HELP! Lots of Hikvision NVR remote logins (illegal and remote) from outside my network!

Deadeye

Young grasshopper
Joined
Oct 14, 2018
Messages
73
Reaction score
10
Location
Canada
I have a Hikvision DS-7716NI-SP that I had set up for remote access (as I thought my password would be strong enough), but I had alerts set up for any illegal remote access attempt and it just went crazy! So I thought that I would just access it locally and removed my port forwarding rule on my router, but I'm STILL getting illegal login alerts. I checked the log and someone is still attempting to login to my NVR remotely, even though they really shouldn't even be able to reach it (I have no port forwarding rules enabled on my router to my NVR IP). This is absolutely baffling, and I really wish the logs would show which port number the logins were attempted:
(attached screenshot: IllegalLogin.jpg)

What's even stranger is that after I killed my port forwarding rule, I decided to check on the legitimate login attempts (Operation->Remote:login) and I'm assuming that this log type is SUCCESSFUL remote login attempts, and I noticed it was full of strange IP addresses (not me). Does this mean that my NVR has been compromised? I didn't see anything strange on it (no additional accounts created, etc) but if this means that people are able to access my NVR remotely even though I should have it blocked via my router, I'm screwed. I might as well throw it out.
(attached screenshot: RemoteLogin.jpg)
What's even odder is that there is an IP in that list at 192.168.11.38 (.47, etc) and that looks like it's coming from my internal network, but I don't have anything at 192.168.11.x, all of my devices use 192.168.1.x.

I'm freaking out here thinking that someone has access to my cameras, but I have no way of stopping it.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
I'm freaking out here thinking that someone has access to my cameras, but I have no way of stopping it.
Maybe you have UPnP enabled on the router, and the NVR also has UPnP enabled and it's opening the ports by itself.

Suggestion:
First of all - scan your LAN for any inbound access, using one of the many tools that can do this, for example use the full port scan from here (not the UPnP check) : GRC | ShieldsUP! — Internet Vulnerability Profiling  
Check also port 8000, the Hikvision 'command and control' port.
Then, log in to your router and see if UPnP is enabled.
If so, disable it, and reboot the router to clear the existing rules.
Then, log in to the NVR web GUI and see if UPnP is enabled and disable it.
This will be under the Network Configuration pages.
 

Deadeye

Young grasshopper
Joined
Oct 14, 2018
Messages
73
Reaction score
10
Location
Canada
I checked the NVR and my router and UPnP is disabled on both.
I went to that website and ran the "File Sharing", "Common Ports" and "All Service" ports tests and everything shows up as "Stealth". So it appears that my system/network is locked up tight, so I still don't see how all of these attempts are still happening. Since I last posted my first message, I had two other unique external IPs attempt to gain access to my NVR.
 

fullboogie

Getting the hang of it
Joined
Mar 4, 2019
Messages
156
Reaction score
85
Location
Texas
I changed my server port (8000) to something different and the illegal login attempts have ceased.
 

Deadeye

Young grasshopper
Joined
Oct 14, 2018
Messages
73
Reaction score
10
Location
Canada
I changed mine and we'll see what happens. What is that port for anyway? I don't think there is a login on that port, is there? I thought it might be for the hikvision app. Either way, I don't have that port forwarded either, so I have no idea how they would be attempting to login through that port. But at this point, I'll try ANYTHING.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
I checked the NVR and my router and UPnP is disabled on both.
I went to that website and ran the "File Sharing", "Common Ports" and "All Service" ports tests and everything shows up as "Stealth". So it appears that my system/network is locked up tight, so I still don't see how all of these attempts are still happening. Since I last posted my first message, I had two other unique external IPs attempt to gain access to my NVR.
Just turning off UPnP won't (generally) disable any ports that already have been opened. Just turns it off from that point forward. Also check directly what ports are open on the router.

The ShieldsUp scanner won't necessarily pick up some odd port unless you specify it. I used to have another online scanner that would run a complete scan but it's paid now and I don't find any that work well on a quick search. Might download one to run local directly against your router from outside.
 

fullboogie

Getting the hang of it
Joined
Mar 4, 2019
Messages
156
Reaction score
85
Location
Texas
I changed mine and we'll see what happens. What is that port for anyway? I don't think there is a login on that port, is there? I thought it might be for the hikvision app. Either way, I don't have that port forwarded either, so I have no idea how they would be attempting to login through that port. But at this point, I'll try ANYTHING.
It's the server port. I was getting login attempts from eastern Europe mostly. Changed it to 12345, per the recommendation of someone on this forum, and I've not had one since. If I recall the explanation, it's usually "bots" making these attempts and they usually go for common ports like 8000. Change it to something different (that still works) and it appears to thwart those bot attempts.
 

Will.I.Am

Getting the hang of it
Joined
Mar 17, 2018
Messages
94
Reaction score
40
If you're getting connections to the service port then there has to be a route to that port.

Do you have hikconnect enabled?

If not then the only other way I think it's possible is if port 8000 is forwarded from your router to your nvr. Though those 192.x.x.x addresses that aren't part of your home network are strange.

Do you have any vpn set up? That's the ideal way to view cameras from outside your home network.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
I went to that website and ran the "File Sharing", "Common Ports" and "All Service" ports tests and everything shows up as "Stealth". So it appears that my system/network is locked up tight, so I still don't see how all of these attempts are still happening. Since I last posted my first message, I had two other unique external IPs attempt to gain access to my NVR.
It's not logical that there is no inbound access found for the external public IP address your PC is using for the relevant ports yet you still see inbound access attempts.
There are many ways in which common-brand routers can be compromised, to provide a 'foothold' in the local network.
Do you have 'Remote administration' enabled in the router?
You did power-cycle the router?

Are there any other ways in which your network is accessible from the internet?
Do you have any devices that are using a P2P (peer-to-peer) external access, or using torrents or similar, or using a VPN service to hide the network origin?
Do you have a NAS with a 'Cloud' facility enabled such as 'MyQNAPCloud' ?
 

Deadeye

Young grasshopper
Joined
Oct 14, 2018
Messages
73
Reaction score
10
Location
Canada
Sorry for the late update. I wanted to give your suggestions a couple of days before I could verify what the issue was, and also we are on baby watch, so we've been spending a lot of time in the hospital.

It's the server port. I was getting login attempts from eastern Europe mostly. Changed it to 12345, per the recommendation of someone on this forum, and I've not had one since. If I recall the explanation, it's usually "bots" making these attempts and they usually go for common ports like 8000. Change it to something different (that still works) and it appears to thwart those bot attempts.
Fullboogie is the winner! I changed my NVR "Server Port" (no idea what this is for) to some random value and the login attempts have completely stopped. What still baffles me is that I have absolutely no rules on my router to allow port 8000 access to my NVR. Does the NVR even have a login interface at that port for these "bots" to even attempt a login? So strange to me.....

Just turning off UPnP won't (generally) disable any ports that already have been opened. Just turns it off from that point forward. Also check directly what ports are open on the router.
The ShieldsUp scanner won't necessarily pick up some odd port unless you specify it. I used to have another online scanner that would run a complete scan but it's paid now and don't find any that work well on a quick search. Might download one to run local directly against your router from outside.
Mike, I have only two ports open most of the time, random ports for WOL and RDP, and since I never enabled UPnP, I have no routes created by it that currently exist. I disabled all of my routes (created by me) while testing, then just re-enabled those two a few days ago and everything seems calm, so I don't think those are the issue. I did try hitting the NVR ports specifically using ShieldsUp and they all came back as secure, so I don't know how these outside systems were able to get through to the NVR.

If you're getting connections to the service port then there has to be a route to that port.
Do you have hikconnect enabled?
If not then the only other way I think it's possible is if port 8000 is forwarded from your router to your nvr. Though those 192.x.x.x addresses that aren't part of your home network are strange.
Do you have any vpn set up? That's the ideal way to view cameras from outside your home network.
That's what I thought, but when I was testing this out, I had no routes enabled so it was technically locked down. Yes, I do have hikconnect enabled as that's how I was accessing my NVR using the HikConnect app. But when I disabled all of the NVR ports, I wasn't able to connect with the app anymore, but the login attempts were still happening until I changed the server port on the NVR.
Those other 192.168.11.x addresses are really freaking me out as they seem internal, but I never use .11, just .1
No, I haven't had the time to investigate how to set up a VPN, but I DO want to go down that route for security reasons, and I have read that I can use OpenVPN with DDWRT (which is what I have running on my router), so that is my plan in the future, but I'm not 100% sure I'll still be able to use apps like HikConnect over the VPN or not.

Found multiple hits for one of the IPs in your logs and it mentions port 8000 scanning - look here 51.38.36.213 | OVH SAS | AbuseIPDB
Is all of your network on 192.168.1.X ??
Yeah, everything on my network is using 192.168.1.x addresses, which thankfully rules out any hijacked system (though, I shut down all devices on my network and was still getting intrusion attempts, so that's not it), so I'm not sure how they're able to come from an address like 192.168.11.x.

It's not logical that there is no inbound access found for the external public IP address your PC is using for the relevant ports yet you still see inbound access attempts.
There are many ways in which common-brand routers can be compromised, to provide a 'foothold' in the local network.
Do you have 'Remote administration' enabled in the router?
You did power-cycle the router?
Are there any other ways in which your network is accessible from the internet?
Do you have any devices that are using a P2P (peer-to-peer) external access, or using torrents or similar, or using a VPN service to hide the network origin?
Do you have a NAS with a 'Cloud' facility enabled such as 'MyQNAPCloud' ?
That's what makes this so strange. Port 8000 is locked down, confirmed with ShieldsUp, but when I changed it, the attempts just stopped. I don't get it at all.

Do you have 'Remote administration' enabled in the router? Nope.
You did power-cycle the router? I have the router set up to reboot itself every couple of days.
Are there any other ways in which your network is accessible from the internet? No, just through my router.
Do you have any devices that are using a P2P (peer-to-peer) external access, or using torrents or similar, or using a VPN service to hide the network origin? No to both.
Do you have a NAS with a 'Cloud' facility enabled such as 'MyQNAPCloud' ? No NAS (just a windows file server, but not accessible remotely) or cloud services beyond Dropbox.

I wish I had more information to report back with that had a more satisfactory resolution, but it looks like it was just port 8000 which was magically accessible through my router that had no routes set up for that port.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Another way in would be through your WiFi.
But that would mean a local attacker as opposed to from the internet. Which from the tests you've done and configurations you've checked seems to be secure. Apart from HikConnect.
 

Deadeye

Young grasshopper
Joined
Oct 14, 2018
Messages
73
Reaction score
10
Location
Canada
Another way in would be through your WiFi.
But that would mean a local attacker as opposed to from the internet. Which from the tests you've done and configurations you've checked seems to be secure. Apart from HikConnect.
Yeah, I'm thinking HikConnect is somehow causing this, but with all my ports locked down, I can't see how it would get through. I changed my wifi recently to set up a doorbell camera, so I don't think it's local attacks, especially since I live in a pretty quiet, established (older folks) neighbourhood and all of these remote addresses are from everywhere.
 

Will.I.Am

Getting the hang of it
Joined
Mar 17, 2018
Messages
94
Reaction score
40
Funny this should come up now.

I installed a system at my father in law's house last year (initially 5 cameras around the perimeter)

I didn't use the cloud service as I don't trust them.

I ended up getting another camera off a mate in work (that I'd ironically given him because I'd removed it from a site that didn't need it anymore but in the end he never got around to installing it)

I set it all up on the nvr and thought no more about it.
All remote viewing is done through a vpn set up on a pi (which also functions as an nfs server to allow the cameras to record directly to nfs on motion in case someone nicks the nvr)

I set up all the devices to send me email alerts for events, but to be truthful I turned off the notifications on my Gmail account a while back because of the general spam I was getting.


I logged in last night and found literally hundreds of illegal logins on that camera.

I know for a fact the network is secure because I set it up myself.
I checked out the camera and found that it still had the cloud service (it was actually the ezviz one) enabled.


The thing you need to remember about cloud viewing services like that is that they will bypass the vast majority of firewalls because it is an OUTBOUND connection from the camera to the server that opens the way for people to try and log in. Most firewalls will only block incoming traffic that didn't originate from a request on your own network.

And the funny thing is, a number of those illegal logins came from "local" ip addresses that weren't local at all - 192.168.0.x addresses when that's not the subnet of the network.


Long story short, get rid of hikconnect asap.

It is honestly a breeze to set up a vpn. If your router can't create its own server, pivpn on a raspberry pi is a wrapper for openvpn that takes out most of the hard work.

And until then, yeah, running hikconnect on a non standard port is at least a small step. Most of these attacks are automated and directed at standard ports, but you still can't beat a vpn. And personally I just don't trust my images and devices relying on someone else's servers to stay secure and available.
 

fullboogie

Getting the hang of it
Joined
Mar 4, 2019
Messages
156
Reaction score
85
Location
Texas
Fullboogie is the winner! I changed my NVR "Server Port" (no idea what this is for) to some random value and the login attempts have completely stopped. What still baffles me is that I have absolutely no rules on my router to allow port 8000 access to my NVR. Does the NVR even have a login interface at that port for these "bots" to even attempt a login? So strange to me.....
Glad it worked for you man. I can't take credit as it was someone else on this forum who made the suggestion. But I can say that my system has been running for 5 months since I made the port change and in reviewing my logs last night, I've not had one single illegal login attempt.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
Port 8000 is well known as the Hikvision 'command and control' port and as such is a prime target for attempts on Hikvision devices.
Whilst it's certainly the case that changing that port does reduce the number of attacks it's worth remembering that it's still 'security by obscurity' and not a fully secure solution.

It's very interesting what @Will.I.Am recounted about HikConnect and reminding us about how it works. Maybe it's been hacked. Again.
 

Deadeye

Young grasshopper
Joined
Oct 14, 2018
Messages
73
Reaction score
10
Location
Canada
I didn't use the cloud service as I don't trust them.

I checked out the camera and found that it still had the cloud service (it was actually the ezviz one) enabled.

The thing you need to remember about cloud viewing services like that is that they will bypass the vast majority of firewalls because it is an OUTBOUND connection from the camera to the server that opens the way for people to try and log in. Most firewalls will only block incoming traffic that didn't originate from a request on your own network.

And the funny thing is, a number of those illegal logins came from "local" ip addresses that weren't local at all - 192.168.0.x addresses when that's not the subnet of the network.

Long story short, get rid of hikconnect asap.

It is honestly a breeze to set up a vpn. If your router can't create its own server, pivpn on a raspberry pi is a wrapper for openvpn that takes out most of the hard work.

And until then, yeah, running hikconnect on a non standard port is at least a small step. Most of these attacks are automated and directed at standard ports, but you still can't beat a vpn. And personally I just don't trust my images and devices relying on someone else's servers to stay secure and available.
Yeah, I don't trust cloud services either, that's why I just wanted to use my own NVR and access it remotely from my phone. But how can they possibly bypass router firewalls? How is that actually possible? Even if the original request came from inside the network, wouldn't the firewall still block any incoming traffic?

If I get rid of HikConnect, how can I view my feeds and recording remotely on my phone? I'm getting so close to just building a new PC and getting BlueIris. A lot more expensive, but then I don't think I would have all these issues (I think I'd be able to block IPs if they attempt to login too many times, etc).

Yeah, everyone says it's easy, but I just need to spend the time to do the research to learn how because I honestly don't know much about VPNs. I just know that DDWRT does support it, which is one of the reasons why I flashed my router with it.


Port 8000 is well known as the Hikvision 'command and control' port and as such is a prime target for attempts on Hikvision devices.
Whilst it's certainly the case that changing that port does reduce the number of attacks it's worth remembering that it's still 'security by obscurity' and not a fully secure solution.

It's very interesting what @Will.I.Am recounted about HikConnect and reminding us about how it works. Maybe it's been hacked. Again.
That would explain why my HikConnect app no longer works when I changed it. But I still don't get how it was accessible from the outside when I don't have any routes for 8000?

I like Hikvision hardware, but I'm kind of paranoid about any possible chinese backdoors that they might have included (a la Huawei).
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
939
Location
CT
The bypass works because the request is coming from your internal network and connecting to their cloud. Many services have gone that route because it does defeat any firewalling. For example, you can have your Ubiquiti network gear talk to the Ubiquiti cloud and access your gear from anywhere to administer it. That's the same type of setup. The gear connects to the cloud and your phone also connects to their cloud and voila you have remote access.

The bottom line is: if you don't want your cameras having internet access, remove it completely. Put it on a segmented VLAN protected by firewall rules, or a separate network altogether. Like any good network design, these things take thought and planning - the days of just plugging into the router are over.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
The thing you need to remember about cloud viewing services like that is that they will bypass the vast majority of firewalls because it is an OUTBOUND connection from the camera to the server that opens the way for people to try and log in. Most firewalls will only block incoming traffic that didn't originate from a request on your own network.
But I still don't get how it was accessible from the outside when I don't have any routes for 8000?
Firewalls are almost invariably 'stateful'.
This means that they maintain a state table of active connections such that traffic can flow 2 ways along an established and maintained connection.
If you think about it - when you visit your average website - you establish an outbound connection to it, and the website sends you data, via the connection that the browser has already established outbound.
It does mean, though, that the outbound connection would need to have been compromised and subverted for potential attackers to be able to make use of it, unless the destination itself, or how it was resolved, is malicious.
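As an added illustration of the stateful-firewall explanation above (and of Will.I.Am's earlier point that the cloud service works through an outbound connection), not code from the thread or from Hikvision: a small Python model of a NAT router with UPnP off and no port forwards. The addresses, ports and the relay are constructed, and the model assumes the NAT leaves the LAN host's source port unchanged.

```python
"""Model of a stateful NAT firewall with no port-forward rules, showing why an
outside scan of port 8000 reports 'stealth' while a session the NVR itself opened
outbound to a cloud relay still carries inbound traffic to the NVR.
Added example; addresses, ports and the relay are constructed, not from the thread."""
from dataclasses import dataclass
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")  # the poster's subnet
NVR_IP = "192.168.1.50"                         # constructed NVR address
WAN_IP = "198.51.100.7"                         # constructed router public address
RELAY_IP = "203.0.113.10"                       # constructed cloud relay address
SCANNER_IP = "192.0.2.33"                       # constructed internet scanner


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Allow anything the LAN originates and remember the flow; allow inbound
    only when it is the reverse of a remembered flow or matches a port forward.
    Assumption: NAT keeps the LAN host's source port unchanged on the WAN side."""

    def __init__(self, forwards=None):
        self.forwards = dict(forwards or {})  # {wan_port: (lan_ip, lan_port)}
        self.flows = {}                       # (lan_port, peer_ip, peer_port) -> lan_ip

    def handle(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.src) in LAN:
            self.flows[(pkt.sport, pkt.dst, pkt.dport)] = pkt.src
            return "ALLOW-OUTBOUND"
        lan_ip = self.flows.get((pkt.dport, pkt.src, pkt.sport))
        if lan_ip is not None:
            return f"ALLOW-ESTABLISHED->{lan_ip}"
        if pkt.dport in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dport]
            return f"ALLOW-FORWARD->{lan_ip}:{lan_port}"
        return "DROP"


def scenario():
    """Replay the thread's situation: UPnP off, no forwards, cloud access on."""
    fw = StatefulFirewall()
    results = {}
    # 1. Internet scanner probes the Hikvision server port: nothing matches, so
    #    the probe is dropped. This is the 'stealth' result ShieldsUp reports.
    results["scan_8000"] = fw.handle(Packet(SCANNER_IP, 51000, WAN_IP, 8000))
    # 2. The NVR registers with the cloud service by opening a connection OUT.
    results["nvr_register"] = fw.handle(Packet(NVR_IP, 40001, RELAY_IP, 8666))
    # 3. Traffic from the relay now arrives INBOUND on that flow and is allowed,
    #    so whatever the relay passes on reaches the NVR although 8000 is closed.
    results["relayed_session"] = fw.handle(Packet(RELAY_IP, 8666, WAN_IP, 40001))
    # 4. A fresh scan is still dropped: the established flow is the only opening.
    results["scan_8000_again"] = fw.handle(Packet(SCANNER_IP, 51001, WAN_IP, 8000))
    return results


def classify_logged_source(ip: str) -> str:
    """Triage an address from the NVR login log against the owner's subnet. An
    RFC 1918 address outside that subnet (the thread's 192.168.11.x entries)
    cannot be one of the owner's hosts, which is why the thread attributes such
    entries to the cloud path rather than to a hijacked device on the LAN."""
    addr = ipaddress.ip_address(ip)
    if addr in LAN:
        return "lan"
    if addr.is_private:
        return "private-but-not-our-subnet"
    return "public"
```

Calling scenario() returns the four verdicts in order, and classify_logged_source() sorts the addresses seen in the log into the three buckets the thread argues about.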
 

Will.I.Am

Getting the hang of it
Joined
Mar 17, 2018
Messages
94
Reaction score
40
Yeah, I don't trust cloud services either, that's why I just wanted to use my own NVR and access it remotely from my phone. But how can they possibly bypass router firewalls? How is that actually possible? Even if the original request came from inside the network, wouldn't the firewall still block any incoming traffic?

If I get rid of HikConnect, how can I view my feeds and recording remotely on my phone? I'm getting so close to just building a new PC and getting BlueIris. A lot more expensive, but then I don't think I would have all these issues (I think I'd be able to block IPs if they attempt to login too many times, etc).

Yeah, everyone says it's easy, but I just need to spend the time to do the research to learn how because I honestly don't know much about VPNs. I just know that DDWRT does support it, which is one of the reasons why I flashed my router with it.

That would explain why my HikConnect app no longer works when I changed it. But I still don't get how it was accessible from the outside when I don't have any routes for 8000?

I like Hikvision hardware, but I'm kind of paranoid about any possible chinese backdoors that they might have included (a la Huawei).
Any "cloud" connection, which includes anything where you create an account online that allows you to remotely view or access equipment or files on your network is a back door.

As mentioned above, that service creates a permanent connection between your device and an external server. If someone knows how to use that connection then they've got a route.
I haven't used hikconnect much but I know there's a device unique identifier that you enter into the hikconnect website, along with a username and password (maybe just a password actually) that is different to your nvr login.
But iirc, once that device is registered to you, no one else can take it, you have to give individual accounts access to your devices.
So it looks like it's not the hikconnect service itself they're trying to use to access your stuff, but that connection is still there and still open, on port 8000 (or 12345 now). I'm no network expert so I've no idea how they do it, but I know that there are certain communications that are easy to hijack and essentially either get the content or change the content in some way.

Any connection to another server is another chink in the armour.
A closed home network with one open port for a vpn connection is by far the safest way to access your home network, apart from closing off all ports and just viewing it locally.
 