Is my Dahua DVR being hacked?

Jupiloy

May 28, 2026
Hi everyone,

First post here, I found this place while looking for a Dahua user forum to find out if someone unauthorized is accessing my DVR.

I have the DH-XVR1A04, and on two separate occasions I noticed that two admin users were created without my intervention. Two months ago, an admin user named 'UVA' was added, with the memo 'UVA', and a few weeks ago another admin account named 'viumjsj' was created with the memo 'CISA'.

Reviewing the logs, in both cases, the associated IP address is 127.0.0.1 (localhost), unlike if I were to create another account myself (192.168.X.X). After the creation, the "UVA" user logged in several times within a 5-second period, and then there was no further activity.
In the case of the "viumjsj" user, there is only the user creation record and nothing else.

As a security measure, after the first incident, I performed a factory reset and reconfigured the DVR, but I noticed that it happened again when I checked the DVR recently.

I want to add:
I connect via P2P using DMSS and SmartPSS with strong credentials, and I only use the admin account to configure the DVR.
Password reset, CGI, and ONVIF are disabled on the DVR.
Port forwarding and UPnP are disabled on the router.

Is this some kind of internal system function, or is it someone outside my local network trying to access the DVR somehow, possibly through a vulnerability (since the software build date is from 2019)?

Sorry for my English, I’m not a native speaker.

Thanks.
 
Those user names certainly sound like something odd is going on. How is the DVR Internet connected? No port forwarding and UPnP is a good start, but P2P can have issues too...
 
There were problems with Dahua P2P implementation on their NVRs and with SmartPSS with firmware prior to July/Aug of 2024.
Current FW and P2P is fine.

I've never seen Admin users added by themselves.
 
Those user names certainly sound like something odd is going on. How is the DVR Internet connected? No port forwarding and UPnP is a good start, but P2P can have issues too...
The DVR is connected directly to the internet. When I'm away from home, I connect to it via P2P using DMSS. I assume P2P isn't the most secure option, especially considering it's a somewhat older device, but it's more convenient because my network uses CG-NAT.

I was thinking about using a VPN such as Tailscale, but that would require keeping a device powered on 24/7.
 
The DVR is connected directly to the internet. When I'm away from home, I connect to it via P2P using DMSS. I assume P2P isn't the most secure option, especially considering it's a somewhat older device, but it's more convenient because my network uses CG-NAT.

I was thinking about using a VPN such as Tailscale, but that would require keeping a device powered on 24/7.

Does your router have OpenVPN built-in?
 
Nothing inherently insecure with Dahua's P2P. Much like Tailscale or other P2P services.
It's just they had problems with older NVR and SmartPSS/DMSS firmware in how they communicated.

Though a VPN would get around having your XVR exposed with known bad FW on your devices.
 
I see. I asked Dahua support if there were any updates since the one I have (V3.218.0000002.5 build date 2019) and they gave me this: DH_XVR5x04-S2(2.0)_Eng_P_V3.218.0000002.7.R.210707, which I think is from July 2021.

Do you think it's worth updating? Although a VPN is probably better.
 
I have no way of knowing. The info they put out in summer of '24 was that they were discontinuing SmartPSS immediately, and that all NVRs should be updated to FW July '24 or later.

Yes, in your case a VPN would be the best route.
 
It certainly looks like the result of your DVR being hacked. Seeing 127.0.0.1/localhost in the log indicates that it probably wasn't even a simple authentication bypass, but rather they got enough control over the DVR (e.g. via an SSH connection or some other kind of command injection that makes the DVR run attacker-specified commands) that, from the perspective of the logging system, the requests were coming from the DVR itself.

Without knowing what vulnerability they exploited to get in, nobody can say if 2021 firmware will fix it. The safest thing you can do is block it off from the internet entirely and only access it via a VPN.
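
A triage sketch for the pattern described in this thread, added here as an example and not part of any poster's reply or of Dahua's tooling: it flags accounts created from a loopback address and bursts of logins inside a 5-second window. The CSV layout, the timestamps, the `guest` entry and the 3-login threshold are assumptions; a real log export has to be mapped to these fields first.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample; the CSV layout (time,event,user,source IP) is an assumption.
SAMPLE_LOG = """\
2026-03-20 03:14:07,Add User,UVA,127.0.0.1
2026-03-20 03:14:09,Login,UVA,127.0.0.1
2026-03-20 03:14:10,Login,UVA,127.0.0.1
2026-03-20 03:14:12,Login,UVA,127.0.0.1
2026-04-01 18:30:00,Add User,guest,192.168.1.20
2026-05-11 02:41:55,Add User,viumjsj,127.0.0.1
"""

def parse_log(text):
    events = []
    for row in csv.reader(io.StringIO(text)):
        try:  # wrong field count, bad timestamp or bad IP all raise ValueError
            ts, event, user, ip = (f.strip() for f in row)
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           event, user, ipaddress.ip_address(ip)))
        except ValueError:
            continue
    return sorted(events, key=lambda e: e[0])

def loopback_account_creations(events):
    # Accounts created by a process on the recorder itself, not a LAN client.
    return [(ts, user) for ts, ev, user, ip in events
            if ev == "Add User" and ip.is_loopback]

def login_bursts(events, window=timedelta(seconds=5), min_logins=3):
    # Sliding window: first moment a user has >= min_logins logins in `window`.
    by_user = {}
    for ts, ev, user, _ in events:
        if ev == "Login":
            by_user.setdefault(user, []).append(ts)
    flagged = {}
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_logins:
                flagged[user] = times[start]
                break
    return flagged

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(loopback_account_creations(ev), login_bursts(ev))
```

A hit from either check means the recorder should be treated as compromised; it does not identify which vulnerability was used.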
 
Damn, that's scary. I also have a cheap Srihome Wi-Fi IP camera with P2P, and that doesn't inspire much confidence, especially since it's a relatively unknown Chinese brand.

The camera is connected to the DVR via ONVIF, but I have P2P enabled because some functions don't work without it.

I'm not sure, but this wasn't happening before I got that camera. Could it just be a coincidence?
 
P2P itself is not inherently insecure.

Like most things, it's how it's implemented. Using obscure wifi cameras is like playing Russian roulette.

Dahua's current P2P appears to be fine and is in use worldwide. My own firewall appliance shows little to no activity beyond what is expected of it and I've been running it on a number of NVRs for a year or more. Make sure FW is up to date. Old pre-2024 equipment may be more susceptible if not updated but they've cut most of that off at the relay servers from what I've read.
 
Who and what else is on your internal network? A compromise may also come from within, either someone malicious or another compromised device.
 
I also have a cheap Srihome Wi-Fi IP camera with P2P, and that doesn't inspire much confidence, especially since it's a relatively unknown Chinese brand.
Don't want to scare you any more than needed, but there is no way I would allow this on my network. Isolated VLAN segment with firewall rules, no P2P, yes, but not just connected haphazardly...

Many seem to think Dahua's current P2P is fine. I am not saying they are wrong but I prefer to roll my own connection method, VPN etc., certainly if running older firmware!
 
It certainly looks like the result of your DVR being hacked. Seeing 127.0.0.1/localhost in the log indicates that it probably wasn't even a simple authentication bypass, but rather they got enough control over the DVR (e.g. via an SSH connection or some other kind of command injection that makes the DVR run attacker-specified commands) that, from the perspective of the logging system, the requests were coming from the DVR itself.

Without knowing what vulnerability they exploited to get in, nobody can say if 2021 firmware will fix it. The safest thing you can do is block it off from the internet entirely and only access it via a VPN.

It sounds to me like they've bypassed the security using a vulnerability & given themselves root, which then opens them up to do anything or put anything on there, e.g. give themselves admin, create accounts or put trojans / other software on there etc.

I'm no expert, but probably the way forward is a factory hard reset, updated firmware & the use of a VPN - often you need to purchase an accessory router to use on your ISP service as, as you said, ISPs only often provide the cheapest & feature set cut down versions of routers.
 
Thanks everyone for your replies. This situation is more serious than I thought...

I'll definitely set up a VPN like Tailscale to connect to the DVR and I'll probably disable P2P on the Wi-Fi camera.
I'll also perform another factory reset on the DVR and apply the update I received from Dahua support.

I suspect that, among my local devices, the Wi-Fi camera might be malicious or someone external to the local network might be behind it.

Out of curiosity, even though I don't know much about networking, I will inspect the connections to and from the DVR using Wireshark and tools like Ettercap to see if I find anything interesting.
 