Abyss web server - trying to record my screen - anyone know what the device is and does?

evolusic

VioletChepil

hi @evolusic
Thanks for this screenshot. Hopefully we can help. How do you know they were trying to record your screen?
@Marc @kltaylor @Pixelpopper @Hronos @Crowgrandfather - any ideas about what this device may be? 
I'll take a look around too.

VioletChepil

I've found this online: https://aprelium.com/abyssws/ 

Anyone have any ideas about what this would be used for? 

Abyss Web Server is a compact web server available for Windows, Mac OS X/macOS, and Linux operating systems.

Despite its small footprint, it supports HTTP/1.1, secure SSL/TLS connections (HTTPS), automated provisioning and renewal of free certificates from Let's Encrypt® (ACME v2), IPv6, on-the-fly HTTP compression, dynamic content generation through CGI/FastCGI scripts, ISAPI extensions, native ASP.NET, HTTP/HTTPS/WebSocket reverse proxying, eXtended Side Includes (XSSI), custom error pages, password protection, IP address control, anti-leeching, bandwidth throttling, and log rotation.

It also features an automatic antihacking system as well as a multilingual remote web management interface that makes its configuration as easy as browsing a web site.

VioletChepil

@evolusic - I've just modified the title of this discussion a bit to try and get more help with it from anyone familiar with Abyss web server. 

Crowgrandfather

zyxel.com is a serious of network security appliances apparently. I'd never heard of them before but their website has a bunch of products listed including things like managed switches, routers, and firewalls.

There's really not much to go on with this post. Can we get a MAC address and an IP address?

And a description of what you were observing that made you assess this device was recording your screen?

Marc

If you have the IP address of the device, http to it over that port.  Example, from your web browser type in http://a.b.x.y:9999 where Abxy is the actual IP address.  That might tell you what it is. 

Hronos

Yes, Zyxel is a brand of networking gear, I suppose @evolusic router it's from that brand, and that service could be a way the router/brand manage "remote management", because "lb130" could be a custom host, pointing to it's public IP address... if you do not use that, you should disable it at the router and close/block the port from been access from outside your network.

Crowgrandfather

https://community.fing.com/discussion/comment/7788#Comment_7788

It's not open from the outside. I checked. My best guess is that it's a webpage for the router admin interface.

[Deleted User]

@evolusic - zyxel, as previously mentioned, produce numerous security devices. Do you have any on your network i.e. security cameras as they run a server to send/capture images (my Wi-fi Camera uses a web server). Also if you have any other security sensors connected to your network that could be what you’re seeing. Are you getting a message to tell you that the server is trying to do a screen capture, if you are then that would be very suspicious.
download and run “malwarebytes” on your computers (All of them) to ensure you haven’t picked up any malware.

Prootwadl

I'm quite familiar with Abyss. I've been using it internally at my work to host a DokuWki instance for documentation, and I've also used it to serve a number of other web pages, handle some basic Perl and PHP stuff, etc. It's a very nice little server, runs under windows and Linux, and has a nice GUI for administration.

It's a relatively harmless piece of software. A small, lightweight, and fairly capable web server.

Prootwadl

An additional comment.

The Abyss web server doesn't have any screen recording functionality. It simply presents web pages, and will also handle certain things like Perl and PHP if you've got pages with embedded code. But it doesn't do anything at all like screen scraping.

If something like that is occurring, it would be a function of your browser or perhaps something on the site that the Abyss server is presenting to your browser.

The server itself isn't responsible for what various server or client side scripts are doing as such, at least outside of normal security considerations. Like Apache and other similar pieces of software, it provides a script execution environment, but it does not directly provide or execute the code. That would be the site author and the underlying script engine respectively.

VioletChepil

Wow thanks a lot all!
Let us know @evolusic

evolusic

Wow so thank you what a response ! I do appreciate it . To further explain the screen recording incident ,I sat down at my iMac and when I logged in immediately a message said “sh” Is asking to record your screen I said no and while I’ve had weird stuff happen I was never concerned now I am looking back at all the odd things and like a hypochondriac on web MD I started looking at hacking stories and seeing the worst case scenario. I don’t know what I’m looking at and an activty monitor screen can be a dangerous thing to a person in a panic with all the Nefarious sounding words like daemon, syslogd ,spindump,trustd,sysextd,ath......so that’s a AMPDevicesagent......these things are most likely normal but why do half of them end in “d” user root means? UHG .....so basically I need to learn ......a lot and not freak out ....I have malware bytes and use it , I don’t know anyone contact wise “sh” but it also occurred to me I have a problem with someone hopping on my iPhones hot spot ......may be a neighbor prying or something ? I do appreciate the answers and direction a lot so I’ll ask just one more and if I get an answer it will most likely be the most important ! Where can a 40 yr old average technical ability person learn about the actual workings of our digital world ? Like languages terms and knowing what’s actually possible and can and does happen? Hope you have a good day everyone!

VioletChepil

Thanks @evolusic - maybe we should start up another thread.
What are some Key signs that your mobile is being hacked? And then I can facilitate some experts to add their input for you. What do you think?

webwolf

I just installed a new tp-link IP camera, it uses that port and web server. Do you have such a device installed?

It would ask for screen recording access on your mobile because the camera itself can record. I know it's a bit fluffy but I've disabled such permissions before and the camera stopped displaying on my mobile / crashing the app!

[Deleted User]

webwolf said:

I just installed a new tp-link IP camera, it uses that port and web server. Do you have such a device installed?

It would ask for screen recording access on your mobile because the camera itself can record. I know it's a bit fluffy but I've disabled such permissions before and the camera stopped displaying on my mobile / crashing the app!

If you are installing a camera then it’s highly likely that the issue is one of terminology rather than a security risk. The fact that you’ve lost all functionality suggested that the app & camera need the permissions you’ve disabled to enable them to operate correctly. A quick “google” for your camera/issues should provide the information you need. I know some system messages can be quite alarming but you should expect warnings  when installing a new device and it’s associated software.

webwolf

https://community.fing.com/discussion/comment/15079#Comment_15079

Agreed, I think Android (Google) (assuming it's Android in the OPs issue) should resolve this in the OS. Recording the screen and displaying video from a recording device has a huge discrepancy. The hardwares functional requirements may be the same which explains the high level permission requirements but presents a real issue for laymen not understanding the apparent risks or lack of.

I see this a lot where people are complaining that an app shouldn't need access to xyz permissions but it's mainly an issue with terminology and a lack of granularity in the permissions of Android.

My question was more to the op to see if they did actually have an IP camera installed as I have. I only installed it recently and noticed it showed up in fing with no details at all. Elimination would indicate that it's the IP camera and running that hosting software.

IoTs are a nightmare... They always seem to have cloud connectivity and no option to disable it and Strange permission requests but no obvious explanation in the app description or manual to specify why exactly it needs those permissions.

PS: just noticed in the last response from the op it's an iMac. I don't know Apple very well but I'm assuming they operate fairly closely to the model that Android use with permissions. There's such a long way to go to secure end user devices at the operating system level and provide more useful feedback of events...