WildfireTech
Apr 29, 2018 Guide
READYCLOUD Appears to have been hacked
I got my weekly security bulletin from my NetGear R6400 this morning and it is full of pages and pages of entries like this:
[LAN access from remote] from XXX.XXX.XXX.XXX:YYYYY to XXX.XXX.XXX.X...
- Apr 29, 2018
Hi WildfireTech
Can you please send in the logs and report from your router? Also, if you have screenshots, that would also be helpful. Sending logs
Regards
schumaku
Apr 29, 2018 Guru - Experienced User
Completely unrelated to ReadyCloud.
Your NAS port 80 is exposed to the wild Internet, being by UPnP PMP or manual port forwarding. Every attempted access to the ReadyNAS Web interface is allowed, and forwarded by your router. Whatever traffic is there - being attempted username/password dictionary access tries, or evaluating for potential security issues.
Editing potentially attacker IPs is fine, changing your most likely RFC 1918 private IP addresses used on the LAN is not required.
WildfireTech
Apr 29, 2018 Guide
I have no port forwarding or port triggering configured. UPnP is disabled on my router and the NAS (no idea how to manage my ISP's Cable Modem).
Thanks
- StephenB Apr 30, 2018 Guru - Experienced User
WildfireTech wrote:
I have no port forwarding or port triggering configured. UPnP is disabled on my router and the NAS (no idea how to manage my ISP's Cable Modem).
Port 80 is normal HTTP - it isn't the port that ReadyCloud or ReadyRemote use.
Is the second IP address that you redacted the IP address of the router? Or is it the IP address of the ReadyNAS?
Note that private IP addresses aren't routable, so it is safe to post addresses in the ranges 192.168.0.0-192.168.255.255, 10.0.0.0-10.255.255.255 and 172.16.0.0 – 172.31.255.255 ( https://en.wikipedia.org/wiki/Private_network ).
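The redaction advice and the port question from the replies above, as an added example that is not part of the original thread: it redacts only the public addresses in "LAN access from remote" entries and counts which LAN host and port the router forwarded traffic to. The entry layout after the source address, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed entry layout: "[LAN access from remote] from IP:port to IP:port, <timestamp>".
ENTRY = re.compile(r"\[LAN access from remote\] from ([\d.]+):(\d+) to ([\d.]+):(\d+)")

# Explicit RFC 1918 list; ipaddress's is_private also covers other reserved ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in RFC1918)

def redact(addr):
    return addr if is_rfc1918(addr) else "x.x.x.x"

def triage(lines):
    """Return (entries safe to post, Counter of (LAN host, port) that received traffic)."""
    shareable, exposed = [], Counter()
    for line in lines:
        m = ENTRY.search(line)
        if not m:
            continue  # other log types are left out rather than guessed at
        src, sport, dst, dport = m.groups()
        try:
            entry = f"[LAN access from remote] from {redact(src)}:{sport} to {redact(dst)}:{dport}"
            if is_rfc1918(dst):
                exposed[(dst, int(dport))] += 1
        except ValueError:
            continue  # malformed address: do not post it
        shareable.append(line[:m.start()] + entry + line[m.end():])
    return shareable, exposed

# Constructed sample log (documentation-range source addresses, hypothetical LAN host).
SAMPLE_LOG = [
    "[LAN access from remote] from 203.0.113.7:51234 to 192.168.1.20:80, Sunday, Apr 29,2018 06:12:01",
    "[LAN access from remote] from 198.51.100.23:40022 to 192.168.1.20:80, Sunday, Apr 29,2018 06:12:09",
    "[LAN access from remote] from 203.0.113.7:51300 to 192.168.1.20:443, Sunday, Apr 29,2018 06:13:40",
    "[Some other event] unrelated entry, Sunday, Apr 29,2018 06:15:00",
]

if __name__ == "__main__":
    shareable, exposed = triage(SAMPLE_LOG)
    print("\n".join(shareable))
    for (host, port), hits in exposed.most_common():
        print(f"{hits} remote connection(s) forwarded to {host}:{port}")
```

The per-host, per-port counts show which LAN device and service the router is passing Internet traffic to, which is the detail the replies ask for.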
- WildfireTech Apr 30, 2018 Guide
The reason I believe that this has to do with ReadyCloud is that I:
1) Do not have Port Forwarding or Port Triggering of any form configured
2) Have UPnP configured on my router or the NAS
3) Have no DDNS entities set up that would direct users to my ISP address looking for anything
Therefore, the only reason I can come up with as to WHY anyone would know anything about "me" on the internet is that they got into ReadyCloud which had the destination of the NAS.
I have de-coupled the NAS from ReadyCloud and changed the IP address on my private network.
- schumaku Apr 30, 2018 Guru - Experienced User
That's unrelated to you. ReadyCloud does unlikely communicate by whatever protocol by establishing (TCP is a guess only, these routers s**k) session on port 80 from the Internet to the NAS.
The ReadyCloud network connection is established also kind of a specialised VPN from the ReadyNAS to the ReadyCloud cloud infrastructure. In this VPN network (still using an otherwise assigned IPv4 address space) does the ReadyCloud communication take place.
The question is how it was possible to establish such a communication - all one does need is an IP address (whatever DDNS or DNS entries are not relevant, communication happens always on numeric IP addresses) - from the wild Internet to your NAS on the LAN. That's why I've raised the flag claiming it's unlikely ReadyCloud.