Is my NVR hacked by someone?

[mikeymika]

Hi all,

Last night my Dahua DHI-NVR4208-8P-4KS2 just beeped in the middle of the night (never did that before).
After looking at the log at the time of beeping it says the following:

(Events occur from bottom to top):

3
Time: 2020-03-11 02:20:25
Type: Save
Contents:
Save <VSP_PaaS> config!

IP:Login Local
User:
Group Name:


4
Time: 2020-03-11 02:20:25
Type: Remote Info
Contents:
Channel: 2

IP Address: IP Adres of CAM 1 here

Type:User logged in.

5
Time: 2020-03-11 02:20:25
Type: Remote Info
Contents:
Channel: 1

IP Address: IP Adres of CAM 2 here

Type:User logged in.

6
Time: 2020-03-11 02:20:20
Type: HDD
Contents:
HDD Totals: <1>
Current Working HDD: </dev/sda>


7
Time: 2020-03-11 02:20:20
Type: Save
Contents:
Save <P2P> config!

IP:Login Local
User:
Group Name:


8
Time: 2020-03-11 02:20:20
Type: Save
Contents:
Save <P2P> config!

IP:Login Local
User:
Group Name:


9
Time: 2020-03-11 02:20:20
Type: Save
Contents:
Save <VSP_PaaS> config!

IP:Login Local
User:
Group Name:


10
Time: 2020-03-11 02:20:20
Type: Save
Contents:
Save < NETWORK> config!

IP:Login Local
User:
Group Name:

Preferred DNS :89.101.251.229-->84.116.46.22
Alternate DNS :89.101.251.228-->84.116.46.23

11
Time: 2020-03-11 02:20:18
Type: User logged in.
Contents:
IP Address: Local
User: default


12
Time: 2020-03-11 02:20:18
Type: Modify User
Contents:
User: default


13
Time: 2020-03-11 02:20:16
Type: Boot up
Contents:
Reboot Symbol: 0x05
Reboot Type: Protection Reboot


14
Time: 2020-03-11 02:20:16
Type: Shutdown
Contents:
Shutdown Time: 11-03-20 02:19:34



After seeing this i'm a bit worried someone (IP adresses 84.116.46.22 and 84.116.46.23 from Wien, Austria or 89.101.251.228 and 89.101.251.229 from dublin ireland) hacked my NVR and changed some settings??
I'm in the Netherlands myself and none of the IP adresses have anything to do with my as far as i know.
not all events and the actions mentioned mean anything to me, i hope someone here can explain what things happend on my NVR last night.

Is just changing my password enough or do i need to take some more action?
Thanks in advance!

 

[SouthernYankee]

how is the NVR connected to the internet ?
What type of security is on your router ?
How are you accessing your NVR remotely when you are not at home ?
Are you using P2P ?

 

[mikeymika]

how is the NVR connected to the internet ?
What type of security is on your router ?
How are you accessing your NVR remotely when you are not at home ?
Are you using P2P ?

Nvr Connected to internet via ethernet cable and router
not sure what types of sucurity you have on a router but the wifi is setup with a strong WPA2-PSK password
Used to do it with the gDMSS plus app and tinycam. lately only tiny cam since gDMSS didnt seem to show the cams anymore and tiny cam still did.
Doesnt gDMSS use P2P? like i said above didnt use gDMSS any more since a month or 4.

 

[area651]

I cant help but speculate that port forwarding is in effect here and this is what happens often with it. I think you've left ports exposed and it got scanned and hit. Personally I like OpenVPN to shield my systems from such.

disclaimer: I know very little about NVR other than they're typically plug and play (aka exposed and unsecure). Also I know nothing about gDMSS.

 

[SouthernYankee]

I believe that you are using p2p. I believe that this is a security risk.
What is the manufacture and model of your router ?
I would shut down the P2P and try to set up an inbound VPN (OpenVPN) .

I hope one of the NVR experts respond to the post. @alastairstevenson

 

[mikeymika]

I believe that you are using p2p. I believe that this is a security risk.
What is the manufacture and model of your router ?
I would shut down the P2P and try to set up an inbound VPN (OpenVPN) .

