Forum Discussion
mgruhn
Sep 05, 2014 (Aspirant)
Port scanning on 22
Has anyone else ever seen a ReadyNAS device port scanning on port 22?
My network administrator shut down access to our NAS because of this kind of scanning on tcp/22. He's assuming the device is compromised, but he's unfamiliar with ReadyNAS devices. From his description, compromise seems likely, though I'd be surprised, because I use a very strong SSH password and have always kept the device updated.
Before I troubleshoot, does anyone know if any of the standard ReadyNAS daemons (e.g., RAIDar) scan on 22?
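The quickest way to confirm or refute the administrator's suspicion from the NAS itself is to look at which local process owns the outbound tcp/22 connections: an interactive ssh session fans out to one host, a scanner to many. The script below is an added example, not part of the post or of NETGEAR's software. It parses `ss -ntp` output; the `SAMPLE_SS` capture is constructed and every address, PID and process name in it is made up, and `ssh_fanout` is the example's own helper.

```shell
#!/bin/sh
# Added example (not from the forum thread): find which local process is
# fanning out to tcp/22 on many distinct hosts, which is what an outbound
# SSH scan looks like when viewed from the NAS itself.
#
# Input is the output of `ss -ntp` (iproute2). The data-row layout assumed here:
#   State Recv-Q Send-Q Local:Port Peer:Port users:(("comm",pid=N,fd=M))
# Run `ss` as root, otherwise the Process column is empty.

# Constructed sample output; these addresses, PIDs and names are made up.
SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB    0      0      192.168.1.20:48212   192.168.1.5:445    users:(("smbd",pid=1188,fd=31))
SYN-SENT 0      1      192.168.1.20:48213   10.0.3.17:22       users:(("perl",pid=2231,fd=5))
SYN-SENT 0      1      192.168.1.20:48214   10.0.3.18:22       users:(("perl",pid=2231,fd=6))
SYN-SENT 0      1      192.168.1.20:48215   10.0.3.19:22       users:(("perl",pid=2231,fd=7))
ESTAB    0      0      192.168.1.20:48216   10.0.3.20:22       users:(("perl",pid=2231,fd=8))
ESTAB    0      0      192.168.1.20:39000   192.168.1.30:22    users:(("ssh",pid=3002,fd=3))'

# ssh_fanout [threshold]: read `ss -ntp` lines on stdin and print one line per
# process that talks to at least <threshold> distinct hosts on tcp/22.
ssh_fanout() {
    awk -v thr="${1:-3}" '
        NR == 1 { next }                         # skip the header row
        {
            peer = $5
            port = peer; sub(/.*:/, "", port)    # text after the last colon (IPv6-safe)
            if (port != "22") next
            host = peer; sub(/:[^:]*$/, "", host)
            proc = $6                            # users:(("comm",pid=N,fd=M)) or empty
            if (proc == "") { pid = "?"; comm = "?" }
            else {
                pid = proc;  sub(/.*pid=/, "", pid);  sub(/,.*/, "", pid)
                comm = proc; sub(/^users:\(\("/, "", comm); sub(/".*/, "", comm)
            }
            key = pid ":" comm
            # count each (process, peer host) pair once, however many sockets it has
            if (!((key, host) in seen)) { seen[key, host] = 1; fanout[key]++ }
        }
        END {
            for (k in fanout)
                if (fanout[k] >= thr) {
                    split(k, f, ":")
                    printf "pid=%s comm=%s distinct_ssh_peers=%d\n", f[1], f[2], fanout[k]
                }
        }'
}

# Stand-alone demo on the constructed sample: only the perl process
# (4 distinct tcp/22 peers) crosses the threshold of 3.
printf '%s\n' "$SAMPLE_SS" | ssh_fanout 3
```

On the NAS, run `ss -ntp | ssh_fanout 5` as root and repeat a few times, since a scanner's half-open SYN-SENT sockets come and go quickly. A process other than `ssh` with a high fan-out is the thing to investigate (and to note its PID and binary path before touching anything). The administrator's upstream block is the right containment in the meantime; `iptables -A OUTPUT -p tcp --dport 22 -j DROP` on the NAS itself does the same, but only if the box is still trusted to enforce it.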
16 Replies
- mgruhn (Aspirant)
xeltros wrote: Officially you can't. Well officially you should have a backup which means that you never lose data because of the reset because you can always pull it from somewhere else.
Unofficially this should be possible but really risky. It would involve SSHing into the box, erasing everything except your data and doing a reinstall (since there is nothing on /, all files should be created). That said, I am not sure that:
1 - the reinstall will be enough for the system to reboot
2 - no data will be erased in the process
3 - the virus/worm will not reinstall itself from the data partition
Isn't that basically the same as doing an OS reinstall? What does the OS reinstall process do, if not recreate all the OS files? I guess I just assumed that's what it does under the hood.
- StephenB (Guru - Experienced User)
An OS reinstall doesn't reinstall all the files; it is more selective. So xeltros' first step might result in an OS reinstall that fails.
There's a 4th risk
4 - if there is a rootkit, it will not be removed.
- xeltros (Apprentice)
An OS reinstall means that it replaces some files; it doesn't delete anything.
The problem with that technique is that I'm not sure if the flash will be erased, and I'm not sure if the OS reinstall will get you a bootable system. It is meant to patch a non-booting NAS so I guess it should but I have not tested it.
Of course, I meant (with a big English mistake ;) ) that the worm could come back. It could be from the DATA partition, the bootloader, the flash or anywhere that has the actual capability to store the worm's data.
See viewtopic.php?p=196365#p196365 if you want to proceed anyway. Given the date it is not for OS6, but Linux (particularly Debian) being a champion when it comes to backward compatibility, it should work. /C is now /data on OS6 I think. But once again, not advised.
I would personally factory reset and wipe the disks; this is the safest method and actually the cleanest too. The fact that you don't want to do it means that you didn't back up the data (if this resource was downtime-critical you would have said so in the first post, and you could have patched things temporarily with iptables because you seem to already have SSH enabled). So I insist, backup is crucial: what if the supposed worm destroyed your files? And that's just an example, I could give you some more quite easily...
- ReadySECURE (Apprentice)
xeltros wrote: It could be from the DATA partition, the bootloader, the flash or anywhere that has the actual capability to store the worm's data.
I personally haven't seen a boot flash infected, since the boot flash is hidden from normal mounting while the unit is in active mode.
- xeltros (Apprentice)
Well, I have a good knowledge of Linux, but my knowledge of the ReadyNAS modifications to the base Debian is quite limited.
As far as I know, the NAS has a flash and it can be accessed while the NAS is running, because when we update, the flash is updated too. There is also some kind of sqlite database that handles some things (I don't know what they are) and of course there are a few commands that are added (rn_shutdown for example), some configuration files are also changed (and placed elsewhere) and of course unused packages are deleted and packages essential for a server are added. Past that, I'm guessing. I considered that if the flash is writeable, then it can host the worm. That said, not many devices have flash, so it would make more sense to have a worm that can infect the maximum number of machines.
- mdgm-ntgr (NETGEAR Employee Retired)
When you do a firmware update you have to reboot. One reason the reboot is required is because the flash is hidden.
Also rn_shutdown and sqlite3 are used by OS6. RAIDiator-x86 4.2.x is different.
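StephenB and xeltros disagree above on what an OS reinstall replaces, and agree that a rootkit may survive it. Before choosing between reinstall and wipe, it helps to see concretely which installed files no longer match what the package manager put on disk: on Debian-based systems dpkg keeps one `/var/lib/dpkg/info/<pkg>.md5sums` manifest per package, and `dpkg -V` or `debsums` compare against it. The script below is an added example of that check, not from the thread, NETGEAR or the dpkg tools; `verify_manifest` and `build_fixture` are the example's own helpers, and the fixture they build is a constructed fake root whose file names and contents are placeholders, not real ReadyNAS files.

```shell
#!/bin/sh
# Added example (not from the forum thread): check installed files against the
# md5 manifests dpkg keeps in /var/lib/dpkg/info/<pkg>.md5sums
# (one line per file: "<md5>  <path relative to />", two spaces).
#
# Caveat: a rootkit that has replaced md5sum, hooked the kernel, or rewritten the
# manifests passes this check. Run it from a trusted rescue system against the
# NAS disk mounted read-only (pass the mount point as ROOT), and prefer manifests
# extracted from a freshly downloaded .deb over the ones found on the suspect disk.

# verify_manifest MANIFEST [ROOT]: print MODIFIED/MISSING lines, return 1 if any.
verify_manifest() {
    manifest=$1
    root=${2:-/}
    status=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        expected=${line%% *}          # hash before the first space
        rel=${line#*  }               # path after the two-space separator
        path=${root%/}/$rel
        if [ ! -f "$path" ]; then
            echo "MISSING  $rel"
            status=1
            continue
        fi
        actual=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $rel"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# build_fixture: create a constructed fake root with a manifest, then tamper with
# it the way a compromise would (one binary replaced, one file deleted).
# Nothing here is a real ReadyNAS or Debian file; the contents are placeholders.
build_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/sbin" "$dir/usr/share/doc/openssh-server" "$dir/var/lib/dpkg/info"
    printf 'pristine sshd (placeholder)\n'   > "$dir/usr/sbin/sshd"
    printf 'pristine helper (placeholder)\n' > "$dir/usr/sbin/sshd-helper"
    printf 'copyright (placeholder)\n'       > "$dir/usr/share/doc/openssh-server/copyright"
    # Record the manifest in dpkg's own format while the files are still pristine
    # (md5sum's "<hash>  <relative path>" output is exactly that format).
    (cd "$dir" && md5sum usr/sbin/sshd usr/sbin/sshd-helper usr/share/doc/openssh-server/copyright) \
        > "$dir/var/lib/dpkg/info/openssh-server.md5sums"
    # Simulated compromise after the manifest was written.
    printf 'trojaned sshd (placeholder)\n' > "$dir/usr/sbin/sshd"
    rm "$dir/usr/share/doc/openssh-server/copyright"
    echo "$dir"
}

# Stand-alone demo: reports the replaced binary and the deleted file,
# leaves the untouched helper alone, and exits non-zero.
FIXTURE=$(build_fixture)
verify_manifest "$FIXTURE/var/lib/dpkg/info/openssh-server.md5sums" "$FIXTURE" || echo "manifest check FAILED"
rm -rf "$FIXTURE"
```

On a real disk, loop over `/var/lib/dpkg/info/*.md5sums` and treat every MODIFIED binary or library as a file a selective reinstall would have to put back; a clean result is not proof of a clean system (see the caveat), but a dirty one settles the question in favour of the wipe that xeltros recommends.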