Tonight, I received numerous e-mail alerts from my customers Dahua DVR's & NVR's. They were all Illegal Login @ 12-1-16 @ 21:17 hrs. The illegal address that attempted to air access was 183.129.160.229. A Google search of this address is from China Telecom. Please pass on.
Illegal Access Attempt From China At Dahua Recorders
I received numerous alerts from my customers Dahua DVR's & NVR's.
So you had multiple customers attacked from the same exact IP at the same exact time?
Why is that hard to believe? Scripts can run on a single host simultaneously from the same public IP. Why would that be strange?
Not impossible of course, but it seems unlikely unless the target IPs are related.
For instance, if you had 100 Dahua customers with multiple ISPs and unrelated IP ranges, and only 10 of them had attempted breaches, but all of those 10 were at the exact same second, it would imply a single server was attacking a massive number of hosts in just that second.
Though it might be a single source IP spoofed by many servers.
You would also win Ethan's NTP sync award of the year :)
The reason I asked for clarification was because of this and the fact that he may have intended "customer's" instead of "customers".
Yes, attached is a screenshot from the alert. I don't think they were able to gain access because all default passwords are always changed.
Alarm Event: Illegal Login
Alarm Start Time(D/M/Y H:M:S): 01/12/2016 21:16:47
Alarm Device Name: HCVR
According to whatismyipaddress, this IP address is from Hangzhou (coincidentally Dahua's home city) and has a record of hacking attempts:
I have submitted this to Dahua's cybersecurity email.