Inurl Viewerframe Mode Motion Install

Never leave the default admin:admin credentials in place. Use long, complex passwords. If your camera software supports two-factor authentication (2FA), enable it.

Security teams can detect exploitation attempts using the following indicators:

| Indicator Type | Value / Pattern |
| :--- | :--- |
| HTTP Request URI | / or /login containing User-Agent: Mozilla/5.0 (compatible; Googlebot) – but attackers mimic bots. |
| Path traversal attempts | GET /../../etc/passwd or GET /media/../config/motioneye.conf |
| Command injection | POST /settings/save with param motion_control_command = ; wget ... |
| Unusual access source | Single IP accessing multiple /media/*.mp4 files in rapid succession. |

Splunk/ELK query example:

url="/" AND response_body CONTAINS "viewerframe mode motion install" AND src_ip NOT IN (internal_networks)
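One way to apply two of the indicators above (path traversal requests, and a single IP pulling many /media/*.mp4 files in rapid succession) to a web access log. This is an added example, not code from the original page. The log format, sample lines, threshold and time window are constructed assumptions, and the check also decodes percent-encoded `..`, which goes beyond the literal patterns in the table.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access log (common log format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "GET /media/../config/motioneye.conf HTTP/1.1" 404 153
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "GET /media/%2e%2e/config/motioneye.conf HTTP/1.1" 404 153
198.51.100.9 - - [12/Mar/2024:10:05:00 +0000] "GET /media/clip_001.mp4 HTTP/1.1" 200 1048576
198.51.100.9 - - [12/Mar/2024:10:05:01 +0000] "GET /media/clip_002.mp4 HTTP/1.1" 200 1048576
198.51.100.9 - - [12/Mar/2024:10:05:02 +0000] "GET /media/clip_003.mp4 HTTP/1.1" 200 1048576
198.51.100.9 - - [12/Mar/2024:10:05:03 +0000] "GET /media/clip_004.mp4 HTTP/1.1" 200 1048576
192.0.2.10 - - [12/Mar/2024:10:06:00 +0000] "GET /media/clip_001.mp4 HTTP/1.1" 200 1048576
192.0.2.10 - - [12/Mar/2024:10:11:00 +0000] "GET /media/clip_002.mp4 HTTP/1.1" 200 1048576
192.0.2.10 - - [12/Mar/2024:10:11:05 +0000] "GET /login HTTP/1.1" 200 512
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3}')
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')  # a ".." path segment
MEDIA_RE = re.compile(r'^/media/[^/]+\.mp4$')

def scan(log_text, burst_count=4, burst_window=timedelta(seconds=10)):
    """Return (traversal_hits, burst_ips); assumes lines are in time order."""
    traversal, recent, burst_ips = [], defaultdict(deque), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ip, ts, target = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        # Decode twice so %2e%2e and double-encoded %252e%252e are both seen.
        decoded = unquote(unquote(target))
        if TRAVERSAL_RE.search(decoded):
            traversal.append((ip, target))  # keep the raw target for triage
            continue
        if MEDIA_RE.match(decoded.split("?", 1)[0]):
            window = recent[ip]
            window.append((when, decoded))
            while when - window[0][0] > burst_window:
                window.popleft()  # drop requests older than the window
            if len({p for _, p in window}) >= burst_count:
                burst_ips.add(ip)
    return traversal, sorted(burst_ips)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Tune `burst_count` and `burst_window` against normal viewing behaviour for the deployment before alerting on the burst result.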

In any search engine (Google, Bing, or Shodan), the inurl: operator instructs the search engine to look for the subsequent text exclusively within the URL of a webpage. For example, inurl:admin returns all pages that have the word "admin" in their web address (e.g., example.com/admin/login.php).

To understand how this search query functions, it is necessary to break down its components. Google search operators allow users to refine results based on specific text found in the URL or the page content.

The Result: When combined, inurl viewerframe mode motion searches the entire indexed web for URLs that look something like this: http://[IP_Address]/viewerframe?mode=motion

These URLs typically belong to IP cameras that are directly connected to the internet without a firewall or proper password protection. Because the specific URL structure is known to the search engine, Google indexes the video feed interface, making it publicly accessible to anyone who searches for it.

Another audit uncovered a webcam labeled "Nursery Camera" in Brazil. The motion detection mode was set to record clips to a public directory. An attacker could have downloaded weeks of video clips showing the daily routine of a family. The install directory contained the router’s public IP and the internal network layout.