WildfireTech
Apr 29, 2018
Solved

READYCLOUD Appears to have been hacked

I got my weekly security bulletin from my NetGear R6400 this morning and it is full of pages and pages of entries like this:

 

[LAN access from remote] from XXX.XXX.XXX.XXX:YYYYY to XXX.XXX.XXX.XXX:80, <DATE TIMESTAMP>

 

(IP Addresses and Dates / Times redacted).  In reading in the forums this means that there is an actual external accessor on my network and the target for EVERY ATTEMPT was the ReadyNAS.  The only reason I can think of that I would start getting NAS remote access successes from Japan, Germany, Brazil, and Russia is that someone hacked into ReadyCloud and compromised my data.

 

Since there is no direct support for issues like this, I'm posting this to the forum.

 

Do any of y'all have recommendations for me other than "terminate ReadyCloud use and go get another product"?

9 Replies

  • Marc_V
    NETGEAR Employee Retired

    Hi WildfireTech

     

    Can you please send in the logs and report from your router? Also, if you have screenshots, that would be helpful too. Sending logs

     

    Regards

     

     

    •  Marc_V, Logs sent per directions as linked.  Please let me know if you find anything.

  • schumaku
    Guru - Experienced User

    Completely unrelated to ReadyCloud.

     

    Your NAS port 80 is exposed to the wild Internet, being by UPnP PMP or manual port forwarding. Every attempted access to the ReadyNAS Web interface is allowed, and forwarded by your router. Whatever traffic is there - being attempted username/password dictionary access tries, or evaluating for potential security issues.

     

    Editing potentially attacker IPs is fine, changing your most likely RFC 1918 private IP addresses used on the LAN is not required.

    • WildfireTech
      Guide

      I have no port forwarding or port triggering configured.  UPnP is disabled on my router and the NAS (no idea how to manage my ISP's Cable Modem).

       

      Thanks

      • StephenB
        Guru - Experienced User

        WildfireTech wrote:

        I have no port forwarding or port triggering configured.  UPnP is disabled on my router and the NAS (no idea how to manage my ISP's Cable Modem).

         


        Port 80 is normal HTTP - it isn't the port that ReadyCloud or ReadyRemote use.

         

        Is the second IP address that you redacted the IP address of the router?  Or is it the IP address of the ReadyNAS?

         

        Note that private IP addresses aren't routable, so it is safe to post addresses in the ranges 192.168.0.0-192.168.255.255, 10.0.0.0-10.255.255.255 and 172.16.0.0 – 172.31.255.255 ( https://en.wikipedia.org/wiki/Private_network ).
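
Added example, not part of any post in this thread: a short Python script that parses router log entries in the `[LAN access from remote]` format quoted in the first post, groups them by the internal address and port they were forwarded to, and reports whether that address falls in one of the RFC 1918 ranges listed above. The sample log lines, addresses and timestamp layout are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# The three RFC 1918 private ranges listed in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Entry layout as quoted in the first post; the timestamp is kept as free text.
LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+),\s*(?P<when>.*)"
)

# Constructed sample log (documentation-range sources, made-up timestamps).
SAMPLE = """\
[LAN access from remote] from 203.0.113.7:51514 to 192.168.1.20:80, Sunday, Apr 29,2018 06:01:12
[LAN access from remote] from 203.0.113.7:51520 to 192.168.1.20:80, Sunday, Apr 29,2018 06:01:13
[LAN access from remote] from 198.51.100.44:40022 to 192.168.1.20:80, Sunday, Apr 29,2018 06:03:40
[admin login] from source 192.168.1.5, Sunday, Apr 29,2018 06:10:00
"""

def is_rfc1918(addr):
    """True if addr is inside one of the three RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def summarize(log_text):
    """Group remote-access entries by the internal (address, port) they reached."""
    targets = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # some other log entry type
        try:
            ipaddress.ip_address(m["src"])
            ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed or redacted address
        targets[(m["dst"], int(m["dport"]))][m["src"]] += 1
    return [
        {"target": dst, "port": port, "lan_host": is_rfc1918(dst),
         "hits": sum(srcs.values()), "distinct_sources": len(srcs)}
        for (dst, port), srcs in sorted(targets.items())
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

A row with `lan_host` set to true and port 80 means the router passed inbound connections through to a device on the LAN, and the `target` value shows which device to check.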
