Strange Admin Accounts

drewgost

Getting the hang of it
Oct 6, 2016
224
29
I have several genuine Dahua cameras and an NVR that I purchased from Andy at EmpireTech over the years. While reviewing the user accounts on my cameras, I noticed something unusual and wanted to ask if you've seen this before.

On some cameras, there are additional Reserved Administrator Accounts with the memo field "CISA". These accounts cannot be modified or deleted because the firmware treats them as reserved. The usernames are different on each affected camera.
Examples:
IPC-HDW5231R-ZE (Firmware V2.800.0000016.0.R, Build 2020-06-05)
  • security
  • deafult
  • ujfjyst
  • zylucem
Another IPC-HDW5231R-ZE with the same firmware has:
  • pdrllew
  • gylmllg
A different model camera has:
  • vviditq
  • hcurwsx

However, other cameras are completely normal with only the expected admin account (and config where applicable). For example, another IPC-HDW5231R-Z has no extra accounts at all.
To troubleshoot, I've already:
  • Verified only my own admin session appears under Online User.
  • Disabled UPnP on my Verizon router.
  • Confirmed DMSS remote access still works after disabling UPnP.
  • Verified there are no manual port forwarding rules.
  • Checked logs and didn't find any account creation events.
  • Found one unexpected admin account on my NVR5232-4KS2 (uvzqsbr), but that account could be deleted successfully.

My question is:

Are these reserved "CISA" administrator accounts expected on any Dahua firmware, or do they indicate a configuration or firmware issue?


Would you recommend:
  • leaving them alone,
  • factory resetting the affected cameras,
  • or flashing the firmware?
Thanks for any help!
 
Finding accounts like that is almost certainly a sign the devices were compromised.

The most common way for such devices to be hacked would be from having them at some point exposed to the internet via UPnP or NAT-PMP or port forwarding. However if they're connected to a cloud service for remote access, that could also be the attack vector. Even having just one vulnerable device exposed could cause them all to be compromised (as the vulnerable one could be used as a proxy to reach the others).

Some basic hacks aren't even persistent. They could have just added those administrative accounts and assumed the device would remain accessible as before so an attacker would just log in to the camera later to run more commands.

Some hacks may only run from a device's RAM and not be able to survive a power cycle.

Some hacks will be persistent though. Factory resetting could get rid of it. Factory resetting, then flashing firmware, then factory resetting again, would increase your chances of getting rid of the malware. However even this isn't a 100% guarantee of success.

The best thing you could do to protect these devices (and the rest of your network) is to fully take away their internet access. Put them on a network that consists only of the cameras and NVR, with no way to access the internet, and change all their IPv4 addresses to a private IP range you aren't using anywhere else. If you need remote access to the system, you have to do it through a VPN. Of course that can be difficult to set up. I would suggest using a PC with dual network adapters; one connected to an internet-connected network, the other connected to the isolated camera network. Then you can install tailscale on the PC and configure it as a subnet router that provides everything in your tailscale account with access to the camera subnet. Of course this doesn't give your NVR a way of sending event notifications, so if that is a feature you rely on then it requires the NVR to have internet access, which opens up a significant amount of risk again.
 
Thanks for the detailed reply. I appreciate it.


Since posting, I've done quite a bit more investigation and wanted to add some information.


  • All of my cameras are Dahua and were purchased new from EmpireTech (Andy) over several years. DO you know how I can connect to Andy?
  • None of the cameras are connected directly to the router. They are all connected to three PoE switches, which connect to a Dahua NVR5232-4KS2. DMSS is configured to connect only to the NVR, not to the individual cameras.
  • I've now disabled UPnP on my Verizon router, and DMSS continues to work remotely over cellular, so there are no longer any automatic port mappings.
  • I checked the Online User page on every camera and only my own admin session is present.
  • The NVR had one unexpected admin account, but it was removable. The camera accounts are different—they're marked as "Reserved" and cannot be modified or deleted.
  • Interestingly, not all cameras are affected. I have cameras of the same model and firmware where one has only the expected accounts, while another has several random reserved admin accounts. The random usernames are also different on each affected camera.

Because of that, I'm not yet convinced this proves an active compromise, although I agree the accounts are unusual and deserve investigation.


Have you seen this specific pattern before on Dahua cameras, where different cameras each have different reserved administrator accounts marked "CISA"? If so, was it ultimately traced to malware, a firmware issue, or something else?
 
  • Wow
Reactions: Arjun
Thanks for the detailed reply. I appreciate it.


Since posting, I've done quite a bit more investigation and wanted to add some information.


