Hack attempts right now!

nxindy

n3wb
Joined
Jun 27, 2021
Messages
17
Reaction score
11
Location
Indiana
An LTS installation was already hacked once. Now they are at it again. It's a 4 hour round trip for me to the venue. It's an LTN8616-P16. About twenty illegal login attempts from the same IP address (supposedly a Verizon phone customer by whois) in the last 24 hours. They don't seem to be getting in yet. After the last attack I was able to find upgraded firmware going from 3.4.96 to NVRK_V4.30.005_210222. I did not find it from LTS Us, it was on LTS Australia. I wonder if that is stopping them and the backdoors are no longer in this version of firmware? But I was looking for IP filtering in this version and it's not there. I have some Dahua venues and their software has the IP Right function that has stopped all the problems through filtering. There does seem to be a V4.40xx available, but it actually has an earlier date, so I don't know if applying that will be any more help. I don't mind getting used to Illegal login alerts if they're not getting in, but I'd like to filter some way. I know Port Forwarding is not optimum for security and I'm researching options. But I'm hoping this site can possibly provide some answers that LTS doesn't. Mainly I guess is "Have these later firmware versions addressed the brute force or backdoor issues or not?" Thanks for any help here.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,445
Reaction score
47,571
Location
USA
Port forwarding will make it easier to hack. NVRs can be notorious for security breaches as firmware is rarely updated.

Set up a VPN that puts you back onto your network. Not a paid VPN that hides your IP for porn and illegal streaming LOL.

OpenVPN is what most of us use, but there are a few others.


 

nxindy

n3wb
Joined
Jun 27, 2021
Messages
17
Reaction score
11
Location
Indiana
Thanks wittaj, I'm aware of that and trying to learn how to apply it. Some other points: They keep trying the admin account. Most of the attempts are about one hour apart. But two were One Second apart. The software lockout minimum attempts can only be set to 3 or more. I'd like it to be just one failed attempt and you're blocked. Dahuas can be set that way. LTS not. But it seems to me that they have tried 20 times and failed. I wonder how many different tricks are available to them and will they run out and lose interest?
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Since you have multiple venues that you take care of... might want to polish up on network security, especially if this is commercially based. VPN, yes. Router security, yes. Firewall security, yes. Just slapping in a NVR on any network using port forwarding .... well, you get what you deserve.
 

biggen

Known around here
Joined
May 6, 2018
Messages
2,539
Reaction score
2,765
These are more than likely automated attacks. Probably not an actual person sitting at a keyboard.

Host a SSH server on port 22 some time and watch the logs on how many attempted logins happen. Hundreds a day.
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,521
Reaction score
22,657
Location
Evansville, In. USA
> An LTS installation was already hacked once. Now they are at it again. It's a 4 hour round trip for me to the venue. It's an LTN8616-P16. About twenty illegal login attempts from the same IP address (supposedly a Verizon phone customer by whois) in the last 24 hours. They don't seem to be getting in yet. After the last attack I was able to find upgraded firmware going from 3.4.96 to NVRK_V4.30.005_210222. I did not find it from LTS Us, it was on LTS Australia. I wonder if that is stopping them and the backdoors are no longer in this version of firmware? But I was looking for IP filtering in this version and it's not there. I have some Dahua venues and their software has the IP Right function that has stopped all the problems through filtering. There does seem to be a V4.40xx available, but it actually has an earlier date, so I don't know if applying that will be any more help. I don't mind getting used to Illegal login alerts if they're not getting in, but I'd like to filter some way. I know Port Forwarding is not optimum for security and I'm researching options. But I'm hoping this site can possibly provide some answers that LTS doesn't. Mainly I guess is "Have these later firmware versions addressed the brute force or backdoor issues or not?" Thanks for any help here.
NO NVR should be exposed to the internet....ever. Do not depend on the NVR firmware to protect your network.
Study the links @wittaj gave you above.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
> I know Port Forwarding is not optimum for security

Lol! Understatement of the year.
If these are commercial installations that you're referencing, and the CCTV elements are on the customer LAN, know that the LAN and its data is at serious risk of being compromised.
And you may be at risk of being sued, when an intrusion occurs ...
 

c hris527

Known around here
Joined
Oct 12, 2015
Messages
1,782
Reaction score
2,066
Location
NY
> Lol! Understatement of the year.
> If these are commercial installations that you're referencing, and the CCTV elements are on the customer LAN, know that the LAN and its data is at serious risk of being compromised.
> And you may be at risk of being sued, when an intrusion occurs ...

You have that right. Most of my commercial and/or government customers have their insurance carriers survey their networks, and if they are exposed or their appliances are out of date, they will NOT provide them with cyber insurance. Good for me, been telling some of them for years to upgrade and now they are forced into it.
 

nxindy

n3wb
Joined
Jun 27, 2021
Messages
17
Reaction score
11
Location
Indiana
So I understand what you guys are saying. The problem is I'm not the IT manager for this company. That person is "Family" and she is a real tight ass. There are language and cultural handicaps as well. I'd just as soon be done with them. But I have to find a way to secure the NVR from hacks. I can't install a pc and run OpenVPN etc. So here's a question. Is there a device/appliance I can install just before the NVR, some kind of firewall appliance that will allow me to set a white or black list, and could it be managed remotely? I just need to close off all access except for my ip for administration, a couple of pc's in their homes and a range of IPs that match their phones. It might not be perfect, but I think it's the best I can do.
 

biggen

Known around here
Joined
May 6, 2018
Messages
2,539
Reaction score
2,765
You can replace their router with one that supports OpenVPN. That is probably the easiest way to deal with this.

How do you really know it was "hacked"? I mean, attempted unknown login attempts showing in the logs aren't really an issue. Every home firewall/router drops millions of these probes and "attacks" each year. Was the NVR actually taken over and you had to do a reset to fix something?? Or are you just concerned with what you're seeing in the logs??
 

nxindy

n3wb
Joined
Jun 27, 2021
Messages
17
Reaction score
11
Location
Indiana
> You can replace their router with one that supports OpenVPN. That is probably the easiest way to deal with this.
>
> How do you really know it was "hacked"? I mean, attempted unknown login attempts showing in the logs aren't really an issue. Every home firewall/router drops millions of these probes and "attacks" each year. Was the NVR actually taken over and you had to do a reset to fix something?? Or are you just concerned with what you're seeing in the logs??

Unfortunately, replacing their router isn't going to happen. The admin password was changed and sent to all the cameras as well. System kept working for months fine. I just had no remote admin access. I had several other logins available and they all worked under user status so it wasn't a big deal. Then the owner gave their credentials to an employee who left and I had to change it. I had to go there, reset and upgrade the firmware, and reset each camera. LTS was zero help with their password reset bullshit files that I waited 2 days for, so I had to go to each one and hard reset. 3 days on the road out of my pocket.
Forward to now. I haven't been there yet. As of this moment, the hackers are at about 100 illegal login attempts and haven't got in. I believe the new firmware from LTS Australia is much better, but not a solution. I think they're down to guessing passwords. So yeah, I'm getting the illegal login emails and trying to convince myself it is not an issue, as biggen said. But not enough to stop the alerts. I currently have 9 systems. All are port forwarded. One Dahua was hacked 2 years ago, and this posted LTS system. The rest are fine and have IP filters and I have company router privileges. They all alert me to illegal logins.

I've spent way too much time in crawl spaces and attics to be called a newb. I cut my teeth on VCR systems and a gaggle of iDview motion JPEG DVRs and 24 volt cameras. Here to learn and ask, not be scolded. Thanks.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
> Unfortunately, replacing their router isn't going to happen. The admin password was changed and sent to all the cameras as well. System kept working for months fine. I just had no remote admin access. I had several other logins available and they all worked under user status so it wasn't a big deal. Then the owner gave their credentials to an employee who left and I had to change it. I had to go there, reset and upgrade the firmware, and reset each camera. LTS was zero help with their password reset bullshit files that I waited 2 days for, so I had to go to each one and hard reset. 3 days on the road out of my pocket.
> Forward to now. I haven't been there yet. As of this moment, the hackers are at about 100 illegal login attempts and haven't got in. I believe the new firmware from LTS Australia is much better, but not a solution. I think they're down to guessing passwords. So yeah, I'm getting the illegal login emails and trying to convince myself it is not an issue, as biggen said. But not enough to stop the alerts. I currently have 9 systems. All are port forwarded. One Dahua was hacked 2 years ago, and this posted LTS system. The rest are fine and have IP filters and I have company router privileges. They all alert me to illegal logins.
>
> I've spent way too much time in crawl spaces and attics to be called a newb. I cut my teeth on VCR systems and a gaggle of iDview motion JPEG DVRs and 24 volt cameras. Here to learn and ask, not be scolded. Thanks.

You have access to the router config parameters, I assume, since you set up port forwarding and did firmware updates. What brand/model router is it? Maybe you can set the NVR & cameras on their own VLAN or dedicated guest network. Tell them, due to the age of the router, you can not be held liable for any hacking intrusion when using port forwarding. Turn off any remote access, local only.
 

nxindy

n3wb
Joined
Jun 27, 2021
Messages
17
Reaction score
11
Location
Indiana
I don't have access to the router. I told her I needed a static address and to forward the port and she did it. I mentioned security issues through the whole process and she said she would handle it. The firmware updates were on the NVR from a thumb drive. They are very happy with the quality of the system. It looks beautiful. They can't really understand the issues. I think I may suggest to them that I hand the system off to a local surveillance company. I can't keep running down there. But I don't want to be the guy who just stops answering the phone.
 

Umut

Getting the hang of it
Joined
Apr 25, 2016
Messages
56
Reaction score
31
If you can't set up a VPN server and want to do port forwarding, don't use default port ranges like 80 to 1000, 1050 to 1070, 554 to 560, 8000 to 8100, 9000 to 9100, 37777, 35000, 32789. If you use random ports like 26168, 39147, 43804, 99% of the attacks will stop.
 

Sphinxicus

Getting comfortable
Joined
Aug 30, 2017
Messages
174
Reaction score
341
Location
Ireland
Why not put a Raspberry Pi in the network? Install OpenVPN (you can use PiVPN to make it super easy). Port forward from the router to the Raspberry Pi. Much safer exposing the Pi with hardened software intended to be public facing than a NVR.

You then use your VPN client to tunnel from your remote device to the Raspberry Pi and once connected you can work as if you are plugged in locally.

Ideally you would place the Pi and all camera related devices on its own network that has no route to the network that the company's devices are sitting on, to add a layer of separation. $35 for the Pi + a case/power adapter. Not much for peace of mind. Just a thought.
 

CCTVCam

Known around here
Joined
Sep 25, 2017
Messages
2,660
Reaction score
3,480
> Thanks wittaj, I'm aware of that and trying to learn how to apply it. Some other points: They keep trying the admin account. Most of the attempts are about one hour apart. But two were One Second apart. The software lockout minimum attempts can only be set to 3 or more. I'd like it to be just one failed attempt and you're blocked. Dahuas can be set that way. LTS not. But it seems to me that they have tried 20 times and failed. I wonder how many different tricks are available to them and will they run out and lose interest?

They attack the admin account because they want to get root. Once they have root, they can do anything to your system from simply accessing it to altering the firmware / code to brick your system / cameras.

If you port forward, your system broadcasts to the whole internet, I'm here, I'm an X brand security camera, come get me. There are OSINT search tools that can find any device in the world and pinpoint its location based on port forward broadcast information. If this doesn't scare you maybe this will:


Edited with an easier to demonstrate video.
 
Last edited:

biggen

Known around here
Joined
May 6, 2018
Messages
2,539
Reaction score
2,765
The bottom line is you are port forwarding so you should expect to see attempted logins. These aren't "backdoors". Automated scripts are designed to scan IP ranges and probe for open ports. Once an open port is found, the script probes for the service (trying to determine if it's a webserver, ssh server, etc...), then once it identifies the service the script will attempt a basic dictionary attack using common username/passwords (admin:1234 for example). If the script is successful, it notifies the creator/owner.

You defeat it by not port forwarding and using a VPN. That means either replacing the router or installing a computer in the network that can host the VPN. Another solution is to simply block the IP range that is causing those attempted logins. Any router worth its salt has this ability. If you can't do either of those, then create a more complicated password so it can't be brute forced and ignore the attempted login attempts because there is nothing you can do about it.
 
Last edited:

nxindy

n3wb
Joined
Jun 27, 2021
Messages
17
Reaction score
11
Location
Indiana
So thanks for some good suggestions. What about sticking a new D-Link router just before the NVR on my line. Turn off the DHCP etc. I think those can provide IP filtering and maybe even VPN services. I wonder if I could manage it remotely since it's behind another router and port forwarding to it. I can't mess with their network at all. They've got gas pump systems, POS with credit card processing, lottery machines, online business accounting stuff, and god knows what else. If I break any of that she's gonna kill me.
Meanwhile, more attempts all last night 1 hour and 1 minute apart and they're still not in.
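
Added example (not part of any post in this thread, and not LTS or Dahua code): a detector for the pattern described in the posts above, where failed admin logins from one address arrive about an hour apart and so never reach the 3-attempt lockout. The alert line format, the 10-minute lockout window, the 10-per-24-hours alert threshold and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_lines():
    """Constructed alerts in a hypothetical format; addresses are documentation ranges."""
    t0 = datetime(2021, 6, 27)
    stamps = [t0 + timedelta(minutes=61 * i) for i in range(19)]
    stamps.append(t0 + timedelta(seconds=1))          # the two attempts one second apart
    lines = [f"{t.isoformat()} ILLEGAL_LOGIN user=admin src=203.0.113.7" for t in stamps]
    lines.append("2021-06-27T09:15:00 ILLEGAL_LOGIN user=guest src=198.51.100.20")
    lines.append("garbled line")                       # malformed input is skipped
    return lines

def parse(line):
    """Return (timestamp, user, source) or None for anything that is not a failed login."""
    try:
        ts, event, user, src = line.split()
        if event != "ILLEGAL_LOGIN":
            return None
        return datetime.fromisoformat(ts), user.split("=", 1)[1], src.split("=", 1)[1]
    except (ValueError, IndexError):
        return None

def max_in_window(times, window):
    """Largest number of events that fall inside any sliding window of this length."""
    times, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def analyse(lines, lockout_attempts=3, lockout_window=timedelta(minutes=10),
            alert_attempts=10, alert_window=timedelta(hours=24)):
    times, users = defaultdict(list), defaultdict(set)
    for ts, user, src in filter(None, map(parse, lines)):
        times[src].append(ts)
        users[src].add(user)
    report = {}
    for src, seen in times.items():
        burst = max_in_window(seen, lockout_window)
        report[src] = {
            "attempts": len(seen),
            "accounts": sorted(users[src]),
            "lockout_would_trigger": burst >= lockout_attempts,
            # many failures per day, yet never fast enough to trip the lockout
            "low_and_slow": burst < lockout_attempts
                            and max_in_window(seen, alert_window) >= alert_attempts,
        }
    return report

if __name__ == "__main__":
    for src, row in analyse(sample_lines()).items():
        print(src, row)
```

On the constructed sample the paced source is flagged as low-and-slow while the device-style lockout check never fires, which is the case for counting failures per source over a day rather than relying on the lockout alone.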
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,445
Reaction score
47,571
Location
USA
Yeah, you need to get that squared away. Someone gets into that network and they have a gold mine of havoc to create.

Or worse it is a local yokel and once they get in and disable the cams they rob the place.
 

Sphinxicus

Getting comfortable
Joined
Aug 30, 2017
Messages
174
Reaction score
341
Location
Ireland
You're making it more complicated than it needs to be by adding a 2nd router and asking for trouble with all the PoS etc. systems as you will end up with double NAT.

Replace the existing router or add a device in the network to act as your VPN endpoint.
 