Dahua Backdoor Uncovered

[Roman]

Guess I better start getting proficient with adding firewall rules on my router to stop these outbound connections.

 

[hmjgriffon]

Guess I better start getting proficient with adding firewall rules on my router to stop these outbound connections.

I believe the cameras are set up to use google for dns by default, change it to the IP of your router, or change it to nothing and just hit the cams by IP only. the automatic private IP is generated by devices that can't contact a dhcp server so dunno why you are seeing that. the last one is the one you want to worry about, though it could be a harmless connection back to dahua, who knows.

 

[hmjgriffon]

FYI on my firewall I have a table called ip_cams with the IP's of all of my cams and one simple firewall rule:

block out log quick on egress from <ip_cams>

boom, no internet for them, backdoor closed.

 

[Arjun]

That Google DNS caught me by surprise, lol

I believe the cameras are set up to use google for dns by default, change it to the IP of your router, or change it to nothing and just hit the cams by IP only. the automatic private IP is generated by devices that can't contact a dhcp server so dunno why you are seeing that. the last one is the one you want to worry about, though it could be a harmless connection back to dahua, who knows.

 

[Hound Dog 911]

I got into my router log this morning and I had a bunch of hits in the log from Vietnam and different places. I shut down a few settings and now can't access the cameras from the bi app unless I'm on the network. Should that be secure enough until I setup more secure means? I did turn on VPN.

 

[Hound Dog 911]

Also, should I change all of my important passwords? I already changed my banking.

 

[Roman]

I believe the cameras are set up to use google for dns by default, change it to the IP of your router, or change it to nothing and just hit the cams by IP only. the automatic private IP is generated by devices that can't contact a dhcp server so dunno why you are seeing that. the last one is the one you want to worry about, though it could be a harmless connection back to dahua, who knows.

Yeah the one camera that I posted that was reaching out to google dns I logged into last night and removed the all dns settings...even though the settings were not set to google dns...go figure (they were set to my local ISP's dns Comcast). Anyway, I removed the settings so now hopefully that will take care of that particular camera.

I also was able to log into my router and click on the specific IP of the camera in question and select "block internet access". I checked my logs this morning and I do not see a connection from that IP to china any longer. Looks like this may be a temporary work around but I want a more solid block so I am going to work on FW rules next.

 

[Roman]

I got into my router log this morning and I had a bunch of hits in the log from Vietnam and different places. I shut down a few settings and now can't access the cameras from the bi app unless I'm on the network. Should that be secure enough until I setup more secure means? I did turn on VPN.

Just because you can't reach your cams from out to in doesn't mean the cams can't contact Vietnam and different places from in to out if you know what I mean. In my case I had a cam that seemed to making an outbound connection to a Chinese IP as you can see from an earlier post. Best course of action in my mind is seeing if you can remove everything from the internal camera settings but the IP itself (like DNS, and Default gateway) that way it doesn't have a "path" to get outbound. But a lot of cams will not let you remove the default gateway....been there tried that. So you may have to go into router and see if there is someway you can block "outbound" connections. All this is just IMHO...YMMV

 

[Roman]

Also, should I change all of my important passwords? I already changed my banking.

Probably good practice to change all passwords every so often anyway. Whether or not people actually do that is another subject...hell you have people that don't even change default passwords on wireless routers when they first install them.

 

[Hound Dog 911]

It's listed as Lan access from remote. 100's of them.

 

[Roman]

It's listed as Lan access from remote. 100's of them.

I still would go down the line starting with my router and turn off UPnP, port forwards, etc. Then go to each camera and turn off all that stuff individually to (including any cloud service stuff P2P, etc). That way you use a VPN whenever you want to connect to your cams or BI. Most modern routers the OpenVPN server is pretty straight forward to set up.

After all that is done you prob want to dig a little deeper and see what can be done on the router end to block ALL communication from and to the cams from outside your network...whether that be an option (in my case an ASUS router) "Block internet access" or take it a step further and explore putting in permanent FW rules.

 

[Hound Dog 911]

Ever since I restarted everything, shut down access from the outside (I think) things appear normal. Even had a Dose attack. I'll monitor the log for anything strange. How can I check to be sure my BI server is clear? All of the hits were to that ip address for BI.

 

[Hound Dog 911]

I believe everything was shut down in the cams by default. Only thing enabled is Bonjour.

 

[Hound Dog 911]

I did shut down UPnP the other day on the router. Will double check.

 

[Hound Dog 911]

I also unchecked Default DMZ server in the router. I couldn't remote view without it checked.

 

[slowhandfan]

Wish I knew how to hack so I could test my own cameras before Dahua and other mfgs finally figure out and then get around to telling us which ones are affected before they get hacked and used for a DOS or something.
...Or I could get around to learning how to do the VPN thing I guess....but having (white hat) hacking skills would be cool.

I know very little about networking but using @nayr VPN for Noob post as well as the Easy WIndows Guide for OpenVP I was able to get it set up. Easy_Windows_Guide – OpenVPN Community

Start a new thread if you decide to set up OpenVPN and I'll be glad to help if I am able. I set mine up on the PC I'm using for Blue Iris. There are a couple of issues / mistakes in the guide and example files that caused me issues such as a mismatch between the commands and file names or parameters you set for encryption level.

 

[Hound Dog 911]

I changed all kinds of passwords this morning. I guess we will see if anything strange shows up in the log. Everything was a direct access to the BI server. I didn't know what some of the devices were connected to my wireless router so reset that password also. Insane people don't have something better to do with their time than to hack people's property. I kept the list of ip's that were in my log. I take full blame for being naive.

 

[Camit]

You guys are sweating this too much all you need to do is make sure services like upnp are turned off.. don't port forward any ports and when your connecting to the cameras remote make sure you use a vpn.

 

[Hound Dog 911]

I had over 100 Lan access from remote in just the last day or so. Plus some kind of DoS attack entry.

 

[Roman]

You guys are sweating this too much all you need to do is make sure services like upnp are turned off.. don't port forward any ports and when your connecting to the cameras remote make sure you use a vpn.

And I think you are "underestimating" this too much! I do not want my IP cams to be network devices across the net to distribute malware to me or anyone else or to have some peeping in on my cams!