READYCLOUD Appears to have been hacked

That's unrelated to you. ReadyCloud does unlikely communicate by whatever protocol by establishing (TCP is a guess only, these routers s**k) session on port 80 from the Internet to the NAS.

The ReadyCloud network connection is established also kind of a specialised VPN from the ReadyNAS to the ReadyCloud cloud infrastructure. In this VPN network (still using an otherwise assigned IPv4 address space) does the ReadyCloud communication take place.

The question is how it was possible to establish such a communication - all one does need is an IP address (whatever DDNS or DNS entries are not relevant, communication happens always on numeric IP addresses) - from the wild Internet to your NAS on the LAN. That's why I've raised the flag claiming it's unlikely ReadyCloud.

You should certainly change the admin password. Did you have a strong password on your NAS admin account before?  

 

Also look at the http configuration on the NAS (system->settings->services) and see if "http admin" is checked.

 

And check with your router manufacturer (or ISP if you have an ISP-supplied router) and make sure that if your router firmware is up to date.  Check your router to make sure that remote administration is disabled, and change the router admin password.  There's no need to change the wifi network name or passphrase, though it does no harm.

 

If your router gives you traffic reports of internet usage, keep an eye on those reports (looking for unusual amount of internet traffic). If you do see such traffic (or experience very slow internet access from another device), then disconnect the ReadyNAS ethernet cable, and see if the issues disappear.   Of course check the router logs too.

 

Netgear should be able to see traces in the logs (particularly packages installed on the NAS) if you were hacked.  

 

---

WildfireTech wrote:

 

2) Have UPnP configured on my router or the NAS

  

---

Do you mean "do not have"? 

 

---

WildfireTech wrote:

 

Therefore, the only reason I can come up ...

What I take from this is that you have no idea if there was a successful hack or what the attack vector actually was.  There is evidence of a successful connection via port 80, but no evidence either way that a hacker was able to log into the NAS web ui (or what mechanism caused port 80 traffic to be forwarded by your router to the NAS). 

 

You're just guessing/speculating that the attack vector was ReadyCloud.  I'm not suggesting that's impossible (though as I said, ReadyCloud doesn't use port 80).  The problem with locking on to an unconfirmed theory is that you stop looking for more possibilities (malware somehow getting on a PC, an attack through an app on a mobile device that is connected both to a cellular network and your network, your router being hacked instead of the NAS ...).  FWIW, I agree with schumaku that your theory isn't likely to be correct.

 

If the NAS has been seriously hacked, then changing its private IP address will make absolutely no difference.  There will be software on the NAS that connects outbound through your firewall, and that normally won't show up at all in your router logs.  Even if you are right about the attack vector being ReadyCloud, leaving ReadyCloud now isn't an effective response for the same reason.  Once the hacker is in, s/he will install tools that give them ongoing access.