secplus 0 Posted May 8, 2015

In the last few weeks, there have been some sort of attacks specific to Dahua's DVRs all over the place. The first customer of mine that got hit happened about two months ago, and since then, almost every one of my customers who didn't change their default passwords also got hit, and lately, in this forum and some others, more and more units are getting hit.

My theory is that this is not some person doing this for fun, it has to be some sort of bot looking for something or just maybe, I could be crazy, but Dahua themselves doing it, at this point who knows. I took a 4ch DVR out of the box and plugged it into my network, and used DMZ to put it out, not even 24hrs later it got hit.

So, I'm trying to figure out not only if there's a common denominator, but also trying to figure out how to fix it without having to do a firmware update, because I have no idea where to get them, my distributor says that they don't have them. I got one question to those of you that got the same problem, were you using quickddns.com? That's my first guess right now.

Boogieman 1 Posted May 8, 2015

> In the last few weeks, there have been some sort of attacks specific to Dahua's DVRs all over the place. The first customer of mine that got hit happened about two months ago, and since then, almost every one of my customers who didn't change their default passwords also got hit, and lately, in this forum and some others, more and more units are getting hit.
>
> My theory is that this is not some person doing this for fun, it has to be some sort of bot looking for something or just maybe, I could be crazy, but Dahua themselves doing it, at this point who knows. I took a 4ch DVR out of the box and plugged it into my network, and used DMZ to put it out, not even 24hrs later it got hit.
>
> So, I'm trying to figure out not only if there's a common denominator, but also trying to figure out how to fix it without having to do a firmware update, because I have no idea where to get them, my distributor says that they don't have them. I got one question to those of you that got the same problem, were you using quickddns.com? That's my first guess right now.

You should never leave the default username and password....don't even tell the customer that there is a default..simply change it ...

Securame 0 Posted May 8, 2015

> My theory is that this is not some person doing this for fun, it has to be some sort of bot looking for something or just maybe, I could be crazy, but Dahua themselves doing it, at this point who knows. I took a 4ch DVR out of the box and plugged it into my network, and used DMZ to put it out, not even 24hrs later it got hit.

If you leave your car unlocked and it gets stolen, would you blame the car manufacturer? If not, what makes you think Dahua would be doing anything?

secplus 0 Posted May 8, 2015

The problem lies with the customers where we DID NOT do the install, they simply bought the equipment from us and self installed. And why would Dahua do it? I'm just throwing ideas, but yeah it is unlikely that it is them doing it.

So far after resetting the units and deleting all the user names and changing password, everything seems to work, except the "888888" user account. No matter if I delete it and recreate it with full admin privileges, it still says that account doesn't exist when logging in from a web browser; but it still works locally at the unit. So I just simply deleted the account and created a new one for the customers. So far so good.

Securame 0 Posted May 8, 2015

> So far after resetting the units and deleting all the user names and changing password, everything seems to work, except the "888888" user account. No matter if I delete it and recreate it with full admin privileges, it still says that account doesn't exist when logging in from a web browser; but it still works locally at the unit. So I just simply deleted the account and created a new one for the customers. So far so good.

As I already told you on another thread, the 888888 account never works from network; it is only for local use, with monitor and mouse connected to the device. viewtopic.php?f=3&t=45848

Try it with a new unit, and you will see that the results are the same as on those devices that have been compromised; "the user does not exist".

secplus 0 Posted May 11, 2015

> > So far after resetting the units and deleting all the user names and changing password, everything seems to work, except the "888888" user account. No matter if I delete it and recreate it with full admin privileges, it still says that account doesn't exist when logging in from a web browser; but it still works locally at the unit. So I just simply deleted the account and created a new one for the customers. So far so good.
>
> As I already told you on another thread, the 888888 account never works from network; it is only for local use, with monitor and mouse connected to the device. viewtopic.php?f=3&t=45848
>
> Try it with a new unit, and you will see that the results are the same as on those devices that have been compromised; "the user does not exist".

hehe.......you were right. 888888 doesn't work in the network, it was 666666 that I had used......my apologies Securame