provide for review what camera settings you have disabled for your camera, directly with Foscam tech support ("The manufacturer"), as they have asked be done in a case like yours:

foscam-dialing-out-to-suspect-hosts-t17699.html#p69889

Don
TheUberOverLord
 
Posts: 13091
Joined: Fri Jun 22, 2012 11:52 pm

Re: Foscam Dialing Out to Suspect Hosts

Postby drooler » Thu Dec 10, 2015 1:34 pm

Thanks Don for your reply. I did some more testing last night and this morning. I wanted to post my analysis so far for other people that might be having this issue. Here is what was sent to tech support a little while ago:

I have been monitoring the NAT table since posting my server issue on the forum on Monday. I disconnected the two cameras last night and dumped the NAT table this morning after all of the sessions timed out overnight. Only this PC that I am writing on showed up in the NAT table. I turned off essentially all of the devices on the network.

So I then just turned on one of the cameras, the F19821P V2. The versions running are: SFV = 1.4.1.9, AFV = 2.14.1.10, PIV = 3.1.0.10

Please note all of my cameras were directly purchased from your site. I also have older cameras (MJPEG) which are not having any issues with flooding the network with sessions.

Within 5 minutes the NAT table was filled with translations to sites all over the world. This is a partial list of locations via information I looked up on IP lookup:

Chicago, ILL - FDCservers.net
London
Australia - Omniconnect pty ltd
Netherlands - VIA club
California - Defender (more than one IP address contacted)
Germany - FDC servers.net
China - Telecom S. Chuan Data Center
UK
Singapore - Amazon Web Services
Tokyo - Amazon Web Services
Dublin - Amazon Web Services
Mountain View, CA - Google
UK - Liso3-160.members.linode.com

I even noticed one of the other sites was in China at the FOSCAM manufacturing site.

I did not turn on the other camera F19804P (which also has current software) to keep the NAT table purposely small. LOL.

I checked services in both cameras. DDNS, UPnP, PPPoE are not enabled. I disabled the Email server function yesterday morning but no change in symptoms. I still have the NIST time function enabled which establishes a session with the University of Colorado - which is OK.

I even tried to stop the problem by setting up IP filtering in both cameras for every address in question. No success. I then tried blocking the same addresses in the CTL Q1000 DSL router. No success. I then removed my changes to IP filtering to set the cameras and router back to the normal configuration since IP filtering did not help.

It appears to me the cameras are establishing sessions and the router/camera filtering will not restrict outbound traffic. As far as I can tell my router does not have an option to restrict outbound traffic.

I am very concerned that the cameras' OS has been corrupted.

I decided to turn these cameras off until you can advise me of the cause. I also installed network traffic analysis software last night. I have not yet had an opportunity to review the tool.

I hope you can answer me quickly on this matter. It seems like a big security issue as other people are opening inquiries on the forum. I notice many of the same IP addresses are noted in other inquiries.

I can also email screen shots of the NAT table if you wish.

Thanks in advance.
drooler
 
Posts: 44
Joined: Tue Dec 08, 2015 9:55 am

Re: Foscam Dialing Out to Suspect Hosts

Postby VidSurCT » Tue Dec 15, 2015 10:28 am

Very informative posts, thank you gentlemen. What hardware/software are you using to generate the NAT tables? How did you first notice the dialing home? My home LAN is pretty locked down as far as incoming traffic, but I don't see any way to monitor "outgoing".
VidSurCT
 
Posts: 2
Joined: Tue Dec 15, 2015 10:23 am
