sansisc

Hikvision DVRs: Please check for malware


We just came across some Hikvision DVRs that were infected with malware. The malware scanned outbound for vulnerable Synology disk stations (port 5000 tcp) and ran a bitcoin miner. Other DVRs may be affected as well. So far, it looks like the infection happened via telnet using default credentials.

To check if your DVR is affected:

- telnet to the DVR
- login as root (the password should be the same as your "admin" password)
- check the /dev/ directory for odd files. The only entries in this directory should be devices; you shouldn't have any actual files.

For more details, see:

https://isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner+/17879


If you find anything on your DVR, please let us know, as we are still investigating this issue (https://isc.sans.edu/contact.html).


Thanks.

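An added example, not code from the ISC diary or this thread: a POSIX sh script that performs the /dev check described above on a BusyBox-style DVR shell, plus a small parser for `netstat -tn` output that lists outbound connections to tcp/5000 (the Synology port the malware scanned). It assumes `find -xdev -type f` and `awk` exist on the box; the file names and netstat lines used in testing are constructed.

```shell
#!/bin/sh
# Added example, not code from the ISC diary or the forum post. Assumes a
# BusyBox-style shell whose find(1) supports -xdev/-type and which has awk(1).

# Indicator 1: regular files under a device directory. /dev should contain
# only device nodes, directories, symlinks, FIFOs and sockets, so any regular
# file there is suspect. Prints "<path> executable|non-executable".
find_regular_files() {
    dir="${1:-/dev}"
    # -xdev stays on one filesystem (devtmpfs); -type f matches regular files only.
    find "$dir" -xdev -type f 2>/dev/null | while read -r f; do
        if [ -x "$f" ]; then
            echo "$f executable"
        else
            echo "$f non-executable"
        fi
    done
}

# Indicator 2: outbound TCP connections to port 5000, the Synology disk station
# port the malware scanned. Reads `netstat -tn` style lines on stdin
# (Proto Recv-Q Send-Q Local Foreign State) so it can be checked offline;
# prints "<peer> <state>" for each match.
outbound_to_port_5000() {
    awk '$1 ~ /^tcp/ && $5 ~ /:5000$/ { print $5, $6 }'
}

# Run both checks on the live box:  sh check_dvr.sh --run
run_checks() {
    echo "== regular files under /dev (expect none) =="
    find_regular_files /dev
    echo "== outbound connections to tcp/5000 (expect none) =="
    netstat -tn 2>/dev/null | outbound_to_port_5000
}

if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Any path printed by the first check is worth pulling off the box for analysis before deleting it; an empty output from both checks does not prove the device is clean if telnet was reachable with the default password.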

Doh... That sucks big time. It should be common practice to change the default admin "12345" password; in fact, I would like DVR manufacturers to disallow remote access if the password is the default one.


I did a test last year with 200 Hikvision units I located online; 57% were online with the 12345 password, and I could have done anything I wanted with the units. I wrote this post about it on our blog (it is in Spanish):

http://www.securamente.com/sobre-la-recomendacion-de-modificar-los-passwords-por-defecto-de-nuestro-equipo-de-videovigilancia/


I even located a company in India with 1612 Hikvision DVRs online; ALL of them were with admin/12345...

http://www.securamente.com/passwords-por-defecto-en-un-equipo-de-cctv-lo-que-no-hay-que-hacer/


Luckily the telnet port is usually not accessible from the outside, but if the malware comes from another device already inside the network, tough luck.


Interesting post!


I encounter this carelessness all the time: I see WAY too many DIY and also 'pro' installs online with default passwords. A strong/unique password should be COMMON SENSE these days!!
