Suspect outbound traffic from all my v2 cameras

I have three v2 cams all of which are attempting outbound connections to 216.244.65.2 at the rate of 13-14 times per minute per camera. I block these at my router firewall so it spams my firewall log something fierce.

Can someone tell me why these cams are trying to reach 216.244.65.2, which is a Wowrack instance in a Seattle data center owned by what appears to be a Russian national?

Alienvault shows previous malicious activity on this IP: https://otx.alienvault.com/indicator/ip/216.244.65.2

WHOIS output below:
% whois 216.244.65.2
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer: whois.arin.net

inetnum: 216.0.0.0 - 216.255.255.255
organisation: ARIN
status: ALLOCATED

whois: whois.arin.net

changed: 1998-04
source: IANA

whois.arin.net

NetRange: 216.244.65.0 - 216.244.65.7
CIDR: 216.244.65.0/29
NetName: 216-244-65-0-0-DMITRYMURASHOV
NetHandle: NET-216-244-65-0-1
Parent: WOW-IPV4-NET3 (NET-216-244-64-0-1)
NetType: Reassigned
OriginAS:
Customer: Dmitry Murashov (C04913485)
RegDate: 2014-03-21
Updated: 2014-03-21
Ref: https://rdap.arin.net/registry/ip/216.244.65.0

CustName: Dmitry Murashov
Address: Kostjakova street, 17-1-87
City: Moscow
StateProv:
PostalCode: 127422
Country: RU
RegDate: 2014-03-21
Updated: 2014-03-27
Ref: https://rdap.arin.net/registry/entity/C04913485

OrgAbuseHandle: WAT1-ARIN
OrgAbuseName: Wowrack Abuse Team
OrgAbusePhone: +1-206-522-4402
OrgAbuseEmail: abuse@wowrack.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/WAT1-ARIN

OrgTechHandle: WOWRA1-ARIN
OrgTechName: Wowrack NOC
OrgTechPhone: +1-206-522-4402
OrgTechEmail: noc@wowrack.com
OrgTechRef: https://rdap.arin.net/registry/entity/WOWRA1-ARIN

OrgNOCHandle: WOWRA-ARIN
OrgNOCName: Wowrack Hostmaster
OrgNOCPhone: +1-206-522-4402
OrgNOCEmail: hostmaster@wowrack.com
OrgNOCRef: https://rdap.arin.net/registry/entity/WOWRA-ARIN

1 Like
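The pattern described above (a handful of LAN hosts hammering one external address a dozen-plus times a minute, visible only as firewall drop spam) is easy to surface from the log itself. The following is an added example, not code from the thread or from Wyze or any router vendor: it parses netfilter/iptables-style drop lines (the `SRC=`/`DST=` field names and the `[FW-DROP]` prefix are assumptions about the log format), buckets attempts per source/destination per minute, flags pairs above a threshold, and checks the destination against a watchlist built from the /29 in the WHOIS output. The log lines are constructed for the example.

```python
"""Per-minute outbound-attempt counter for router firewall drop logs.

Added example (not from the original post). Assumes syslog-style lines in the
shape of a Linux netfilter LOG rule; the field names and the [FW-DROP] tag are
assumptions, not any particular router's format.
"""
import ipaddress
import re
from collections import Counter

# Matches the timestamp down to the minute plus the SRC= and DST= fields.
LOG_RE = re.compile(
    r"^(?P<minute>\w{3} +\d+ \d\d:\d\d):\d\d .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)

# Watchlist derived from the NetRange/CIDR in the thread's WHOIS output.
WATCHLIST = [ipaddress.ip_network("216.244.65.0/29")]


def _constructed_lines():
    """Build sample drop lines: two cameras at 13 and 14 attempts/minute to the
    same external host, plus one NAS making a few attempts elsewhere."""
    fmt = ("Mar 21 10:{m:02d}:{s:02d} router kernel: [FW-DROP] IN=br0 OUT=eth0 "
           "SRC={src} DST={dst} PROTO=UDP SPT=45000 DPT=8000")
    lines = []
    for sec in range(0, 52, 4):  # 13 attempts in minute 10:00
        lines.append(fmt.format(m=0, s=sec, src="192.168.50.11", dst="216.244.65.2"))
    for sec in range(0, 56, 4):  # 14 attempts in minute 10:00
        lines.append(fmt.format(m=0, s=sec, src="192.168.50.12", dst="216.244.65.2"))
    for sec in (5, 35):          # 2 attempts, well below the threshold
        lines.append(fmt.format(m=1, s=sec, src="192.168.50.20", dst="203.0.113.9"))
    lines.append("Mar 21 10:01:10 router sshd[123]: unrelated line, ignored")
    return lines


SAMPLE_LINES = _constructed_lines()


def parse_drops(lines):
    """Yield (minute, src, dst) for each line matching the drop-log shape."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("minute"), m.group("src"), m.group("dst")


def per_minute_counts(lines):
    """Count blocked attempts per (minute, src, dst)."""
    return Counter(parse_drops(lines))


def flag_beaconing(lines, threshold=10):
    """Return {(src, dst): peak attempts in any single minute} for pairs whose
    peak reaches the threshold. Steady high rates like 13-14/min stand out here."""
    peak = {}
    for (_minute, src, dst), n in per_minute_counts(lines).items():
        peak[(src, dst)] = max(peak.get((src, dst), 0), n)
    return {pair: n for pair, n in peak.items() if n >= threshold}


def in_watchlist(dst, cidrs=WATCHLIST):
    """True if the destination falls inside any watchlisted network."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in cidrs)


def report(lines, threshold=10):
    """Human-readable summary lines, one per flagged (src, dst) pair."""
    out = []
    for (src, dst), n in sorted(flag_beaconing(lines, threshold).items()):
        tag = " [watchlist]" if in_watchlist(dst) else ""
        out.append(f"{src} -> {dst}: peak {n}/min{tag}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LINES):
        print(line)
```

Feed it the router's exported drop log instead of `SAMPLE_LINES` to get the same per-camera view the poster describes; the threshold is deliberately a parameter, since a cloud-connected device that retries a blocked P2P server will show a steady rate rather than a burst.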

Wow! Another post said China was connecting to his cams. Maybe this is why the cams are so cheap?

They answered it here:

2 Likes

That’s quite a long read, but in the end I didn’t find Wyze’s final say about this…
Sorry, I’m not very familiar with navigating reddit, so maybe I’ve missed the conclusion.

From @WyzeTao in the comments:

Here is an update tonight. This is a new server added by our P2P service provider recently. It is not any malicious server. My previous server check was based on an older server version, which was why I didn’t find an IP match.

The server is physically located in Seattle, WA. Currently it is leased by our provider as a P2P connection server. This is confirmed by our service provider over phone. For some reason, some IP lookup websites resolve the IP as in Seattle and some resolve as in Russia. For example:

https://dnschecker.org/ip-location.php resolves as in Seattle

https://www.ip2location.com/demo/216.244.65.2 resolves as in Seattle

https://whatismyipaddress.com/ip/216.244.65.2 resolves as in Russia

We are asking the cloud service provider why the IP resolves to different locations. Our guess is that the IP location record was changed once and the record was not populated. This info is to be confirmed by the cloud service provider.

1 Like

Good to know. Thanks for the update.

There are others in Canada as well. I’m seeing traffic recently to Dedicated.com and OVH Hosting, as well as IANA. OVH in my experience has a reputation for some dodgy activity. I’m using Firewalla Gold as my router, if anyone is curious; that’s what the traffic data is from. Amazing device.

2 Likes

Amazing. I am glad I am using a secondary router for my cam network.

I have been keeping an eye on it, and the Dedicated.com server appears to be used for cloud video storage to some extent, as I found after blocking at the domain level (which causes DNS resolution and subsequent allow/block per rules) that I was getting a bunch of errors trying to view uploaded events.