Dahua Backdoor Uncovered

Well, just for giggles I figured I would go home and log onto my router and see if I could find any outbound connections, so I viewed my "active connections" log under my WAN section and came across two of my IP-addressed cameras connecting to various outside addresses. Not sure what this is all about? Any assistance would be appreciated.


114.55.152.165:9084 was what I found in my firewall logs. It stopped smacking its head on the firewall when I disabled the cloud service. Haven't seen anything like the other address yet

If you changed the DNS to nothing or to your internal stuff you won't see it again. I dunno why the other one is there; that usually happens when machines try to get an IP and there is no DHCP server to hand one out, so they auto-generate a 169.254.x.x address.
 
I had DMZ on in my router. It's now off. I guess it drew attention to my IP address, and my router showed a few DoS attacks since shutting down the security issue. Just curious if you would have your provider assign a new IP or just let the router do its thing, hoping they stop?
Generally cutting power to the modem for a bit will get you a new IP, but it really won't make much difference.
 
Not sure if Reolink will care. This is what my firewall picks up; it is not every time. I will look at the daily log and not see any info, just home, and then the next day I will see these IPs again.
 
Do you have P2P/EzViz/NTP/email enabled on the camera? Because none of my Dahuas make any attempt to reach the internet.

Did you buy a hacked Chinese domestic model? They call home by default; you need to use @cor35vet's firmware and trust that he didn't leave his own backdoor.
 
I got to looking at my router. I don't have any of the UPnP, DMZ, DNS or port forwarding enabled. But I went to the security and system log. The security log is spitting out a new entry every 5 seconds. I unplugged every device in the house (NVR, cut off all computers, tablets, shut down my smartphone) except this laptop. Still chugging out entries. Anybody know what these mean? I deleted my public IP from the picture of the security log. Anything I left that I shouldn't post?
 

Attachment: Router Security Log.jpg
The common outbound destination is :
Code:
NetRange: 209.10.120.0 - 209.10.120.255
CIDR: 209.10.120.0/24
NetName: QTS-209-10-120-0-24
NetHandle: NET-209-10-120-0-1
Parent: QTS-209-10-0-0-16 (NET-209-10-0-0-1)
NetType: Reassigned
OriginAS: AS20141
Customer: AVG Exploit Prevention Labs, Inc. (C05877816)
RegDate: 2015-08-20
Updated: 2015-08-20
Ref: https://whois.arin.net/rest/net/NET-209-10-120-0-1
Do you have AVG AV on the laptop?
 
Yes, got AVG. I started looking through the IPs: a lot are Google, 31.13.65.7 and similar were Facebook, one was Taiwan and another from India. If the ACK is zero, does that mean it's safe (no contact)? How concerned should I be? The blank IPs are my public WAN address.
 
If you started looking at the outbound chatter that a regular Windows PC conducts even when you are not using it - you'd be gobsmacked.
You need only be concerned if a destination was linked to bad things on the internet such as a C&C server but you're unlikely to spot that by manual inspection.
You'd only really know that if the output was subject to automated inspection, such as an IPS system.
 
Great thread, but is there a way we can get a thread together to make a DIY post with suggestions on how to secure your camera, and how to block and search for IPs that could be sending information out from your camera?

It would go a long way, as there are more newbies than experts.

My main concern is how to block and secure my IP camera on the home network, because my firewall is picking up China IPs communicating with the Reolink software, and I cannot seem to block it without shutting down the software.
Reolink cameras?
Read my posts in this thread. Blocking a pair of ports (outgoing and incoming) will stop the communications.
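The reply above blocks a pair of ports; the stricter version several people in this thread are after is "the camera may talk to the NVR and nothing else". Below is an added example of that policy as iptables rules for a Linux router or firewall sitting between the camera LAN and the internet. It is not code from this thread or from any vendor, and the camera address, LAN range, chain name and log prefix are assumptions. By default it only prints the commands (dry run); set `IPT=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny egress for one camera.
# IPT defaults to "echo iptables" so the script prints the rules instead of
# applying them; run with IPT=iptables as root on the router to enforce.
IPT="${IPT:-echo iptables}"

# camera_egress_rules <camera-ip> <lan-cidr>
camera_egress_rules() {
    cam="$1"
    lan="$2"

    # Dedicated chain so the policy can be flushed/re-applied atomically.
    $IPT -N CAM_EGRESS 2>/dev/null || true
    $IPT -F CAM_EGRESS

    # 1. The camera may talk to anything on the LAN (NVR, viewer PC, local NTP).
    $IPT -A CAM_EGRESS -d "$lan" -j ACCEPT

    # 2. Replies to sessions that were opened *to* the camera (e.g. a viewer
    #    pulling RTSP from the WAN side) are allowed; the camera did not
    #    initiate them, so this does not let it phone home.
    $IPT -A CAM_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. Everything else the camera initiates (P2P/cloud, hard-coded DNS,
    #    vendor update checks) is logged, rate-limited, and dropped.
    #    A dropped SYN never gets a SYN/ACK, so the connection stays SYN_SENT.
    $IPT -A CAM_EGRESS -m limit --limit 6/min -j LOG --log-prefix "CAM-EGRESS-DROP "
    $IPT -A CAM_EGRESS -j DROP

    # Hook the chain into FORWARD for traffic sourced from the camera only.
    $IPT -I FORWARD 1 -s "$cam" -j CAM_EGRESS
}

# Assumed addresses; override with CAM=... LAN=... in the environment.
camera_egress_rules "${CAM:-192.168.1.50}" "${LAN:-192.168.1.0/24}"
```

The LOG rule is what turns a silent block into evidence: after applying this, `dmesg | grep CAM-EGRESS-DROP` lists exactly which external addresses and ports the camera keeps trying, which is the same data people in this thread are reading out of their router's connection table by hand.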
 
I just wanted to post back and say that since I changed one cam's DNS settings to point to a non-existent address (1.0.0.1), it is not communicating with the China IP any longer. Instead the logs just list the cam's IP address and then the destination address of that non-existent IP I changed it to, and the status is "syn_sent" instead of "established", which leads me to believe it is not getting outbound any longer.

I am still going to pursue custom FW entries to stop all outbound communication, but for now this is a good temp fix in my mind.
As long as you don't see a SYN/ACK after the SYN, you are good to go lol.
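Two things in this thread are worth automating rather than eyeballing: the 169.254.x.x address that one reply attributes to a host that found no DHCP server, and the "syn_sent versus established" distinction the last two posts rely on. The script below is an added example, not from any poster or vendor, that reads conntrack-style connection-table lines and reports, per camera, which non-LAN destinations the camera tried and which ones actually answered. The log lines, camera addresses and the 203.0.113.7 WAN address are constructed for the example. One caveat on the DNS trick above: 1.0.0.1 is not a non-existent address, it is Cloudflare's public resolver, so pointing a camera at it only "works" while that address is unreachable or blocked; an unused address on your own LAN is a safer sink.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed, conntrack-style sample lines (not the thread's real logs).
# 203.0.113.7 plays the router's WAN address; .50 and .51 are the cameras.
SAMPLE_LOG = """\
tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=114.55.152.165 sport=41232 dport=9084 src=114.55.152.165 dst=203.0.113.7 sport=9084 dport=41232 [ASSURED]
tcp      6 118 SYN_SENT src=192.168.1.51 dst=1.0.0.1 sport=51234 dport=53 [UNREPLIED] src=1.0.0.1 dst=203.0.113.7 sport=53 dport=51234
udp      17 29 src=192.168.1.51 dst=169.254.197.10 sport=5353 dport=5353 [UNREPLIED] src=169.254.197.10 dst=192.168.1.51 sport=5353 dport=5353
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=192.168.1.50 sport=55010 dport=554 src=192.168.1.50 dst=192.168.1.20 sport=554 dport=55010 [ASSURED]
tcp      6 431999 ESTABLISHED src=192.168.1.30 dst=31.13.65.7 sport=50001 dport=443 src=31.13.65.7 dst=203.0.113.7 sport=443 dport=50001 [ASSURED]
"""

CAMERAS = {"192.168.1.50", "192.168.1.51"}  # assumed camera addresses

# proto, l4proto number, timeout, optional TCP state, then the original-direction tuple.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return the original-direction 5-tuple plus a state, or None for unknown lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flow = m.groupdict()
    if flow["proto"] == "udp":
        # UDP has no handshake; conntrack marks flows that never saw a reply.
        flow["state"] = "UNREPLIED" if "[UNREPLIED]" in line else "REPLIED"
    flow["dport"] = int(flow["dport"])
    return flow


def classify(addr):
    """Bucket a destination: LAN, APIPA link-local, or the internet."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:
        return "link-local"   # 169.254.x.x: self-assigned when no DHCP server answered
    if ip.is_private:
        return "lan"
    if ip.is_global:
        return "internet"
    return "other"


def camera_egress(log, cameras):
    """All flows a camera initiated toward a non-LAN address.

    Each entry is (dst, dport, kind, state, reached). 'reached' is True only
    when the far end answered (ESTABLISHED TCP or replied UDP); a SYN_SENT or
    UNREPLIED flow means the camera is still knocking and nothing got out.
    """
    report = defaultdict(list)
    for line in log.splitlines():
        flow = parse_line(line)
        if not flow or flow["src"] not in cameras:
            continue
        kind = classify(flow["dst"])
        if kind == "lan":
            continue
        reached = flow["state"] in ("ESTABLISHED", "REPLIED")
        report[flow["src"]].append((flow["dst"], flow["dport"], kind, flow["state"], reached))
    return dict(report)


def reached_internet(log, cameras):
    """Only the flows that matter: camera -> internet with a completed handshake."""
    out = {}
    for cam, flows in camera_egress(log, cameras).items():
        hits = [f"{dst}:{dport}" for dst, dport, kind, _state, reached in flows
                if kind == "internet" and reached]
        if hits:
            out[cam] = hits
    return out


if __name__ == "__main__":
    for cam, flows in camera_egress(SAMPLE_LOG, CAMERAS).items():
        for dst, dport, kind, state, reached in flows:
            verdict = "REACHED" if reached else "blocked/unanswered"
            print(f"{cam} -> {dst}:{dport} ({kind}, {state}) {verdict}")
    print("phoning home:", reached_internet(SAMPLE_LOG, CAMERAS))
```

Run against `conntrack -L` output (or whatever your router exports) and only the `reached_internet` entries need a whois lookup like the one done earlier in the thread; the viewer-to-camera RTSP session and the laptop's Facebook traffic are filtered out because the camera did not initiate them.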