Recently I noticed in my Blue Iris (security NVR software running on Windows 7) that I had numerous unknown logins from off-shore IP addresses (all over the world). The logs indicated that they were logging in using my main credentials.
After changing both the username and password, within a few hours, they were back in again. Clearly something was exposing my brand new creds.
I am using my VERA Plus to send wget HTTP commands to my BI server. That GET command contains credentials in the URL string:
Notice that the URL is a local LAN IP (not an exterior WAN address).
So I once again changed my main UN and PW, but this time, created a new one for the VP (something I should have done in the beginning). The new username was VERA.
Within a few hours, I had this:
10 6/22/2017 6:19:15 PM Server Connected: 22.214.171.124
10 6/22/2017 6:19:16 PM VERA 126.96.36.199: Login
10 6/22/2017 6:19:51 PM Server Connected: 188.8.131.52
10 6/22/2017 6:19:51 PM VERA 184.108.40.206: Login
No more logins on my main credentials. Only on those that I use in the LUUP code (which is fired by my PLEG scripts).
I have no clue how an outsider would be able to view this credential-containing URL given that it’s local - unless it’s being pushed to them by something on the VP, in the MIOS servers, or somewhere else in that chain.
Given that the intrusions are using ONLY the credentials that are in that string - and none of the other credentials used on the BlueIris server, I have to believe the compromise is somewhere in the VERA system.
Any ideas how to best resolve this? For now, I have disabled the VERA credentials on my BI machine, but that’s really crippled my system.
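The observation in the post (a LAN-only account like VERA appearing in Blue Iris logins from public addresses) can be checked mechanically against the log. The script below is an added example, not code from the post or from Blue Iris: it parses login lines in the format shown above, classifies each source address as LAN or non-LAN with the standard library, and reports the non-LAN addresses per user. The sample input reuses the four lines from the post plus one constructed LAN login from 192.168.1.50, an assumed local address that is not in the original.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the four Blue Iris log lines quoted in the post, plus
# one assumed legitimate LAN login (192.168.1.50 is made up for this example).
SAMPLE_LOG = """\
10 6/22/2017 6:19:15 PM Server Connected: 22.214.171.124
10 6/22/2017 6:19:16 PM VERA 126.96.36.199: Login
10 6/22/2017 6:19:51 PM Server Connected: 188.8.131.52
10 6/22/2017 6:19:51 PM VERA 184.108.40.206: Login
10 6/22/2017 6:20:05 PM VERA 192.168.1.50: Login
"""

# Matches "<seq> <m/d/yyyy h:mm:ss AM|PM> <user> <ipv4>: Login".
# "Server Connected:" lines do not match because no IP follows the "user" field.
LOGIN_RE = re.compile(
    r"^\d+\s+(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<user>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\s+Login\s*$"
)


def parse_logins(text):
    """Return (timestamp, user, ip) tuples for every login line in the log text."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append((m["ts"], m["user"], m["ip"]))
    return events


def is_lan(ip):
    """True for RFC 1918, loopback and link-local addresses; False for public ones."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


def suspicious_logins(text, lan_only_users):
    """Map each LAN-only user to the sorted list of non-LAN addresses that logged in as it.

    Users that only ever appear from LAN addresses are omitted from the result.
    """
    by_user = defaultdict(set)
    for _ts, user, ip in parse_logins(text):
        if user in lan_only_users and not is_lan(ip):
            by_user[user].add(ip)
    return {user: sorted(ips) for user, ips in by_user.items()}


if __name__ == "__main__":
    # The VERA account is only ever used by the Vera on the LAN, so any
    # non-LAN login with it means the credential has leaked.
    for user, ips in suspicious_logins(SAMPLE_LOG, {"VERA"}).items():
        print(f"{user}: logins from outside the LAN: {', '.join(ips)}")
```

Run it against an export of the Blue Iris log and pass every account that should only be used from inside the LAN in `lan_only_users`; an empty result means no off-LAN logins with those accounts, while the output above reproduces the situation in the post, where only VERA shows up from public addresses.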