My DVR was hacked and used in a botnet, please help

Joined: Mar 25, 2021 | Messages: 3 | Reaction score: 0 | Location: USA
I recently noticed the timezone was changed in my DVR to Seoul 9:00; in addition, the NTP server was changed to osrq [dot] xyz, which looks like a botnet after checking Google. I am using a MAGIC series DVR which is from UNIXCCTV, and getting support and firmware updates seems like a nightmare.

I have currently disconnected the DVR from the internet. I would like to know what other actions I can take. I'd like to secure and upgrade my network/router etc. What steps would you guys recommend? Thanks!
 

sebastiantombs | Known around here | Joined: Dec 28, 2019 | Messages: 11,511 | Reaction score: 27,696 | Location: New Jersey
Look in the Wiki, in the blue bar at the top of the page. There's a whole section on securing your network.

Here's a thread on the same subject -
VPN Information Thread
 
Joined: Mar 25, 2021 | Messages: 3 | Reaction score: 0 | Location: USA
OK, thanks for that, I'm up to page 10 in that thread. I did order new Ubiquiti hardware; in the meantime I have reset my router. I did have antivirus software running as well as a vendor firewall on Win10 set to Public Network. No infection was ever detected, but I formatted all PCs on my network and changed important passwords anyway.

Do you guys think anything else was affected on my network? Any other recommendations?
 

The Automation Guy | Known around here | Joined: Feb 7, 2019 | Messages: 1,416 | Reaction score: 2,817 | Location: USA
> OK, thanks for that, I'm up to page 10 in that thread. I did order new Ubiquiti hardware; in the meantime I have reset my router. I did have antivirus software running as well as a vendor firewall on Win10 set to Public Network. No infection was ever detected, but I formatted all PCs on my network and changed important passwords anyway.
>
> Do you guys think anything else was affected on my network? Any other recommendations?

There is no way for us to know if other equipment was affected. On one hand, I doubt this was a focused attack on your specific network where individuals would try to access/exploit multiple services/computers on that one network. Odds are this was a focused attack on the actual DVR device and the individuals were attacking that particular device anytime they found it on the world wide web. So the individuals were probably focused on the device, not your particular network.

On the other hand, it is possible that the individuals would use the exploited DVR as a portal into your larger network, so you cannot assume that everything else is fine. However, if the individuals were trying to set up a botnet, they probably were looking at the "low hanging fruit" with regards to security, and devices like DVRs are a great target. They might not have wasted their time looking for other potential exploits in your network when there are a lot more unsecure devices to exploit on the WWW.
 

Shockwave199 | Known around here | Joined: Mar 13, 2014 | Messages: 1,016 | Reaction score: 550 | Location: New York
Close any ports you may have opened in your router for the DVR to view remotely, done by going into the port forwarding settings of the router and deleting the ports you may have assigned for the DVR. In your router also disable UPnP if it's enabled, something you also may have enabled to view the DVR remotely. DVRs are old tech with old firmware. This is a sign: get rid of the DVR. It's time to upgrade to newer, less vulnerable gear.
 
Joined: Mar 25, 2021 | Messages: 3 | Reaction score: 0 | Location: USA
> There is no way for us to know if other equipment was affected. On one hand, I doubt this was a focused attack on your specific network where individuals would try to access/exploit multiple services/computers on that one network. Odds are this was a focused attack on the actual DVR device and the individuals were attacking that particular device anytime they found it on the world wide web. So the individuals were probably focused on the device, not your particular network.
>
> On the other hand, it is possible that the individuals would use the exploited DVR as a portal into your larger network, so you cannot assume that everything else is fine. However, if the individuals were trying to set up a botnet, they probably were looking at the "low hanging fruit" with regards to security, and devices like DVRs are a great target. They might not have wasted their time looking for other potential exploits in your network when there are a lot more unsecure devices to exploit on the WWW.

I agree, I think if they compromised anything else such as banking info they would have probably used it by now. It's just that "what if" that has been stressing me out this past week!

Thanks, this is gonna be a long frustrating weekend. Have to learn how to set up a Ubiquiti network securely.

> Close any ports you may have opened in your router for the DVR to view remotely, done by going into the port forwarding settings of the router and deleting the ports you may have assigned for the DVR. In your router also disable UPnP if it's enabled, something you also may have enabled to view the DVR remotely. DVRs are old tech with old firmware. This is a sign: get rid of the DVR. It's time to upgrade to newer, less vulnerable gear.

Thanks, I will get rid of the UPnP on both for sure. I have reset my current router and gotten a new IP address since. I also checked GRC ShieldsUP, passed the tests I ran. I agree, the DVRs are pretty old and I knew they had back doors back then. I was reluctant to stream for over a decade; I did only for initial installation of cameras for viewing angle. I am really frustrated with myself, I overlooked this and my network, leaving the ISP to push updates...
 
Joined: May 21, 2021 | Messages: 1 | Reaction score: 0 | Location: USA
> I agree, I think if they compromised anything else such as banking info they would have probably used it by now. It's just that "what if" that has been stressing me out this past week!
>
> Thanks, this is gonna be a long frustrating weekend. Have to learn how to set up a Ubiquiti network securely.
>
> Thanks, I will get rid of the UPnP on both for sure. I have reset my current router and gotten a new IP address since. I also checked GRC ShieldsUP, passed the tests I ran. I agree, the DVRs are pretty old and I knew they had back doors back then. I was reluctant to stream for over a decade; I did only for initial installation of cameras for viewing angle. I am really frustrated with myself, I overlooked this and my network, leaving the ISP to push updates...

Hi somethingnew2,
I encountered the exact same hack on my Magic DVR a few days ago. I noticed my internet going in and out frequently. They changed a whole bunch of settings on the DVR and used a ripper.cc/u address in my timeserver field, changed MAC address, DDNS and so on.
I was able to change everything back, changed the admin password.
But I need to be able to watch the DVR on my computers at home. Which port settings would I need for this?
 

sebastiantombs | Known around here | Joined: Dec 28, 2019 | Messages: 11,511 | Reaction score: 27,696 | Location: New Jersey
@Monstergerm You need to use a VPN, not open ports on the router. When I say a VPN I mean a VPN actually running on your LAN and not a VPN service to allow you to surf anonymously. OpenVPN is built into many routers, Asus as an example, and allows you to access your own network from anywhere in the same way you can access it when you're home.
 

TonyR | IPCT Contributor | Joined: Jul 15, 2014 | Messages: 16,860 | Reaction score: 39,226 | Location: Alabama
> But I need to be able to watch the DVR on my computers at home. Which port settings would I need for this?

+1 on the above info regarding a VPN for remote access, but if you plan to view ONLY on your LAN and not remotely (WAN) then no router ports need to be forwarded or opened.
 