IP2M-841B backdoor admin88

subz
Posts: 4
Joined: Tue Jun 27, 2023 11:22 pm

IP2M-841B backdoor admin88

Post by subz »

Hi there,

I have multiple IP2M-841B cameras running with the latest firmware. I observe that the user "admin88" was created automatically without my consent despite the following:

- I have tried to delete this "admin88" user multiple times, but it automatically comes back.
- I have changed to a very strong and complex master password to make sure that no one can create an additional "admin88" user.
- I have manually done a soft reset/hard reset of the camera many times and verified that "admin88" is automatically added afterward.
- I have downloaded and verified the latest firmware from the authentic Amcrest website.
- The log has shown that the "admin88" IP address is from a different country than my current location.
[attachments: 1.png, 2b.png, 3.png]
So Amcrest has to provide a solid explanation here as to why a user "admin88" with full admin privileges is installed without user consent.
Does anyone experience the same issue on this model? Is this a backdoor from Amcrest/Dahua?

I just want to make sure before I post all of these discoveries on different public security platforms.
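The original poster's evidence is a camera log in which the account-management event came from an address in another country. The script below is an added example (not from this thread, not Amcrest code) of the check a defender would run over an exported log: flag any add/delete/modify-user event whose source address is outside the operator's trusted networks. The log lines are constructed in a generic "date time user ip event" shape and are not Amcrest's real log format; the trusted ranges and the 203.0.113.0/24 documentation address are assumptions for the example.

```python
"""Flag account-management events that originate from untrusted source addresses.

Added example, not the forum's or Amcrest's code. SAMPLE_LOG is CONSTRUCTED
in a generic layout; adapt parse_line() to the real export you are reviewing.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample log (not a real camera export).
SAMPLE_LOG = [
    "2023-06-01 08:12:03 admin 192.168.1.20 Login",
    "2023-06-01 08:12:40 admin 192.168.1.20 Config Change",
    "2023-06-14 02:33:11 admin 203.0.113.45 Add User admin88",
    "2023-06-14 02:33:15 admin88 203.0.113.45 Login",
    "2023-06-20 19:01:07 admin 192.168.1.20 Delete User admin88",
    "garbage line that does not parse",
]

# Assumed: the operator's LAN; anything outside it should not manage accounts.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Event prefixes that change the user table.
ACCOUNT_EVENTS = ("Add User", "Delete User", "Modify User")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split 'date time user ip event...' into fields; return None if malformed."""
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    date, time, user, ip, event = parts
    try:
        ipaddress.ip_address(ip)  # reject lines whose 4th field is not an address
    except ValueError:
        return None
    return {"when": f"{date} {time}", "user": user, "ip": ip, "event": event}


def is_trusted(ip: str, nets=TRUSTED_NETS) -> bool:
    """True when the address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def suspicious_events(lines: List[str], nets=TRUSTED_NETS) -> List[Dict[str, str]]:
    """Return account-management events whose source address is not trusted.

    Logins from outside the LAN are noisy on a P2P-enabled camera, so only
    events that alter the user table are reported here.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"].startswith(ACCOUNT_EVENTS) and not is_trusted(rec["ip"], nets):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in suspicious_events(SAMPLE_LOG):
        print(f'{rec["when"]}  {rec["user"]}@{rec["ip"]}  {rec["event"]}')
```

On the constructed sample the only hit is the "Add User admin88" event from 203.0.113.45; the later deletion from the LAN is not reported because it came from a trusted address.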
longedge
Site Admin
Posts: 584
Joined: Fri Mar 31, 2017 9:34 am

Re: IP2M-841B backdoor admin88

Post by longedge »

I've never heard of anything like this before; it sounds very suspicious, so I just downloaded a fresh copy of that firmware and installed it in my own camera.
[attachment: version.jpg]
I added a new user.
[attachment: newuser.jpg]
What I am seeing is entirely normal.

Where was the camera purchased, is it second hand?
My AMCREST Cameras:-
2 x IP3M-941B firmware V2.620.00AC00.3.R, Build Date: 2019-12-18
1 x IP2M-841B firmware V2.420.AC00.18.R, Build Date: 2019-08-03
subz
Posts: 4
Joined: Tue Jun 27, 2023 11:22 pm

Re: IP2M-841B backdoor admin88

Post by subz »

As I mentioned, I even tried soft/hard resetting the cameras, but the user "admin88" will be automatically added after a while.
I then try to log in and manually delete that "admin88" user, but again, it will be added back within a month or so, as seen in the log.

No, all of these cameras were purchased brand new from Amazon.
longedge
Site Admin
Posts: 584
Joined: Fri Mar 31, 2017 9:34 am

Re: IP2M-841B backdoor admin88

Post by longedge »

My own camera was also purchased from Amazon here in the UK. I downloaded the firmware just now from Amcrest website. I installed the firmware and did a factory reset.

I have my own thoughts on this matter but I shall pass it up to Amcrest. I think that it's very significant when you say the new user is added "after a while".

I should add that apart from being a customer, I have no connection at all with Amcrest.
My AMCREST Cameras:-
2 x IP3M-941B firmware V2.620.00AC00.3.R, Build Date: 2019-12-18
1 x IP2M-841B firmware V2.420.AC00.18.R, Build Date: 2019-08-03
subz
Posts: 4
Joined: Tue Jun 27, 2023 11:22 pm

Re: IP2M-841B backdoor admin88

Post by subz »

I think you should monitor your camera for a month or two and check to see if an "additional user" such as "admin88" is created.
It doesn't appear right away after a clean reset/delete, but in my case it would come back within a month.
Revo2Maxx
Site Admin
Posts: 5998
Joined: Sat Jun 15, 2019 3:05 pm

Re: IP2M-841B backdoor admin88

Post by Revo2Maxx »

I don't know; I have had one of my 841s online for over a year and I have no such admin88 added. I have no new user added, and from the look of the log, either that is your IP address or your camera is connected to the Internet and someone has access to your main password. Them making the new account admin88 is the only thing that would make sense of what could be going on. My camera is connected to my network and only has access to the Internet with P2P access, as there is no one that could access my cameras from the Internet because I have it closed. P2P can get through, and sure, if someone has my password they could use ASP to gain access to my camera and make an account; however, they would need to know the password and the serial number to start out with.

There is an IP address of the person that made a connection to the camera, off PSiNet from Washington DC. Either that is your local static IP or one of the users that made the connection.

I would downgrade to the 2019 FW; after it is done installing the FW, do a factory reset on the camera, then make sure you use a different password and check to see if you have the same issue with admin88!
Be Safe.
subz
Posts: 4
Joined: Tue Jun 27, 2023 11:22 pm

Re: IP2M-841B backdoor admin88

Post by subz »

Thank you for your response.

These happened on different installation sites with the same camera model and firmware.
As I mentioned, the master password has been changed, and they are different per site. The same username "admin88" appears on different sites? I don't think it's a coincidence. There must be something that triggered the hardcoded part inside the firmware.

That Washington IP is different from my current location, and no, I will not downgrade the firmware due to the previous one having the CVE audio vulnerability which Amcrest publicly admitted and patched.

Now, I have monitored this incident for a while. What I observe is that for 2 out of 3 sites which have the "admin88" user added, what they have in common is that P2P and DDNS with Amcrest are ON. The other site, which is not affected, is using DNS forwarding with P2P off.

The other commonality is that it seems the "admin88" user is added after some electricity loss or a camera freeze/crash and restart, but this is my suspicion; I'm not 100% sure.

It really feels that there must be something hard-written in the code.
Revo2Maxx
Site Admin
Posts: 5998
Joined: Sat Jun 15, 2019 3:05 pm

Re: IP2M-841B backdoor admin88

Post by Revo2Maxx »

Sorry, but you might want to look at the CVE. The one they are referring to is the older 2017 FW for the camera. The 2019 FW is new and different and is now a 2.420, where the old one was a 2.520 FW. So the one that I said you should go to isn't the one in the CVE. They wouldn't leave a FW posted on the web that has known issues...
Be Safe.
Revo2Maxx
Site Admin
Posts: 5998
Joined: Sat Jun 15, 2019 3:05 pm

Re: IP2M-841B backdoor admin88

Post by Revo2Maxx »

So I installed the FW again that I just DL'd from the website. I thought maybe there was something added to a different upload of the FW. So, seeing as my guess is that the one that was there now is the one you are using (not saying there was ever more than 1, just in case there happened to have been), I DL'd it again, installed it again, and I will see if there is something special about it over what I was running...

Also, while I don't have an admin88, if you do have one showing on your user list then it would show up in this CGI. However, after you remove it and reboot the camera, run this command and see if there is anything listed as admin88 in the file this kicks out.

http://10.0.0.29/cgi-bin/magicBox.cgi?a ... SystemInfo

Just change the IP to your IP and it should make a text file; then do a search under Edit (aka Find), put in admin88, and I would love to see what is around it in the file, if it's there.
[attachments: Screenshot (4567).png, Screenshot (4566).png]
Be Safe.
Revo2Maxx
Site Admin
Posts: 5998
Joined: Sat Jun 15, 2019 3:05 pm

Re: IP2M-841B backdoor admin88

Post by Revo2Maxx »

Oops, sorry, that is the wrong one.

http://10.0.0.29/cgi-bin/Config.backup?action=All

That CGI will make a text file; in mine there are admin and admin2, which is disabled.
Be Safe.
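The suggestion above is to pull the camera's configuration text file and search it by hand for admin88, and the original poster's observation earlier in the thread is that the affected sites had P2P and DDNS enabled. The script below is an added example (not from this thread, not Amcrest's code) that automates both checks over a saved dump: it lists every account not on an operator-maintained allowlist, disabled ones included, and reports whether the remote-access features are on. It assumes the dump is a flat list of `key=value` lines with `table.User[N].Field` entries; the sample text is constructed to look like that and is not a real export, so adjust the regular expressions to whatever the actual file contains.

```python
"""Audit a camera configuration dump for accounts that should not exist.

Added example, not the forum's or Amcrest's code. SAMPLE_DUMP is CONSTRUCTED:
the key names are an assumption about the Config.backup output, chosen only
so the example runs offline. Save the real file and pass it to audit_file().
"""
import re
from typing import Dict, List

# Constructed sample dump (not a real camera export).
SAMPLE_DUMP = """\
table.Network.DefaultInterface=eth0
table.User[0].Name=admin
table.User[0].Group=admin
table.User[0].Enable=true
table.User[1].Name=admin2
table.User[1].Group=admin
table.User[1].Enable=false
table.User[2].Name=admin88
table.User[2].Group=admin
table.User[2].Enable=true
table.P2P.Enable=true
table.DDNS[0].Enable=true
"""

USER_LINE = re.compile(r"^table\.User\[(\d+)\]\.(\w+)=(.*)$")
FEATURE_LINE = re.compile(r"^table\.(P2P|DDNS)(?:\[\d+\])?\.Enable=(true|false)$")


def parse_users(dump: str) -> Dict[int, Dict[str, str]]:
    """Group every table.User[N].Field=value line by the user index N."""
    users: Dict[int, Dict[str, str]] = {}
    for line in dump.splitlines():
        m = USER_LINE.match(line.strip())
        if m:
            idx, field, value = int(m.group(1)), m.group(2), m.group(3)
            users.setdefault(idx, {})[field] = value
    return users


def unexpected_accounts(dump: str, allowlist: List[str]) -> List[Dict[str, str]]:
    """Return every account whose Name is not in the allowlist.

    Disabled accounts are reported too: an unknown account that is merely
    disabled still means something wrote to the user table.
    """
    allowed = {name.lower() for name in allowlist}
    users = parse_users(dump)
    return [
        dict(users[idx], Index=str(idx))
        for idx in sorted(users)
        if users[idx].get("Name", "").lower() not in allowed
    ]


def remote_access_flags(dump: str) -> Dict[str, bool]:
    """Report whether P2P and DDNS are enabled; features absent from the dump are False."""
    flags = {"P2P": False, "DDNS": False}
    for line in dump.splitlines():
        m = FEATURE_LINE.match(line.strip())
        if m:
            flags[m.group(1)] = flags[m.group(1)] or m.group(2) == "true"
    return flags


def audit_file(path: str, allowlist: List[str]) -> Dict[str, object]:
    """Run both checks over a saved Config.backup text file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        dump = fh.read()
    return {"unexpected": unexpected_accounts(dump, allowlist),
            "remote_access": remote_access_flags(dump)}


if __name__ == "__main__":
    # Operator allowlist: the accounts you created yourself.
    for acct in unexpected_accounts(SAMPLE_DUMP, ["admin", "admin2"]):
        print(f'unexpected account: {acct["Name"]} (enabled={acct.get("Enable")})')
    print("remote access:", remote_access_flags(SAMPLE_DUMP))
```

Matching on the allowlist rather than on the literal string "admin88" is deliberate: the check then catches any account the operator did not create, whatever it is named, and a disabled-but-unknown account is still surfaced for investigation.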