Hikvision DVRs: Please check for malware

we just came across some Hikvision DVRs that were infected with malware. The malware did scan outbound for vulnerable Synology disk stations (port 5000 tcp) and ran a bitcoin miner. Other DVRs may be affected as well. So far, it looks like the infection happened with telnet using default credentials .

To check if your DVR is affected:

- telnet to the DVR

- login as root (password should be the same as your "admin" password)

- check the /dev/ directory for odd files. The only entries in this directory should be devices, you shouldn't have any actual files.

For more details, see:

https://isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner+/17879

If you find anything on your DVR, please let us know as we are still investigating this issue. (https://isc.sans.edu/contact.html )

Thanks.

Doh... That sucks big time. It should be common practice to change the default admin "12345" password, in fact I would like DVR manufacturers to disallow remote access if the password is the default one.

I did a test last year with 200 Hikvision units I located online; 57% were online with the 12345 password, and I could have done anything I wanted with the units. I wrote this post about it on our blog (it is in spanish):

http://www.securamente.com/sobre-la-recomendacion-de-modificar-los-passwords-por-defecto-de-nuestro-equipo-de-videovigilancia/

I even located a company in India with 1612 Hikvision DVRs online; ALL of them were with admin/12345...

http://www.securamente.com/passwords-por-defecto-en-un-equipo-de-cctv-lo-que-no-hay-que-hacer/

Luckily the telnet port is usually not accessible from the outside, but if the malware comes from another device already inside the network, tough luck.

Interesting post!

I encounter this carelessness all the time- I see WAY too many diy and also 'pro' installs online with default pass. Strong/unique password should be COMMON SENSE these days!!