10-20-2017 01:24 PM - edited 10-20-2017 01:44 PM
In the last month or so we have seen lots of network vulnerability scanning for the following 3 Threat IDs coming from all over the world.
- MVPower DVR TV Shell Unauthenticated Command Execution Vulnerability(30426)
- WebUI mainfile.php Arbitrary Command Injection Vulnerability(38836)
- Wireless IP Camera Pre-Auth Info Leak Vulnerability(33556)
We don't have products that would be vulnerable to these threats. A single scanning interval seems to always look for only these 3 threats all within a few seconds, coming from the same source IP, and attacking the same destination IP. Then several hours later plus or minus a few hours (seems random), another scan interval occurs, but with a different source IP (and likely different region), and attacking a different destination IP from the last time it occurred. Then it repeats.
Our action for these attacks is "reset-both". Should we be doing something different?
We find it strange that this is coming from several regions around the world. Are they all part of the same hacking group?
Has anyone else also seen this same pattern?
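
An added example, not part of the original post: one way to confirm the pattern described above from exported threat-log rows is to group hits by source/destination pair and flag bursts in which all three threat IDs fire within a few seconds. The row layout, the 10-second window and the sample rows are assumptions made for illustration; the IPs are documentation ranges.

```python
from datetime import datetime, timedelta

SCAN_SET = {30426, 38836, 33556}   # the three threat IDs named in the post
WINDOW = timedelta(seconds=10)     # assumption: "a few seconds" taken as 10 s

# Constructed rows (time, source IP, destination IP, threat ID). This layout is
# an assumption for the example, not a PAN-OS log export format.
SAMPLE = [
    ("2017-10-19 02:11:04", "198.51.100.7", "192.0.2.10", 30426),
    ("2017-10-19 02:11:05", "198.51.100.7", "192.0.2.10", 38836),
    ("2017-10-19 02:11:07", "198.51.100.7", "192.0.2.10", 33556),
    ("2017-10-19 05:40:00", "203.0.113.9", "192.0.2.10", 30426),   # lone hit
    ("2017-10-19 09:41:04", "203.0.113.55", "192.0.2.23", 33556),
    ("2017-10-19 09:41:05", "203.0.113.55", "192.0.2.23", 30426),
    ("2017-10-19 09:41:06", "203.0.113.55", "192.0.2.23", 38836),
]

def find_bursts(rows, window=WINDOW):
    """Bursts where one src->dst pair triggers every ID in SCAN_SET within window."""
    by_pair = {}
    for ts, src, dst, tid in rows:
        if tid in SCAN_SET:
            by_pair.setdefault((src, dst), []).append(
                (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), tid))
    bursts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        i = 0
        while i < len(events):
            start, j, seen = events[i][0], i, set()
            while j < len(events) and events[j][0] - start <= window:
                seen.add(events[j][1])
                j += 1
            if seen == SCAN_SET:       # full three-ID sweep from this source
                bursts.append({"start": start, "src": src, "dst": dst})
                i = j
            else:
                i += 1
    return sorted(bursts, key=lambda b: b["start"])

def gaps_hours(bursts):
    """Hours between consecutive bursts, to compare with the 'several hours' spacing."""
    return [round((b["start"] - a["start"]).total_seconds() / 3600, 2)
            for a, b in zip(bursts, bursts[1:])]

if __name__ == "__main__":
    found = find_bursts(SAMPLE)
    print(found, gaps_hours(found))
```

Each burst that comes back with a new source and destination at a multi-hour gap matches the rotation the post describes; partial hits such as the lone 30426 row are left out.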