  • All of my cameras are Dahua and were purchased new from EmpireTech (Andy) over several years. DO you know how I can connect to Andy?
  • None of the cameras are connected directly to the router. They are all connected to three PoE switches, which connect to a Dahua NVR5232-4KS2. DMSS is configured to connect only to the NVR, not to the individual cameras.
  • I've now disabled UPnP on my Verizon router, and DMSS continues to work remotely over cellular, so there are no longer any automatic port mappings.
  • I checked the Online User page on every camera and only my own admin session is present.
  • The NVR had one unexpected admin account, but it was removable. The camera accounts are different—they're marked as "Reserved" and cannot be modified or deleted.
  • Interestingly, not all cameras are affected. I have cameras of the same model and firmware where one has only the expected accounts, while another has several random reserved admin accounts. The random usernames are also different on each affected camera.

Because of that, I'm not yet convinced this proves an active compromise, although I agree the accounts are unusual and deserve investigation.


Have you seen this specific pattern before on Dahua cameras, where different cameras each have different reserved administrator accounts marked "CISA"? If so, was it ultimately traced to malware, a firmware issue, or something else?

You were hacked bigly.
First suspect would be UPnP
 
  • Haha
Reactions: Arjun
Looks like Andy is learning to be American with his customer's cameras :rofl:
I had one of my neighbors go through the same experience. He couldn't believe it. I'm in the process of trying to convince him to switchover from his ISP devices to Ubiquiti followed by a VPN configuration.
 
CISA is a legit agency (Cybersecurity and Infrastructure Security Agency) - Now it boils down to whether or not these are legit folks from the CISA, or a group / entity that is pretending to represent CISA :lmao:
 
Thanks for the detailed reply. I appreciate it.


Since posting, I've done quite a bit more investigation and wanted to add some information.


  • All of my cameras are Dahua and were purchased new from EmpireTech (Andy) over several years. DO you know how I can connect to Andy?
  • None of the cameras are connected directly to the router. They are all connected to three PoE switches, which connect to a Dahua NVR5232-4KS2. DMSS is configured to connect only to the NVR, not to the individual cameras.
  • I've now disabled UPnP on my Verizon router, and DMSS continues to work remotely over cellular, so there are no longer any automatic port mappings.
  • I checked the Online User page on every camera and only my own admin session is present.
  • The NVR had one unexpected admin account, but it was removable. The camera accounts are different—they're marked as "Reserved" and cannot be modified or deleted.
  • Interestingly, not all cameras are affected. I have cameras of the same model and firmware where one has only the expected accounts, while another has several random reserved admin accounts. The random usernames are also different on each affected camera.

Because of that, I'm not yet convinced this proves an active compromise, although I agree the accounts are unusual and deserve investigation.


Have you seen this specific pattern before on Dahua cameras, where different cameras each have different reserved administrator accounts marked "CISA"? If so, was it ultimately traced to malware, a firmware issue, or something else?
I have a strong suspicion that DMSS is to blame, its an app that is intentionally compromised and botched. Why would anyone use DMSS is beyond me.
 
Hi everyone and thank you for all of your comments.
I just wanted to follow up in case other members run into the same issue.

I recently went through all of my older Dahua IP cameras and found several unexpected administrator accounts that I hadn't created. Rather than trying to delete them individually, I performed a factory reset on each camera through its web interface. After the reset, I initialized each camera with a new admin account and a strong password, reassigned its original static IP address, and then re-added it to my Dahua NVR.

After the reset, only the administrator account I created was present, and the camera's web interface was back to normal.

I also disabled P2P, DDNS, and other services I don't use, verified the time and NTP settings, and exported configuration backups.
It took some time to work through all of the cameras, but it gave me confidence that each one now has a clean, known-good configuration.

Thanks again to everyone who offered advice and suggestions—they were greatly appreciated.
 
  • Like
Reactions: Arjun
Hi everyone and thank you for all of your comments.
I just wanted to follow up in case other members run into the same issue.

I recently went through all of my older Dahua IP cameras and found several unexpected administrator accounts that I hadn't created. Rather than trying to delete them individually, I performed a factory reset on each camera through its web interface. After the reset, I initialized each camera with a new admin account and a strong password, reassigned its original static IP address, and then re-added it to my Dahua NVR.

After the reset, only the administrator account I created was present, and the camera's web interface was back to normal.

I also disabled P2P, DDNS, and other services I don't use, verified the time and NTP settings, and exported configuration backups.
It took some time to work through all of the cameras, but it gave me confidence that each one now has a clean, known-good configuration.

