
Hik-Connect Hikvision NVR using Hik-Connect - alarming for "illegal login" attempts

Phil

Just had a chat with a customer who is concerned that his Hikvision 7608-I NVR is pinging audible alarms due to repeated illegal login attempts.
He has traced the IP address that the attempt was from to Russia, and is of course concerned.
He has his NVR set up for remote access via Hik-Connect.
His ISP is SKY in the UK, with no choice other than to use the SKY router provided.

I've asked him to update all his Hikvision devices to the latest firmware version.
NB - his Hikvision kit was claiming to be at the latest firmware release even though it wasn't - unfortunately, you still must check their portal for the latest available firmware version.

I've checked the logs on one of our demo NVRs here and see no such alarms:
(set your start date to search a much longer period than the 1 day my screenshot shows)

 
Sorry to bump an old post but I am getting increasingly concerned about the hacking attempts on my Hikvision NVR.
This time last month in a 7-day period I was getting 4-6 illegal login attempts...
Since the lockdown, in the past 2 days I have had 675 illegal login attempts showing on the NVR log panel.

On my Asus RT-AX88U with built-in AIProtection from MicroTrends I'm getting the following blocked intrusions:

 
Ok, so to clarify, go into NVR and change server port to “123456” (or similar), then go into router and add this “123456” port to port forwarding, then reboot both NVR and router?
 
Just for info:
What model NVR do you have?
What firmware version are you running please?
 
It's advisable not to use the default ports of 80 (HTTP), 8000 (Server) and 554 (RTSP) in the NVR/DVR. I've seen on multiple occasions on customers' NVRs repeated illegal login attempts - sometimes in the thousands.

In the NVR network settings change the ports to three consecutive numbers, for instance 40000, 40001, 40002. The reason for making them consecutive is that on some routers, Virgin Media Hub for example, it saves you typing in three separate port forwarding rules as you can enter the three TCP ports as a range. Update your router port forwarding to suit the amended ports and, if you've set your device in iVMS/Hik Connect using the IP Domain method, you'll need to update the server port reference there also. Be aware that if you change the ports using the web GUI as opposed to the local monitor, you'll need to reconnect after applying - appending the IP address with : port number in your browser.
 
Hello Phil.

NVR DS-7608NI-I2 / 8P
Firmware V4.22.005 build 191208

All IP cameras running the latest firmware (checked last night)

Looking at the NVR log from last night I had the following IP 176.215.108.92 from the Russian Federation trying for 3 hours to gain access.

WEB Hikvision IP Camera Access Bypass -1.2 (CVE-2017-7921)
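One way to triage router intrusion entries like those quoted in this thread, separating signatures that name the NVR's vendor from general scanner noise and showing how long each source kept trying. This is an added example, not code from any poster: the sample records are constructed, the source addresses are documentation-range placeholders, and reading the "-1.x" suffix as a rule revision is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the thread's flattened layout: timestamp, blank line,
# alert type, source IP, destination IP, signature. Sources are placeholders.
ROWS = [
    ("2020-03-30 18:34:57", "203.0.113.10", "WEB Hikvision IP Camera Access Bypass -1.3 (CVE-2017-7921)"),
    ("2020-03-30 16:36:02", "203.0.113.10", "WEB Hikvision IP Camera Access Bypass -1.3 (CVE-2017-7921)"),
    ("2020-03-29 21:31:15", "198.51.100.7", "WEB Masscan Scanner Activity"),
    ("2020-03-27 12:45:54", "203.0.113.77", "WEB Hikvision IP Camera Access Bypass -1.2 (CVE-2017-7921)"),
    ("2020-03-24 20:20:05", "198.51.100.99", "WEB Remote Command Execution via Shell Script -1.a"),
]
SAMPLE = "".join(f"{t}\n\nExternal Attacks\n{s}\n192.168.1.147\n{g}\n" for t, s, g in ROWS)

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
REV = re.compile(r"\s-\d+\.\w+")  # "-1.3" / "-1.a": assumed to be a rule revision

def parse(text):
    """Group flattened lines into records, starting a new one at each timestamp."""
    records, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if TS.match(line):
            cur = [line]
            records.append(cur)
        elif cur is not None:
            cur.append(line)
    keys = ("time", "type", "src", "dst", "signature")
    return [dict(zip(keys, r)) for r in records if len(r) == len(keys)]

def triage(records, device_keyword="Hikvision"):
    """Count hits per signature (revisions merged) and, for signatures naming
    the device, return {source: (first_seen, last_seen, hits)}."""
    by_sig = Counter(REV.sub("", r["signature"]) for r in records)
    seen = defaultdict(list)
    for r in records:
        if device_keyword.lower() in r["signature"].lower():
            seen[r["src"]].append(datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"))
    return by_sig, {s: (min(t), max(t), len(t)) for s, t in seen.items()}

if __name__ == "__main__":
    counts, sources = triage(parse(SAMPLE))
    for sig, n in counts.most_common():
        print(f"{n:3d}  {sig}")
    for src, (first, last, hits) in sources.items():
        print(f"{src}: {hits} device-specific hits, {first} to {last}")
```

Paste the router's exported entries in place of `SAMPLE`; records that do not have all five fields are skipped rather than guessed at.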
 
Also, for interest:
Do you have port forwarding configured?
And if so, do you have a static web IP address, or are you using a DDNS service?
And if so, which please?
 
Ok, so to clarify, go into NVR and change server port to “123456” (or similar), then go into router and add this “123456” port to port forwarding, then reboot both NVR and router?

Yes. I had a ton of those login attempts when I first set up my system. Port 8000 is a common server port and is routinely scanned by bots like you describe. I changed it to 12345 and have not had another login attempt in a very long time. It's not that 12345 is any more protected than 8000, it's just not a commonly used server port and is thus ignored by bots.
 