Summary (Bottom Line Up Front)
IP address 195.200.16.213 (Netherlands/AS216071) conducted low-volume reconnaissance targeting DVR systems with command injection probes on April 4, 2026 between 13:00-16:00 UTC. Assessment indicates LOW threat severity with automated scanning behavior rather than targeted exploitation. Network defenders should verify DVR device security postures and monitor for follow-on activity.
Activity Timeline
INITIAL REPORT 2026-04-04T20:01:14Z
Source: Analyst Manual Entry
Technical details
- Source: 195.200.16.213 (SERVERS TECH FZCO/Amsterdam)
- Activity Window: 17 events over 3 hours (April 4, 13:00-16:00 UTC)
- Protocols: DAHUA DVR, HTTP, TCP reconnaissance
- Attack Vector: Command injection probes using && operators targeting 3 unique ports
- MITRE Technique: T1059 (Command and Scripting Interpreter)
- Kill Chain Phase: Reconnaissance
- IOCs: Single IP with SSH service exposed (port 22), no reverse DNS resolution
IOCs
IP:195.200.16.213
ASN:216071
COUNTRY:NL
Recommendations
- Audit all DVR and IoT camera systems for default credentials and available firmware updates
- Implement network segmentation to isolate DVR/camera infrastructure from critical systems
- Monitor for HTTP requests containing command injection patterns (&&, ||, ;) targeting DVR endpoints
- Block or restrict access from AS216071 (SERVERS TECH FZCO) if no legitimate business requirements exist
- Enable logging on all DVR systems and establish baseline traffic patterns for anomaly detection
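One way to implement the monitoring recommendation for command injection patterns, as an added example that is not part of the original report. The combined-log format, the /cgi-bin/status.cgi path and the client addresses are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Operators named in the recommendation above: &&, ||, ;
CHAIN_OPS = re.compile(r"&&|\|\||;")
# Combined-log prefix: client IP ... "METHOD target HTTP/x"
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so %2526%2526 and %26%26 both become &&."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_operator(target):
    """Return the first chaining operator in a request target, or None."""
    parts = urlsplit(target)
    # ';' is legal in paths (e.g. ;jsessionid=), so it only counts in the query.
    query_hit = CHAIN_OPS.search(decode_fully(parts.query))
    if query_hit:
        return query_hit.group()
    path_hit = re.search(r"&&|\|\|", decode_fully(parts.path))
    return path_hit.group() if path_hit else None

def scan(lines):
    """Return (client_ip, operator, raw_target) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if m and (op := find_operator(m.group(2))):
            hits.append((m.group(1), op, m.group(2)))
    return hits

# Constructed sample log lines; IPs are documentation addresses and the
# /cgi-bin/status.cgi path is a hypothetical DVR endpoint.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Apr/2026:13:02:11 +0000] "GET /cgi-bin/status.cgi?host=127.0.0.1%26%26id HTTP/1.1" 404 0',
    '192.0.2.10 - - [04/Apr/2026:13:40:52 +0000] "GET /cgi-bin/status.cgi?host=a%257C%257Cid HTTP/1.1" 404 0',
    '198.51.100.7 - - [04/Apr/2026:14:05:00 +0000] "GET /index.html?lang=en&theme=dark HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Apr/2026:14:06:00 +0000] "GET /app;jsessionid=ABC123?view=live HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for ip, op, target in scan(SAMPLE_LOG):
        print(f"{ip} used {op!r} in {target}")
```

A single `&` between query parameters is not flagged; only the decoded operators are, so ordinary multi-parameter requests stay out of the results.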