Hacked DAHUA cam and added that names

If your users are having botnet add user names to their cams or NVRs, then the problem is not the cams or NVRs. It is the (lack of) firewall/modem/router that is letting them in.
Thank you very much...

And thank you for your read fully my message at all :)
I don't use port forwarding.
The process of adding a new hacked user was found in the logs:
A connection was made using p2p without a user name but with administrator rights.
After that, a new user was added
It was these tips of yours that really helped in solving the problem described.

But if I answer you seriously: I can advise you to check each of your cameras for hacking just in case

I really hope that YOUR vpn and firewalls helped you

I have video surveillance networks with different numbers of cameras
In some networks there are 3-5 of them, in other networks there are 500-600 of them.

Not all of them are hacked.
But it is enough if in a network of 300 cameras there are 10-15 hacked
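
The log pattern described above (a P2P connection with no user name, followed by a new account) can be checked across many devices once their logs are exported. This is an added example, not part of the original post: the CSV columns, event labels, device names, account names and the 10-minute window are all assumptions to be mapped onto whatever your devices actually export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names and event labels are assumptions.
SAMPLE_LOG = """\
time,device,event,user,channel
2024-03-01 02:14:07,cam-017,Login,,P2P
2024-03-01 02:14:31,cam-017,AddUser,newacct,P2P
2024-03-01 08:00:12,cam-017,Login,admin,LAN
2024-03-01 08:05:40,cam-017,AddUser,viewer1,LAN
2024-03-01 03:10:00,cam-101,Login,,P2P
2024-03-01 09:45:00,cam-101,AddUser,viewer2,LAN
"""

KNOWN_USERS = {"admin", "viewer1", "viewer2"}  # per-site allowlist (assumption)
WINDOW = timedelta(minutes=10)                 # correlation window (assumption)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def find_suspicious(log_text, known_users=KNOWN_USERS, window=WINDOW):
    """Flag accounts created soon after a nameless P2P login or missing from the allowlist."""
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: (r["device"], r["time"]))
    last_nameless = {}  # device -> time of most recent P2P login without a user name
    findings = []
    for r in rows:
        ts = datetime.strptime(r["time"], TIME_FMT)
        if r["event"] == "Login" and r["channel"] == "P2P" and not r["user"].strip():
            last_nameless[r["device"]] = ts
        elif r["event"] == "AddUser":
            reasons = []
            seen = last_nameless.get(r["device"])
            if seen is not None and ts - seen <= window:
                reasons.append("created after nameless P2P login")
            if r["user"] not in known_users:
                reasons.append("not on allowlist")
            if reasons:
                findings.append((r["device"], r["user"], reasons))
    return findings


if __name__ == "__main__":
    for device, user, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{device}: account '{user}' -> {', '.join(reasons)}")
```
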
 
As we have said, most of us don't allow the cameras to access the internet, so we are not experiencing the issues you see and thus have no hacked usernames in our account settings in the cameras.

Most here have isolated the cameras such that even when VPN into the system, all they have access to is the VMS and simply just the video feed and not the actual camera itself...
 
The simplest option for more secure access to your cameras is to use a service like tailscale or zerotier.
If you're using an NVR instead of a VMS, using one of these services would require running software on a PC that's always on.

In the broader context of what's happening / how the cameras are getting hacked, some possibilities to consider:
  • Other compromised devices on the LAN could be exploiting the camera / NVR, most likely the router or a computer on the network.
  • P2P depends on the security and trust of servers controlled by a third party that could be hacked or otherwise compromised by geopolitics.
  • P2P implementations (across manufacturers and firmware revisions) may not be that secure and may be vulnerable to interception of credentials / tokens in transit. If used, change passwords frequently.
  • Devices could be compromised somewhere in the supply chain before they even get to you.

Cameras / NVRs in your country are likely subjected to more attacks than most.

The best practice is generally to enforce security externally through the use of things like managed switches, vlans, and firewalls. More active users here use VMS software on a PC than NVRs. If recording cameras to a PC using VMS software like Blue Iris, a relatively simple set up I often advocate for is adding a second NIC to the PC and connecting a switch with the cameras to that (all cameras assigned static IPs in a different subnet). The VMS (video management system) PC can run a local time server and run tailscale or zerotier. Alternatively, a firewall appliance of some variety (even an rPi with the right software) could provide secure access to an NVR and isolate it from the network.
 
I don't use port forwarding.
If UPnP isn't disabled at the router, sometimes a camera / NVR will use it to forward ports to the device.

Consider trying the "ShieldsUP!" service of Gibson Research Corporation,
then try the UPnP exposure test and then scan all relevant ports (you'll have to manually enter some ports you should scan).
 
See this example of what happens when you don't properly secure your network.

 
P2P depends on the security and trust of servers controlled by a third party that could be hacked or otherwise compromised by geo politics.
Agree, but doesn't this also apply to tailscale and zerotier as well as any other P2P provider?
 
Yes, they are similar to other NAT traversal methods. But you're putting your trust in someone other than a Chinese manufacturer and in a product with cryptography / security that you can hopefully have a bit more confidence in.

You can also self-host a similar service with Netmaker: Remote Access VPN & Software Defined Networking
 
I'm from Argentina and have the same problem... some DVRs hacked... I will try to convince my clients to change P2P to port forwarding.
 
So, Dahua must provide some update to fix it.
Most devices / software stop receiving updates and support at some point.

Devices like security cameras / nvrs see security issues patched much less frequently and more slowly than software on a PC.
 
Yes, on Telegram there are groups who sell these hacked cameras for money. I tried reporting them to Telegram but they didn't do anything. I saw some of those account names in 2 of my cameras and promptly removed them, but one got added back the same night, so they may be using some script method.
 
Please send that group`s

Trying to come up with a way to counter-hacks cameras with old firmware
But these ideas are not automatic.
It's not like a manufacturer releasing updates. It's an attempt to come up with something.
Have a few ideas for this

Already figured out how to massively turn off (and on) P2P camera modes in a local network

Figured out how to massively get all camera and NVR user names in a local network

Figured out how to MASS DELETE users of cameras and NVR in a local network
 
Hate to say it, but a lot of what people are calling a hack is JUNK: it is someone who not only had the system online but also had the system set up with weak or no protection. I am so against camera companies that have the ability to turn off having to sign in with RTSP or HTTP. Meaning access to the web UI: just click on the web address and it takes you to the main menu, no login. WTH? No thank you. What is dumb is that most times the owners don't even know they are open, because they don't understand what it is they are unchecking, or they had an issue with logging on and support told them "here, use this code, then uncheck this, and then you will have access until whatever", and they don't know that it is now open for everyone if they don't re-enable the HTTP auth. Dumb, I say. Next, there are some people who, when they install systems for others, leave back doors or keep the login info, and then they don't get paid for services to maintain the system and they then sell the data on how to access it. Or many other things that can happen.

Then what most people don't get is that system security is only as secure as the weakest link. Someone has 4 Amcrest cameras and a Reolink camera, but the cameras are all open to the world, not because of the cameras being bad but because the cameras are connected to an NVR that doesn't require auth on the RTSP feeds to log in, so just running the RTSP URL will load the cameras. Then they must have UPnP enabled or ports forwarded, so now the RTSP feeds are able to be crawled. A 1/2 mil home with a bad security setup: you might as well not have any at all. Geez.
 
I just wanted to add, I had 5 cameras hacked with the user names posted earlier. None of them had exposed ports. They did have P2P enabled. 2 different networks.

I only came across it due to the fact the cameras keep enabling h265 (which my BI machine doesn't like).
 
Which camera brands and how long have you had them and when was firmware last updated?

Trying to determine if it is the older vulnerable P2P that Dahua recently closed down due to too many vulnerabilities on EOL cameras or the newer ones.
 
IPC-HFW1831E
IPC-HFW7442H-Z4
IPC-EW5531

Put into service around mid-late 2020. I haven't pushed any new firmware on them.

IPC-HFW7442H-Z4
LP Camera
System Version: V2.800.0000000.2.R, Build Date: 2019-07-09
WEB Version: V3.2.1.758498
ONVIF Version: 18.06(V2.4.5.698080)
REDACTED
Algorithm Version: 2.0.6
Security Baseline Version: V2.0

I just updated the IPC-HFW1831E to the latest on Andy's website.

IPC-EW5531
System Version: V2.800.0000010.0.R, Build Date: 2019-08-07
WEB Version: V3.2.1.766334
ONVIF Version: 16.12(V2.4.3.651299)
REDACTED
Security Baseline Version: V1.4