Concerned by the contents of ReadyNAS .bash_history file

Question

I was looking at one of my NAS devices as admin and I noticed the .bash_history file in the admin home directory so I took a look. I'm concerned by what I see because I don't remember accessing the shell, nor would I would have tried to install rsyslog.&nbsp;Is there a legitimate reason why I would be seeing this or should I be concerned someone other than me found their way into the NAS as admin?&nbsp;apt-get install rsyslog
susdo apt-get install rsyslog
apt-get install rsyslog
ls
cd ..
ls
exit
apt-get install rsyslog
apt-get install rsyslog
exit
apt-get install rsyslog
exit
apt-get install rsyslog
exit
apt-key install rsyslog
apt-get install rsyslog
exit
apt-get install rsyslog
exit
apt-get install rsyslog
exit
apt-get install rsyslog

StephenB · Answer

iceweasel&nbsp;wrote:
I was looking at one of my NAS devices as admin and I noticed the .bash_history file in the admin home directory so I took a look.

FWIW, for most purposes it's best to log in as root (using the NAS admin password).&nbsp; So you probably should log in that way, and look at .bash_history there too.
&nbsp;
iceweasel&nbsp;wrote:
&nbsp;
Is there a legitimate reason why I would be seeing this or should I be concerned someone other than me found their way into the NAS as admin?

I think you should be worried (at least enough to follow up).&nbsp; Unfortunately, .bash_history doesn't timestamp the commands, so you don't know when they were issued.
&nbsp;
Download the log zip file, and look in apt-history.log.&nbsp; Some of the stuff in there is done by the system, but you will see manually installed packages there also, and that is dated.&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;

iceweasel · Answer

Thanks I'll follow those suggestions and look at the apt log as well as examine root account.

iceweasel · Answer

StephenB&nbsp;I downloaded the logs using the webportal. I think the majority of the apt-get history looks pretty straightforward and clean.Several of the system updates looking commands. The first looks like primary install and several of the second which seem to be ready nas system updates:Commandline: apt-get install -fy rn-dictionary freeapp-collection ca-certificates readynasosCommandline: apt-get -qq install -fy rn-dictionary freeapp-collection ca-certificates readynasos&nbsp;There's a freeapp removal back in 2017, minutes later there's the update show directly above:Start-Date: 2017-11-01  20:31:24
Commandline: apt-get -y purge freeapp-collection
Purge: freeapp-collection:armel (1507912757)
End-Date: 2017-11-01  20:31:26&nbsp;There's also a samba update in 2020Commandline: apt-get -yq install --reinstall --allow-downgrades -o APT::Status-Fd=5 smbplusBut there's really nothing else and I see no reference to the rsyslog attempts found in the .bash_history file.&nbsp;&nbsp;I couldn't find a .bash_history in root home. I do see .bashrc, .profile, and .ssh but no .bash_history unless I go to the /home/admin that's the only one I see. Well, I guess what I mean to say is there are three copies of the same file:/MyDir/home/admin/.bash_history
/run/nfs4/home/admin/.bash_history
/home/admin/.bash_historyI suspect eveything is simlinked to the same admin home directory, but I didn't dig to deep because I don't really know how.&nbsp;Are there any logs that indicate which users logged in with IP addresses?&nbsp;&nbsp;

StephenB · Answer

Maybe also look in dpkg.log in the log zip file.
&nbsp;
iceweasel&nbsp;wrote:
&nbsp;
Are there any logs that indicate which users logged in with IP addresses?

None that I know for ssh. http.log contains login info for the web interface.&nbsp; If you have auditing enabled, there should be info in auditd.log - but AFAIK that doesn't include ssh logins.
&nbsp;
If you are looking for recent activity, you can log in as root with ssh and enter
journalctl --no-pager -a -r | grep -i sshd

iceweasel · Answer

StephenB&nbsp;Thanks.&nbsp;I checked the auditd.log and there were no entries.The journalctl command only showed entries for the last couple of days (me) so either the logs were wiped or there were no actions prior to a couple days ago. I'm not sure I believe that but that's all they show.&nbsp;I checked auth.log and see a lot of, what I believe are, system tasks getting started as root.Dec 31 21:17:01 ReadyNAS-201 CRON[9711]: pam_unix(cron:session): session closed for user root
Dec 31 22:17:01 ReadyNAS-201 CRON[9932]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 31 22:17:01 ReadyNAS-201 CRON[9932]: pam_unix(cron:session): session closed for user root
Dec 31 23:17:01 ReadyNAS-201 CRON[10147]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 31 23:17:01 ReadyNAS-201 CRON[10147]: pam_unix(cron:session): session closed for user root
Jan 01 00:05:01 ReadyNAS-201 CRON[10326]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 01 00:05:01 ReadyNAS-201 CRON[10327]: pam_unix(cron:session): session opened for user root by (uid=0)I'm not clear on the difference between for root and for root by (uid=0).&nbsp;All logs I looked at including http were reset at the start of the year, ie they say logs begin Fri 12-31-2021 and they've been running for years.One other thing I'll mention and I'm not sure it's relevant or not, but I do have a firewall rule and another device block which prevent the NASes from getting through the gateway. So AFIAK all access to/from the NAS should be local traffic. I think that offers some protection, but I'm not going to assume my thoughts on that are correct.

Forum Discussion

Concerned by the contents of ReadyNAS .bash_history file

6 Replies

Related Content

Orbi placement concerns

SXR80 - Block Adult Content

Order concerns

Issue with content filtering

content not blocked

NETGEAR Academy

ProSupport for Business