mountainluau, Posted December 26, 2012

Hi everybody. I have been lurking and learning for a while but now I have a perplexing problem and I need some perspective and insight from the community. I have worked on, or installed upwards of 25 to 50 surveillance systems in my profession (datacom), and as a company we install Speco systems exclusively and I have been fairly impressed with their product line. I finally decided to install a DVR at home but went with a cheaper system. I don't want to name the system just yet but it is a POPULAR "lower end" brand.

I did soon realize that security was a joke on the DVR, starting with a six digit numeric password being the best that I could achieve. I then soon realized that it offered no log to see who was or had logged into the unit. I am behind a pretty good firewall so I decided to set up the firewall itself to log my traffic to the internal IP address of the DVR. I quickly discovered that I had an unauthorized connection to a Chinese IP address!!! The IP address had an established connection to port 32...WTF? So I set up a rule to block the connection but soon realized that it wasn't just some Chinese guy trying to make a connection to my DVR but that the DVR itself was acting as the client and calling out to the IP address in question. Although the behavior is blocked as of now, it is so-to-speak wearing out my firewall. The DVR is actually cycling through ports trying to establish a connection to "THE IP ADDRESS". I probably have 300 PAGES of log files/5000 attempts in just two days!

Here is the REAL kicker.... the IP address in question is a Chinese DVR manufacturer/seller.......... So.... "The Company" that sold me the DVR has been no help and has told me that it is an "outdated" unit... that they no longer support. They don't even offer a copy of the ORIGINAL firmware for download (in the event the original firmware was compromised).

Port 23 is open so I am going to attempt to Telnet into the unit and "guess" the root password and download the current firmware from the unit, but past that I wouldn't know what to do other than look at it with a hex editor and hope to identify an IP string that I could at least change to something like a loopback address.... It is clear that you get what you pay for but this is ridiculous! My friend that does surveillance in another state says I should contact Homeland Security..... I don't know......DVR acting as a client calling out to a Chinese DVR manufacturer....that is just messed up. I hope to get some insight from you guys, but I thought you may want to hear the story anyway. Sorry for the long post.

Thanks, ML
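Added example (not from any poster in this thread or from the DVR vendor): a small Python script that parses constructed firewall log lines in an assumed "date time ACTION PROTO src:sport -> dst:dport" layout and flags LAN hosts that keep dialing a single Internet service from many different source ports, which is the pattern the DVR described above produced in the firewall log.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the thread); the layout
# "date time ACTION PROTO src:sport -> dst:dport" is an assumption made here.
SAMPLE_LOG = """\
2012-12-25 21:00:01 BLOCK TCP 192.168.1.50:49152 -> 203.0.113.10:80
2012-12-25 21:00:31 BLOCK TCP 192.168.1.50:49153 -> 203.0.113.10:80
2012-12-25 21:01:02 BLOCK TCP 192.168.1.50:49154 -> 203.0.113.10:80
2012-12-25 21:01:33 PASS  TCP 192.168.1.20:51000 -> 198.51.100.5:443
2012-12-25 21:01:34 PASS  UDP 192.168.1.50:40000 -> 192.168.1.1:53
2012-12-25 21:02:04 BLOCK TCP 192.168.1.50:49155 -> 203.0.113.10:80
2012-12-25 21:02:35 BLOCK TCP 192.168.1.50:49156 -> 203.0.113.10:80
"""
LINE_RE = re.compile(
    r"^(\S+ \S+)\s+(\w+)\s+(\w+)\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")
# RFC 1918 ranges; a destination inside them is not a call-out to the Internet.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_log(text):
    # Returns (timestamp, action, proto, src, sport, dst, dport) tuples.
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        entries.append((ts, m.group(2), m.group(3), m.group(4),
                        int(m.group(5)), m.group(6), int(m.group(7))))
    return entries

def find_callback_hosts(entries, min_attempts=5, min_ports=5):
    # Flags LAN hosts that keep dialing one Internet service from many source ports.
    flows = defaultdict(lambda: {"times": [], "sports": set()})
    for ts, _action, proto, src, sport, dst, dport in entries:
        if any(ipaddress.ip_address(dst) in net for net in LAN_NETS):
            continue  # internal traffic such as DNS to the router is ignored
        flows[(src, dst, proto, dport)]["times"].append(ts)
        flows[(src, dst, proto, dport)]["sports"].add(sport)
    hits = []
    for (src, dst, proto, dport), f in flows.items():
        n, ports = len(f["times"]), len(f["sports"])
        if n < min_attempts or ports < min_ports:
            continue  # a few connections to one site is normal client traffic
        span = (max(f["times"]) - min(f["times"])).total_seconds()
        hits.append({"src": src, "dst": dst, "proto": proto, "dport": dport,
                     "attempts": n, "distinct_sports": ports,
                     "per_hour": round(n * 3600 / span, 1) if span else None})
    return sorted(hits, key=lambda h: -h["attempts"])
```

Run it against your real firewall export after adjusting LINE_RE to that product's layout; a flagged host is a candidate for the UPnP/DDNS settings review discussed later in this thread.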
ak357, Posted December 26, 2012

> I did soon realize that security was a joke on the DVR starting with a six digit numeric password being the best that I could achieve. I then soon realized that it offered no log as to see who was or had logged into the unit. I am behind a pretty good firewall so I decided to set-up the firewall itself to log my traffic to the internal IP address of the DVR. I quickly discovered that I had an unauthorized connection to a Chinese IP address!!! The IP address had an established connection to port 32...WTF? So I setup a rule to block the connection but soon realized that it wasn't just some Chinese guy trying to make a connection to my DVR but that the DVR itself was acting as the client
> Thanks, ML

What if the DVR has built-in DDNS and is trying to talk to a server?
mountainluau, Posted December 26, 2012

DDNS is saying off.....?
GrouchoBoucho, Posted December 26, 2012

Some DVRs have an option to connect out to the manufacturer's website; then instead of logging directly into the DVR from remote, you connect to the central website and get routed to your DVR... kind of like LogMeIn or TeamViewer. Could that be what it's doing?
mountainluau, Posted December 26, 2012

I don't think so. That was never listed as an option, nor did the seller have an explanation. They just blew me off. I would love to test another unit. My bet is that it would do the same thing. It is attempting to connect to port 80 of the remote server FTR.... It's the cycling through local ports that is really strange.
GrouchoBoucho, Posted December 26, 2012

Pretty sure this question has come up here before...
shockwave199, Posted December 26, 2012

What brand? Perhaps try defaulting the unit out just for the hell of it. If it's an eBay purchase, who knows what was set before you got it. Full default wouldn't hurt.
ak357, Posted December 26, 2012

Yep, I would love to know the brand.
yakky, Posted December 26, 2012

I'm no expert but I do play a corrupt software engineer on a Mexican soap opera.... my thoughts:
- Take the tinfoil hat off for a moment and catch your breath...
- It's not Dahua, as those provide a log of who logs in, but if it was doing covert activity, it surely would clear this out.
- Let us know how quickly you "guess" the telnet password; even if it's numeric, it'll take a long time.
- It's likely the unit is calling home to set its time/DDNS/check firmware updates.
- Someone who builds a unit like this isn't going to do some beginner attempt at snooping only connecting back to the camera mfg's home base.
- And last but not least, you can use something like tcpdump or Wireshark to figure out exactly how benign its activity is.
mountainluau, Posted December 26, 2012

> I'm no expert but I do play a corrupt software engineer on a Mexican soap opera.... my thoughts:
> - Take the tinfoil hat off for a moment and catch your breath...
> - It's not Dahua, as those provide a log of who logs in, but if it was doing covert activity, it surely would clear this out.
> - Let us know how quickly you "guess" the telnet password; even if it's numeric, it'll take a long time.
> - It's likely the unit is calling home to set its time/DDNS/check firmware updates.
> - Someone who builds a unit like this isn't going to do some beginner attempt at snooping only connecting back to the camera mfg's home base.
> - And last but not least, you can use something like tcpdump or Wireshark to figure out exactly how benign its activity is.

FTR the model might as well be known. It is a Night Owl 88550c bought through TigerDirect. It was an 8 camera/500 Gig DVR for $287.00. I still don't regret buying it because I can at least monitor my home now. I see myself moving into an HD unit in the near future but I wanted to get something up and running now. I have Wireshark, ettercap and C&A. Was thinking of trying John for telnet. Starting off I'm going to base this on "root" as the username. Any additional info would be appreciated. My hopes are that somebody out there has this unit and could do some snooping and see if the behaviour is platform specific. Going to try to start digging into this tonight.

ML
shockwave199, Posted December 26, 2012

I'm actually surprised the DVR doesn't have a log. I thought that was standard fare for all of them.
yakky, Posted December 26, 2012

> FTR the model might as well be known. It is a Night Owl 88550c bought through TigerDirect. It was an 8 camera/500 Gig DVR for $287.00. I still don't regret buying it because I can at least monitor my home now. I see myself moving into an HD unit in the near future but I wanted to get something up and running now. I have Wireshark, ettercap and C&A. Was thinking of trying John for telnet. Starting off I'm going to base this on "root" as the username. Any additional info would be appreciated. My hopes are that somebody out there has this unit and could do some snooping and see if the behaviour is platform specific.

There are a couple of passwords that floated around for the Night Owl; none of those worked for me. I tried mine with all numeric combos from 0-999999, nothing worked. I also ran john for about a month IIRC, no hits either. It was a POS and I sent it back.
mountainluau, Posted December 26, 2012

> There are a couple of passwords that floated around for the Night Owl; none of those worked for me. I tried mine with all numeric combos from 0-999999, nothing worked. I also ran john for about a month IIRC, no hits either. It was a POS and I sent it back.

What did you use for username...root?
mountainluau, Posted December 29, 2012

Resolved... I can take off my tinfoil hat finally! Turned out to be a UPnP setting on the DVR... The manual doesn't even reference it, but I went back through the settings again and saw that UPnP was set to "ON" and thought, why do I need that anyway. I turned it to off and it fixed the problem. I should have known better! It still doesn't explain why it was "Plug-N-Playin" back to China. I'm still gonna jack into it... just because..... I'll update ya...

ML
GrouchoBoucho, Posted January 1, 2013

> It still doesn't explain why it was "Plug-N-Playin" back to China.

That's how the DVR knows the port forwarding has been successful. It tells the router, 'open these ports'. Then it connects out to 'home base' to say, 'hey, I'm here, can you see me?'. Then 'home base' tries to connect back to it on those ports. If it works, then it reports to the DVR, 'yes, I can see you, the ports are set up correctly.'
yakky, Posted January 2, 2013

Glad you got it figured out.
mountainluau, Posted January 2, 2013

> That's how the DVR knows the port forwarding has been successful. It tells the router, 'open these ports'. Then it connects out to 'home base' to say, 'hey, I'm here, can you see me?'. Then 'home base' tries to connect back to it on those ports. If it works, then it reports to the DVR, 'yes, I can see you, the ports are set up correctly.'

Copy that. That's good to know. Thanks

ML