I had a client with a hacked Dahua NVR that I had to battle these past few weeks. The only way we knew it had been hacked was because we could not save any changes. We found this out when I attempted to install three additional Dahua cameras at this site.
The NVR had no issue adding the new cameras, but as soon as it rebooted (Dahua devices reboot weekly on Tuesday @ 02:00 by default), it lost the new cameras.
When I was called back to the site Wednesday AM, I found that the NVR had been reverted to the settings just before I added the three cameras. It was after digging further that I found an additional user account named "service" that had a note on the account that said "your_device_has_been_hacked_ple".
I was unable to make any changes to the NVR config that would survive a reboot. My admin credentials remained intact and usable, but there was little hope of fixing the issue via the NVR GUI. I attempted to navigate CLI via telnet, but was not able to correct the issue myself.
I leaned on my Dahua OEM suppliers for their assistance in locating a newer firmware with hopes that it would overwrite / correct the permissions issues. After upgrading the firmware, the permissions issue persisted. Note that I could not run the firmware update via the GUI, I had to use the Dahua DVR Upgrade Tool Ver1.16 utility to push it to the device.
My next step was trying to again use telnet access to try and unlock the NVR. However, there was a new roadblock. The original firmware 2.608 allowed up to 8 character passwords, but the newer firmware 2.616 only allowed 6 character passwords. This made my 8 character password unusable. I could use the Dahua daily code to make changes in the NVR GUI, but these were not saved to the telnet level password list. So now I was locked out of telnet access.
My final attempt was to connect via RS232 and try to erase everything on the NVR and upload a complete firmware image. To do this, you will need a few programs, NCOM and a Cisco TFTP server app. NCOM allows you a CLI console to run commands. I was able to use the HELP command to find ERASECFG, which successfully cleared the permissions issue. I also used the NCOM/TFTP method to upload the complete Dahua firmware image (update.img).
I guess I am documenting this here in case others have a similar issue. To fend off this from happening again, we now are using a non-standard port externally forwarded to port 37777 in hopes that this will prevent its discovery by hackers again. This isn't a sure fire way to prevent future hacks, but it will surely take longer for them to find it.
NOTICE: This comment was moved from an existing discussion: Should I Hack 10,000 Dahua Cameras?