I hope one of the NVR experts respond to the post. @alastairstevenson

For Tinycam you need to port forward your ONVIF and RTSP port on your router which i had.. maybe those where the ports used to get in?
the router is a "no name" supplied by my internet provider. its known as a "ziggo connect box" hardware version 5.01.

So i read 2 different things.. Yankee is no fan of P2P and Area651 is no fan of Port forwarding...
so which one is the best/most secure way to remotely connect to my nvr.

for now i disabled p2p in my nvr. and disabled the port forwarding in my router... but this way i can not have any remote access to my camera's what so ever.

 

[TonyR]

So i read 2 different things.. Yankee is no fan of P2P and Area651 is no fan of Port forwarding...
so which one is the best/most secure way to remotely connect to my nvr.

Neither...set up VPN as suggested by @area651 and @SouthernYankee .

....for now i disabled p2p in my nvr. and disabled the port forwarding in my router... but this way i can not have any remote access to my camera's what so ever.

Good.
Also insure uPNP is disabled/off in all cams, the NVR and the router.....everywhere.
When enabled/on, it can be hacked to forward ports all by its lonesome.

 

[mat200]

Hi all,

Last night my Dahua DHI-NVR4208-8P-4KS2 just beeped in the middle of the night (never did that before).
After looking at the log at the time of beeping it says the following:

(Events occur from bottom to top):

3
Time: 2020-03-11 02:20:25
Type: Save
Contents:
Save <VSP_PaaS> config!

IP:Login Local
User:
Group Name:


4
Time: 2020-03-11 02:20:25
Type: Remote Info
Contents:
Channel: 2

IP Address: IP Adres of CAM 1 here

Type:User logged in.

5
Time: 2020-03-11 02:20:25
Type: Remote Info
Contents:
Channel: 1

IP Address: IP Adres of CAM 2 here

Type:User logged in.

6
Time: 2020-03-11 02:20:20
Type: HDD
Contents:
HDD Totals: <1>
Current Working HDD: </dev/sda>


7
Time: 2020-03-11 02:20:20
Type: Save
Contents:
Save <P2P> config!

IP:Login Local
User:
Group Name:


8
Time: 2020-03-11 02:20:20
Type: Save
Contents:
Save <P2P> config!

IP:Login Local
User:
Group Name:


9
Time: 2020-03-11 02:20:20
Type: Save
Contents:
Save <VSP_PaaS> config!

IP:Login Local
User:
Group Name:


10
Time: 2020-03-11 02:20:20
Type: Save
Contents:
Save < NETWORK> config!

IP:Login Local
User:
Group Name:

Preferred DNS :89.101.251.229-->84.116.46.22
Alternate DNS :89.101.251.228-->84.116.46.23

11
Time: 2020-03-11 02:20:18
Type: User logged in.
Contents:
IP Address: Local
User: default


12
Time: 2020-03-11 02:20:18
Type: Modify User
Contents:
User: default


13
Time: 2020-03-11 02:20:16
Type: Boot up
Contents:
Reboot Symbol: 0x05
Reboot Type: Protection Reboot


14
Time: 2020-03-11 02:20:16
Type: Shutdown
Contents:
Shutdown Time: 11-03-20 02:19:34



After seeing this i'm a bit worried someone (IP adresses 84.116.46.22 and 84.116.46.23 from Wien, Austria or 89.101.251.228 and 89.101.251.229 from dublin ireland) hacked my NVR and changed some settings??
I'm in the Netherlands myself and none of the IP adresses have anything to do with my as far as i know.
not all events and the actions mentioned mean anything to me, i hope someone here can explain what things happend on my NVR last night.

Is just changing my password enough or do i need to take some more action?
Thanks in advance!

Hi @mikeymika

If you did not make those changes, then I would expect that you've been cyberjacked.

Time to secure your network.
Check all devices connected to your LAN.
Take the NVR and cameras offline - reinstall software, and start over...

 

[bigredfish]

Beep was the reboot

Yep good chance someone else owns your NVR now