Strange Admin Accounts

drewgost

Getting the hang of it
Oct 6, 2016
220
25
I have several genuine Dahua cameras and an NVR that I purchased from Andy at EmpireTech over the years. While reviewing the user accounts on my cameras, I noticed something unusual and wanted to ask if you've seen this before.

On some cameras, there are additional Reserved Administrator Accounts with the memo field "CISA". These accounts cannot be modified or deleted because the firmware treats them as reserved. The usernames are different on each affected camera.
Examples:
IPC-HDW5231R-ZE (Firmware V2.800.0000016.0.R, Build 2020-06-05)
  • security
  • deafult
  • ujfjyst
  • zylucem
Another IPC-HDW5231R-ZE with the same firmware has:
  • pdrllew
  • gylmllg
A different model camera has:
  • vviditq
  • hcurwsx

However, other cameras are completely normal with only the expected admin account (and config where applicable). For example, another IPC-HDW5231R-Z has no extra accounts at all.
To troubleshoot, I've already:
  • Verified only my own admin session appears under Online User.
  • Disabled UPnP on my Verizon router.
  • Confirmed DMSS remote access still works after disabling UPnP.
  • Verified there are no manual port forwarding rules.
  • Checked logs and didn't find any account creation events.
  • Found one unexpected admin account on my NVR5232-4KS2 (uvzqsbr), but that account could be deleted successfully.

My question is:

Are these reserved "CISA" administrator accounts expected on any Dahua firmware, or do they indicate a configuration or firmware issue?


Would you recommend:
  • leaving them alone,
  • factory resetting the affected cameras,
  • or flashing the firmware?
Thanks for any help!
 
Finding accounts like that is almost certainly a sign the devices were compromised.

The most common way for such devices to be hacked would be from having them at some point exposed to the internet via UPnP or NAT-PMP or port forwarding. However if they're connected to a cloud service for remote access, that could also be the attack vector. Even having just one vulnerable device exposed could cause them all to be compromised (as the vulnerable one could be used as a proxy to reach the others).

Some basic hacks aren't even persistent. They could have just added those administrative accounts and assumed the device would remain accessible as before so an attacker would just log in to the camera later to run more commands.

Some hacks may only run from a device's RAM and not be able to survive a power cycle.

Some hacks will be persistent though. Factory resetting could get rid of it. Factory resetting, then flashing firmware, then factory resetting again, would increase your chances of getting rid of the malware. However even this isn't a 100% guarantee of success.

The best thing you could do to protect these devices (and the rest of your network) is to fully take away their internet access. Put them on a network that consists only of the cameras and NVR, with no way to access the internet, and change all their IPv4 addresses to a private IP range you aren't using anywhere else. If you need remote access to the system, you have to do it through a VPN. Of course that can be difficult to set up. I would suggest using a PC with dual network adapters; one connected to an internet-connected network, the other connected to the isolated camera network. Then you can install tailscale on the PC and configure it as a subnet router that provides everything in your tailscale account with access to the camera subnet. Of course this doesn't give your NVR a way of sending event notifications, so if that is a feature you rely on then it requires the NVR to have internet access, which opens up a significant amount of risk again.
 
Thanks for the detailed reply. I appreciate it.


Since posting, I've done quite a bit more investigation and wanted to add some information.


  • All of my cameras are Dahua and were purchased new from EmpireTech (Andy) over several years. DO you know how I can connect to Andy?
  • None of the cameras are connected directly to the router. They are all connected to three PoE switches, which connect to a Dahua NVR5232-4KS2. DMSS is configured to connect only to the NVR, not to the individual cameras.
  • I've now disabled UPnP on my Verizon router, and DMSS continues to work remotely over cellular, so there are no longer any automatic port mappings.
  • I checked the Online User page on every camera and only my own admin session is present.
  • The NVR had one unexpected admin account, but it was removable. The camera accounts are different—they're marked as "Reserved" and cannot be modified or deleted.
  • Interestingly, not all cameras are affected. I have cameras of the same model and firmware where one has only the expected accounts, while another has several random reserved admin accounts. The random usernames are also different on each affected camera.

Because of that, I'm not yet convinced this proves an active compromise, although I agree the accounts are unusual and deserve investigation.


Have you seen this specific pattern before on Dahua cameras, where different cameras each have different reserved administrator accounts marked "CISA"? If so, was it ultimately traced to malware, a firmware issue, or something else?
 
Don't worry - its just the CCP, thousands of miles away :rofl:
 
  • Haha
Reactions: drewgost