ReadyNas 3200 hacked
karex (Aspirant), Mar 29, 2015
Hi,
Our ReadyNas 3200 has been hacked to send DoS attacks. The RN is constantly contacting servers in China, and our network was blocked by communications. I stopped it on our firewall. Could you help me: how can I identify and correct it? The log from the firewall is attached.
Thanks, Karel
18:29:53 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47194->120.24.57.79:45000, len 60
18:31:30 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:33 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:39 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:51 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:32:15 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:33:03 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:33:28 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto UDP, 192.168.3.227:123->209.249.181.53:123, len 76
18:33:30 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto UDP, 192.168.3.227:123->206.16.42.153:123, len 76
18:34:39 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
18:34:42 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
18:34:48 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
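Reading the log above from the defender's side, as an added example that is not from the post or from NETGEAR: a Python script that parses these firewall lines, groups the NAS's outbound traffic by destination, and separates genuine connection attempts from SYN retransmits (the same source port logged again a few seconds apart means no SYN-ACK came back, which is what you see once the firewall blocks the destination). The regex, the baseline port set and the watchlist are assumptions; the sample lines are a subset of the log above.

```python
import re
from collections import defaultdict

# Matches the firewall lines quoted in the post (constructed for that format; anything else returns None).
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info \S+ forward: in:\S+ out:\S+, src-mac [0-9a-f:]{17}, "
    r"proto (?P<proto>TCP \(SYN\)|TCP|UDP|ICMP), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len \d+$")

# Ports a NAS is expected to reach on its own (DNS, HTTP/S for updates, NTP); assumed baseline, adjust per site.
EXPECTED_PORTS = {53, 80, 123, 443}
# Constructed sample: a subset of the lines from the post above (120.24.57.79:45000 is the destination it calls out).
SAMPLE_LOG = """\
18:29:53 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47194->120.24.57.79:45000, len 60
18:31:30 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:33 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:33:28 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto UDP, 192.168.3.227:123->209.249.181.53:123, len 76
18:34:39 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
""".splitlines()


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def summarize(lines, watchlist=frozenset()):
    # Group by (dst, dport, proto); "TCP (SYN)" and plain "TCP" collapse into one flow key.
    flows = defaultdict(lambda: {"packets": 0, "src_ports": set()})
    for rec in filter(None, map(parse_line, lines)):
        proto = "TCP" if rec["proto"].startswith("TCP") else rec["proto"]
        f = flows[(rec["dst"], rec["dport"], proto)]
        f["packets"] += 1
        f["src_ports"].add(rec["sport"])
    report = []
    for (dst, dport, proto), f in sorted(flows.items()):
        attempts = len(f["src_ports"])      # each connect() call picks a fresh source port
        retries = f["packets"] - attempts   # same source port seen again = SYN retransmit, nothing answered
        reasons = []
        if dst in watchlist:
            reasons.append("destination on watchlist")
        if dport not in EXPECTED_PORTS:
            reasons.append(f"unexpected destination port {dport}")
        if proto == "TCP" and attempts >= 2 and retries >= 1:
            reasons.append("keeps reconnecting although nothing answers (beaconing)")
        report.append({"dst": dst, "dport": dport, "proto": proto, "attempts": attempts,
                       "retries": retries, "reasons": reasons})
    return report
```

Run `summarize(SAMPLE_LOG, watchlist={"203.214.176.104"})` to see the China destination flagged on two counts while the two NTP queries come out clean; feed it the full firewall export to get the same picture for every destination.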
- StephenB (Guru - Experienced User): The safest way is a factory reset, followed by rebuilding the NAS/restoring from backup. You might want to install the latest beta firmware (4.2.28 T6) as that has a couple of recent security patches.
- karex (Aspirant): I understand; I'm trying to find another solution. I've got a full 12 TB.
- StephenB (Guru - Experienced User):
  karex wrote: I understand; I'm trying to find another solution. I've got a full 12 TB.
  Basically you'd need to ssh into the NAS, figure out what changes were made, and attempt to undo them. You might not find everything that was done.
- karex (Aspirant): Yes, I connected by ssh and now I know what happened: Linux.BackDoor.Gates.5.
  I need the original
  /bin
  /sbin
  /usr/bin
  /usr/sbin
  /etc/init.d
  Could you help me?
- karex (Aspirant): The system is cleaned, I hope. I restored the original files in the directories bin, sbin... The last problem is that after the system starts, some process contacts the server 203.214.176.104 in Malaysia. I catch it at the firewall but can't identify it.
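For the last question (which process on the NAS is opening that connection), an added example that is not part of the thread: over ssh on the box itself, /proc/net/tcp lists every TCP socket with its inode, and the symlinks under /proc/<pid>/fd map an inode back to a pid and its executable, which is what netstat -p or ss -p do under the hood. The /proc/net/tcp sample text and the inode-to-process table below are constructed, and the remote port is assumed.

```python
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "0A": "LISTEN"}  # the states that matter here

def decode_endpoint(field):
    # /proc/net/tcp writes "HEXIP:HEXPORT" with the IP in host byte order (little-endian on x86 and ARM NAS boxes).
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()               # sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
        rows.append({"local": decode_endpoint(cols[1]), "remote": decode_endpoint(cols[2]),
                     "state": TCP_STATES.get(cols[3], cols[3]), "retransmits": int(cols[6], 16),
                     "inode": cols[9]})
    return rows

def socket_owners(proc_root="/proc"):
    # Map socket inode -> (pid, executable) by reading /proc/<pid>/fd/*; run as root to see every process.
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
            for fd in os.listdir(os.path.join(proc_root, pid, "fd")):
                link = os.readlink(os.path.join(proc_root, pid, "fd", fd))
                if link.startswith("socket:["):
                    owners[link[8:-1]] = (int(pid), exe)
        except OSError:  # process exited meanwhile, or we lack permission
            continue
    return owners

def find_connections(net_tcp_text, remote_ip, owners):
    # Every socket talking to remote_ip, joined with its owning process (pid/exe are None if not resolvable).
    hits = []
    for row in parse_proc_net_tcp(net_tcp_text):
        if row["remote"][0] == remote_ip:
            pid, exe = owners.get(row["inode"], (None, None))
            hits.append({**row, "pid": pid, "exe": exe})
    return hits

# Constructed /proc/net/tcp sample: one SYN_SENT socket (2 retransmits) to the Malaysian address named above.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   1: E303A8C0:B4F5 68B0D6CB:AFC8 02 00000001:00000000 01:00000173 00000002     0        0 18822 2 0000000000000000 100 0 0 10 -1
"""
SAMPLE_OWNERS = {"18822": (4711, "/tmp/EXAMPLE-unknown-binary")}  # constructed; placeholder path, not a real name
```

On the live system call `find_connections(open("/proc/net/tcp").read(), "203.214.176.104", socket_owners())` as root; the exe path it returns, plus the matching entry under /etc/init.d or the crontabs, is the persistence to remove.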