Forum Discussion
jimbo123 (Aspirant), Dec 23, 2014
Following OS6.2.1 update LAN / WAN issues
I had thought that this was the problem discussed at http://www.readynas.com/forum/viewtopic.php?f=65&t=79118&sid=0b9830fdba963be84363284497f3397d&start=75; however, this appears not to be the case.
I first noticed that the internet had gone down and was just making sure it wasn't anything in the property causing the router (BT HomeHub 4) to crash. I could still access items on the LAN but not the router itself; it was not even responding to pings, though it was still routing traffic. I can still access both the web UI and SSH after the router crashes. All Ethernet traffic is routed through a SamKnows box before the router.
I tried the backup TP-LINK TD-8817 but both crash moments after my RN102 (6.21 Final) is turned on. Some analysis of the traffic led to huge amounts of traffic to various external IP addresses (currently all appear to be cloud providers).
I was having trouble finding out which program was sending the packets outwards and causing the router to crash, so I used tcpdump to watch for the packets and ran:
root@nas:~# lsof -i TCP:10000-50000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ndagubygi 1145 root 3u IPv4 11960 0t0 TCP nas:36296->162.211.182.121:2833 (ESTABLISHED)
upnphttpd 1821 daemon 3w IPv4 6345 0t0 TCP *:webmin (LISTEN)
curl 3341 root 5u IPv4 11982 0t0 TCP nas:36764->206.16.42.185:https (ESTABLISHED)
The NAS uses random ports for every packet sent. I checked the port against the IP and sure enough the IP was being bombarded by the NAS sending packets from various ports to it. I attempted to check what exactly the process was or what its purpose is, but even Google seems lost.
root@nas:~# ls -l /proc/1145/exe
lrwxrwxrwx 1 root root 0 Dec 23 18:56 /proc/1145/exe -> /boot/ndagubygih
Any ideas on what this process is and what I can do to stop it bombarding random websites with empty TCP packets?
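The steps above (watch the wire with tcpdump, find the socket owner with lsof, resolve the owner's binary through /proc/PID/exe) can be scripted so the whole table is judged at once instead of one PID at a time. The following is an added example, not code from the original post or from NETGEAR. It assumes lsof is run as `lsof -nP -iTCP` (numeric hosts and ports, so the column layout is stable), and its sample lines and PID-to-executable map are constructed to resemble the poster's output using TEST-NET addresses; the trusted/suspicious directory lists are a sensible default for a Debian-based NAS, not a NETGEAR specification.

```python
"""Correlate outbound TCP sockets with the executable behind each PID.

Added example (not the poster's code). Two signals are used: a binary that
lives somewhere a packaged daemon never should (/boot, /tmp, a deleted file),
and a PID holding many half-open connections in one snapshot, which is what a
flood from a fresh ephemeral port per packet looks like to lsof.
"""
import os
import re
import subprocess

# Assumed defaults for a Debian-based NAS: where daemons live, and where they do not.
TRUSTED_EXE_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/",
                        "/lib/", "/usr/libexec/", "/opt/", "/apps/")
SUSPICIOUS_EXE_PREFIXES = ("/boot/", "/tmp/", "/var/tmp/", "/dev/shm/", "/run/")

# Columns of `lsof -nP -iTCP`: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<local>\S+?)(?:->(?P<remote>\S+))?(?:\s+\((?P<state>[A-Z_]+)\))?$"
)


def parse_lsof(text):
    """One dict per socket line; the header and anything non-TCP is skipped."""
    rows = []
    for line in text.splitlines():
        m = LSOF_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify_exe(path):
    """'suspicious', 'trusted' or 'unknown' for a resolved /proc/PID/exe target."""
    if path is None:
        return "unknown"
    if path.endswith(" (deleted)") or path.startswith(SUSPICIOUS_EXE_PREFIXES):
        return "suspicious"
    if path.startswith(TRUSTED_EXE_PREFIXES):
        return "trusted"
    return "unknown"


def triage(rows, exe_of, syn_threshold=20):
    """Group sockets by PID; return the PIDs that deserve a look and why.

    exe_of(pid) returns the executable path or None (use exe_from_proc live).
    """
    by_pid = {}
    for r in rows:
        by_pid.setdefault(int(r["pid"]), []).append(r)
    findings = []
    for pid, conns in sorted(by_pid.items()):
        exe = exe_of(pid)
        reasons = []
        if classify_exe(exe) == "suspicious":
            reasons.append(f"executable in untrusted location: {exe}")
        outbound = [c for c in conns if c["remote"]]
        syn_sent = sum(1 for c in outbound if c["state"] == "SYN_SENT")
        if syn_sent >= syn_threshold:
            reasons.append(f"{syn_sent} half-open connections in one snapshot (flood pattern)")
        if reasons:
            remotes = sorted({c["remote"].rsplit(":", 1)[0] for c in outbound})
            findings.append({"pid": pid, "cmd": conns[0]["cmd"], "exe": exe,
                             "remotes": remotes, "reasons": reasons})
    return findings


def exe_from_proc(pid):
    """Resolve /proc/PID/exe; None if the process is gone or not readable."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None


def triage_live():
    """Run lsof on this host (as root, to see every user's sockets) and triage it."""
    out = subprocess.run(["lsof", "-nP", "-iTCP"], capture_output=True, text=True).stdout
    return triage(parse_lsof(out), exe_from_proc)


# Constructed sample in the shape of the poster's output; not a real capture.
SAMPLE_LSOF = "\n".join(
    ["COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME",
     "ndagubygi 1145 root 3u IPv4 11960 0t0 TCP 192.168.1.10:36296->203.0.113.5:2833 (ESTABLISHED)",
     "upnphttpd 1821 daemon 3w IPv4 6345 0t0 TCP *:10000 (LISTEN)",
     "curl 3341 root 5u IPv4 11982 0t0 TCP 192.168.1.10:36764->198.51.100.7:443 (ESTABLISHED)"]
    + [f"ndagubygi 1145 root {4 + i}u IPv4 {12000 + i} 0t0 TCP "
       f"192.168.1.10:{40000 + i}->203.0.113.5:80 (SYN_SENT)" for i in range(30)]
)
# Constructed /proc/PID/exe results for the sample (the upnphttpd path is assumed).
SAMPLE_EXE = {1145: "/boot/ndagubygih", 1821: "/usr/sbin/upnphttpd", 3341: "/usr/bin/curl"}


def demo():
    """Triage the constructed sample; returns the findings list."""
    return triage(parse_lsof(SAMPLE_LSOF), SAMPLE_EXE.get)


if __name__ == "__main__":
    for f in demo():
        print(f"PID {f['pid']} ({f['cmd']}) exe={f['exe']} remotes={f['remotes']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

The location check is the stronger signal: a process name can be anything, but a packaged daemon on this class of firmware does not execute from /boot or /tmp, and a `(deleted)` suffix on the exe link means the binary unlinked itself after starting. The SYN_SENT count is only meaningful on a single snapshot, so tune `syn_threshold` to the box; a busy backup job can legitimately hold a handful of half-open connections, but not dozens to one target.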
10 Replies
- StephenB (Guru - Experienced User): I'm not seeing ndagubygi on my RN102.
- mdgm-ntgr (NETGEAR Employee Retired): Do you have any ports forwarded to your NAS?
- chirpa (Luminary): You've likely got a rootkit installed on your NAS.
- jimbo123 (Aspirant):
mdgm wrote: Do you have any ports forwarded to your NAS?
No ports forwarded and no UPnP enabled on the router. I forgot to add on the other forum that I have no other apps running apart from Anti-Virus Plus (checked this in htop as well; no sign of any other installed app running).
chirpa wrote: You've likely got a rootkit installed on your NAS.
Given the likely implications if there is a rootkit installed, would any moderator want to take a look at it before I wipe the NAS?
- mdgm-ntgr (NETGEAR Employee Retired): Do you have a backup of your data?
- jimbo123 (Aspirant):
mdgm wrote: Do you have a backup of your data?
The data I need is backed up off site, the MD5sums have been checked and the documents do not appear to have been altered. The rest of the data is all media and can be easily replaced.
I have just run RKHunter and it came back with the following:
[11:11:49] System checks summary
[11:11:49] =====================
[11:11:49]
[11:11:49] File properties checks...
[11:11:49] Required commands check failed
[11:11:50] Files checked: 126
[11:11:50] Suspect files: 0
[11:11:50]
[11:11:50] Rootkit checks...
[11:11:50] Rootkits checked : 267
[11:11:50] Possible rootkits: 1
[11:11:50]
[11:11:50] Applications checks...
[11:11:50] Applications checked: 4
[11:11:50] Suspect applications: 0
[11:11:50]
[11:11:50] The system checks took: 3 minutes and 37 seconds
[11:11:50]
[11:11:50] Info: End date is Wed Dec 24 11:11:50 WET 2014
The possible rootkit appears to be a false negative due to an early part of the test failing; I can email over the complete log if needed.
I have just been exploring the /boot folder to check what else is in there apart from the object identified yesterday. There are multiple files in there, all with apparently random file names:
root@nas:/# cd boot
root@nas:/boot# ls
dgilyydlff hfoiqmgiuf ikzyxanjay mjntkohmfq pvcfncudct rylomtamis tjqyhdntwa
exnkoixahd ieugwzyxzn inwwcpsfnt ndagubygih qphejjhrwp sczlddtuwn wlkwajhvrw
fzokpyuciw igtdbjjjox lyarglvtqd pmctrpysah qukhjkjmdj sibhejtroq xnsxvdaipy
Are any of these supposed to be present within the boot folder? I will carry on looking into the problem as best I can at this end. I am unplugging the modem whilst performing checks to ensure no data is going outwards, which is slowing the process, but better safe than sorry.
- mdgm-ntgr (NETGEAR Employee Retired): The /boot directory should be empty.
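Given the NETGEAR reply that /boot should be empty on this firmware, every entry the poster listed is an artefact, and a factory reset will destroy it. Before that, a responder would want a record of each file (size, mode, mtime, SHA-256), which PIDs are running from it, and which startup files reference it, since the mechanism that re-launches a payload on reboot is what RKHunter's file checks did not get to inspect here. The following is an added example, not the poster's or NETGEAR's code. It assumes a Debian-style set of startup and cron locations (PERSISTENCE_PATHS, an assumption rather than anything the page states), takes a `root` argument so it can be pointed at a mounted disk image instead of the live system, and builds a constructed sample tree for the offline run.

```python
"""Inventory a /boot that should be empty and find what keeps its contents alive.

Added example (not code from the thread). Hash and stat each entry, find
processes whose /proc/PID/exe resolves into /boot, and grep startup locations
for the file names. All paths hang off `root` so a mounted image works too.
"""
import hashlib
import os
import re
import stat
import tempfile
import time

# Assumed Debian-style persistence locations, relative to root.
PERSISTENCE_PATHS = ("etc/rc.local", "etc/init.d", "etc/rc2.d", "etc/rc3.d", "etc/rc5.d",
                     "etc/crontab", "etc/cron.d", "etc/cron.hourly", "etc/cron.daily",
                     "var/spool/cron/crontabs", "etc/profile.d", "etc/ld.so.preload")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root="/"):
    """One record per entry in <root>/boot; regular files are hashed."""
    boot = os.path.join(root, "boot")
    items = []
    for name in sorted(os.listdir(boot)):
        p = os.path.join(boot, name)
        st = os.lstat(p)  # lstat: record symlinks as symlinks, do not follow them
        items.append({"name": name, "mode": stat.filemode(st.st_mode), "size": st.st_size,
                      "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime)),
                      "sha256": sha256_file(p) if stat.S_ISREG(st.st_mode) else None})
    return items


def running_from(prefix, root="/"):
    """{pid: exe} for every process whose exe link points under prefix."""
    proc = os.path.join(root, "proc")
    hits = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            exe = os.readlink(os.path.join(proc, entry, "exe"))
        except OSError:  # exited, kernel thread, or not readable by this user
            continue
        if exe.startswith(prefix):
            hits[int(entry)] = exe
    return hits


def references(names, root="/"):
    """(file, line number, line) for every startup or cron line naming one of names."""
    pat = re.compile("|".join(re.escape(n) for n in names))
    found = []
    for rel in PERSISTENCE_PATHS:
        p = os.path.join(root, rel)
        if os.path.isfile(p):
            files = [p]
        elif os.path.isdir(p):
            files = [os.path.join(p, f) for f in sorted(os.listdir(p))]
        else:
            continue
        for f in files:
            try:
                with open(f, "r", errors="replace") as fh:
                    lines = fh.read().splitlines()
            except OSError:
                continue
            for no, line in enumerate(lines, 1):
                if pat.search(line):
                    found.append((os.path.relpath(f, root), no, line.strip()))
    return found


def audit(root="/"):
    items = inventory(root)
    names = [i["name"] for i in items]
    return {"items": items, "running": running_from("/boot/", root),
            "references": references(names, root) if names else []}


SAMPLE_BLOB = b"\x7fELF constructed placeholder, not a real binary\n"


def build_sample_tree(base):
    """Constructed fixture: one random-named file in /boot, launched from rc.local, running as PID 1145."""
    os.makedirs(os.path.join(base, "boot"))
    os.makedirs(os.path.join(base, "etc", "init.d"))
    with open(os.path.join(base, "boot", "ndagubygih"), "wb") as f:
        f.write(SAMPLE_BLOB)
    with open(os.path.join(base, "etc", "rc.local"), "w") as f:
        f.write("#!/bin/sh\n/boot/ndagubygih >/dev/null 2>&1 &\nexit 0\n")
    with open(os.path.join(base, "etc", "init.d", "ssh"), "w") as f:
        f.write("#!/bin/sh\n# unrelated service, must not match\n")
    for pid, target in ((1, "/sbin/init"), (1145, "/boot/ndagubygih")):
        os.makedirs(os.path.join(base, "proc", str(pid)))
        os.symlink(target, os.path.join(base, "proc", str(pid), "exe"))
    return base


def demo():
    """Audit a freshly built sample tree; returns the audit dict."""
    return audit(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it as root on the live box with `audit("/")`, or against a disk pulled from the NAS and mounted read-only with `audit("/mnt/nas")`; the hashes are what you keep once the factory reset has wiped the originals. A hit in `running` with no hit in `references` means the launcher lives somewhere outside the assumed list (a modified service binary, a kernel module, a hooked library), which is the case where the "difficult to remove" warning in the thread applies and a reset is the only safe answer.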
- jimbo123 (Aspirant):
mdgm wrote: The /boot directory should be empty.
So delete the files? I am really not sure of the next step. If it is a rootkit then a factory reset would seem the best option, but if there is another cause I would like to get to the bottom of that.
- mdgm-ntgr (NETGEAR Employee Retired): Rootkits can be very difficult to remove, so yes, a factory default would probably be best.
- jimbo123 (Aspirant):
mdgm wrote: Rootkits can be very difficult to remove, so yes a factory default would probably be best.
Okay thank you for the help in the matter, I will get to performing the factory reset.