IPVMU Certified | 04/07/16 12:58am
That IP address is a local address to that LAN. Do you know what device is currently using 1.33?
Maybe a camera at 1.33 is trying to send video to the NVR?
hmmm, the NVR is 192.168.0...
I haven't seen many cameras log into an NVR; usually it's the other way around, but anything is possible. They wouldn't happen to be connected to a WLAN (wireless LAN) of some sort, would they? Nothing like hopping on someone's free wifi and seeing what you can break into if you are a bored hacker?
Maybe just a PC rebooting after Windows Update with a client viewer in the autostart group?
edit: just saw the 2000/hr
Perhaps a virus on the 1.33 PC which does a network scan. Are you sure there is even a 1.33 machine?
IPVMU Certified | 04/07/16 05:41am
There are a number of ways a 192.168.0.x address can communicate with a 192.168.1.33 address. A subnet mask set to class A or B, for example, a misconfigured L3 switch, or a router would all provide such functionality. Regardless, it looks like automated probing via software. Could also just be a Kerberos / SSL key expiration. Hope this helps.
No 1.33 on the customer's network. The customer lost remote viewing at the same time as the illegal logins. The password to the NVR had been changed, so I suspect the attacker was successful at getting in and changing the password. Got the password reset by Hik, got back in, and remote view is working. Checked the log again, but it was no longer showing illegal logins. I did see where I remotely logged in right after the attack, but it showed my IP address as 192.168.0.40. I thought it would have shown the WAN, not the LAN, IP of the remote machine? If not, then 1.33 was simply a remote PC of the attacker, right?
I returned to the office and logged in remotely again. I went through a few menus but lost connection just before checking the log ( I wanted to verify my IP address). I tried the phone app but now I get Connection Failed. I suspect that there has been another attack this afternoon that changed the password again. Very strange.
Any more thoughts?
It could be the customer's mobile phone with a wrong password. He got an IP address from the wifi router on the wireless LAN.
NVR have anything like this?
Without having to manually default the NVR, doesn't that mean the HIK NVR had a backdoor to allow them to access it and program the new password?
Just curious if that seems suspicious to anyone else?
Pro Focus LLC | 04/13/16 11:23pm
Easy, people! All of the real manufacturers have an algorithm to create a one-day-only admin password. How else would they be able to allow you into your locked device? I know that with Dahua, this special password can only be used at the DVR/NVR. You cannot use it remotely.
Jason, the attack came from a host that had the IP address 192.168.1.33 on your local network. How they got there is the real question. Is 192.168.1.33 a PC that could have been remoted into? Is it another device like a wireless access point or switch? That is your first goal. WTH is at 192.168.1.33.
Secondly, you can assume that either the local WiFi network is insecure, or they had remote access. If they have insecure WiFi, that needs to be addressed. If 192.168.1.33 is a PC, you need to check it for typical remote desktop apps (LMI, Teamviewer, VNC, etc) or have it scanned for malware.
Third, you need to restrict illegal logins like mentioned above. In fact, I believe that should be a default setting. I know that Dahua only allows 3 login attempts before locking the account. You have to reboot the unit before being able to try that account again.
Fourth, assign better passwords too. 2000 attempts means your password was very weak, or the hacker has a horseshoe up his ass. There is no way a good password will be cracked in 2000 attempts.
Last, like others have said above, there are many scenarios where dissimilar subnets have access to each other. Unless there is a firewall explicitly blocking traffic between the subnets, a simple subnet mask error (class A instead of class C mask) will allow it.
All of the real manufacturers have an algorithm to create a one day only admin password.
All real manufacturers have back-doors? I thought the date thing was just a Hikua deal.
Pro Focus LLC | 04/14/16 07:31pm
Just received some new Hik IP cams today and they do in fact have Enable Illegal Login Lock from the factory as checked on as default.
Okay, now I'm finding some highly suspicious IP addresses in the operation log: 100.96.159.56, 100.125.174.172, 100.69.32.36, 100.86.75.101.
I've convinced the customer to change the password to 12 characters, all random. I will probably set up some MAC filtering for his devices only. Is the only move to make now to have the customer get their IT people to tighten up security? Or are there any other steps I need to take?
Holy ----! I've checked the logs on five other Hik NVRs. ALL of them are showing numerous illegal logins as well as successful logins from addresses very similar to 100.90.145.34. IP tracker shows them to be in C H I N A (of course), Sweden, and Vietnam... if the info provided by the tracker is reliable. These all have considerably strong passwords.
I know a lot of people here have been harping on Hik's security risk for a while. Unfortunately, I haven't heeded the warnings and now I must do the best I can to tighten up. Through all of the discussions about this, I don't recall anyone suggesting a viable alternative. I only recall suggestions for far more expensive options. Though I fully understand the argument against driving the cost down and using Chinese products, what are the small (very small) businesses and residential clients to do? They also need quality HD video surveillance but would never have it if it meant paying a huge price tag. It would be great if an American company would produce an NVR appliance comparable to Hik. I would definitely switch to it.
Pro Focus LLC | 04/17/16 12:25pm
Calling the FBI is a little drastic, but you really should have all credit card transactions on a separate network anyway. It is required for PCI compliance.
IPVMU Certified | 04/17/16 02:32pm
Folks, the real issue here is his server (HIK NVR in this case) responding to requests on TCP port 80. Plenty of other ports under the sun to choose from which offer some reduced visibility to those looking to compromise his system.
The log files are showing nothing more than probing from an outside source. The manner in which HIK has chosen to implement IP capture in their logs is based on a decades-old standard and is VERY easy to spoof. I would spend no time trying to chase down a phantom private address like 192.168.1.33 or 100.96.159.56, as they are not real public IPs (More here: http://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml).
The logs posted above show common day-to-day probing. Anyone operating a web-enabled server will see thousands of these an hour in many cases. From HTTP to FTP to other protocols, the probing party is simply using a dictionary attack to hurl passwords at the "admin" account. To stay safe: keep your passwords complex, keep your system patched, and change your port to something higher than 1024! (More here: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers)
Hope this helps.
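Two points in this thread lend themselves to a quick check: the earlier remark that a subnet-mask error (class A instead of class C) lets a 192.168.0.x host talk directly to 192.168.1.33, and the point just above that addresses like 192.168.1.33 and 100.96.159.56 are not public, per the IANA special-purpose registry. The script below is an added example, not code from the thread or from Hikvision: it classifies a source address against the relevant IANA blocks (RFC 1918 private space and the RFC 6598 shared address space used for carrier-grade NAT), tests whether a given local address/mask would treat a remote address as on-link, and runs a simple failed/successful-login count over constructed log lines. The log layout (`time type user source`) and the allowlist of known-good operator addresses are assumptions for the example, not the NVR's real log format.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Blocks from the IANA IPv4 Special-Purpose Address Registry that matter here.
# None of them is routable on the public Internet, so a logged source in one of
# these is either on the local network, spoofed, or behind a carrier-grade NAT.
SPECIAL_PURPOSE = {
    "private (RFC 1918)": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "shared address space / CGNAT (RFC 6598)": [ipaddress.ip_network("100.64.0.0/10")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "link-local (RFC 3927)": [ipaddress.ip_network("169.254.0.0/16")],
}


def classify(ip: str) -> str:
    """Return the special-purpose label for ip, or "public" if it matches none."""
    addr = ipaddress.ip_address(ip)
    for label, nets in SPECIAL_PURPOSE.items():
        if any(addr in net for net in nets):
            return label
    return "public"


def on_link(local_ip: str, mask: str, remote_ip: str) -> bool:
    """True if a host configured as local_ip/mask treats remote_ip as directly
    reachable (same subnet) instead of handing it to the default gateway."""
    iface = ipaddress.ip_interface(f"{local_ip}/{mask}")
    return ipaddress.ip_address(remote_ip) in iface.network


# Constructed sample log lines for the example; NOT the real Hikvision format.
SAMPLE_LOG = """\
2016-04-07 00:11:02 ILLEGAL_LOGIN admin 192.168.1.33
2016-04-07 00:11:03 ILLEGAL_LOGIN admin 192.168.1.33
2016-04-07 00:11:04 ILLEGAL_LOGIN admin 192.168.1.33
2016-04-07 00:12:30 LOGIN admin 192.168.0.40
2016-04-13 21:05:11 ILLEGAL_LOGIN admin 100.96.159.56
2016-04-13 21:05:12 ILLEGAL_LOGIN admin 100.125.174.172
2016-04-13 21:05:13 LOGIN admin 100.90.145.34
2016-04-13 21:06:00 ILLEGAL_LOGIN admin 91.0.2.55
"""


@dataclass
class Finding:
    source: str
    kind: str
    failed: int
    succeeded: int


def triage(log_text: str, allow=frozenset(), fail_threshold: int = 3):
    """Count ILLEGAL_LOGIN / LOGIN events per source and flag any source that
    either crossed fail_threshold failures or logged in successfully without
    being on the operator's allowlist of known-good addresses (assumed)."""
    failed, succeeded = Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip blank or malformed lines
            continue
        _date, _time, event, _user, src = parts
        if event == "ILLEGAL_LOGIN":
            failed[src] += 1
        elif event == "LOGIN":
            succeeded[src] += 1

    findings = []
    for src in sorted(set(failed) | set(succeeded)):
        f, s = failed[src], succeeded[src]
        if f >= fail_threshold or (s > 0 and src not in allow):
            findings.append(Finding(src, classify(src), f, s))
    return findings


if __name__ == "__main__":
    # A /8 mask on the 192.168.0.40 host makes 192.168.1.33 look on-link; /24 does not.
    print("on-link with 255.0.0.0:", on_link("192.168.0.40", "255.0.0.0", "192.168.1.33"))
    print("on-link with 255.255.255.0:", on_link("192.168.0.40", "255.255.255.0", "192.168.1.33"))
    for finding in triage(SAMPLE_LOG, allow={"192.168.0.40"}):
        print(finding)
```

The classification table is deliberately explicit rather than relying on the standard library's `is_private` flag, so that the shared address space (100.64.0.0/10) is reported under its own label; a successful login from that block means the request came through a carrier NAT or was logged with a spoofed source, either of which deserves a look before trusting the geolocation of the address.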
IPVMU Certified | 04/17/16 02:52pm
Yes, I missed where he said above that they were successful in logging in.
Jason, are you seeing something other than the logs which leads you to understand someone has been able to log in?
IPVMU Certified | 04/17/16 03:03pm
2000 tries is too round a number... it is almost impossible to crack a password in such a small number of tries... and 2000 is definitely a number to mask the direct login... The person who did that should have used an exploit (what else is shown in the logs?) or just knew the password.
As for the remote IPs... the attacker would use a proxy anonymizer to hide the source. I do such things regularly myself while pen-testing my customers... The attacker can drink coffee with a laptop at Starbucks next door and you will see him coming from China.
As for consequences: Jason, you should treat an NVR or even a camera as a regular PC running Linux, so they could scan the network from inside, analyse other hosts, try to get access to other systems... pretty much everything...
I can't tell more, I don't know your topology...
Overall, the situation tends to be a targeted attack led by a semi-pro; you should definitely check other hosts.
For risk mitigation I would recommend an IPS (Intrusion Prevention System); it will prevent password brute-forcing and treat it as an attack in progress, while a regular (not NG) firewall will pass this if remote login is permitted. If the outlet is stand-alone, then they should consider buying a provider security service; if it is a network of outlets, they should build a security perimeter with a firewall and IPS.
Try monitoring the attacker's MAC address with Wireshark or similar. You can get the MAC address, then block this MAC in your router and check the first few bytes for the manufacturer, but at best you will learn what network adapter he is using. Your wifi is compromised at least, as they got a local IP address from your router.
As they stopped at 2000 tries, their brute-force password breaker might have a software limit of 2000 tries. I see multiple vulnerabilities; first your WIFI network, I bet you don't use any encryption at all or you use WEP, which can be broken in a few minutes.
To be honest, to all these installers who are convinced that IP video surveillance is nothing but wiring a few devices together and connecting a patch cable to the router, I suggest you get an IT guy ASAP or take the consequences...
IPVMU Certified | 04/17/16 09:19pm
I think we may be overlooking that the log capacity may only show 2,000 attempts, right? I'm not familiar enough with that NVR to say what the limits of the log may be. 20 pages?