iceweasel
Jan 08, 2022Tutor
Concerned by the contents of ReadyNAS .bash_history file
I was looking at one of my NAS devices as admin and I noticed the .bash_history file in the admin home directory so I took a look. I'm concerned by what I see because I don't remember accessing the s...
StephenB
Jan 08, 2022Guru - Experienced User
iceweasel wrote:
I was looking at one of my NAS devices as admin and I noticed the .bash_history file in the admin home directory so I took a look.
FWIW, for most purposes it's best to log in as root (using the NAS admin password). So you probably should log in that way, and look at .bash_history there too.
iceweasel wrote:
Is there a legitimate reason why I would be seeing this or should I be concerned someone other than me found their way into the NAS as admin?
I think you should be worried (at least enough to follow up). Unfortunately, .bash_history doesn't timestamp the commands, so you don't know when they were issued.
Download the log zip file, and look in apt-history.log. Some of the stuff in there is done by the system, but you will see manually installed packages there also, and that is dated.
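As an added example (not from this thread or from NETGEAR), here is a small parser for apt's history.log layout, the format of the apt-history.log in the downloaded log zip. It turns each Start-Date/Commandline/.../End-Date block into a dated record and reports every run that named a given package, which is the dated evidence the post above points to. The sample text is constructed: three blocks are modelled on the entries quoted later in this thread, the rsyslog block is hypothetical so the search has something to find, and all version strings are made up. The Requested-By field is real apt behaviour but is only written when apt was run via sudo, so on a NAS where you log in as root it will usually be absent.

```python
"""Parse an apt history.log (the apt-history.log inside a ReadyNAS log zip) and
report, with dates, every run that touched a given package.

Added example; not part of the forum thread or of ReadyNAS OS.
"""
import re
from datetime import datetime

# Constructed sample in apt's history.log layout. Blocks 1, 2 and 4 are modelled
# on lines quoted in this thread; the rsyslog block is hypothetical so that the
# search below has a hit. Version strings are made up.
SAMPLE_APT_HISTORY = """\
Start-Date: 2017-11-01 20:31:24
Commandline: apt-get -y purge freeapp-collection
Purge: freeapp-collection:armel (1507912757)
End-Date: 2017-11-01 20:31:26

Start-Date: 2017-11-01 20:35:10
Commandline: apt-get -qq install -fy rn-dictionary freeapp-collection ca-certificates readynasos
Install: freeapp-collection:armel (1509000000), rn-dictionary:armel (1.0)
Upgrade: readynasos:armel (6.8.0, 6.9.0)
End-Date: 2017-11-01 20:36:02

Start-Date: 2018-03-14 22:41:07
Commandline: apt-get install rsyslog
Requested-By: admin (98)
Install: rsyslog:armel (8.4.2-1)
End-Date: 2018-03-14 22:41:30

Start-Date: 2020-06-02 09:12:44
Commandline: apt-get -yq install --reinstall --allow-downgrades -o APT::Status-Fd=5 smbplus
Reinstall: smbplus:armel (4.0)
End-Date: 2020-06-02 09:13:01
"""

# Field names apt uses for the package lists inside one history block.
ACTION_KEYS = ("Install", "Upgrade", "Reinstall", "Remove", "Purge", "Downgrade")


def parse_apt_history(text):
    """Split history.log into blocks (blank-line separated) and return one dict
    per run: start time, command line, optional Requested-By, and the
    (action, package) pairs apt recorded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = value
        if "Start-Date" not in fields:
            continue
        pkgs = []
        for key in ACTION_KEYS:
            if key in fields:
                # "pkg:arch (ver), pkg2:arch (ver)" -> bare package names
                for item in fields[key].split("), "):
                    name = item.split(" (", 1)[0].split(":", 1)[0]
                    pkgs.append((key.lower(), name))
        entries.append({
            "start": datetime.strptime(fields["Start-Date"], "%Y-%m-%d %H:%M:%S"),
            "commandline": fields.get("Commandline", ""),
            "requested_by": fields.get("Requested-By"),  # only present under sudo
            "packages": pkgs,
        })
    entries.sort(key=lambda e: e["start"])
    return entries


def find_package(entries, package):
    """Runs whose command line or recorded package list mentions `package`."""
    return [e for e in entries
            if package in e["commandline"].split()
            or any(name == package for _, name in e["packages"])]


def report(entries, package):
    """One dated line per matching run, ready to print or diff against
    .bash_history."""
    lines = []
    for e in find_package(entries, package):
        line = f"{e['start']:%Y-%m-%d %H:%M:%S}  {e['commandline']}"
        if e["requested_by"]:
            line += f"  [requested by {e['requested_by']}]"
        lines.append(line)
    return lines


if __name__ == "__main__":
    # Real use: open("apt-history.log").read() from the unpacked log zip.
    for line in report(parse_apt_history(SAMPLE_APT_HISTORY), "rsyslog"):
        print(line)
```

apt rotates this file too (history.log.1.gz and so on), so if the zip contains rotated copies, concatenate them before parsing; the sort by Start-Date keeps the result in order. A package that appears in .bash_history but in no history.log block was either never successfully installed or was installed before the oldest surviving rotation, and the log cannot tell you which.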
iceweasel
Jan 08, 2022Tutor
I downloaded the logs using the webportal. I think the majority of the apt-get history looks pretty straightforward and clean.
Several commands look like system updates. The first looks like the primary install, and there are several of the second, which seem to be ReadyNAS system updates:
Commandline: apt-get install -fy rn-dictionary freeapp-collection ca-certificates readynasos
Commandline: apt-get -qq install -fy rn-dictionary freeapp-collection ca-certificates readynasos
There's a freeapp removal back in 2017; minutes later there's the update shown directly above:
Start-Date: 2017-11-01 20:31:24
Commandline: apt-get -y purge freeapp-collection
Purge: freeapp-collection:armel (1507912757)
End-Date: 2017-11-01 20:31:26
There's also a samba update in 2020
Commandline: apt-get -yq install --reinstall --allow-downgrades -o APT::Status-Fd=5 smbplus
But there's really nothing else and I see no reference to the rsyslog attempts found in the .bash_history file.
I couldn't find a .bash_history in root's home. I do see .bashrc, .profile, and .ssh but no .bash_history; the only one I see is in /home/admin. Well, I guess what I mean to say is there are three copies of the same file:
/MyDir/home/admin/.bash_history
/run/nfs4/home/admin/.bash_history
/home/admin/.bash_history
I suspect everything is symlinked to the same admin home directory, but I didn't dig too deep because I don't really know how.
Are there any logs that indicate which users logged in with IP addresses?
StephenB
Jan 08, 2022Guru - Experienced User
Maybe also look in dpkg.log in the log zip file.
iceweasel wrote:
Are there any logs that indicate which users logged in with IP addresses?
None that I know for ssh. http.log contains login info for the web interface. If you have auditing enabled, there should be info in auditd.log - but AFAIK that doesn't include ssh logins.
If you are looking for recent activity, you can log in as root with ssh and enter
journalctl --no-pager -a -r | grep -i sshd
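As an added example (not from this thread or from NETGEAR), the following script does offline what the journalctl pipe above does interactively: it reads syslog-format lines (auth.log from the log zip, or the output of the journalctl command) and pulls out the sshd "Accepted"/"Failed" events, which carry the user and source IP that this thread is asking about, while skipping the pam_unix cron session lines that make up most of auth.log. It also checks accepted logins against an allow-list of local networks. The sample lines are constructed: the CRON lines copy the pattern quoted in this thread, the sshd lines are hypothetical, and 198.51.100.23 is a documentation address used only so the allow-list check has a hit.

```python
"""Extract ssh login events from syslog-format auth lines (auth.log from the
ReadyNAS log zip, or `journalctl --no-pager -a | grep -i sshd` output) and
separate them from the cron session noise that fills auth.log.

Added example; not part of the forum thread or of ReadyNAS OS.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample. CRON lines follow the pattern quoted in this thread; the
# sshd lines are hypothetical, including one login from a non-local address
# (198.51.100.23, a documentation range) so the allow-list check has a hit.
SAMPLE_AUTH_LOG = """\
Dec 31 22:17:01 ReadyNAS-201 CRON[9932]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 31 22:17:01 ReadyNAS-201 CRON[9932]: pam_unix(cron:session): session closed for user root
Jan 02 10:05:13 ReadyNAS-201 sshd[1201]: Accepted password for root from 192.168.1.50 port 51234 ssh2
Jan 02 10:05:13 ReadyNAS-201 sshd[1201]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 02 10:41:02 ReadyNAS-201 sshd[1201]: pam_unix(sshd:session): session closed for user root
Jan 03 03:12:44 ReadyNAS-201 sshd[1377]: Failed password for admin from 192.168.1.77 port 40022 ssh2
Jan 03 03:12:50 ReadyNAS-201 sshd[1377]: Failed password for admin from 192.168.1.77 port 40022 ssh2
Jan 03 03:12:58 ReadyNAS-201 sshd[1381]: Failed password for invalid user test from 192.168.1.77 port 40026 ssh2
Jan 03 03:13:02 ReadyNAS-201 sshd[1390]: Accepted publickey for admin from 192.168.1.77 port 40030 ssh2: RSA SHA256:AAAA
Jan 03 03:13:02 ReadyNAS-201 sshd[1390]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jan 03 04:17:01 ReadyNAS-201 CRON[2001]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 03 04:17:01 ReadyNAS-201 CRON[2001]: pam_unix(cron:session): session closed for user root
Jan 03 05:02:11 ReadyNAS-201 sshd[2100]: Accepted password for admin from 198.51.100.23 port 55000 ssh2
"""

# "Mon DD HH:MM:SS host proc[pid]: message" (syslog and journalctl short format)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# sshd authentication outcome lines; "invalid user" marks a name sshd rejected
SSHD_AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port (?P<port>\d+)"
)
CRON_OPEN_RE = re.compile(
    r"^pam_unix\(cron:session\): session opened for user \S+ by \(uid=\d+\)"
)


def parse_sshd_events(text):
    """Return one dict per sshd Accepted/Failed line, in input order."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("proc") != "sshd":
            continue
        a = SSHD_AUTH_RE.match(m.group("msg"))
        if not a:
            continue  # session open/close and other sshd chatter
        events.append({
            "ts": m.group("ts"), "pid": int(m.group("pid")),
            "result": a.group("result"), "method": a.group("method"),
            "user": a.group("user"), "invalid_user": bool(a.group("invalid")),
            "ip": a.group("ip"), "port": int(a.group("port")),
        })
    return events


def summarize_by_user_ip(events):
    """Accepted/failed counts and first/last timestamp per (user, source IP)."""
    summary = defaultdict(lambda: {"accepted": 0, "failed": 0,
                                   "invalid_user": False, "first": None, "last": None})
    for e in events:
        s = summary[(e["user"], e["ip"])]
        s["accepted" if e["result"] == "Accepted" else "failed"] += 1
        s["invalid_user"] = s["invalid_user"] or e["invalid_user"]
        s["first"] = s["first"] or e["ts"]
        s["last"] = e["ts"]
    return dict(summary)


def accepted_outside(events, local_nets):
    """Successful logins whose source is not inside any of the given networks."""
    nets = [ip_network(n) for n in local_nets]
    return [e for e in events if e["result"] == "Accepted"
            and not any(ip_address(e["ip"]) in n for n in nets)]


def count_cron_sessions(text):
    """How many lines are just cron opening a root session (the uid=0 noise)."""
    return sum(1 for line in text.splitlines()
               if (m := SYSLOG_RE.match(line)) and m.group("proc") == "CRON"
               and CRON_OPEN_RE.match(m.group("msg")))


if __name__ == "__main__":
    # Real use: open("auth.log").read() from the unpacked log zip.
    ev = parse_sshd_events(SAMPLE_AUTH_LOG)
    for key, s in summarize_by_user_ip(ev).items():
        print(key, s)
    print("outside LAN:", accepted_outside(ev, ["192.168.1.0/24"]))
    print("cron sessions:", count_cron_sessions(SAMPLE_AUTH_LOG))
```

Two caveats when feeding it real data: journalctl with `-r` emits newest-first, so either drop `-r` or sort before trusting the first/last columns, and syslog timestamps carry no year, so entries that straddle a rotation boundary need the file's own date range to place them. The "by (uid=0)" suffix on the pam_unix "session opened" lines is the uid of the process that opened the session; the matching "session closed" line simply has no "by" clause.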
iceweasel
Jan 09, 2022Tutor
StephenB Thanks.
I checked the auditd.log and there were no entries.
The journalctl command only showed entries for the last couple of days (me) so either the logs were wiped or there were no actions prior to a couple days ago. I'm not sure I believe that but that's all they show.
I checked auth.log and see a lot of, what I believe are, system tasks getting started as root.
Dec 31 21:17:01 ReadyNAS-201 CRON[9711]: pam_unix(cron:session): session closed for user root
Dec 31 22:17:01 ReadyNAS-201 CRON[9932]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 31 22:17:01 ReadyNAS-201 CRON[9932]: pam_unix(cron:session): session closed for user root
Dec 31 23:17:01 ReadyNAS-201 CRON[10147]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 31 23:17:01 ReadyNAS-201 CRON[10147]: pam_unix(cron:session): session closed for user root
Jan 01 00:05:01 ReadyNAS-201 CRON[10326]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 01 00:05:01 ReadyNAS-201 CRON[10327]: pam_unix(cron:session): session opened for user root by (uid=0)
I'm not clear on the difference between for root and for root by (uid=0).
All logs I looked at, including http, were reset at the start of the year, i.e. they say logs begin Fri 12-31-2021, and they've been running for years.
One other thing I'll mention, and I'm not sure whether it's relevant or not, but I do have a firewall rule and another device block which prevent the NASes from getting through the gateway. So AFAIK all access to/from the NAS should be local traffic. I think that offers some protection, but I'm not going to assume my thoughts on that are correct.
StephenB
Jan 09, 2022Guru - Experienced User
iceweasel wrote:
I'm not clear on the difference between for root and for root by (uid=0).
I think it just means that cron (running as root) started the cron job.
iceweasel wrote:
I checked the auditd.log and there were no entries.
The journalctl command only showed entries for the last couple of days (me) so either the logs were wiped or there were no actions prior to a couple days ago. I'm not sure I believe that but that's all they show.
All logs I looked at including http were reset at the start of the year, ie they say logs begin Fri 12-31-2021 and they've been running for years.
The logs are rotated, otherwise they'd fill the OS partition.
I suspect those rsyslog commands are very old (old enough that perhaps you actually did install it yourself). But there's no way to prove that. Personally I doubt that the NAS was hacked (especially if the only thing you see are the rsyslog install attempts), but it's hard to be certain.