Forum Discussion
SuperFlyBoy1 (Aspirant)
May 30, 2013
ReadyNAS Vault using rsync??
I was just checking one of the shares (our main one) on the NV+ we have in the office, and apparently there was an rsync enabled to 64.64.131.102, which I do not think was set by me (the only admin in the company).
The ReadyNAS is also secured with a password, and our network is protected by a SonicWall TZ 210 (which probably allows the rsync protocol to get through, outbound).
Could this be some sort of hack to have all our information backed up somewhere else where a competitor or any other individual/organization has access to our files?
No password was set either.
It was just detected as users were complaining about permissions on files and folders on the share, which caused me to go through all the settings. I was quite surprised to see rsync enabled, actually.
We just updated the firmware to the latest one, which gave us the ReadyNAS Vault option - was this part of the upgrade??
Thanks for any info...
15 Replies
- StephenB (Guru - Experienced User):
I'm not a vault user, but according to this link the data is in the Amazon S3 cloud: http://readynasvault.zendesk.com/entrie ... ly-stored- I suppose they could also use other storage suppliers.
64.64.131.102 is owned by IIC Internet (also known as onlinestoragesolution.com), which offers its own on-line storage solution. Does that ring a bell?

- SuperFlyBoy1 (Aspirant):
StephenB wrote: I'm not a vault user, but according to this link the data is in the Amazon S3 cloud: http://readynasvault.zendesk.com/entrie ... ly-stored- I suppose they could also use other storage suppliers.
64.64.131.102 is owned by IIC Internet (also known as onlinestoragesolution.com), which offers its own on-line storage solution. Does that ring a bell?
Yes, I did look up the IP, but IIC Internet is unknown to us.
Interesting that somehow this was done when nobody else has access to the ReadyNAS.

- SuperFlyBoy1 (Aspirant):
I do note that under System -> Config Backup -> Backup, nothing has been selected there.
However, rsync probably backs up independently of these selections, correct?
Edited to add: noted that these are only system configs backed up.

- StephenB (Guru - Experienced User):
I was assuming that the rsync to 64.64.131.102 was a Frontview backup job. Is it something else? For instance, something you are seeing running via SSH?
Maybe this is obvious, but I think I'd:
(a) turn off the scheduling of the backup job for now, and disable rsync on the share if you aren't using that.
(b) change the admin password for the NAS (and the root password if you use SSH).
(c) check the logs and see if the backups are actually working.
(d) contact Vault support directly.
(e) contact onlinestoragesolution.com support. If you didn't authorize the backups, then someone is illegally using them to steal your data. If you have the login user name and destination path, it should be easy for them to track down who it is, and they should be able to see the data transfer from their own logs.
If the NAS is compromised/hacked, then you should probably rebuild it (starting from a factory reset, and restoring data from backups). Re-configure the NAS manually, as you don't want to accidentally grab something in the OS partition that could reopen the vulnerability.

- SuperFlyBoy1 (Aspirant):
No idea what the rsync was, seriously.
Thanks for the points - done:
a) Done.
b) Done. (Not sure what the root password is.)
c) Logs are not showing any rsync entries.
d) Have to do this soon.
e) There were no usernames or passwords - could rsync still be used, if the IP was allocated to someone?
Thanks again!

- chirpa (Luminary):
Did you see the rsync traffic via the SonicWall? Sounds like you didn't see it directly via a process on the ReadyNAS itself.
If you had root SSH, you could run 'ps -ef --forest', which should show the rsync process and its parent process that spawned it.
e.g.
    root 2028    1 0 May29 ? 00:00:02 /usr/sbin/netatalk
    root 2033 2028 0 May29 ? 00:00:01  \_ /usr/sbin/afpd -d -F /etc/netatalk/afp.conf
    root 2034 2028 0 May29 ? 00:00:00  \_ /usr/sbin/cnid_metad -d -F /etc/netatalk/afp.conf
Not sure what Vault uses for its back end. I know Replicate uses rsync, but you have an NV+ v1(?), which wouldn't have Replicate on it. And no backup jobs to other NAS via FrontView Backup Manager at all?

- StephenB (Guru - Experienced User):
If you never enabled SSH, then the root password is the same as the admin password - and you changed them both.
If someone could see the dataflow on the path to the destination, then they could theoretically use rsync (spoofing the IP address). Though I think it is more likely that rsync terminated on the IIC Internet server.
Are you certain it was on the NAS, and not someone else in the company using rsync for something else?
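To act on chirpa's suggestion of tracing the rsync process back to whatever spawned it, here is an added shell helper (not from the thread, and not NETGEAR's code) that takes a plain 'ps -ef' listing and prints each rsync process together with its ancestor chain up to init, so you can tell a scheduled backup job from a process started by an interactive login. The sample listing it runs on is constructed; the backup-script path and the rsync module name in it are placeholders.

```shell
# Added example: trace each rsync process in a `ps -ef` listing back to the
# process that started it (init, cron, a backup daemon, an SSH session, ...).
# Columns of `ps -ef`: UID PID PPID C STIME TTY TIME CMD...  (CMD starts at $8)
rsync_ancestry() {
    awk '
        NR == 1 { next }                      # skip the header line
        {
            pid = $2; ppid = $3
            cmd = $8
            for (i = 9; i <= NF; i++) cmd = cmd " " $i
            parent[pid] = ppid
            command[pid] = cmd
            base = $8; sub(/.*\//, "", base)  # strip any directory from the binary name
            if (base == "rsync") targets[pid] = 1
        }
        END {
            for (p in targets) {
                chain = p " " command[p]
                q = parent[p]
                # follow PPID links until we reach a PID that is not in the listing (PID 0)
                while (q in command) {
                    chain = chain " <- " q " " command[q]
                    q = parent[q]
                }
                print chain
            }
        }'
}

# Constructed sample listing (not captured from the poster's NAS). The script
# path and the rsync module name are placeholders; the destination IP is the
# one from the thread, so the output mirrors what a scheduled job would look like.
PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 May29 ?        00:00:03 init [2]
root      1830     1  0 May29 ?        00:00:00 /usr/sbin/cron
root      2028     1  0 May29 ?        00:00:02 /usr/sbin/netatalk
root      2033  2028  0 May29 ?        00:00:01 /usr/sbin/afpd -d -F /etc/netatalk/afp.conf
root      4101  1830  0 08:00 ?        00:00:00 /bin/sh -c /path/to/backup_script.sh
root      4102  4101  0 08:00 ?        00:00:05 rsync -av /c/shared/ 64.64.131.102::placeholder_module'

# On the sample this prints one line ending in "<- 1830 /usr/sbin/cron <- 1 init [2]",
# i.e. the rsync was launched by a cron-driven script, not by an interactive login.
printf '%s\n' "$PS_SAMPLE" | rsync_ancestry
# On a live system, run it as:  ps -ef | rsync_ancestry
```

An rsync whose chain ends in sshd or a login shell instead of cron or the NAS backup daemon is the case worth treating as a sign of unauthorised access rather than a forgotten backup job.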
- SuperFlyBoy1 (Aspirant):
StephenB wrote: If you never enabled SSH, then the root password is the same as the admin password - and you changed them both.
If someone could see the dataflow on the path to the destination, then they could theoretically use rsync (spoofing the IP address). Though I think it is more likely that rsync terminated on the IIC Internet server.
I was able to change the admin password early in the morning remotely, and now, checking for the NV+ after logging into the network via VPN (only 1 of 2 certified users on the network), I am not able to access the unit.
No pingbacks received from the IP either.
Also, if I ping/tracert this IP, it comes back to: server.iicinternet.com [64.64.131.102], with a last hop in Dallas: GLOBAL-INTE.edge9.Dallas1.Level3.net [4.30.68.182]
No idea if the hacker just shut down the unit now that I attempted to thwart his stealing our info.
Will post once I get into the office.
(I also tried calling the contact number for iicinternet, and was kept on hold for a *long* time, using both their normal and 800 numbers - no response. Shell company of some sort??)
StephenB wrote: Are you certain it was on the NAS, and not someone else in the company using rsync for something else?
100% sure.

- SuperFlyBoy1 (Aspirant):
SuperFlyBoy wrote: I was able to change the admin password early in the morning remotely, and now, checking for the NV+ after logging into the network via VPN (only 1 of 2 certified users on the network), I am not able to access the unit.
No pingbacks received from the IP either.
No idea if the hacker just shut down the unit now that I attempted to thwart his stealing our info.
We lost power overnight and the UPS unit apparently needs the battery replaced, so it shut down unexpectedly.
Doing a reboot with check-scan/quotas.

- fish1 (Aspirant):
Just want to confirm that the ReadyNAS Vault (RNV) does not utilize rsync. I think it is safe to say that RNV is unrelated to the issue.
That said, if you have any other questions or concerns about RNV (related to this issue or otherwise), please direct message us or shoot us a note at support@vault.readynas.com.