Checking for signs of trouble in network equipment to determine if it's compromised or malfunctioning

Pages (2): Previous 1 2
Robang592
Senior Member
368
07-02-2023, 04:34 AM
#11
It can still be helpful since affecting the entire network suggests it might be broadcast traffic rather than a direct router hit. Best would be a managed switch reflecting NVR traffic to a PC for recording, or a PC equipped with two NICs handling the same path between NVR and switch.
KnightKing51
Member
170
07-04-2023, 03:39 AM
#12
I successfully resolved the issue and determined the NVR was acting maliciously. I obtained a switch capable of port mirroring and analyzed the traffic using Wireshark. The findings included DNS requests to unusual domains and repeated attempts to connect via TCP to an IP address from an obfuscation service. These domains were linked to a trojan/bot analysis. Since the NVR wasn't responding to queries and no TCP connections were established, it's likely the control server was blocked or taken down. I may need to scan the entire network for similar traffic if the trojan has spread. Thanks for your support, especially Alex. I hadn't realized affordable switches with port mirroring existed before you mentioned them.
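
The two indicators described in this post, DNS lookups for domains the device has no business resolving and repeated TCP connection attempts that never get a reply, are easy to pull out of a mirrored-port capture once it is exported one packet per line. The script below is an added example, not code from the thread or from any vendor; it works on a constructed capture excerpt in a tshark-like text form (timestamp, src -> dst, protocol, detail) with RFC 5737 placeholder addresses and `.example` placeholder domains, and the "expected" domain suffixes and the threshold of three unanswered SYNs are assumptions you would tune for your own network.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a mirrored-port capture (one packet per line, tshark-like).
# 192.168.1.50 plays the NVR; 203.0.113.77 and the .example domains are placeholders,
# not observations from the thread.
SAMPLE_CAPTURE = """\
1688432340.101 192.168.1.50 -> 192.168.1.1 DNS query A firmware.vendor-updates.example
1688432340.115 192.168.1.1 -> 192.168.1.50 DNS response A firmware.vendor-updates.example 198.51.100.20
1688432341.002 192.168.1.50 -> 192.168.1.1 DNS query A qx7hd2.obscure-relay.example
1688432341.010 192.168.1.1 -> 192.168.1.50 DNS response NXDOMAIN qx7hd2.obscure-relay.example
1688432342.300 192.168.1.50 -> 203.0.113.77 TCP SYN 443
1688432345.301 192.168.1.50 -> 203.0.113.77 TCP SYN 443
1688432348.303 192.168.1.50 -> 203.0.113.77 TCP SYN 443
1688432351.299 192.168.1.50 -> 203.0.113.77 TCP SYN 443
1688432352.000 192.168.1.50 -> 198.51.100.20 TCP SYN 443
1688432352.020 198.51.100.20 -> 192.168.1.50 TCP SYN-ACK 443
1688432360.500 192.168.1.77 -> 192.168.1.1 DNS query A time.vendor-updates.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+"
    r"(?P<proto>DNS|TCP)\s+(?P<detail>.+)$"
)


def parse_capture(text):
    """Turn the one-packet-per-line text into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            records.append(rec)
    return records


def unexpected_dns_lookups(records, expected_suffixes):
    """Map each internal host to the domains it queried that match none of the expected suffixes."""
    findings = defaultdict(set)
    for r in records:
        if r["proto"] != "DNS" or not r["detail"].startswith("query "):
            continue
        domain = r["detail"].split()[-1]
        if not any(domain == s or domain.endswith("." + s) for s in expected_suffixes):
            findings[r["src"]].add(domain)
    return dict(findings)


def unanswered_syns(records, min_attempts=3):
    """Count SYNs per (src, dst, port) that never saw a SYN-ACK; keep those at or above the threshold."""
    syns = Counter()
    answered = set()
    for r in records:
        if r["proto"] != "TCP":
            continue
        flag, port = r["detail"].split()
        key = (r["src"], r["dst"], port)
        if flag == "SYN":
            syns[key] += 1
        elif flag == "SYN-ACK":
            # The reply flows the other way, so record it keyed on the original direction.
            answered.add((r["dst"], r["src"], port))
    return {k: n for k, n in syns.items() if k not in answered and n >= min_attempts}


def beacon_interval(records, src, dst, port):
    """Mean gap in seconds between repeated SYNs to one destination; evenly spaced gaps point to a scheduled retry loop."""
    times = [r["ts"] for r in records
             if r["proto"] == "TCP" and r["src"] == src and r["dst"] == dst
             and r["detail"] == f"SYN {port}"]
    if len(times) < 2:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    return sum(gaps) / len(gaps)


def triage(text, expected_suffixes):
    """Run both checks over a capture excerpt and return the findings."""
    records = parse_capture(text)
    return {
        "dns": unexpected_dns_lookups(records, expected_suffixes),
        "syn": unanswered_syns(records),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CAPTURE, ["vendor-updates.example"])
    for host, domains in result["dns"].items():
        print(f"{host}: unexpected DNS lookups {sorted(domains)}")
    for (src, dst, port), n in result["syn"].items():
        print(f"{src} -> {dst}:{port}: {n} SYNs with no SYN-ACK")
```

On the sample, the NVR is the only host resolving a domain outside the expected suffix, and its four SYNs to 203.0.113.77:443 spaced about three seconds apart with no SYN-ACK are the retry loop the post describes; the SYN to 198.51.100.20 is answered and therefore not reported. Running the same checks across every internal host in the capture, rather than only the device under suspicion, is the quick way to answer the "has it spread" question raised above.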
InoueAlice
Senior Member
677
07-04-2023, 04:48 AM
#13
The DVR is a specific brand and model, but I don't have its exact details. If you need more information, you might want to check the product documentation or contact the manufacturer.
Tautle
Member
87
07-05-2023, 05:32 PM
#14
It's a Linux-based system with an x86 processor. The setup was poorly secured—exposed HTTP port and default credentials—which explains the incident. Clearly, many mistakes were made during configuration. This device isn't entirely trustworthy, even though it seems suspicious on its own. It's a DIGIEVER DS-4205 Pro.