Bob, if you had Hik DVRs/NVRs with remote access enabled using admin/12345 you were most likely sharing control of those devices with a botnet anyway for some time.
At this point they probably need to be hard reset locally and the password changed.
Thanks for the priceless info! Tomorrow I'll get some units. Need to google to catch the procedure to do it! Once, thank you!
We are a Hikvision OEM partner.
These DVRs will have been hacked.
Over the last week we have had over 150 customer DVRs that have been hacked and the password changed.
Please note: when you reset the password, please look into the user accounts, as it seems that in this particular hack the hacker is creating new user accounts and passwords so that they can still access the DVR after the admin password has been reset from the hackers.
The user account the hacker seems to be creating is called “System”, so most people may think this is a genuine account, which it is not.
Define "remotely". Who has access to them? Are they on an isolated company VLAN with no external access, only through a company gateway server? In this case, perhaps IT changed the default password.
If they were left with default password, and are accessible with no VPN / accessible via internet, the password was changed by a person, could be anyone. Could be the aspiring hacker or some kid in a basement somewhere who is just having "fun". We can't help you here and there is no easy way to fix it except sending someone out to every site and resetting the NVR if there was no backup admin created (always recommend creating a 2nd admin account).
You might also want to do these resets in an isolated network and delete the corrupted settings entirely just to be sure. Then update the firmware.
I have had a couple of Interlogix cameras (same thing as Hikvision, renamed) do the same thing, and we had to go out and physically factory default the camera. The weird thing about it is that they are attached to an Avigilon VMS and not open to the Internet. Something very odd is going on here and I can't figure it out.
Your customer had a device attached to the public internet using default credentials. "WCGR", as they say on Reddit.
Thanks to everyone who commented here. We ran a post on this this morning prompting Hikvision to admit to the hacking.