Thanks again to everyone who offered advice and suggestions—they were greatly appreciated.
If your firmware is older than 2021, I suggest you also update the NVR firmware and each camera's firmware to the latest version (you can find the latest firmware either or Andy's website or Dahua's Repository)

Here Index of /Firmware/Rejestratory
or
Here

and far as PC and Mobile software goes -
Download Softwares
or
 
And you have UPnP turned off on the NVR, cameras, and your router right?

And you’re not port forwarding right?

And your NVR FW is later than July 2024 right?

And you use SmartPSS Lite not the older SmartPSS right?

And you’ve checked other devices (computers) on that same network right?
 
  • Exclamation
Reactions: Arjun
If your firmware is older than 2021, I suggest you also update each camera's firmware to the latest version (you can find the latest firmware either or Andy's website or Dahua's Repository)
Arjun would you by any chance have any links to Andy or the repository?
 
  • Like
Reactions: Arjun
Arjun would you by any chance have any links to Andy or the repository?
I updated my post #11 as you posted :)

Here Index of /Firmware/Rejestratory
or
Here

and far as PC and Mobile software goes -
Download Softwares
or
 
  • Like
Reactions: drewgost
And you have UPnP turned off on the NVR, cameras, and your router right?

And you’re not port forwarding right?

And your NVR FW is later than July 2024 right?

And you use SmartPSS Lite not the older SmartPSS right?

And you’ve checked other devices (computers) on that same network right?
Yes.
  • UPnP: Disabled on the NVR and cameras. My router also has UPnP disabled.
  • Port forwarding: None. I don't have any camera or NVR ports forwarded to the Internet.
  • NVR firmware: My NVR is running the latest firmware available for my model, which I updated during this process.
  • SmartPSS: I don't use SmartPSS. I use DMSS for remote viewing and connect via IP/Domain on my local network (with Tailscale available if I ever need secure remote access).
  • Other devices: Yes. I checked the other computers and devices on my network, and I didn't find anything suspicious.

After resetting each camera, creating new administrator credentials, and disabling services I don't need (P2P, DDNS, and UPnP), everything has been operating normally.
 
Arjun would you by any chance have any links to Andy or the repository?
Make sure you update to the latest firmware; I updated one of my neighbor's NVR last week and they had an NVR with firmware build from 2017 which explained multiple accounts on their NVR; fortunately, their cameras only had one admin account, but having access to the NVR is plentiful as that essentially enables access to all connected cameras to China and beyond. I updated their NVR first to a firmware built in 2021, then performed a second update and updated the firmware the latest 2024 build. No further firmware updates for that specific NVR after 2024. After several days, I checked for any potential malicious activity on their NVR and was pleased not to see any nefarious accounts.

I suggest you update to the latest firmware step-wise if you have a much older firmware on your NVR - start with the one released in 2021, then update again to 2024 - probably best to reset everything to factory defaults and reconfigure from there for stability reasons.
 
I have a strong suspicion that DMSS is to blame, its an app that is intentionally compromised and botched. Why would anyone use DMSS is beyond me.

Pre July 2024 and in tandem with the NVR with pre July 2024 FW

Current SmarSS Lite with current NVR FW is just as secure as other P2P apps people here use and recommend,

Most have no clue how P2P works

Tail scale and DMSS both effectively use P2P as do a myriad of other apps

The problem with the old pre 2024 stuff was Dahuas implementation at the relay servers, it exposed plain text
 
  • Like
Reactions: Arjun
That's good to know, isn't the latest DMSS app (for mobile platforms like iOS and Android) built by a third-party, and not Dahua?
Pre July 2024 and in tandem with the NVR with pre July 2024 FW

Current SmarSS Lite with current NVR FW is just as secure as other P2P apps people here use and recommend,

Most have no clue how P2P works

Tail scale and DMSS both effectively use P2P as do a myriad of other apps
 
I have an IPC-HDW5231R-ZE currently running V2.800.0000016.0.R (Build 2020-06-05).

I downloaded General_IPC-HX5X3X-Rhea_MultiLang_NP_Stream3_V2.800.0000032.0.R.250224.bin from the firmware page for this model.

The camera accepted the file, rebooted successfully, and continues to function normally, but the Version page still reports V2.800.0000016.0.R (Build 2020-06-05). No error was displayed during the upgrade.

Is there a different firmware branch for early revisions of the IPC-HDW5231R-ZE, or is there another firmware package I should be using?
 
It probably didn’t take it

Are you using an NVR? A d are your cameras using the NVR PoE or on a switch on your LAN?