Hacked DAHUA cam and the names that were added

TIGOS1

Young grasshopper
Feb 25, 2020
Odessa, Ukraine
As we all know, many cameras are being hacked now

After hacking, new users are added to the cameras

I have a theory that this is done automatically with the help of bots

I suggest posting all detected hacked added names in this post

I have a second theory: if you add these names to the cameras yourself with YOUR password, then the bot will not be able to do this

(This will help with old firmware that is not updated by the manufacturer)

Please comment on this post what you think, even if you do not have new hacked names


oldworld
newworld
system_service
goguberlin
viraentertainment
hackedBy
CamhubfreeTG
(For this name I found a group on Telegram where they posted videos from hacked cameras. Thousands of cameras...)

AlexGogu
Lipovonche
GermanyBerlin
vclubsql
roman
system9
config
updates
disabled
system_service
admln
veronika
alexanrdu
 
Of course.
But only when the entire internet is allowed to access the cameras when port forwarding has been configured. Which is convenient, for external access, but such a risky and dumb thing to do.
I guess your theory is that I have port forwarding done on each camera?

I may disappoint you.

The process of adding a new hacked user was found in the logs:
A connection was made using p2p without a user name but with administrator rights.
After that, a new user was added

That's it.
 
You must have some entry point into your camera network. Doesn't necessarily mean that each is forwarded. But in a way might be less concerning if they were. ; )
 
+1^^^^
And turn off UPnP in your router and UPnP and P2P in every camera and NVR (via their respective web GUIs).
 
You do not have port forwarding on in your router?

Did you scan a QR code when you set up the cameras?

Which camera models are they and what is the firmware on it?

You have done something, and probably forgot, that has allowed this access to happen.

Are the cameras connected/going thru the router or are they isolated via VLAN or dual NIC or back of NVR and NVR is not in bridge mode?

Do you have an NVR? If so, what model and what is firmware date? Is P2P activated on it?
 
I don't use port forwarding.
I don't see the point.
Besides, it's the most common vulnerability for hacking.

To add cameras, I first set up NVR inside the local network
Then I add cameras to this NVR (I don't use the KR code of the cameras. And I don't understand why this is necessary)

And of course I forgot a lot of things while doing this, because there are so many actions needed to get everything going. :)

I can't believe you all still use port forwarding on all your cameras?
 
Um WE DO NOT use port forwarding....

Who here said we do?

We are asking because many people come here with hacked camera threads and that is usually the issue - they port forwarded...
 
Then I add cameras to this NVR (I don't use the KR code of the cameras. And I don't understand why this is necessary)
The QR code is a quick and error-free way to enter the unique ID code of the camera when P2P is to be the means of remote access.
 
All your answers were very helpful in the task I described in the topic. Thank you all very much :)

I would like to collect in this topic not advice "to turn off video surveillance" to be safe

I would like everyone who has encountered this to write lists of new users added to you after the hack

I very often see hacked cameras and NVRs
These cameras and NVRs are very often not the newest models and the manufacturer has not released updates for them for a long time

I wrote at the very beginning that I have a theory for combating hacking bots: add the most common names of hacked users myself (with my password, of course)

So I have a request: if you have already encountered this, send here the names of the users who were added to you
 
VPN is also access.
This is how the network works

You either turn off the network or not
Access that requires encrypted key exchange/passwords and encrypts traffic between the end points. That's why it's standard best practice for remote access. As I said, account names aren't going to stop anything. All of the cam exploits go completely around user authorization. If they can get to your cams to do that to begin with, you have larger problems that account names won't solve.
 
For now, I'm trying to protect my clients from botnet attacks.

Botnet doesn't analyze what I have there and how, it adds its user according to a template.

That's why I would like to have the names that botnets added to your cameras
 
For now, I'm trying to protect my clients from botnet attacks.
If your users are having botnet add user names to their cams or NVRs, then the problem is not the cams or NVRs. It is the (lack of) firewall/modem/router that is letting them in. You need to secure the network. We have well over 168,000 users here on IPCAMTALK, and very rarely do we have much real cam or NVR hacks. That is because these users adhere to the recommendations that have been given to you in this thread.

See post #2 by @looney2ns and others that state to use a VPN like Tailscale or Zerotier. Isolate your cams from the internet using VLANs or a physical isolation. Do not run your cams through a router.

As others have said, if you already have this issue, then there are most likely trojans or other control apps loaded on your network that, if not removed, will just reinstall the offending software.

You will not get any traction for these user names as most everyone here has not had this problem.
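
An added example, not part of any post in this thread: a Python audit that compares account lists exported from cameras and NVRs against the accounts you actually provisioned, flagging the names listed in the first post and near-misses of legitimate names such as admln. The device names, the allowlist and the edit-distance-1 look-alike rule are assumptions of this example, and it only detects unexpected accounts; it does not prevent their creation.

```python
# Account names reported in this thread as added after a compromise.
REPORTED = {n.lower() for n in """oldworld newworld system_service goguberlin
viraentertainment hackedBy CamhubfreeTG AlexGogu Lipovonche GermanyBerlin
vclubsql roman system9 config updates disabled admln veronika alexanrdu""".split()}

def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alikes of legitimate names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(name, allowed):
    """Return 'expected', 'reported', 'lookalike' or 'unknown' for one account."""
    n = name.strip().lower()
    allowed_l = {a.lower() for a in allowed}
    if n in allowed_l:        # provisioned by the installer, whatever its name
        return "expected"
    if n in REPORTED:         # name posted in this thread
        return "reported"
    if any(edit_distance(n, a) == 1 for a in allowed_l):  # assumed heuristic
        return "lookalike"
    return "unknown"

def audit(inventory, allowed):
    """Map device -> [(account, verdict)] for every account that is not expected."""
    findings = {}
    for device, accounts in inventory.items():
        rows = [(a, v) for a in accounts if (v := classify(a, allowed)) != "expected"]
        if rows:
            findings[device] = rows
    return findings

# Constructed sample inventory: device names and account lists are made up.
ALLOWED = {"admin", "viewer"}
SAMPLE = {
    "nvr-office": ["admin", "viewer"],
    "cam-gate": ["admin", "admln", "system9"],
    "cam-yard": ["Admin", "adm1n", "guest2"],
}

if __name__ == "__main__":
    for device, rows in audit(SAMPLE, ALLOWED).items():
        print(device, rows)
```

Any account that is not "expected" is worth investigating, including "unknown" ones, since the list from the first post is only what one installer has seen.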