ncohen 0 Posted September 22, 2017

Hi,

So I've been installing Dahua systems over the last 6/7 years and have all sorts of devices out there, from DVRs running a few analogue cameras to large IP camera systems. I always make sure to change all default passwords and keep on the latest firmware where possible. I have heard of the Dahua hacks a few months ago but didn't think much of it since I always change the passwords.

Fast forward to this week when I received three calls about systems going offline on Tuesday morning. I usually leave the auto Tuesday 2am reset on. What I figured happened was the hackers got in Sunday/Monday and did their thing, the unit reboots and activates their new settings, leaving the customer with a hacked system.

Here's where it gets weird. From the logs I can see their IP and that they have logged in using the '888888' login. Yes, I know that is supposed to be a local login only, but whatever, it isn't. The thing is my custom password is still working, and if I try to log in with '888888' as the password it fails.

So, how did they get in? Is there a backdoor utilizing the default password? Is it via telnet, and should/can I change the password there? Are they able to get onto the local network this way?

Also, what is the best way to protect the units? With the newer NVRs I have the latest firmware from Dahua's website, but is that enough? And what about the old DVRs I have out there with no firmware update available to them?

Any info would be a great help for me and I'm sure the many others who have had these hacks happen!

Images below

iTuneDVR 2 Posted September 23, 2017

Model of your device, firmware version?

ncohen 0 Posted September 23, 2017

> Model of your device, firmware version?

Hi,

3 x Units

1 - 16 Channel 960H DVR (Don't know model number)
Firmware: 2.616.AD00.0, Build Date: 30-09-2013

2 - 4 Channel NVR, NVR104P
Firmware: 3.200.0000.4, Build Date: 09-05-2015
Updated to: 3.200.0000.0, Build Date: 31-03-17

3 - 8 Channel NVR, NVR4108P
Firmware: 3.200.0000.0, Build Date: 17-03-2015
Updated to: 3.203.0000.0, Build Date: 12-06-17

Any other information required, please let me know.

oh6hfx 0 Posted September 23, 2017

I can confirm this also with NVR-5232, see other thread viewtopic.php?f=3&t=45848

Hacker has logged in with 888888 from outside network.

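The check both posters describe above (a login by the '888888' account from an outside address), as an added example that is not part of any post in this thread. The log layout, the sample lines and names such as `find_suspicious` are assumptions constructed for illustration, not Dahua's export format.

```python
import ipaddress
import re

# Constructed sample lines in a hypothetical "time | user | event | source"
# layout; a real recorder's log export will differ, so adapt LINE_RE to it.
SAMPLE_LOG = """\
2017-09-17 03:12:44 | admin  | Login  | 192.168.1.20
2017-09-17 23:41:09 | 888888 | Login  | 203.0.113.57
2017-09-17 23:41:30 | 888888 | Config | 203.0.113.57
2017-09-18 08:02:11 | 888888 | Login  | 127.0.0.1
2017-09-18 09:15:00 | admin  | Login  | 198.51.100.8
2017-09-19 02:00:00 | System | Reboot | -
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) \| (?P<user>\S+)\s*\| (?P<event>\S+)\s*\| (?P<src>\S+)$"
)
LOCAL_ONLY_ACCOUNTS = {"888888"}  # account the thread says should be local-only
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(src):
    """Return 'local', 'lan', 'internet' or 'unknown' for a source field."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "local"
    if ip.is_link_local or any(ip in net for net in RFC1918):
        return "lan"
    return "internet"


def find_suspicious(log_text):
    """Flag every event by a local-only account that did not come from the console."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["user"] not in LOCAL_ONLY_ACCOUNTS:
            continue
        origin = classify_source(m["src"])
        if origin != "local":
            findings.append((m["time"], m["user"], m["event"], m["src"], origin))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print("ALERT %s user=%s event=%s src=%s (%s)" % finding)
```
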
Neutech 0 Posted September 23, 2017

You need to remove the Telnet function on the DVR / NVR; this is where the issue is. They can get in no matter what passwords you have changed. They are only soft hacked; once you log in via Admin and default and set up again, all goes back to normal.

Dahua have stated that any firmware dated 2017 will be covered fine.

Contact your supplier; they will have the software to sort the Telnet issue.

ncohen 0 Posted September 24, 2017

> You need to remove the Telnet function on the DVR / NVR; this is where the issue is. They can get in no matter what passwords you have changed. They are only soft hacked; once you log in via Admin and default and set up again, all goes back to normal.
> Dahua have stated that any firmware dated 2017 will be covered fine.
> Contact your supplier; they will have the software to sort the Telnet issue.

Hi,

I've seen this code:

http:///cgi-bin/configManager.cgi?action=setConfig&Telnet.Enable=true

Is there something similar which can disable telnet?

I did telnet into my older DVR (doesn't work on my 4104 NVR) and looked around, but that didn't record any log of my entry. What would have to be done to cause a log to be recorded?

Thanks

oh6hfx 0 Posted September 24, 2017

> You need to remove the Telnet function on the DVR / NVR; this is where the issue is. They can get in no matter what passwords you have changed. They are only soft hacked; once you log in via Admin and default and set up again, all goes back to normal.
> Dahua have stated that any firmware dated 2017 will be covered fine.
> Contact your supplier; they will have the software to sort the Telnet issue.

In my client's case the NVR is behind a Cisco NAT router and the telnet port is not forwarded. Unless they did hack the router also...