osilvab
Aspirant
Mar 28, 2018

ReadyNAS 102 strange behaviour

Lately I'm having some issues with my ReadyNAS 102:

 

First, I hear it doing something very often, as if some app or process were running all the time, but I haven't found out what it is.

Second, I'm not able to update the firmware. I have 6.9.2 and it gives "unknown error" when trying to update to 6.9.3.

Third, when I access the admin page the language was changed to Russian.

 

I use my NAS for my local files, but I have an ownCloud running, using a no-ip connection. I have some devices syncing things periodically. But I hear it doing things every minute or so. I'm afraid my system could be under attack.

 

How can I start checking what the NAS is doing?

How could I see why it is not updating the firmware?

 

Thanks a lot!

12 Replies

  • From the log I have found these things:

     

    Thu Mar 8 2018 16:02:25 System: Set locale to ru.

     

    No idea how this happened. There is no other event on that single day.

     

    Thu Mar 22 2018 0:41:44 System: A new firmware version (6.9.3) is available.
    Thu Mar 22 2018 0:41:07 System: ReadyNASOS background service started.
    Thu Mar 22 2018 0:41:00 System: ReadyNASOS service or process was restarted.
    Thu Mar 22 2018 0:28:31 System: Application Gate One NT is installed successfully.
    Thu Mar 22 2018 0:28:08 Account: User 'nastools-gateone' was added.
    Thu Mar 22 2018 0:28:03 Account: Group 'nastools-gateone' was added.

     

     

    Thu Mar 22 2018 1:07:16 System: Application Gate One NT was uninstalled successfully.
    Thu Mar 22 2018 1:07:04 Account: Group 'nastools-gateone' was deleted.
    Thu Mar 22 2018 1:06:57 Account: User 'nastools-gateone' was deleted.

     

    So a user group and a user were created automatically and deleted. Does someone know about that?

     

    And in the last 3 days I'm getting this:

     

    Sat Mar 24 2018 8:00:04 Volume: System volume root's usage is 100%. This condition should not occur under normal conditions. Contact technical support.

     

    Snapshots are running normally
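One way to triage the log lines in the post above, as an added example that is not part of the original thread: it pulls out the security-relevant events (locale change, app and account changes, full root volume) and flags anything that was created and removed again shortly afterwards. The rule set, the function names and the one-hour window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the post above (the firmware notice is left out).
LOG = """\
Thu Mar 8 2018 16:02:25 System: Set locale to ru.
Thu Mar 22 2018 0:41:07 System: ReadyNASOS background service started.
Thu Mar 22 2018 0:41:00 System: ReadyNASOS service or process was restarted.
Thu Mar 22 2018 0:28:31 System: Application Gate One NT is installed successfully.
Thu Mar 22 2018 0:28:08 Account: User 'nastools-gateone' was added.
Thu Mar 22 2018 0:28:03 Account: Group 'nastools-gateone' was added.
Thu Mar 22 2018 1:07:16 System: Application Gate One NT was uninstalled successfully.
Thu Mar 22 2018 1:07:04 Account: Group 'nastools-gateone' was deleted.
Thu Mar 22 2018 1:06:57 Account: User 'nastools-gateone' was deleted.
Sat Mar 24 2018 8:00:04 Volume: System volume root's usage is 100%. This condition should not occur under normal conditions. Contact technical support.
"""

LINE = re.compile(r"^(\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}) (\w+): (.*)$")
# Event types worth a second look; this rule set is an assumption of the example.
RULES = [
    ("locale-change", "System", re.compile(r"Set locale to (\w+)")),
    ("app-install", "System", re.compile(r"Application (.+) is installed successfully")),
    ("app-uninstall", "System", re.compile(r"Application (.+) was uninstalled successfully")),
    ("account-added", "Account", re.compile(r"(?:User|Group) '(.+)' was added")),
    ("account-deleted", "Account", re.compile(r"(?:User|Group) '(.+)' was deleted")),
    ("root-full", "Volume", re.compile(r"System volume (\S+)'s usage is 100%")),
]

def parse(text):
    """Return (timestamp, label, subject) tuples in chronological order."""
    events = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%a %b %d %Y %H:%M:%S")
        for label, category, pattern in RULES:
            hit = pattern.search(m.group(3))
            if hit and m.group(2) == category:
                events.append((ts, label, hit.group(1)))
    return sorted(events)

def short_lived(events, window=timedelta(hours=1)):
    """Apps/accounts that were created and removed again within `window`."""
    opened, flagged = {}, []
    for ts, label, name in events:
        kind = label.split("-")[0]  # 'app' or 'account'
        if label in ("app-install", "account-added"):
            opened.setdefault((kind, name), ts)
        elif label in ("app-uninstall", "account-deleted"):
            start = opened.pop((kind, name), None)
            if start is not None and ts - start <= window:
                flagged.append((kind, name, ts - start))
    return flagged
```
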

  • StephenB
    Guru - Experienced User

    Do you allow your NAS to be accessed over the internet?  If so, how?  (port forwarding, VPN, etc?).

     

    You could disconnect your router from the internet.

     

    Then if you have the skills you can access the NAS using ssh and look at what's going on.  Or you can just back up the files and do a factory default.  That will reformat the drives (including the OS partition), so it will remove any hacks.

     

    After the default, you'll need to reconfigure the NAS, re-load any apps, and restore the files from the backup.

    • osilvab
      Aspirant

      Yes, I have access to the NAS over the internet. The NAS is connected behind the router with the ports forwarded, and I have a DDNS with https://www.noip.com/ to use my domain.

       

      I have some skills, but I don't know what to look for, and I'm not so familiar with the file system of the NAS. I have SSH access locally.

       

      What is this "Application Gate One NT"? Is there any way it was installed by the system itself, or was it certainly someone else who did it? What could that person have done with this?

       

      In case it is needed, is there any way to reformat the OS partition without formatting the drives? I don't have another storage with enough space to back up all that.

       

      • StephenB
        Guru - Experienced User

        What services are listening on the forwarded ports? Also, what firmware are you running?


        osilvab wrote:

         

        What is this "Application Gate One NT"? Is there any way it was installed by the system itself, or was it certainly someone else who did it? What could that person have done with this?

         


        That isn't normally installed.  It appears to be a terminal emulator, and I think in your case it confirms that you have been hacked.  It would give the hacker SSH access over the web interface (port 443).

         

        You should immediately turn off the port forwarding, and if your router gives you the ability to block outbound internet access for specific devices you should block the NAS.  If not, you can try reconfiguring the NAS with a static IP address, and misconfigure the gateway address - that will also prevent outbound internet access.  You might also just consider turning the NAS off for now.

         

        You should assume that all files on the NAS have been accessed by the hacker.  There's a good chance that files on PCs, etc on your local LAN are also compromised (since the hacker could use the NAS to access other equipment on your network).

         


        osilvab wrote:

         

        In case it is needed, is there any way to reformat the OS partition without formatting the drives? I don't have another storage with enough space to back up all that.

        Paid support (my.netgear.com) might be able to clean it.  However, it's very easy to miss stuff (root kits, etc).  So in my opinion you should buy the needed storage (USB drives) right away, back up your data, and then wipe the NAS.  I'd do the backup over the network, and pull the data over from the PC (not push it via a NAS backup job), in order to minimize the chance that the NAS can write something bad onto the USB drives.

         

        Consider zeroing the disks using vendor tools in a Windows PC (Seatools for Seagate, Lifeguard for Western Digital) for extra safety. 
