Malwarebytes reporting ChannelsDVR IP as compromised

What's up with this?

Malwarebytes

-Log Details-
Protection Event Date: 12/6/21
Protection Event Time: 11:23 AM
Log File: d5f74b4c-56b0-11ec-bf3d-0433c23428fc.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.48242
License: Premium

-System Information-
OS: Windows 10 (Build 19043.1348)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\ProgramData\ChannelsDVR\latest\channels-dvr.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Compromised
Domain:
IP Address: 212.83.134.143
Port: 8089
Type: Inbound
File: C:\ProgramData\ChannelsDVR\latest\channels-dvr.exe

(end)

I don't recognize this IP. It says it's from France.

That looks like someone tried to exploit Channels but it got blocked.

Is this a normal path and EXE?

C:\ProgramData\ChannelsDVR\latest\channels-dvr.exe

The EXE details...

Yes that's all normal.

All this is saying is someone tried to make an inbound connection. The DVR would have rejected it because they're not logged in, but your firewall caught it first because it's a foreign IP.

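The triage in the reply above (an inbound attempt, which the DVR would have rejected, caught first by the web-protection filter) can be done mechanically from the report text. The Python below is an added example and is not code from Channels DVR or Malwarebytes: it parses the report exactly as posted (the report text and the IP, port and path are copied from the post, not constructed), classifies the event by the `Type` field, and checks the flagged file against the install path this thread confirms as normal. The section-and-key layout it assumes is the one visible in the posted report.

```python
"""Parse a Malwarebytes web-protection report and summarise what was blocked."""
import re
from dataclasses import dataclass
from typing import Dict

# Report text copied from the post above (the page's own values, not constructed).
REPORT = r"""
-Log Details-
Protection Event Date: 12/6/21
Protection Event Time: 11:23 AM
Log File: d5f74b4c-56b0-11ec-bf3d-0433c23428fc.json

-Blocked Website Details-
Malicious Website: 1
, C:\ProgramData\ChannelsDVR\latest\channels-dvr.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Compromised
Domain:
IP Address: 212.83.134.143
Port: 8089
Type: Inbound
File: C:\ProgramData\ChannelsDVR\latest\channels-dvr.exe

(end)
"""

# Install path the thread confirms as the normal location of the DVR service.
EXPECTED_EXE = r"C:\ProgramData\ChannelsDVR\latest\channels-dvr.exe"

# Assessment text keyed by the report's "Type" field.
INBOUND = ("Remote host connected to a port this machine was listening on; "
           "the local process did not initiate it. Confirm the process and path "
           "are the expected ones and that the service is not exposed by accident.")
OUTBOUND = ("Local process initiated a connection to a flagged address; "
            "confirm the process is legitimate and the destination is expected.")
UNKNOWN = "Direction not reported; inspect the raw event."


def parse_sections(report: str) -> Dict[str, Dict[str, str]]:
    """Split a Malwarebytes text report into {section: {key: value}}.

    Section headers look like '-Website Data-'; entries are 'Key: value'.
    The comma-separated detail row and the '(end)' marker carry no key and are skipped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"-(.+)-", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        if current is None or not line or line.startswith(","):
            continue
        # Split on the first colon only, so "11:23 AM" and "C:\..." survive intact.
        key, sep, value = line.partition(":")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


@dataclass
class Triage:
    direction: str
    category: str
    remote_ip: str
    port: int
    local_file: str
    expected_path: bool
    assessment: str


def triage(report: str, expected_exe: str = EXPECTED_EXE) -> Triage:
    """Build a one-look summary of the blocked connection from the report."""
    web = parse_sections(report).get("Website Data", {})
    direction = web.get("Type", "")
    local_file = web.get("File", "")
    if direction.lower() == "inbound":
        assessment = INBOUND
    elif direction.lower() == "outbound":
        assessment = OUTBOUND
    else:
        assessment = UNKNOWN
    return Triage(
        direction=direction,
        category=web.get("Category", ""),
        remote_ip=web.get("IP Address", ""),
        port=int(web.get("Port", "0") or 0),
        local_file=local_file,
        # Windows paths are case-insensitive, so compare case-folded.
        expected_path=local_file.lower() == expected_exe.lower(),
        assessment=assessment,
    )


if __name__ == "__main__":
    t = triage(REPORT)
    print(f"{t.direction} from {t.remote_ip} to port {t.port} ({t.category})")
    print(f"process: {t.local_file} (expected install path: {t.expected_path})")
    print(t.assessment)
```

Run stand-alone it prints the direction, remote address, port and category, whether the flagged executable is at the expected install path, and the matching assessment. The same parser works on the second report in the thread, since it uses the same section layout.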

Makes sense, thanks!!!

Yeah I am getting this too.

-Log Details-
Protection Event Date: 12/7/21
Protection Event Time: 9:13 AM
Log File: 37c1bde8-5770-11ec-b3cd-98eecb48ed8c.json

-Software Information-
Version: 4.4.11.149
Components Version: 1.0.1513
Update Package Version: 1.0.48284
License: Premium

-System Information-
OS: Windows 10 (Build 19044.1348)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\ProgramData\ChannelsDVR\latest\channels-dvr.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Compromised
Domain:
IP Address: 212.83.134.143
Port: 8089
Type: Inbound
File: C:\ProgramData\ChannelsDVR\latest\channels-dvr.exe

(end)

What is interesting to me is that this is coming from the same IP.


I believe one of our community members has been scanning the public internet to try and find DVR servers exposed to the internet… wouldn’t be shocked if these are related.

This looks like the IP has been categorized as suspicious and therefore blocked. My Ubiquiti UDM-P has long flagged some of the Channels IP addresses as high risk. I do not know if both share a common source threat/reputation feed, i.e. Webroot.

I think it is the category lookup rather than the direction of traffic that is specifically dropping the packet? I could very much be mis-reading though.