BlueIris.exe constantly sending to Amazon AWS ec2 instances

Pogo
Posts: 430
Joined: Tue Jul 18, 2023 7:21 pm
Location: Reportedly in the Area

Re: BlueIris.exe constantly sending to Amazon AWS ec2 instances

Post by Pogo »

Uhhh, close the freaking port?

And by what/whose SSL certificate are these connections being made?
Last edited by Pogo on Tue Mar 05, 2024 8:31 pm, edited 1 time in total.
TimG
Posts: 2181
Joined: Tue Jun 18, 2019 10:45 am
Location: Nottinghamshire, UK.

Re: BlueIris.exe constantly sending to Amazon AWS ec2 instances

Post by TimG »

With that response from Support, this does look like malware.

FWIW: After noticing foreign IP addresses trying to log in to my BI server a few years ago, I closed the ports, and used OpenVPN for remote access. It was a bear to set up and necessitated you starting OpenVPN on the mobile device too, but it stopped the problem. Today I use ZeroTier instead which does much the same thing. It doesn't take much to set it up, and it doesn't need anything starting on the mobile device. Free too. I also got Home Assistant working remotely with that :D
Forum Moderator.
Problem ? Ask and we will try to assist, but please check the Help file.
HeneryH
Posts: 692
Joined: Thu Jul 18, 2019 2:50 pm

Re: BlueIris.exe constantly sending to Amazon AWS ec2 instances

Post by HeneryH »

Yeah, I wonder if some malware is spoofing the sender?

Just thinking out loud since this is something that has never surfaced before on the forums.
HeneryH
Posts: 692
Joined: Thu Jul 18, 2019 2:50 pm

Re: BlueIris.exe constantly sending to Amazon AWS ec2 instances

Post by HeneryH »

TimG wrote: Tue Mar 05, 2024 8:30 pm ... noticing foreign IP addresses trying to log in to my BI server a few years ago...
Inbound connection requests are just part of being part of the jungle. I've become numb to them.
locus101
Posts: 8
Joined: Mon Mar 04, 2024 5:49 am

Re: BlueIris.exe constantly sending to Amazon AWS ec2 instances

Post by locus101 »

I went through and disabled all the cameras and brought them online individually and watched TCPView for external connections. It is related to the last 2 cameras that I installed. They are generic/ONVIF dome PTZ cameras I got from Amazon.
https://www.amazon.com/gp/product/B0BXS ... =UTF8&th=1

I went through the camera configs and can't find anything that is set to anything external from the network except for NTP.

Strange that the camera is getting BI to start up these transmissions.
locus101
Posts: 8
Joined: Mon Mar 04, 2024 5:49 am

Re: BlueIris.exe constantly sending to Amazon AWS ec2 instances

Post by locus101 »

Pogo wrote: Uhhh, close the freaking port?

And by what/whose SSL certificate are these connections being made?
I have blocked those IP addresses at the fw... keep in mind it's primarily outgoing and on port 443. So I can't exactly block that port.

I don't know how to figure out whose cert they are encrypting on this side... must be a system installed cert? If so, I should be able to decrypt with Wireshark? However, the servers they are sending to are all self-signed.
Pogo
Posts: 430
Joined: Tue Jul 18, 2023 7:21 pm
Location: Reportedly in the Area

Re: BlueIris.exe constantly sending to Amazon AWS ec2 instances

Post by Pogo »

locus101 wrote: Wed Mar 06, 2024 12:16 am So I can't exactly block that port.
I'd be locking everything down until you get it sorted out. If you've isolated it to those two cameras, shut the damned things down and contact the seller for an explanation or a possible solution.
locus101
Posts: 8
Joined: Mon Mar 04, 2024 5:49 am

Re: BlueIris.exe constantly sending to Amazon AWS ec2 instances

Post by locus101 »

Well... I think I fingered it out. I figured out I needed to sniff the packets from the start of the transmission so I could pick up the server certs. They belong to Sentry AI. I have that subscription and it is enabled. Funny thing is, it's enabled on all of the cameras... not just the 2. I didn't realize that the processing for Sentry was all offsite. It sure seems like a lot of data being sent out. I will contact Sentry and ask them what's up. Maybe they can shed some light. I'll post back with what he says for reference in case anyone is interested.
TimG
Posts: 2181
Joined: Tue Jun 18, 2019 10:45 am
Location: Nottinghamshire, UK.

Re: BlueIris.exe constantly sending to Amazon AWS ec2 instances

Post by TimG »

We are interested. We haven't seen this before. Good work there :D
Forum Moderator.
Problem ? Ask and we will try to assist, but please check the Help file.
MikeBwca
Posts: 1093
Joined: Thu Jun 20, 2019 5:39 am

Re: BlueIris.exe constantly sending to Amazon AWS ec2 instances

Post by MikeBwca »

locus101 wrote: Tue Mar 05, 2024 7:25 pm According to BI support, BI shouldn't be sending anything at all to AWS...
...
My mistake. I stand corrected.