
Forum Discussion

TeknoJnky
Jun 20, 2010

nas hacked?

So I forgot to disable the SSH port map on my router at some point, and today I was trying to SSH in and check something and could not log in.

I thought maybe I changed my root password but nothing I could remember worked.

So I ran enable ssh again and rebooted, was able to get in, then downloaded all logs.

In the auth.log I find a bunch of failed login attempts, then I see this:

Jun 18 16:02:52 sauron sshd[6899]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Jun 18 16:02:53 sauron sshd[6899]: WARNING: /etc/ssh/moduli does not exist, using fixed modulus
Jun 18 16:03:02 sauron sshd[6899]: reverse mapping checking getaddrinfo for 79-112-138-182.rdsnet.ro failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 16:03:05 sauron sshd[6899]: Accepted password for root from 79.112.138.182 port 3440 ssh2
Jun 18 16:03:05 sauron sshd[6903]: (pam_unix) session opened for user root by root(uid=0)
Jun 18 16:05:55 sauron userdel[7059]: delete user `sshd'
Jun 18 16:05:55 sauron useradd[7060]: new group: name=sshd, GID=101
Jun 18 16:05:55 sauron useradd[7060]: new user: name=sshd, UID=0, GID=101, home=/home/sshd, shell=/bin/sh
Jun 18 16:06:01 sauron passwd[7061]: (pam_unix) password changed for sshd
Jun 18 16:06:01 sauron passwd[7061]: (pam_unix) Password for sshd was changed
Jun 18 16:06:04 sauron passwd[7062]: (pam_unix) password changed for root
Jun 18 16:06:04 sauron passwd[7062]: (pam_unix) Password for root was changed
Jun 18 16:08:01 sauron CRON[7123]: (pam_unix) session opened for user root by (uid=0)
Jun 18 16:08:01 sauron CRON[7123]: (pam_unix) session closed for user root
Jun 18 16:08:06 sauron sshd[7128]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Jun 18 16:08:07 sauron sshd[7128]: WARNING: /etc/ssh/moduli does not exist, using fixed modulus
Jun 18 16:08:11 sauron sshd[7128]: reverse mapping checking getaddrinfo for 79-112-138-182.rdsnet.ro failed - POSSIBLE BREAK-IN ATTEMPT!
Jun 18 16:08:16 sauron sshd[7128]: Accepted password for root from 79.112.138.182 port 3466 ssh2
Jun 18 16:08:17 sauron sshd[7138]: (pam_unix) session opened for user root by root(uid=0)
Jun 18 16:09:37 sauron chsh[8075]: changed user `bin' shell to `/bin/bash'
Jun 18 16:09:37 sauron sshd[1817]: Received signal 15; terminating.
Jun 18 16:09:37 sauron sshd[8088]: Server listening on 0.0.0.0 port 22.
Jun 18 16:09:37 sauron sshd[8088]: Received signal 15; terminating.
Jun 18 16:09:37 sauron sshd[8103]: Server listening on 0.0.0.0 port 22.
Jun 18 16:11:59 sauron smbd: (pam_unix) session closed for user tekno
Jun 18 16:12:01 sauron CRON[8338]: (pam_unix) session opened for user root by (uid=0)
Jun 18 16:12:01 sauron CRON[8338]: (pam_unix) session closed for user root
Jun 18 16:13:01 sauron CRON[8368]: (pam_unix) session opened for user root by (uid=0)
Jun 18 16:13:01 sauron CRON[8368]: (pam_unix) session closed for user root
Jun 18 16:14:01 sauron CRON[8392]: (pam_unix) session opened for user root by (uid=0)
Jun 18 16:14:01 sauron CRON[8392]: (pam_unix) session closed for user root
Jun 18 16:15:01 sauron CRON[8409]: (pam_unix) session opened for user root by (uid=0)
Jun 18 16:15:01 sauron CRON[8409]: (pam_unix) session closed for user root
Jun 18 16:16:01 sauron CRON[8428]: (pam_unix) session opened for user root by (uid=0)
Jun 18 16:16:01 sauron CRON[8428]: (pam_unix) session closed for user root
Jun 18 16:16:18 sauron sshd[7128]: syslogin_perform_logout: logout() returned an error

I'm not a Linux security expert, but that looks pretty suspicious.

Not sure what else I should look at or do, but any ideas would be appreciated.
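Added example (not from the original post): a small Python triage script run over a constructed sample of the auth.log lines above. It flags the indicators this thread walks through (a root SSH login from a non-LAN address, a new UID 0 account, a root password change, a system account's shell being changed, sshd restarted) and ignores the routine CRON and moduli noise. The rule names and the "private range = LAN" assumption are mine.

```python
import ipaddress
import re

# Constructed sample, taken from the auth.log excerpt in the post above (noise lines kept on purpose).
SAMPLE_AUTH_LOG = """\
Jun 18 16:02:53 sauron sshd[6899]: WARNING: /etc/ssh/moduli does not exist, using fixed modulus
Jun 18 16:03:05 sauron sshd[6899]: Accepted password for root from 79.112.138.182 port 3440 ssh2
Jun 18 16:05:55 sauron useradd[7060]: new user: name=sshd, UID=0, GID=101, home=/home/sshd, shell=/bin/sh
Jun 18 16:06:04 sauron passwd[7062]: (pam_unix) password changed for root
Jun 18 16:09:37 sauron chsh[8075]: changed user `bin' shell to `/bin/bash'
Jun 18 16:09:37 sauron sshd[8088]: Server listening on 0.0.0.0 port 22.
Jun 18 16:12:01 sauron CRON[8338]: (pam_unix) session opened for user root by (uid=0)
"""

# Indicators discussed in the thread; each regex captures the detail worth reporting.
RULES = [
    ("root_ssh_login", re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (\S+)")),
    ("uid0_account_created", re.compile(r"useradd\[\d+\]: new user: name=(\w+), UID=0\b")),
    ("root_password_changed", re.compile(r"passwd\[\d+\]: .*password changed for root")),
    ("system_account_shell_changed", re.compile(r"chsh\[\d+\]: changed user `(\w+)' shell to `(\S+)'")),
    ("sshd_restarted", re.compile(r"sshd\[\d+\]: Server listening on")),
]

def triage_auth_log(text):
    """Return (timestamp, rule, details) for every line matching an indicator."""
    findings = []
    for line in text.splitlines():
        for rule, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append((line[:15], rule, m.groups()))
    return findings

def external_root_logins(findings):
    """Source addresses of root logins that did not come from a private (LAN) range."""
    ips = []
    for _, rule, details in findings:
        if rule == "root_ssh_login":
            ip = ipaddress.ip_address(details[0])
            if not ip.is_private:
                ips.append(str(ip))
    return ips

if __name__ == "__main__":
    found = triage_auth_log(SAMPLE_AUTH_LOG)
    for ts, rule, details in found:
        print(ts, rule, details)
    print("root logins from outside the LAN:", external_root_logins(found))
```

On a real box, replace SAMPLE_AUTH_LOG with the contents of the downloaded auth.log; a root login from outside the LAN followed minutes later by a new UID 0 account is the sequence that settles the "hacked?" question.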

7 Replies

  • A few questions:

    1. What day did you re-install the SSH add-on (i.e. June 18 at 16:05)?

    If this is the date & time, then these entries were created when re-installing the SSH add-on:

    Jun 18 16:05:55 sauron userdel[7059]: delete user `sshd'
    Jun 18 16:05:55 sauron useradd[7060]: new group: name=sshd, GID=101
    Jun 18 16:05:55 sauron useradd[7060]: new user: name=sshd, UID=0, GID=101, home=/home/sshd, shell=/bin/sh
    Jun 18 16:06:01 sauron passwd[7061]: (pam_unix) password changed for sshd
    Jun 18 16:06:01 sauron passwd[7061]: (pam_unix) Password for sshd was changed
    Jun 18 16:06:04 sauron passwd[7062]: (pam_unix) password changed for root
    Jun 18 16:06:04 sauron passwd[7062]: (pam_unix) Password for root was changed


    2. What IP address were you trying to login from (i.e. 79.112.138.182)?
  • dbott67 wrote:
    1. What day did you re-install the SSH add-on (i.e. June 18 at 16:05)?

    If this is the date & time, then these entries were created when re-installing the SSH add-on:

    Not in my life ;)
    If you take a look at your /etc/passwd file, you'll see that the 'sshd' user not only has a completely different homedir but also that he's got a 'nologin' shell. So, yes, TJ is right in that his system was broken into.

    dbott67 wrote:
    2. What IP address were you trying to login from (i.e. 79.112.138.182)?

    I doubt he's from Romania ;)

    Anyway: I'd do a Firmware re-install for most likely a hacked/modified version of the SSH daemon was installed on the system. At least the reloading of the SSH daemon points to that conclusion. Since a "clean start" is easily possible with a firmware re-install, that'd be my choice of action.
    Next I'd opt for picking a better password. And from the log excerpts I'd say checking the /etc/crontab, /etc/cron.d, /etc/cron.daily, /etc/cron.weekly, /etc/cron.hourly and /etc/cron.monthly directories / files for suspicious entries would be in order.

    Also after the re-install check the settings for the sshd user in /etc/passwd and /etc/group. They should look like this:

    readypro:~# grep sshd /etc/passwd
    sshd:x:40:65534::/var/local/:/usr/sbin/nologin
    readypro:~# id sshd
    uid=40(sshd) gid=65534(nogroup) groups=65534(nogroup)

    -Stefan
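To make the post-reinstall check above repeatable, here is an added Python script (not from the thread) that audits a passwd(5) file for the problems visible in the log: a second UID 0 account, an sshd entry with a login shell, and a low-UID system account switched to bash. The constructed samples mirror the compromised state from the log and the expected layout shown above; the UID 99 threshold for system accounts is my assumption.

```python
# Constructed /etc/passwd excerpts. The first mirrors what the log shows the intruder did
# (sshd recreated with UID 0 and a real shell, bin switched to bash); the second is the
# expected layout from the reply above (sshd as uid 40, nogroup, nologin).
COMPROMISED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/bash
sshd:x:0:101::/home/sshd:/bin/sh
"""
CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
sshd:x:40:65534::/var/local/:/usr/sbin/nologin
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Assumption: static system accounts live below UID 100 (Debian convention) and never need bash.
SYSTEM_UID_MAX = 99

def audit_passwd(text):
    """Return a list of (issue, account, detail) tuples for the contents of a passwd(5) file."""
    issues = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            issues.append(("malformed_entry", line, None))
            continue
        name, _, uid, _, _, home, shell = fields
        if uid == "0" and name != "root":
            issues.append(("extra_uid0_account", name, home))
        if name == "sshd" and shell not in NOLOGIN_SHELLS:
            issues.append(("sshd_has_login_shell", name, shell))
        if name != "root" and uid.isdigit() and int(uid) <= SYSTEM_UID_MAX and shell == "/bin/bash":
            issues.append(("system_account_uses_bash", name, shell))
    return issues

def audit_passwd_file(path="/etc/passwd"):
    """Convenience wrapper for running the audit on the live system after the firmware re-install."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())

if __name__ == "__main__":
    for label, content in (("compromised", COMPROMISED_PASSWD), ("clean", CLEAN_PASSWD)):
        print(label, audit_passwd(content) or "no issues")
```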
  • yeah it was fubar'd.

    I'm no expert, but something kept connecting out to various IRC servers in Romania and elsewhere.

    Just had to backup data and defaulted it.
  • Even after defaulting it, please go through the (very basic) checklist I outlined above. Just to make sure there's no residual malware left on the system. And keep a close eye on the NAS for the next couple of days. If possible tell your firewall to block any outgoing connections originating from the ReadyNAS.

    -Stefan
  • So you had SSH enabled. Did you change the default root password? If you don't change the admin user's password, the default will be netgear1, which is too generic to port forward that to the public.
  • chirpa wrote:
    So you had SSH enabled. Did you change the default root password? If you don't change the admin user's password, the default will be netgear1, which is too generic to port forward that to the public.

    Personally I think the "inner workings" of SSH are too abstract for the majority of users:

    "If you enable SSH the password will be your admin password."
    "If you have enabled SSH and changed the default admin password afterwards, the SSH password for root will stay unchanged"
    "If you change the admin password *before* enabling SSH access, the SSH password will be the same as the admin password"
    "If you change the admin password *after* enabling SSH access, the SSH password will remain the same password as it was before"

    I think the "coupling/de-coupling" of the respective passwords isn't clear enough here. I know that there has to be a default somewhere. But for the ... ummm, well ... average user it just isn't obvious that once you have enabled SSH access the password management for "admin" (as used in Frontview) and "root" (as used for SSH access) is de-coupled and that you have to change the root password separately. And yes, if I knew a better way of doing this aside from writing it in 68pt letters on the user's screen, I'd tell you ;) Because on the good side, SSH access is what makes the ReadyNAS great for developers and advanced users, and on the other hand it's a major gateway for breaking into the system. I guess it's a "when the cat is out of the bag, it's out of the bag" situation.

    -Stefan
  • Just a quick FYI for future reference: I would suspect that after your system was hacked, the hacker did an apt-get update; apt-get upgrade, because my NAS hasn't been hacked, but I have done that, and have some similar issues ...

    i.e., the missing moduli file, sshd being reloaded, lots of problems with PAM... That's how I found this post...

    Regards,
    Adam
