Got hacked...Network Security and Port Forwarding question

woodsie

Young grasshopper
Joined
Apr 1, 2015
Messages
36
Reaction score
7
I'm getting out of my depth here so bear with me. I recently had someone get on my router and enter in a malicious DNS server (redirected certain URLs to phishing websites) into my DNS settings. My initial suspicion was that it was because my router was exposed to the internet for remote administration and they had simply brute force attacked my password.

A week later, the same thing happened to my father whose router is NOT exposed to the internet for remote administration. The common thread between the two of us is that we both have Hikvision cams set up for remote viewing with port forwarding on the router. My concern is that the ports we opened up gave a hacker a pathway on to our routers to change the DNS settings.

In both cases, I used 8000, 8001, 8002 etc. for Server Ports and 8090, 8091, 8092 etc. for HTTP ports, which were then translated to the default ports 8000 and 80 on the cameras at their respective IP addresses, with both TCP and UDP allowed in the rules. On the cameras themselves, I had NAT disabled.

Is this the best way to approach it? Is there an inherent vulnerability I set myself up for here that allowed the hacker on to my router?

A few more details:
- Passwords on the cameras and routers were medium strength. Not super duper but I'd still be impressed if it was as simple as a person or program guessing them. I'd buy that argument on my router, but not on my father's. His was not enabled for remote administration over the internet.
- Geographically, it is unlikely that someone simply got within wifi range, guessed the wifi key, and then got on the network that way. My place is a cabin in the woods and my father is on a farm. The IP address of the spoof DNS servers was European, not that this is a guarantee of anything.

Looking for thoughts and ideas to try and secure myself a little better the next time around.

ETA: One more thing. Tonight I tried enabling auto NAT on my cameras and connecting with HiDDNS and deleting all port forwarding on my router. This works as well. Is this a superior or inferior way of connecting remotely compared to using port forwarding on the router?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,905
Reaction score
21,279
@woodsie Exposing your cameras to the internet directly is bad practice. If you go this route you should only be forwarding the media port; there is no reason to forward the HTTP port. You should also not use default ports, and set up an email notification for an illegal login to the camera. That said, this is highly unlikely. What are the chances that you and your father had the same issue? Probably greater than winning the lottery. Something else is going on. What model routers are you both using?
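The three points in the reply above (forward only the media port, avoid default external ports, do not open more protocols than the service needs) can be turned into a quick audit of a forwarding table. The following is an added example written for this thread; it is not code from the forum, from Hikvision or from Asus. The rule layout, the 192.168.1.x addresses and the assumption that the server port 8000 and the web UI on 80 are TCP-only services are mine; check the vendor documentation for your own firmware before applying the hardened set.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRule:
    """One router port-forwarding rule (constructed model, not the Asus export format)."""
    name: str
    external_port: int
    internal_ip: str
    internal_port: int
    protocol: str  # "TCP", "UDP" or "BOTH"


# Camera listening ports named in the thread: 8000 is the Hikvision server/media
# port that iVMS needs, 80 is the web UI. Both are assumed here to be TCP services.
MEDIA_PORT = 8000
HTTP_PORT = 80
DEFAULT_CAMERA_PORTS = {MEDIA_PORT, HTTP_PORT}
TCP_ONLY_SERVICES = {MEDIA_PORT, HTTP_PORT}  # assumption: neither service needs UDP

# Constructed rule set mirroring the thread's layout: 8000/8001 -> server port,
# 8090/8091 -> HTTP, TCP+UDP allowed. The internal addresses are made up.
SAMPLE_RULES = [
    ForwardRule("cam1-server", 8000, "192.168.1.10", MEDIA_PORT, "BOTH"),
    ForwardRule("cam1-http",   8090, "192.168.1.10", HTTP_PORT, "BOTH"),
    ForwardRule("cam2-server", 8001, "192.168.1.11", MEDIA_PORT, "BOTH"),
    ForwardRule("cam2-http",   8091, "192.168.1.11", HTTP_PORT, "BOTH"),
]


def audit_rules(rules):
    """Return (rule name, severity, reason) tuples for every rule that departs
    from the advice above: no web UI exposed, non-default external ports,
    and no UDP for TCP-only services."""
    findings = []
    for r in rules:
        if r.internal_port == HTTP_PORT:
            findings.append((r.name, "HIGH",
                             "exposes the camera web UI; iVMS only needs the media port"))
        if r.external_port == r.internal_port and r.internal_port in DEFAULT_CAMERA_PORTS:
            findings.append((r.name, "MEDIUM",
                             "external port equals the camera's default port; choose a non-default one"))
        if r.protocol != "TCP" and r.internal_port in TCP_ONLY_SERVICES:
            findings.append((r.name, "LOW",
                             "UDP allowed for a TCP-only service; restrict the rule to TCP"))
    return findings


def harden(rules):
    """Keep only media-port rules and restrict them to TCP: the minimal set the
    reply recommends if you forward directly to cameras at all."""
    return [ForwardRule(r.name, r.external_port, r.internal_ip, r.internal_port, "TCP")
            for r in rules if r.internal_port == MEDIA_PORT]


if __name__ == "__main__":
    for name, severity, reason in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] {name}: {reason}")
    print("remaining after hardening:", audit_rules(harden(SAMPLE_RULES)))
```

Run against the constructed table, the audit flags both HTTP rules as high, the 8000-to-8000 rule for reusing the default port, and every rule for allowing UDP; after `harden()` only the default-port finding on cam1 remains, which is fixed by picking a different external port.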
 

woodsie

Young grasshopper
Joined
Apr 1, 2015
Messages
36
Reaction score
7
Thanks for your reply. By media port are you referring to what Hikvision calls the Server port and is used by iVMS?

What would be a good alternative to directly exposing the cameras to the internet if I want to be able to view them remotely?

We both have ASUS RT-N66U routers. I've been googling around trying to find some specific vulnerabilities with this router but have not been able to find anything definitive and both of our firmwares are up to date.

Thank you for your help. I'm 100% eager to learn better practices for using my cameras securely.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,905
Reaction score
21,279
It's the port that is by default 8000. ivms4500 mobile only needs that port.
What firmware version are you running on the Asus?
The best alternative is VPN. The next is using a secure VMS software package running on a PC or, at the very least, only exposing a single NVR, not each camera. Your Asus router already has a built-in, very easy to use VPN; there are other better, more secure VPN options as well. Member @nayr can probably give you the best advice here.
 

woodsie

Young grasshopper
Joined
Apr 1, 2015
Messages
36
Reaction score
7
Thank you for the clarification. I think you make a very good point here regarding only forwarding the server port. If nothing else, I will at least make the change to no longer forwarding the HTTP ports and just using iVMS for remote viewing on my PC.

I'm running 3.0.0.4.376_3861 on the Asus.

I'll have to do some reading on using a VPN. I've never set one up or used one but I'm certain I can figure that out.
 

MrFixit

Getting the hang of it
Joined
Jul 11, 2015
Messages
147
Reaction score
21
Location
NJ
This is going to sound like a stupid question, but are you absolutely sure the router DNS was changed on you and not some kind of virus and/or malware on both your computers that was redirecting you? When was the last time you scanned your computer with something like Malwarebytes to make sure you're not infected? Also, is UPnP enabled on your routers? If it is, I highly suggest doing a factory reset of the router (simplest) and, before connecting it to anything on your network other than a known uninfected computer or the internet, disable UPnP; or, if you know what you're doing, you can disable UPnP, then go into port forwarding and delete anything that does not belong there. Also make sure your router firmware is up to date; I would do this first before resetting the router.

You need to find out what caused this to happen or it will happen again. I have a feeling it was nothing to do with the cameras, but that's just a gut feeling. You can run a scan with this tool from GRC https://www.grc.com/su/upnp-rejected.htm to see if UPnP is on and exposed to the internet, then take my above advice to fix it.
 

woodsie

Young grasshopper
Joined
Apr 1, 2015
Messages
36
Reaction score
7
Thank you for your post. I am absolutely sure the router DNS settings were changed. I logged on to my router and could visually confirm that the DNS settings were changed from "Automatic" to the IP address of a DNS server that appeared to reside somewhere in Europe.

That does not rule out Malware, but when I changed the DNS settings back to automatic (or 8.8.8.8 or 8.8.4.4) then the computer immediately began serving up non-spoofed pages. After making that test and confirming that the DNS settings were the factor, I then reset my router to factory settings and increased the security of my username and password. I also updated my router's firmware at that time so it is current.

I will check into performing a Malware scan. That is a good point whether that is the issue or not. I will also check my UPnP settings with the tool you suggested. Thank you very much for the link.

Thank you for your ideas.
 

MrFixit

Getting the hang of it
Joined
Jul 11, 2015
Messages
147
Reaction score
21
Location
NJ
You are very welcome. I am sure there is something else going on here and I feel confident the cameras had nothing to do with the DNS being changed. I have been dealing with this stuff since 1991 and I have never seen cameras be the cause of this. Also, what are you using for real-time virus & malware scanning? You need to have both or you're at risk of something happening. Also, you mentioned Google DNS servers; do you have virus & malware scanning at the edge of your network, aka your gateway/router? Google is great for speedy DNS but does not provide any scanning for threats like OpenDNS does, and even then you're not fully protected like you would be using a commercial-grade firewall/router like Sophos/Untangle, as examples. So if you're using an off-the-shelf big-box-store router such as the ones found at Best Buy, Staples, etc., you should consider changing your client DNS setting to something with more filtering than GoogleDNS provides, like OpenDNS, Symantec or many others. I suggest OpenDNS because it gives a nice balance of security and performance.

The best practice is, on your WAN connection to the internet, to leave all the settings set to automatic or DHCP if you don't have a static IP from your service provider. You always want your service provider's DNS settings on the WAN side of things, but on your LAN side you want to change what your computers are using for DNS, so in the DHCP settings for your LAN put the DNS setting you want to use for all your computers on the LAN. This is best practice. Here is the link for OpenDNS: https://www.opendns.com/home-internet-security/opendns-ip-addresses/ This is free for the basic protection (better than nothing) and they also have a paid version as well. There is also Norton Connect: https://dns.norton.com/configureRouter.html you can try. I did not find Norton to have good performance, but like anything else your mileage will vary. Give these both a try and see what you like best, but for god's sake you need some kind of scanning at the gateway.

Hope this info helps....
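The hijack in this thread was spotted by eye: the router's DNS field had silently changed from "Automatic" to an unfamiliar foreign address. That check can be scripted and re-run after every firmware update or reboot, which is how you catch a second tampering early. The block below is an added example written for this thread, not code from the forum or from Asus: it parses a small key=value settings dump (the layout is my assumption; a real router export looks different) and flags any resolver that is neither a LAN address nor one the owner chose. Google's 8.8.8.8/8.8.4.4 come from the thread; the OpenDNS addresses are the ones published on the OpenDNS page linked above. 198.51.100.23 is a documentation address standing in for the unexpected European resolver.

```python
import ipaddress

# Resolvers the owner deliberately chose (constructed allowlist for this example).
TRUSTED_RESOLVERS = {
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS",
}

# RFC 1918 ranges listed explicitly: ipaddress.is_private also counts the
# documentation ranges as private, which would hide the sample address below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed settings dump in key=value form (assumed layout). The WAN side has
# been switched from automatic to a static, unexpected resolver, which is the
# symptom described in the thread; the LAN DHCP side points at the router and Google.
SAMPLE_CONFIG = """\
# constructed sample, not a real export
wan_dns_mode=static
wan_dns1=198.51.100.23
wan_dns2=
lan_dhcp_dns1=192.168.1.1
lan_dhcp_dns2=8.8.8.8
"""


def parse_config(text):
    """Turn key=value lines into a dict, skipping blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def classify_resolver(addr):
    """Return 'trusted:<name>', 'lan' or 'unexpected'; raises ValueError on junk."""
    if addr in TRUSTED_RESOLVERS:
        return "trusted:" + TRUSTED_RESOLVERS[addr]
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "lan"
    return "unexpected"


def audit_dns(settings):
    """Apply the thread's best practice: WAN DNS stays automatic (ISP), and every
    configured resolver is either on the LAN or on the owner's allowlist."""
    findings = []
    if settings.get("wan_dns_mode", "automatic") != "automatic":
        findings.append(("wan_dns_mode", "MEDIUM",
                         "WAN DNS is not automatic; the ISP's servers belong on the WAN side"))
    for key, value in settings.items():
        if not key.endswith(("dns1", "dns2")) or not value:
            continue
        try:
            kind = classify_resolver(value)
        except ValueError:
            findings.append((key, "HIGH", f"{value!r} is not a valid IP address"))
            continue
        if kind == "unexpected":
            findings.append((key, "HIGH",
                             f"{value} is neither a LAN address nor a chosen resolver; possible DNS hijack"))
    return findings


if __name__ == "__main__":
    for key, severity, reason in audit_dns(parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {key}: {reason}")
```

On the constructed dump this reports the static WAN mode and the unknown resolver; a clean configuration (WAN automatic, LAN DHCP handing out the router or an allowlisted server) produces no findings. Keep the allowlist to the resolvers you actually set, so that any third-party address, however plausible it looks, is flagged.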
 