osilvab
Mar 28, 2018 · Aspirant
ReadyNAS 102 strange behaviour
Lately I'm having some issues with my ReadyNAS 102: First, I hear it is doing something very often, as if some app or process were running all the time, but I haven't found out what it is. S...
StephenB
Mar 28, 2018 · Guru - Experienced User
Do you allow your NAS to be accessed over the internet? If so, how? (port forwarding, VPN, etc?).
You could disconnect your router from the internet.
Then if you have the skills you can access the NAS using ssh and look at what's going on. Or you can just back up the files and do a factory default. That will reformat the drives (including the OS partition), so it will remove any hacks.
After the default, you'll need to reconfigure the NAS, re-load any apps, and restore the files from the backup.
osilvab
Mar 28, 2018 · Aspirant
Yes, I have access to the NAS over the internet. The NAS is connected behind the router with the ports forwarded and I have a DDNS with https://www.noip.com/ to use my domain.
I have some skills, but I don't know what to look for, and I'm not so familiar with the file system of the NAS. I have SSH access locally.
What is this "Application Gate One NT"? Is there any way it was installed by the system itself, or was it certainly someone else who did it? What could that person have done with this?
In case it is needed, is there any way to reformat the OS partition without formatting the drives? I don't have other storage with enough space to back up all that.
- StephenB · Mar 28, 2018 · Guru - Experienced User
What services are listening on the forwarded ports? Also, what firmware are you running?
osilvab wrote:
What is this "Application Gate One NT"? Is there any way it was installed by the system itself, or was it certainly someone else who did it? What could that person have done with this?
That isn't normally installed. It appears to be a terminal emulator, and I think in your case it confirms that you have been hacked. It would give the hacker SSH access over the web interface (port 443).
You should immediately turn off the port forwarding, and if your router gives you the ability to block outbound internet access for specific devices you should block the NAS. If not, you can try reconfiguring the NAS with a static IP address, and misconfigure the gateway address - that will also prevent outbound internet access. You might also just consider turning the NAS off for now.
You should assume that all files on the NAS have been accessed by the hacker. There's a good chance that files on PCs, etc on your local LAN are also compromised (since the hacker could use the NAS to access other equipment on your network).
osilvab wrote:
In case it is needed, is there any way to reformat the OS partition without formatting the drives? I don't have other storage with enough space to back up all that.
Paid support (my.netgear.com) might be able to clean it. However, it's very easy to miss stuff (root kits, etc). So in my opinion you should buy the needed storage (USB drives) right away, back up your data, and then wipe the NAS. I'd do the backup over the network, and pull the data over from the PC (not push it via a NAS backup job), in order to minimize the chance that the NAS can write something bad onto the USB drives.
Consider zeroing the disks using vendor tools in a Windows PC (Seatools for Seagate, Lifeguard for Western Digital) for extra safety.
- osilvab · Mar 28, 2018 · Aspirant
StephenB wrote: What services are listening on the forwarded ports? Also, what firmware are you running?
That isn't normally installed. It appears to be a terminal emulator, and I think in your case it confirms that you have been hacked. It would give the hacker SSH access over the web interface (port 443).
I have to check which ports I have redirected, but they are most probably both required for http and https.
StephenB wrote: You should assume that all files on the NAS have been accessed by the hacker. There's a good chance that files on PCs, etc on your local LAN are also compromised (since the hacker could use the NAS to access other equipment on your network).
I'd do the backup over the network, and pull the data over from the PC (not push it via a NAS backup job), in order to minimize the chance that the NAS can write something bad onto the USB drives.
That doesn't sound good. OK. I will have to do the job. Would it be safe to back up the data from the Snapshots?
How can I be sure that after doing the backup the hacker would not have access? I can't even understand how they got it in the first place.
Thanks a lot for your help.
- StephenB · Mar 28, 2018 · Guru - Experienced User
osilvab wrote: That doesn't sound good. OK. I will have to do the job. Would it be safe to back up the data from the Snapshots?
You can just back them up from the main shares. Make sure there is a real-time virus scanner running on the PC you use to do the backup. You might also want to install malware protection (such as Malwarebytes - taking advantage of their free premium trial).
osilvab wrote:
I have to check which ports I have redirected, but they are most probably both required for http and https.
You need to be very selective on what ports you forward and also ensure that you have appropriate security on the services that listen on those ports.
osilvab wrote:
How can I be sure that after doing the backup the hacker would not have access? I can't even understand how they got it in the first place.
More than likely they guessed your admin password. Another possibility is that they exploited a security issue in the NAS kernel or web server. Netgear includes security updates in their releases, but if you are running old firmware you won't have the most recent ones.
I wouldn't forward HTTP, and it is a bit better to forward https on a secondary port (and not 443). Right now the only port I forward to the NAS is for plex. Everything else requires a VPN connection.
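Added example, not part of the forum posts: one way to answer the question "what services are listening on the forwarded ports?" from an SSH session, by classifying each TCP listener as loopback-only, LAN-only, or reachable through a router port forward. It assumes iproute2's `ss` is available on the NAS; the function names, the sample `ss -tln` output, and the forwarded ports 80 and 443 are constructed for illustration.

```shell
#!/bin/sh
# Classify TCP listeners read from `ss -tln` output on stdin.
# Arguments: the ports forwarded on the router (taken from the router config).
# Live usage over SSH (assumes ss is installed):  ss -tln | classify_listeners 80 443

classify_listeners() {
    forwarded=" $* "                       # space-padded so whole ports match
    awk -v fwd="$forwarded" '
        $1 != "LISTEN" { next }            # skip the header and other states
        {
            local_addr = $4                # e.g. 0.0.0.0:443 or [::]:443
            n = split(local_addr, parts, ":")
            port = parts[n]                # port follows the last colon
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]")
                status = "loopback-only"   # not reachable from the network
            else if (index(fwd, " " port " ") > 0)
                status = "INTERNET-EXPOSED"  # bound to the network and forwarded
            else
                status = "lan-only"        # reachable from the LAN only
            print port, addr, status
        }
    ' | sort -n | uniq
}

# Constructed sample of `ss -tln` output (not captured from a real NAS).
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      50     0.0.0.0:445        0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*
EOF
}

sample_ss_output | classify_listeners 80 443
```

Every line marked INTERNET-EXPOSED is a service whose authentication and patch level matter immediately; anything on that list that is not meant to be public is a forward to remove at the router.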