Ukraine Hack
Posted: Mon Sep 25, 2017 3:01 pm
I have two separate NVR systems and over the weekend, had both get hacked by what I've been able to determine is an IP address from the Ukraine. What happened is all cameras went offline and completely disappeared from the device list. Multiple reboots, etc. did not resolve. At first I thought it was a hardware PoE failure, but when my second system did the exact same thing a day later, I knew something else had to be up. After a harder look there it was...saw my 4 spare camera channels were renamed to "Hacked 5 - 8".
Below are the logs from the NVR. I did a factory reset and got everything back up and running, but am concerned how they got into the NVR in the first place and what steps need to be taken to secure it. I of course had a unique admin password changed from the default that could not have been guessed. The same with other user accounts. I also read in the manual that accounts are supposed to lock out after 5 bad login attempts, so there's no way this thing could have been brute forced. Is there a known security issue? Is there a newer version of firmware I should be running?
I am running an NVR708NS-P. System version 3.200.KL05.0. Build date 02-23-2016. Web 3.1.0.52249. I do use icddns.com for dynamic DNS for both systems. I only bring that up because that service was out for a while in July and wonder if this is related, because they got into both of my NVRs a day apart that are in two different locations, in two different states, on separate ISPs with very different external IPs. There is zero connection or relation from one to the other, so I am concerned they somehow found both of my NVRs through icddns.com. That still doesn't explain how they were then able to log in and change my config to make both systems inoperable.
The other system is about a year older. I can pull the info from that system as well if needed later this afternoon.
Here are the logs:
No. Time User Name Log Type Note
109 17-09-22 23:32:38 admin User logged in IP Address: 195.211.190.199 User: admin
110 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
111 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
112 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
113 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
114 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
115 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
116 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
117 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
118 17-09-22 23:32:38 admin Save Save NETWORK Config! IP Address:195.211.190.199
119 17-09-22 23:32:38 admin Save Save DNS Config! IP Address:195.211.190.199
120 17-09-22 23:32:38 admin Save Save NETWORK Config! IP Address:195.211.190.199
121 17-09-22 23:32:38 admin Save Save IPV6 DNS Config! IP Address:195.211.190.199
122 17-09-22 23:32:38 admin Save Save Wireless Config! IP Address:195.211.190.199
123 17-09-22 23:32:38 admin Save Save DISPLAY Config! IP Address:195.211.190.199 Channel:5 Channel Display :CAM 5-->HACKED 5
124 17-09-22 23:32:38 admin Save Save DISPLAY Config! IP Address:195.211.190.199 Channel:6 Channel Display :CAM 6-->HACKED 6
125 17-09-22 23:32:38 admin Save Save DISPLAY Config! IP Address:195.211.190.199 Channel:7 Channel Display :CAM 7-->HACKED 7
126 17-09-22 23:32:38 admin Save Save DISPLAY Config! IP Address:195.211.190.199 Channel:8 Channel Display :CAM 8-->HACKED 8
127 17-09-22 23:32:38 admin Save Save UPnP Config! IP Address:195.211.190.199
128 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:1 Enable :Yes-->No
129 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:2 Enable :Yes-->No
130 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:3 Enable :Yes-->No
131 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:4 Enable :Yes-->No
132 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:1 Enable :No-->Yes
133 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:2 Enable :No-->Yes
134 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:3 Enable :No-->Yes
135 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:4 Enable :No-->Yes
136 17-09-22 23:33:33 default Shut down Shutdown Time: 09-22-17 11:32:06PM
137 17-09-22 23:33:33 default Boot up Reboot Symbol: 0x00 Reboot Type: Normal Reboot
138 17-09-22 23:33:33 default HDD No Space Free Space: 0%
139 17-09-22 23:33:33 default HDD INFO Disk totals: Current working disk:
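One way to triage logs in this layout, as an added example that is not part of the original post: it parses the NVR's "No. Time User Log Type Note" lines, flags admin logins from addresses outside an allow-list you supply, counts config saves per source IP per second (the one-second burst visible in the post), and lists channel renames. The sample lines are constructed in the post's format, and the allow-list address 203.0.113.10 is a documentation placeholder.

```python
import re
from collections import Counter

# Constructed sample in the NVR log layout shown in the post (No. Time User Log Type Note).
SAMPLE_LOG = """\
109 17-09-22 23:32:38 admin User logged in IP Address: 195.211.190.199 User: admin
110 17-09-22 23:32:38 admin Save Save COLOR SETTING Config! IP Address:195.211.190.199
118 17-09-22 23:32:38 admin Save Save NETWORK Config! IP Address:195.211.190.199
123 17-09-22 23:32:38 admin Save Save DISPLAY Config! IP Address:195.211.190.199 Channel:5 Channel Display :CAM 5-->HACKED 5
127 17-09-22 23:32:38 admin Save Save UPnP Config! IP Address:195.211.190.199
128 17-09-22 23:32:38 default Save Save Monitor Config! IP Address:Login Local Channel:1 Enable :Yes-->No
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$")
IP_RE = re.compile(r"IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3}|Login Local)")

def parse(log_text):
    """Yield (no, timestamp, user, note, source) per log line; source is the IP
    named in the note, 'Login Local' for console actions, or None."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        no, ts, user, note = m.groups()
        ip = IP_RE.search(note)
        yield no, ts, user, note, (ip.group(1) if ip else None)

def review(log_text, allowed_ips, burst_threshold=3):
    """Return findings: remote logins from IPs outside allowed_ips, bursts of
    config saves from one IP within one second, and channel-name changes
    (the 'CAM n-->HACKED n' pattern in the post)."""
    findings = {"unexpected_logins": [], "config_bursts": [], "renames": []}
    saves = Counter()
    for no, ts, user, note, src in parse(log_text):
        remote = src not in (None, "Login Local")
        if "User logged in" in note and remote and src not in allowed_ips:
            findings["unexpected_logins"].append((ts, user, src))
        if "Config!" in note and remote:
            saves[(src, ts)] += 1
        if "Channel Display :" in note and "-->" in note:
            findings["renames"].append((ts, src, note.split("Channel Display :", 1)[1]))
    findings["config_bursts"] = [(ip, ts, n) for (ip, ts), n in saves.items() if n >= burst_threshold]
    return findings

if __name__ == "__main__":
    # 203.0.113.10 is a documentation-range placeholder for "my own" address.
    for key, items in review(SAMPLE_LOG, allowed_ips={"203.0.113.10"}).items():
        print(key, items)
```

Run it against a full export and an empty allow-list to see every remote login; in the post's log the burst of saves at 23:32:38 shows the changes were scripted rather than typed by hand.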