secplus

Hacked DVR--Dahua


Well, customer did not change password on his Dahua 8CH CVI V2 DVR, and now I see this:

 

270851_1.png

I can delete the system account, but funny thing is that when I try to log into the system from the web browser, the "888888" account, which is clearly still on the account's list, says that the name doesn't exist....

 

Has anyone had this happen to them? If so, what's the fix?

 

Thanks.


Dahua's 888888 account is only for local access, it can only be used with a monitor and mouse plugged on the unit. It can not be used from network.

Dahua's 888888 account is only for local access, it can only be used with a monitor and mouse plugged on the unit. It can not be used from network.

 

No, you are incorrect. The 888888 account works over the network and remotely, and it doesn't matter what type of input you use to access the unit.


Whatever.

 

System consists of four accounts:

• Username: admin. Password: admin. (administrator, local and network)

• Username: 888888. Password: 888888. (administrator, local only)

• Username: 666666. Password: 666666 (Lower authority user who can only monitor, playback, backup and etc.)

• Username: default. Password: default (hidden user). Hidden user “default” is for system interior use only and can not be deleted. When there is no login user, hidden user “default” automatically login. You can set some rights such as monitor for this user so that you can view some channel view without login.


You should totally reflash the firmware. Along with the created user on the user list, there are some rights modified for some reserved accounts, including and not limited to "admin". Therefore a new firmware (even if it is the exact same version your system currently has, if greater than 2.616) will destroy whatever is modified in the software and restore the system to its secure nature. Do not forget to modify the entire userlist password and of course, before the update, delete the "system" user. Use port forward not DMZ, and forward only the ports you use.

Good luck!


Thank you for this. My only issue is that I don't have access to the firmware files. The Dahua website is confusing when it comes to this, and I don't know where else to get it from. I don't think my distributor has it either...

Dahua's 888888 account is only for local access, it can only be used with a monitor and mouse plugged on the unit. It can not be used from network.

 

Dear sir

 

My DVR is hacked, what can I do sir??

Every 2 or 3 hours it's hacked; after the hack the TCP/IP settings are lost and all channels show HACKED 1

 

302295_1.jpg

302295_2.jpg

302295_3.jpg

 

what is the proper way to solve this


Dear sir

 

My DVR is hacked, what can I do sir??

Every 2 or 3 hours it's hacked; after the hack the TCP/IP settings are lost and all channels show HACKED 1

 


 

what is the proper way to solve this

same error


Securame is correct, the 888888 is a local admin account. It cannot be used over a network connection. Only from the headend with monitor and mouse.

 

If you don't want to be hacked here are some tips.

 

•Do not use P2P connection, use port forwarding.

•Do not use default ports (80 & 37777), create custom ports and forward them on the gateway/modem.

•Change your admin/admin password.

 

I've had this happen many times and once I change these 3 things never hacked again.


Have you changed all the passwords? admin, 888888 and 666666 included. Do you know how many users you have in the system? You can also check the LOG for user login records and the IP that has modified any settings.


All passwords are changed, I have only admin and default accounts. One user for the DVR and they use a phone to watch cameras.

All passwords are changed, I have only admin and default accounts. One user for the DVR and they use a phone to watch cameras.

 

Can you give more information on how you had the unit configured/connected online? I have also had 3 people contact me with this same problem in the last couple of days.

 

- What devices are they?

- Did you have open ports (I guess this must be yes)

- What ports did you have open?

- Were you using the default web port 80?

- Did you use P2P to access the device?

 

Thanks!


My client has an NVR-5232 and it was hacked last evening (21.9.17).

 

I can also confirm that the hacker accessed the device with user account 888888 via network. There were no default passwords in the NVR. According to the log, everything was done in just 2 minutes. When I arrived at the site all the cameras were offline and in the spare channels I could see HACKED in the channel name. Also in the PPPoE settings was written "HACKED".

 

Also the hacker had changed some settings in all 7 cameras. I had to plug them in one by one and update the fw with configtool before I could get any video out.

 

Here is a clip from the log:

 

37 17-09-21 21:10:49 888888 User logged in IP Address: 89.34.79.84 User: 888888

38 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

39 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

40 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

41 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

42 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

43 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

44 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

45 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

46 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

47 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

48 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

49 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

50 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

51 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

52 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

53 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

54 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

55 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

56 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

57 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

58 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

59 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

60 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

61 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

62 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

63 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

64 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

65 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

66 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

67 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

68 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

69 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:89.34.79.84

70 17-09-21 21:10:49 888888 Save Save NETWORK Config! IP Address:89.34.79.84

71 17-09-21 21:10:49 888888 Save Save DNS Config! IP Address:89.34.79.84

72 17-09-21 21:10:49 888888 Save Save IPV6 DNS Config! IP Address:89.34.79.84

73 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:8 Channel Display :CAM 8-->HACKED 8

74 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:9 Channel Display :CAM 9-->HACKED 9

75 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:10 Channel Display :CAM 10-->HACKED 10

76 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:11 Channel Display :CAM 11-->HACKED 11

77 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:12 Channel Display :CAM 12-->HACKED 12

78 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:13 Channel Display :CAM 13-->HACKED 13

79 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:14 Channel Display :CAM 14-->HACKED 14

80 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:15 Channel Display :CAM 15-->HACKED 15

81 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:16 Channel Display :CAM 16-->HACKED 16

82 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:17 Channel Display :CAM 17-->

83 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:18 Channel Display :CAM 18-->

84 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:19 Channel Display :CAM 19-->

85 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:20 Channel Display :CAM 20-->

86 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:21 Channel Display :CAM 21-->

87 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:22 Channel Display :CAM 22-->

88 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:23 Channel Display :CAM 23-->

89 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:24 Channel Display :CAM 24-->

90 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:25 Channel Display :CAM 25-->

91 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:26 Channel Display :CAM 26-->

92 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:27 Channel Display :CAM 27-->

93 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:28 Channel Display :CAM 28-->

94 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:29 Channel Display :CAM 29-->

95 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:30 Channel Display :CAM 30-->

96 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:31 Channel Display :CAM 31-->

97 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:89.34.79.84 Channel:32 Channel Display :CAM 32-->

98 17-09-21 21:10:52 888888 Save Save UPnP Config! IP Address:89.34.79.84

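A triage sketch for the pattern in the log clip above, added here as an example and not part of the original post: it parses lines in that layout and flags a network login by an account the manual lists as local-only, channel renames, and a burst of config saves from one address. The sample lines, the 203.0.113.7 address and the burst thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the log clip above; 203.0.113.7 is a
# documentation address standing in for the remote source.
SAMPLE_LOG = """\
36 17-09-21 09:02:11 admin User logged in IP Address: 192.168.1.20 User: admin
37 17-09-21 21:10:49 888888 User logged in IP Address: 203.0.113.7 User: 888888
38 17-09-21 21:10:49 888888 Save Save COLOR SETTING Config! IP Address:203.0.113.7
39 17-09-21 21:10:49 888888 Save Save NETWORK Config! IP Address:203.0.113.7
40 17-09-21 21:10:49 888888 Save Save DNS Config! IP Address:203.0.113.7
41 17-09-21 21:10:49 888888 Save Save DISPLAY Config! IP Address:203.0.113.7 Channel:8 Channel Display :CAM 8-->HACKED 8
42 17-09-21 21:10:52 888888 Save Save UPnP Config! IP Address:203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<ts>\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+"
    r"(?P<event>.*?)\s+IP Address:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?P<rest>.*)$"
)
RENAME_RE = re.compile(r"Channel Display\s*:(.*?)-->(.*)$")
LOCAL_ONLY = {"888888"}               # listed in the manual as local-only
BURST_COUNT, BURST_SECONDS = 5, 10    # assumed thresholds, tune per site


def parse(text):
    """Return one dict per recognised log line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%y-%m-%d %H:%M:%S")
            entries.append(e)
    return entries


def analyse(entries):
    """Flag network logins by local-only accounts, renames and save bursts."""
    findings, saves = [], defaultdict(list)
    for e in entries:
        # Assumption: an entry that carries an IP address came over the network.
        if e["user"] in LOCAL_ONLY and "logged in" in e["event"]:
            findings.append(("local-only-network-login", e["seq"], e["ip"]))
        if "Config!" in e["event"]:
            saves[(e["user"], e["ip"])].append(e)
        rename = RENAME_RE.search(e["rest"])
        if rename:
            old, new = (g.strip() for g in rename.groups())
            findings.append(("channel-renamed", e["seq"], old, new))
    for (user, ip), evs in saves.items():
        start = 0
        for end, ev in enumerate(evs):   # sliding window over save events
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > BURST_SECONDS:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                findings.append(("config-save-burst", user, ip, end - start + 1))
                break
    return findings


if __name__ == "__main__":
    for finding in analyse(parse(SAMPLE_LOG)):
        print(finding)
```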

The issue is with the Telnet function on older FW DVR / NVR

 

Contact your supplier they have the SW to sort the Telnet issue

 

Does not matter if you have changed all passwords on the unit, and if it's P2P or static IP, and whether you have changed the ports or not, they can still get in, and I have witnessed that 3 times this week already

 

Dahua say upgrade any Firmware dated pre 2017

The issue is with the Telnet function on older FW DVR / NVR

 

Contact your supplier they have the SW to sort the Telnet issue

 

Does not matter if you have changed all passwords on the unit, and if it's P2P or static IP, and whether you have changed the ports or not, they can still get in, and I have witnessed that 3 times this week already

 

Dahua say upgrade any Firmware dated pre 2017

 

 

I can vouch for this post 100%. Several of my customers are reporting the same issue. The pre 2017 Firmware has a backdoor allowing remote users to access '888888' username without a password. I don't know if any of your customers have gotten "hacked" while using P2P because I have yet to see that.

 

I am curious if anyone has seen that yet using P2P so I know what to expect with some of my newer customers.

 

I must say Dahua seems to be taking security very seriously with the newer 2017 Firmware revisions. Such a shame with the older ones though. So many service calls in our future


I had 8 DVRs hacked this weekend. They used telnet to hack the DVRs. Every one was accessed using the LOCAL ADMIN(88888888) acct. Mine even had the passwords changed. They proceeded to change the color on all the cameras to make it appear black or off. They also labeled all the cameras Hacked. The IP address was changed, rendering the device offline and now unable to fix remotely. This was all done in under a second. All the devices' logs showed IPs from Amsterdam for the login. Probably a VPN of some sort or anonymizer.

 

It would be nice if the DVRs could just update automatically to the new firmware..

 

What a pain in the ass.

 

Anyways. You don't need to factory default the device as they just changed settings. So simply change them back. Update all passwords as well. But do upgrade to the latest firmware..

 

If you're network knowledgeable, possibly changing ports on your router and forwarding to the DVR ports may also make it more difficult to hack in the future. I've done this but for multiple DVRs at the same location and it works well...

 

 

Hope this helps anyone that may have been hacked..


Another reseller here

 

Factory default, changing the '888888' password does nothing, which really stinks. Haven't seen it on any P2P devices yet.

Seems to be only devices with port forwarding, and the devices we restore are of course hacked asap and over and over again

 

Dahua needs to deploy some sort of patch or something, not sure how they can be taken seriously in regards to security.


Hey guys. I'm a technician for an alarm company, we install these DVRs and NVRs, I've experienced a few of these same issues mentioned, as well as on the DAHUA I have at home. What I was told was that DAHUA did a firmware update that was executed incorrectly. They are aware of the issue.

 

This is the fix I was given, keep in mind when formatting the hard drive you will lose all your previous recordings.

 

Step 1

- HD manage

- Format

- Execute

- Ok

- Ok (restart)

Step 2

- Settings

- Default

- Ok

 

So basically you're factory defaulting the settings. I did notice that the recording schedule and motion recording stayed there after settings were defaulted.

Hey guys. I'm a technician for an alarm company, we install these DVRs and NVRs, I've experienced a few of these same issues mentioned, as well as on the DAHUA I have at home. What I was told was that DAHUA did a firmware update that was executed incorrectly. They are aware of the issue.

 

This is the fix I was given, keep in mind when formatting the hard drive you will lose all your previous recordings.

 

Step 1

- HD manage

- Format

- Execute

- Ok

- Ok (restart)

Step 2

- Settings

- Default

- Ok

 

So basically you're factory defaulting the settings. I did notice that the recording schedule and motion recording stayed there after settings were defaulted.

 

 

I did this with a few of my customers earlier today to find out the "Hacked" camera screens and image settings returned. I'm not sure that this is the best long term solution unfortunately. I would pursue getting your customers the latest Dahua firmware revision that's guaranteed to close this backdoor into their DVRs.

 

I'm working on getting some updates from them and confirmation that this will solve the issue.

Securame is correct, the 888888 is a local admin account. It cannot be used over a network connection. Only from the headend with monitor and mouse.

 

It seems I was not THAT correct; 888888 is a local admin account, and it should only work when used locally (if it worked as expected, which it doesn't).

 

It surely does seem that there is an exploit that allows remote access of the 888888 account, which most people never bother changing the password (it seems anyway that with some firmwares it can be accessed without a valid password).


Had another 3 systems to reconfigure after being "hacked" this week. Changing the TCP port and 888888 password along with disabling P2P seem to do the trick.

I've given a few of my customers step by step instructions to default all settings and unplug the network cable until our techs can reconfigure the network and make the proper changes. At least this way they have cameras visible on their live monitors, and if no monitor is connected at least the cameras are recording in viewable color, not pitch black.

Firmware has been difficult to get because

1. A lot of Systems are outdated and firmware is not easy to get for older systems (2015-2016)

2. Support from dist. companies to contact Dahua techs and get firmware then sent to us for flashing takes a few days. In that time we discover more models affected and need to resubmit tickets.

 

Someone mentioned cloud upgrades for firmware. Check out UniView I switched brands last year after seeing their products at a trade show and their NVRS and IP Cameras all have cloud based upgrading capabilities and great products.

 

Someone also mentioned Formatting the HD... not sure at all why you would have people erasing their video ... I would disregard that entirely and DO Not Format your Hard Drive. I have never heard this for any reason other than to erase all video data.

 

Wish everyone luck with their clients in this service filled time.


Hi guys. I have 7 customers with that situation, and my supplier is trying to make some money and sell new equipment, so is not giving me the new SW.

The problem is that it's been hard for me to match the SW I found with the models I have.

Most of them are CVR system 4.202.0011.0.

I can't find any reference with this system info, so I've been trying to upgrade kind of in a HIT AND MISS way with no success at all.

My point, where can I find the new SW based on those models I have? all of them are 2014-2015. 8 and 16 cams. No hybrid, of course, only CVI.

Thanks a lot.

