TL;DR

If you have Dahua or IMOU IP cameras manufactured roughly between 2015 and 2023, there is a significant probability they are already compromised. Attackers exploit the well-known CVE-2021-33044 vulnerability and the P2P cloud service (Easy4ip) to remotely create hidden administrator accounts on your cameras.

In this article we'll break down how to detect compromise, what specific markers attackers leave behind, and what to do if your cameras are already hijacked.


Symptoms of compromise: what to look for

If you're a sysadmin maintaining a CCTV system, or a business owner with Dahua/IMOU cameras installed, or simply a user of surveillance cameras — make sure to check for these indicators:

1. Unknown users in the account list

Log into the camera or recorder's web interface: Setup → System → Users.

If you see a user with a random-looking name (e.g. ajmnocf, default, goguberlin, fcam, hackedby, AlexGogu) with administrator privileges and a "comment" like CISA — this is a direct indicator of compromise. It's not a regular account; it's a botnet marker tagging the camera as "captured territory".

2. Suspicious links in configuration fields

In channel names, descriptions, comments, or other text fields, you may find a Discord server invite link (e.g. FCAM - discord.gg/DpSH***). This is a coordination channel for a community trading access to compromised cameras and sharing video streams.

Do not visit this link under any circumstances — it's an active threat actor resource, and even browsing it may put your security at risk.

3. Anomalous network traffic

Compromised cameras continuously attempt outbound connections to external servers:

  • 165.154.0.0/16 — Dahua P2P infrastructure

  • 47.254.0.0/16, 47.91.0.0/16, 47.245.0.0/16 — Dahua cloud on Alibaba Cloud (Hong Kong/Singapore)

  • Ports 8800, 15301, 12367 UDP/TCP

This is the botnet's command channel routed through legitimate Dahua cloud infrastructure.

4. A deleted user reappears

A classic sign — you delete the suspicious account, and 30-60 minutes later it's back. The botnet "re-installs" it through the P2P channel from a command server.

5. Settings change "by themselves"

After Factory Default and reconfiguration, certain parameters (P2P state, ONVIF users, network configuration) revert to the previous compromised state.
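The five indicators above can be checked mechanically once you have exported the camera's user list, its text fields and the firewall's flow log. The script below is an added example written for this article, not code from the original post or from Dahua; the input formats (user export as a list of dicts, flow log as key=value lines, user lists as sets of names) and all sample data are constructed assumptions, while the account names, the comment marker, the invite pattern, the address ranges and the ports are the ones named above.

```python
"""Triage helpers for the five indicators above (added example, not from
the original article).  Input formats and sample data are constructed
assumptions; the markers, address ranges and ports come from the article."""
import ipaddress
import re

# Accounts that are supposed to exist on the camera (assumption: your own inventory).
KNOWN_USERS = {"admin", "nvr-pull"}

# Markers named in the article.
MARKER_COMMENTS = {"cisa"}
INVITE_RE = re.compile(r"discord\.gg/[A-Za-z0-9]+", re.IGNORECASE)

# Dahua cloud / P2P destinations named in the article.
CLOUD_NETS = [ipaddress.ip_network(n) for n in (
    "165.154.0.0/16", "47.254.0.0/16", "47.91.0.0/16", "47.245.0.0/16")]
CLOUD_PORTS = {8800, 15301, 12367}

# Constructed firewall-log format: key=value pairs, one flow per line.
FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")


def audit_users(users, known=KNOWN_USERS):
    """Indicator 1: users is a list of {name, group, comment} dicts exported
    from the camera.  Returns (name, [reasons]) for each suspicious entry."""
    findings = []
    for u in users:
        reasons = []
        if u["name"] not in known:
            reasons.append("not in inventory")
            if u.get("group", "").lower() == "admin":
                reasons.append("administrator privileges")
        if u.get("comment", "").strip().lower() in MARKER_COMMENTS:
            reasons.append("botnet marker comment")
        if reasons:
            findings.append((u["name"], reasons))
    return findings


def find_invites(text_fields):
    """Indicator 2: text_fields maps field name -> value (channel names,
    descriptions, comments).  Returns (field, invite) pairs."""
    hits = []
    for field, value in text_fields.items():
        m = INVITE_RE.search(value or "")
        if m:
            hits.append((field, m.group(0)))
    return hits


def cloud_flows(log_lines, camera_net):
    """Indicator 3: flows from the camera subnet to the Dahua cloud ranges
    or ports listed above.  Unparseable lines are skipped."""
    camera_net = ipaddress.ip_network(camera_net)
    hits = []
    for line in log_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if src not in camera_net:
            continue
        if any(dst in net for net in CLOUD_NETS) or dport in CLOUD_PORTS:
            hits.append((str(src), str(dst), m["proto"], dport))
    return hits


def reappeared_users(snapshots):
    """Indicator 4: snapshots is a chronological list of username sets taken
    from the camera.  A name that was present, then removed, then present
    again was re-created behind the operator's back."""
    removed_earlier, reappeared, previous = set(), set(), set()
    for current in snapshots:
        removed_earlier |= previous - current   # names gone since last snapshot
        reappeared |= current & removed_earlier  # names back after removal
        previous = current
    return sorted(reappeared)


if __name__ == "__main__":
    # Constructed sample data for a dry run.
    users = [
        {"name": "admin", "group": "admin", "comment": "admin's account"},
        {"name": "ajmnocf", "group": "admin", "comment": "CISA"},
        {"name": "nvr-pull", "group": "user", "comment": ""},
    ]
    print(audit_users(users))
    print(find_invites({"channel1": "FCAM - discord.gg/EXAMPLE"}))  # placeholder invite
    log = [
        "src=192.168.50.11 dst=165.154.23.5 proto=udp dport=8800",
        "src=192.168.50.11 dst=192.168.50.2 proto=tcp dport=554",
        "src=192.168.50.12 dst=47.91.10.20 proto=tcp dport=443",
    ]
    print(cloud_flows(log, "192.168.50.0/24"))
    print(reappeared_users([{"admin", "ajmnocf"}, {"admin"}, {"admin", "ajmnocf"}]))
```

Run reappeared_users over user lists collected every few minutes by a cron job; a name that comes back after you deleted it is the "re-install" behaviour from indicator 4 and is worth more than a single hit on the other checks, because it shows the command channel is still open.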


How it works: technical breakdown

CVE-2021-33044: authentication bypass without a password

This is a critical vulnerability with a CVSS score of 9.8 (out of 10), which CISA officially added to the Known Exploited Vulnerabilities Catalog in August 2024. It has been actively exploited since 2021.

The vulnerability works as follows: during authentication, an attacker passes the parameter clientType: "NetKeyboard" in the login request (CVE-2021-33044) or specifies "loopback" as the connection source (CVE-2021-33045). On Dahua firmware released before mid-2021, either value makes the device skip password validation entirely and grant administrator access.

Technically:

  • Normal login: MD5("admin:realm:PASSWORD")

  • Exploit: MD5("admin:realm:") — empty password

Vulnerable firmware accepts the empty-password hash and returns a valid session token. No brute force, no default credentials — just authentication bypass.
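On the defensive side, both signatures are cheap to spot in logged login requests, for example from a reverse proxy or IDS in front of the camera VLAN. The checker below is an added example written for this article, not code from the original post or from Dahua; the log format (one JSON record per line with a "peer" address and the parsed request "body"), the field names other than clientType, and the sample lines are constructed assumptions. The values it matches are the two the article names: clientType "NetKeyboard" and a "loopback" source claimed by a client that is not actually on the loopback address.

```python
"""Detector for the two bypass signatures above (added example, not from
the original article).  Log format, field names other than clientType and
all sample records are constructed assumptions."""
import ipaddress
import json

BYPASS_CLIENT_TYPES = {"netkeyboard"}   # CVE-2021-33044 signature
LOOPBACK_MARKERS = {"loopback"}         # CVE-2021-33045 signature


def _walk(obj):
    """Yield (key, value) for every key anywhere in a nested JSON object,
    so the check does not depend on the exact nesting of the request."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield k, v
            yield from _walk(v)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk(item)


def classify_login(record):
    """record: {"peer": "<client ip>", "body": {...parsed login request...}}.
    Returns the reasons the request looks like a bypass attempt (empty list
    means nothing suspicious)."""
    reasons = []
    peer = ipaddress.ip_address(record["peer"])
    for key, value in _walk(record.get("body", {})):
        if not isinstance(value, str):
            continue
        v = value.strip().lower()
        if key.lower() == "clienttype" and v in BYPASS_CLIENT_TYPES:
            reasons.append(f"clientType={value!r} (CVE-2021-33044 signature)")
        # A request that claims to originate from loopback but arrives from
        # any other address is the CVE-2021-33045 pattern.
        if v in LOOPBACK_MARKERS and not peer.is_loopback:
            reasons.append(f"{key}={value!r} claimed by non-loopback peer {peer} "
                           "(CVE-2021-33045 signature)")
    return reasons


def scan_login_log(lines):
    """Parse one JSON record per line; return (peer, reasons) for each hit.
    Blank and unparseable lines are skipped."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = classify_login(record)
        if reasons:
            hits.append((record["peer"], reasons))
    return hits


if __name__ == "__main__":
    # Constructed sample log: one normal web login, two bypass-style requests.
    sample = [
        '{"peer": "192.168.50.2", "body": {"params": {"userName": "admin", "clientType": "Web3.0"}}}',
        '{"peer": "203.0.113.7", "body": {"params": {"userName": "admin", "clientType": "NetKeyboard"}}}',
        '{"peer": "203.0.113.9", "body": {"params": {"userName": "admin", "loginType": "loopback"}}}',
    ]
    for peer, reasons in scan_login_log(sample):
        print(peer, reasons)
```

Feed the alerts into the same place as the outbound-flow checks: a bypass-style login followed by a new administrator account or a new P2P session is the full chain described above and should trigger the isolation step immediately.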

The P2P attack vector

How does an attacker reach your camera inside your local network behind NAT?

A Dahua camera with P2P (Easy4ip) enabled automatically registers with Dahua's cloud infrastructure, receiving a unique UID. Anyone with this UID can connect to the camera through Dahua's relay servers, bypassing your NAT and firewall. This is by design — it's the feature that powers "remote viewing via the DMSS app without port forwarding".

Attackers:

  1. Scan Dahua's P2P infrastructure for accessible UIDs

  2. Connect to the camera through a P2P relay

  3. Apply CVE-2021-33044 to bypass authentication

  4. Create an admin user (ajmnocf and similar)

  5. Plant a Discord invite as a territorial marker

  6. Install a persistent daemon for re-entry


This isn't a local problem. It's a global campaign

So that this does not rest on bare claims, here are the public sources documenting this exact problem:

  • CISA (US) — added CVE-2021-33044 to the Known Exploited Vulnerabilities Catalog in August 2024

  • Bleeping Computer — estimated 1.2 million potentially vulnerable Dahua cameras exposed on the internet (per Shodan)

  • IPVM (the leading independent IP video surveillance publication) — multi-year coverage of Dahua compromises

  • Bitdefender — disclosed CVE-2025-31700/31701 in July 2025, enabling persistent daemons in camera firmware

  • Cyber Security Agency of Singapore — official advisory

  • ipcamtalk.com forum — active "Hacked DAHUA cam and added that names" thread

The username ajmnocf we encountered is not yet in public threat intel databases — it's a new variant of the same botnet just now emerging. If you find this user on your cameras, you're seeing the same active campaign.


What to do: action checklist

If you've found signs of compromise

Step 1. Isolate from the internet

First and most important — immediately cut cameras off from WAN. If you use MikroTik, add firewall rules. If you have a consumer router, disable port forwarding and UPnP. Without a connection to its command server, the botnet can't do anything.

Step 2. Preserve evidence

Before resetting, take screenshots of the compromised users, links, and settings — for incident reporting and future analysis.

Step 3. Factory Default + Initialize

Through Dahua's official Config Tool utility, perform Factory Default (full reset) on each camera — not "Default" (soft reset, which doesn't clear user accounts). Then go through the initialization procedure with a new strong password.

Step 4. Firmware update

Download the latest firmware from the official Dahua or IMOU site (never from third-party mirrors) and install it on every camera.

Step 5. Security configuration

On every camera, make sure to:

  • Disable P2P / Easy4ip (Setup → Network → P2P → Disable)

  • Disable UPnP, DDNS, Bonjour, Multicast, SNMP

  • Uncheck "Anonymous Login" in user settings

  • Disable Auto Register / Active Registration

  • Disable Cloud Upgrade

  • Set a strong unique password (16+ characters)

  • Check ONVIF users (a separate list!) — remove unauthorized ones

  • Change default HTTP/RTSP/SDK ports

  • Configure IP Filter (Whitelist) — only NVR and admin IPs

Step 6. Check the NVR

If your cameras are compromised, there's a high probability the recorder is too. Repeat the procedure for the NVR/DVR.

Step 7. Network audit

Check other devices on the local network — a compromised camera may have served as an entry point for attacks against servers, workstations, and other devices.

Preventive measures (for everyone)

Even if you haven't found signs of compromise, we recommend:

Network level:

  • Place cameras in a dedicated VLAN

  • Block camera outbound internet access at the firewall

  • Allow camera access only from NVR and admin workstation IPs

  • Run a local DNS resolver (e.g. on MikroTik) and resolve Dahua cloud domains to 127.0.0.1

  • Use VPN for remote access (WireGuard, OpenVPN), not P2P

Camera level:

  • Disable all cloud features (P2P, DDNS, Auto Register, Cloud Upgrade)

  • Strong unique passwords

  • Regular firmware updates

  • On-camera IP filtering

Architecture level:

  • For existing Dahua/Hikvision deployments — strictly isolate them from the internet

  • Document each site's configuration


What we do when we find a compromised system

In our client work we regularly encounter this problem. Our standard playbook:

  1. Audit — inventory of cameras, models, firmware versions, account status, and cloud feature configuration

  2. Evidence collection — preserve indicators of compromise (users, links, traffic anomalies) before any remediation

  3. Isolation — firewall configuration (typically MikroTik) to block external communication

  4. Cleanup — Factory Default + Initialize + firmware update + full reconfiguration per security checklist

  5. Network segmentation — moving cameras to a VLAN with restricted access

  6. VPN for remote access — replacing P2P with a secure channel

  7. Monitoring — logging configuration to detect further anomalies

  8. Documentation — client report with incident description and recommendations

If you'd like to have your system checked — we provide these services. Contact us.


Conclusion

The compromise of Dahua and IMOU IP cameras is not a theoretical threat or a local bug. It's a documented global campaign exploiting:

  1. The critical CVE-2021-33044/33045 vulnerability (authentication bypass without a password)

  2. Legitimate Dahua P2P infrastructure as a delivery channel for attacks

  3. Weak default settings on millions of devices worldwide

The good news: the problem is solvable. The right combination of network isolation, configuration cleanup, and disabling P2P completely blocks the attack. Cameras keep working, you don't lose access — only the remote access method changes (VPN instead of Dahua cloud).

The bad news: the problem won't go away on its own. Without intervention, cameras will remain part of the botnet, leaking video streams to unknown destinations and participating in attacks on other systems.

If your cameras still have P2P enabled and are exposed to the internet, the best time for an audit has already passed. The second-best time is now.


References


This material is educational and analytical. Sensitive details (full Discord invite link, exact threat actor artifacts) are deliberately omitted to prevent dissemination of active attack infrastructure.