Hi there,
A customer contacted us yesterday and reported that his surveillance camera was suddenly no longer accessible via the iOS / Android app. According to the customer, the camera was connected to the router via LAN and previously connected via WLAN.
It was a Ctronics CTIPC-285C PTZ surveillance camera. The camera has three cables to work with.
- 1x RJ45
- 1x power
- 1x reset button
He also had an LTE router ZTE Telekom Speedbox 2 4G from Deutsche Telekom with a ZTE modem inside, as well as a notebook from his girlfriend with Windows 8, where he doesn't know the admin password.
We connected the camera to the power and then connected it to the LTE router via LAN. There was no light on the RJ45 port of the camera and the IR lights were not working, but the device was moving, so there was power. Then we connected the notebook to the LTE router, and that didn't work either. He was able to connect to the LTE router via WLAN without any problems. So the router had a problem with the LAN port, but WLAN does work.
Solution here was:
LTE router restarted, Windows 8 network adapter troubleshooting, DHCP server or IP address could not be retrieved correctly. Notebook and LTE router worked.
We couldn't get the surveillance camera to work. The reset button did nothing. We then took the surveillance camera with us to our office and connected power and LAN to our SOPHOS PoE switch, which is connected to a SOPHOS XGS. Suddenly the camera moved and even the IR lights went on. I was thinking maybe it's because of PoE, but the switch doesn't give power.
After it sounded like the neighbors were watching a comedy film, I unplugged the DSL cable from the DSL modem to make sure nothing undesirable would happen; sometimes offline is enough. We tried to scan the network completely with NMAP to determine if the camera is online and which ports are open.
The port scan felt like it was taking a long time, so we canceled the process and switched off the SOPHOS devices (XGS, switch, APX120). Later we wanted to start the SOPHOS XGS with the APX120 again; according to Sophos Central there was an update for the APX120 ready which it wanted to install. Since then I only get a yellow light on the APX120, maybe the update went wrong?
We couldn't get the surveillance camera to work. Via LAN or WLAN, it just didn't work. What can you assume about the device? Is it to be assumed here that the firmware could have been modified or that middleware could have been integrated?
How would an IT forensics expert proceed in this case? Maybe: SOPHOS XGS offline, block all traffic and then look at the log viewer to see which connections were blocked? Or how would you go about it?
Currently, according to NMAP:
The SOPHOS XGs runs under the IP 10.0.0.1
Command: nmap -T4 -A -v 10.0.0.1-255
Output:
Scanning 10.0.0.1 (SOPHOS XGs)
PORT STATE SERVICE VERSION
22/tcp open ssh Linksys WRT45G modified dropbear sshd (protocol 2.0)
25/tcp open smtp
53/tcp open domain?
443/tcp open ssl/https xxxx
3128/tcp open squid-http
4444/tcp open ssl/krb524
8090/tcp open ssl/ops messaging
Scanning 10.0.0.2 - My workstation
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
902/tcp open ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
912/tcp open vmware-auth VMware Authentication Daemon 1.0 (Uses VNC, SOAP)
3389/tcp open ssl/ms-wbt-server?
5000/tcp open ssl/upnp?
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Command: nmap -T4 -A -v 10.0.1.1-255
Output:
Scanning 10.0.1.1 - I don't know?
The same open ports as the IP 10.0.0.1
Scanning 10.0.1.255 - I don't know?
PORT STATE SERVICE VERSION
25/tcp open smtp
443/tcp open ssl/https xxxx
4444/tcp open ssl/krb524?
8090/tcp open ops messaging?
Running (JUST GUESSING): Google Android 7.X (97%), Linux 3.X (97%), Blue Coat embedded (97%), OneAccess embedded (95%), Polycom pSOS 1.X (95%), Wyse ThinOS 5.X (95%), AVtech embedded (89%)
OS CPE: cpe:/o:google:android:7.1.2 cpe:/o:linux:linux_kernel:3.10 cpe:/h:bluecoat:packetshaper cpe:/h:oneaccess:1641 cpe:/o:polycom:psos:1.0.4 cpe:/o:wyse:thinos:5.2
Aggressive OS guesses: Android 7.1.2 (Linux 3.10) (97%), Blue Coat PacketShaper appliance (97%), OneAccess 1641 router (95%), Polycom MGC-25 videoconferencing system (pSOS 1.0.4) (95%), Wyse ThinOS 5.2 (95%), AVtech Room Alert 26W environmental monitor (89%)
No exact OS matches for host (test conditions non-ideal).
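One way to carry out the "block all traffic, then read which connections were blocked" approach asked about above, as an added example that is not part of the original post: a small Python script that summarizes firewall deny-log lines for one suspect device, separating LAN destinations from internet destinations so that any phone-home attempts stand out. The key=value log format, the sample lines and the camera address 10.0.0.50 are constructed assumptions; the real Sophos XGS log viewer uses its own field names, so the regex must be adapted to whatever you export from it.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a generic key=value deny-log style (NOT the
# real Sophos XGS format). The camera is assumed to sit at 10.0.0.50.
SAMPLE_LOG = """\
2024-01-01T10:00:01 action=deny src=10.0.0.50 dst=10.0.0.1 dport=53 proto=udp
2024-01-01T10:00:02 action=deny src=10.0.0.50 dst=203.0.113.10 dport=32100 proto=udp
2024-01-01T10:00:03 action=deny src=10.0.0.50 dst=203.0.113.10 dport=32100 proto=udp
2024-01-01T10:00:04 action=deny src=10.0.0.50 dst=198.51.100.7 dport=443 proto=tcp
2024-01-01T10:00:05 action=allow src=10.0.0.2 dst=10.0.0.1 dport=443 proto=tcp
2024-01-01T10:00:06 action=deny src=10.0.0.50 dst=10.0.0.255 dport=8600 proto=udp
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)

# RFC 1918 ranges only; ipaddress.is_private would also count the
# documentation ranges used in the sample as "private", so check explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(ip):
    """True if the address falls into one of the RFC 1918 networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def parse_denies(log_text):
    """Yield (src, dst, dport, proto) for every denied connection in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("action") == "deny":
            yield m.group("src"), m.group("dst"), int(m.group("dport")), m.group("proto")

def summarize(log_text, device_ip):
    """Count blocked (dst, port, proto) tuples for one device, split LAN vs. internet."""
    local, external = Counter(), Counter()
    for src, dst, dport, proto in parse_denies(log_text):
        if src != device_ip:
            continue
        (local if is_lan(dst) else external)[(dst, dport, proto)] += 1
    return {"local": dict(local), "external": dict(external)}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, "10.0.0.50")
    for scope in ("external", "local"):
        print(f"{scope} destinations:")
        for (dst, dport, proto), n in sorted(report[scope].items(), key=lambda kv: -kv[1]):
            print(f"  {dst}:{dport}/{proto}  x{n}")
```

Repeated attempts to a single internet address on an unusual port, as in the constructed "external" section, are what you would then look up and compare against the vendor's documented cloud/P2P endpoints.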