MWALLIS7
Apr 25, 2022 (Aspirant)
ReadyNAS RN42400 reformatted to Flex-RAID and renamed itself BITCOIN
ReadyNAS RN42400 firmware 4.2.31; Windows 10 O/S with latest updates; home network. Security Alert: Woke up Saturday morning to find out my NAS was off-line. Rebooted it and loaded RAIDAR to chec...
StephenB
Apr 26, 2022 (Guru - Experienced User)
Ouch. Hopefully you've gotten all the accounts secured with no downstream issues. The good news is that your backup plan saved your data.
MWALLIS7 wrote:
but I remembered that Windows Update resets the CIFS File Sharing support it needs so I had to reenable it, and that may be why it didn't get infected also.
FWIW, I keep all file sharing protocols turned off on my backup NAS for precisely this reason (and use "pull" rsync backup). The backup NAS are also on a power schedule (in part because they can't get infected when turned off).
MWALLIS7 wrote:
Security Alert: Woke up Saturday morning to find out my NAS was off-line. Rebooted it and loaded RAIDAR to check log and instead of a multi-share configuration named "NAS-424" I was confronted with a single-share volume named BITCOIN. Turned off immediately and disconnected from network. My Email alerts read like this:
- 5:09am NAS-424 Volume: Notice "Volume configuration switched to Flex-RAID."
- 5:30am NAS-424 Volume: Error "Volume data deletion failed."
- 5:38am BITCOIN System: Notice "The system is shutting down."
I am wondering if any other devices were infected (for instance a PC)? Were you forwarding ports in the router to the NAS?
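The three e-mail alerts quoted above are the only trace of the compromise the owner had before finding the renamed volume. As an added example (not code from the thread or from NETGEAR), the script below parses alert lines in that format and flags the two signals a defender would want paged on immediately: a hostname that no longer matches the expected NAS name, and destructive volume events. The sample lines are constructed to mirror the ones quoted in the post; the expected hostname and the list of destructive patterns are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the alert e-mails quoted in the thread.
SAMPLE_ALERTS = [
    '5:09am NAS-424 Volume: Notice "Volume configuration switched to Flex-RAID."',
    '5:30am NAS-424 Volume: Error "Volume data deletion failed."',
    '5:38am BITCOIN System: Notice "The system is shutting down."',
]

# <time> <hostname> <category>: <severity> "<message>"
ALERT_RE = re.compile(
    r'^(?P<time>\d{1,2}:\d{2}[ap]m) (?P<host>\S+) (?P<cat>\w+): '
    r'(?P<sev>\w+) "(?P<msg>.*)"$'
)

# Assumed list: events that should never occur while nobody is administering the NAS.
DESTRUCTIVE_PATTERNS = (
    "configuration switched", "data deletion", "volume deleted", "factory default",
)


@dataclass
class Alert:
    time: str
    host: str
    category: str
    severity: str
    message: str


def parse_alert(line: str) -> Alert:
    """Split one alert line into its fields; reject anything off-format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    return Alert(m["time"], m["host"], m["cat"], m["sev"], m["msg"])


def triage(lines: List[str], expected_host: str) -> List[str]:
    """Return one finding per alert that indicates tampering with the NAS."""
    findings = []
    for a in map(parse_alert, lines):
        # A NAS renaming itself is a strong sign someone else holds the admin account.
        if a.host != expected_host:
            findings.append(f"{a.time}: hostname changed from {expected_host!r} to {a.host!r}")
        if any(p in a.message.lower() for p in DESTRUCTIVE_PATTERNS):
            findings.append(f"{a.time}: destructive volume event: {a.message}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS, "NAS-424"):
        print(f)
```

Running it against the constructed sample yields three findings: the Flex-RAID switch, the data-deletion attempt, and the rename to BITCOIN.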
MWALLIS7
Apr 26, 2022 (Aspirant)
Back in the stone age I lost my Master's thesis to file corruption after a power shortage, so ever since then I've been paranoid about backups. Luckily I had a fresh printout of thesis so I just typed it back in.
Rsync backups were configured on backup NAS to be "pulled" every day at 4:05 am.
My laptop was turned off from about 1am to 10am, while event happened at 5am. I ran a virus scan with free Malwarebytes shortly after I figured out what was going on.
Here are my comments on port-forwarding in reply to sandshark (which also include notes on file sharing):
- Port forwarding is set up for eMule and uTorrent, which I rarely use anymore.
- Local port 46223 is set to TCP protocol
- Local port 9257 is set to UDP protocol
- Local port 49999 is set to TCP & UDP
- Password access is enabled (and I changed my password after incident)