IP CAMERA: Illegal Login

RBW

Have had 100's of these today.

EVENT TYPE: Illegal Login,login ip:192.168.1.23

192 is my own network? Somebody trying to hack me from my own network?
 

khx73


RBW

Is that from your camera or NVR log?
Did you change your server port (sometimes called SDK port) from the default of 8000?

Some talk about it in a couple threads on here:
https://www.ipcamtalk.com/showthread.php/6768-Suspicious-login
https://www.ipcamtalk.com/showthread.php/6621-Network-Video-Recorder-Illegal-Login

The reported IP is likely meaningless, as I mentioned in one of those threads. I proved it incorrectly reported the true source IP when coming in through NAT.
Ok will have a read. Thank you.

I get the illegal message direct from the camera. An email is sent each time.

I guess it is common sense to change the default port, which I have not. lol

Also seems strange to me that the admin username cannot be changed from admin.

I guess a hacker could try a random ip using a kind of software that detects hik cameras. When found they will automatically know the username leaving only the password to crack.
 

khx73

Pretty much.. yes. In order for it to have been found, you must have exposed port 8000 to the internet on your router. I assume because you wanted to use iVMS or some such from outside your home network. So yes, changing the port is a must. I see lots of scans hit the outside of my firewall for 8000 randomly... you wouldn't believe the amount of "background noise" that goes on that you probably never see.

At least you changed the password first-off... otherwise...yikes.
 

GSB1

If I enable illegal login detection, I get almost instant hits from my own Windows desktop. I tested with no ports forwarded, UPnP off etc.

What is not helpful is if you turn the account lock off, you don't get any illegal login logs at all.
 

khx73

@GSB1
What camera model are you using there?
Was that using default port 8000?
Also what is the account lock feature you are talking about?
 

GSB1

2CD2132F-I camera, 5.3.0 build 150814.

Using port 8000 internally. At the time of testing no external port forwarded to 8000 internally.

Check the checkbox of Enable Illegal Login Lock, and then the device will be
locked if you input the incorrect user name or password for 5 continuous times.
Note: If the device is locked, you can try to login the device after 30 minutes, or
reboot the device first before retry.
If I enabled "Enable Illegal Login Lock", within minutes I get illegal login reports from the IP of my own Windows desktop and Android phone (on my wifi), which are the two devices which access legitimately. However, when you turn Illegal Login Lock off (so the account doesn't keep locking), no illegal login events are recorded at all, which does not help much.
 

khx73

Hmm. Ok, didn't recognize that feature... something not in my 2032. I'm gonna turn on logging on one I've got un-exposed to the outside to see if I get the same thing..
 

nugget

Just a thought...
Maybe check your modem/router to see if there are currently still ports being forwarded on this device?
(no matter what the cam config says)
 

GSB1

I was forwarding via the router in the first place. Definitely disabled for the test.
 

tradertim

Guys, I've had this too. I think it's a bug. As soon as I enabled illegal logging I got this too.

It's a bit annoying, like the bugs you invariably find on each version.

Search "illegal login" here and you'll see the references.
 

RBW

Oh I wish I had never changed the password!

I have forgotten the new password and now I cannot gain access to my camera :(

It is a Chinese version DS-2CD2032F-I
V5.2.5.

Any advice on how to recover the password please?

I get an error message the user is blocked!



 

Del Boy

Bel Boy... that's quite a promotion from my current job :)

I always use Firefox now when dealing with Hikvision.
 

RBW

lol sorry Del Boy :D

will give Firefox a try, cheers.
 

ATM

Hi
I faced the same issue with my HikVision camera (EVENT TYPE: Illegal Login,login ip:local IP) and finally I managed to understand what happens using the information in the camera log.
The log is accessible from the camera config interface: System/maintenance/log

1. When you legally connect to the camera from outside your network (with your smartphone 4G connection, with port forwarding enabled) you can see that the camera records two distinct connections, one with your real/external IP address IP1 and another with a local IP address IP2. For me IP2 was always an address that was not assigned (ping IP2 returns timeout).
To check this, connect to your camera to see real-time video (this creates the 2 above connections) and then connect to the camera Config menu from your local network (this creates a third connection with IP3, a valid local address) and go to System/User Management/on line users and you will see three ongoing connections with IP1, IP2 and IP3.

2. Now when you check data from the camera log file at the date/time indicated in the email sent by the camera to warn about the illegal login, you will find things like this:
Heure             Type principal  Type secondaire       User   IP
17/02/2021 20:27  Fonctionnement  Connexion à distance  admin  IP1
17/02/2021 20:27  Exception       Illegal login                IP2
17/02/2021 20:27  Fonctionnement  Connexion à distance  admin  IP1
17/02/2021 20:27  Fonctionnement  Connexion à distance  admin  IP1
17/02/2021 20:27  Fonctionnement  Connexion à distance  admin  IP1
17/02/2021 20:27  Fonctionnement  Connexion à distance  admin  IP1
17/02/2021 20:27  Exception       Illegal login                IP2
17/02/2021 20:27  Fonctionnement  Connexion à distance  admin  IP1

This way you can get IP1, the address of the hacker, and then block it in your router firewall or/and in the camera IP black list.
Since I did this the illegal login stopped :)

Hope this helps
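
The log correlation described in the post above, as an added example (not code from the thread or from Hikvision): for each Illegal login reported against a local address, it counts the other source addresses logged in the same minute. The tab-separated export format, the function names and both IP addresses are assumptions; the sample rows are constructed.

```python
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample export (tab-separated) using the column names from the
# post. 203.0.113.7 stands in for IP1, 192.168.1.23 for IP2 (placeholders).
SAMPLE_LOG = """\
Heure\tType principal\tType secondaire\tUser\tIP
17/02/2021 20:27\tFonctionnement\tConnexion à distance\tadmin\t203.0.113.7
17/02/2021 20:27\tException\tIllegal login\t\t192.168.1.23
17/02/2021 20:27\tFonctionnement\tConnexion à distance\tadmin\t203.0.113.7
17/02/2021 20:27\tException\tIllegal login\t\t192.168.1.23
17/02/2021 21:05\tFonctionnement\tConnexion à distance\tadmin\t192.168.1.10
"""


def parse_log(text):
    """Turn the tab-separated export into typed rows."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), delimiter="\t"):
        rows.append({
            "time": datetime.strptime(rec["Heure"], "%d/%m/%Y %H:%M"),
            "minor": rec["Type secondaire"],
            "ip": ipaddress.ip_address(rec["IP"]),
        })
    return rows


def correlate_illegal_logins(rows):
    """Count, per source IP, how many Illegal login events it coincides with."""
    candidates = Counter()
    for event in rows:
        if event["minor"].lower() != "illegal login":
            continue
        if not event["ip"].is_private:
            # Reported address is already a non-local one: count it directly.
            candidates[str(event["ip"])] += 1
            continue
        # Reported address is local: look at who else was logged that minute.
        peers = {str(r["ip"]) for r in rows
                 if r["time"] == event["time"] and r["ip"] != event["ip"]}
        candidates.update(peers)
    return candidates


if __name__ == "__main__":
    for ip, hits in correlate_illegal_logins(parse_log(SAMPLE_LOG)).most_common():
        print(f"{ip}: seen alongside {hits} illegal-login event(s)")
```

The log has one-minute resolution, so the output is a list of addresses to review before blocking; an address that coincides with an event can also belong to a legitimate remote session.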
 