In 2021, a security team auditing a university campus found no live cameras on Shodan. However, running inurl:axis+cgi+mjpg+motion+jpeg+better on Google returned 17 internal Axis 210A cameras whose web interfaces had been crawled five years earlier during a temporary network misconfiguration.
Why were these missed by Shodan? The cameras were behind NAT and hadn't sent a packet to the public internet in years. But Google’s crawler had cached their title tags and anchor text during a two-hour window of exposure. The keyword better appeared in an old departmental homepage linking to "Building 4 North entrance – better angle."
The team used the cached URL structure (/axis-cgi/mjpg/video.cgi?camera=3) to write a script that attempted connection via the university’s VPN. Three cameras were still active and unauthenticated, providing a live feed of a nuclear engineering lab. The vulnerability was fixed within 48 hours. inurl+axis+cgi+mjpg+motion+jpeg+better
import requests from urllib.parse import urljoin
def find_better_streams(base_ip_range): for ip in range(1, 255): test_url = f"http://192.168.1.ip/axis-cgi/mjpg/video.cgi" params = 'resolution': '640x480', 'compression': '20', 'motion': 'on' try: r = requests.get(test_url, params=params, timeout=0.5, auth=('root', 'pass')) if r.status_code == 200 and 'multipart/x-mixed-replace' in r.headers['content-type']: print(f"BETTER STREAM FOUND: test_url?params") except: pass
Most generic searches like inurl:video.cgi or intitle:"Live View" return a flood of false positives—broken links, login pages, or still images. The inurl:axis+cgi+mjpg+motion+jpeg+better string excels for three reasons:
| Search String | Results | False Positives | Use Case |
|---|---|---|---|
| inurl:axis-cgi/mjpg | Moderate | Low (specific to Axis MJPEG) | General discovery |
| inurl:viewerframe?mode= | High | Very High (many brands) | Broad scanning |
| inurl:axis+cgi+mjpg+motion+jpeg+better | Low but curated | Extremely Low | Finding high-quality, actively moving streams | In 2021, a security team auditing a university
The addition of better implicitly targets cameras where the owner (or default config) prioritized quality over bandwidth—meaning these feeds are often left unauthenticated for convenience.