
Ready NAS RN42400 reformatted to Flex-RAID and renamed itself BITCOIN

MWALLIS7
Aspirant

ReadyNAS RN42400 firmware 4.2.31; Windows 10 O/S with latest updates; home network.

Security Alert: Woke up Saturday morning to find out my NAS was off-line. Rebooted it and loaded RAIDAR to check the log and instead of a multi-share configuration named "NAS-424" I was confronted with a single-share volume named BITCOIN. Turned off immediately and disconnected from network. My Email alerts read like this:

  • 5:09am NAS-424 Volume: Notice "Volume configuration switched to Flex-RAID."
  • 5:30am NAS-424 Volume: Error "Volume data deletion failed."
  • 5:38am BITCOIN System: Notice "The system is shutting down."

One day when I'm feeling brave/stupid I'll hook it up to an ancient laptop with built-in RJ-45 port and see what the logs say.

My Email folder was stored on the NAS, and I vaguely remember opening a sus-looking Email but I can't find it now after I recovered the folder (story below) - I deleted all the old stuff before I thought to look for it.

Luckily I still have an ancient (2013) Ready NAS Ultra 4 that is somehow still functional that I've been using to make overnight backups of the 424. Looks like I have everything, including all the old folders, filenames, etc. so it's a mess but I'm managing...

The Ultra 4 is acting squirrely also. At first I couldn't even see it in RAIDAR but I remembered that Windows Update resets the CIFS File Sharing support it needs so I had to reenable it, and that may be why it didn't get infected also. Then I accessed the Boot menu and reloaded the BIOS to make sure it wasn't infected. Now when it starts up everything looks fine on front panel and FrontView, but the UPS icon at bottom right corner blinks yellow and reads "Remote error battery charge: 0%, 0min" even though the UPS is at 100%. The Log says it had a "UPS Communication Error" 2 minutes after the 424 shut down so I assume that's the issue. The weird part is that a few times the power light on the NAS went dim after about 5-10 minutes and that error message appeared on the panel, and in FrontView most of the text and graphics were gone from the screen, but I can still access the shares using the "Browse" button on the RAIDAR page. So far today I've had it fired up for almost an hour with no probs.

So far I've contacted ASUS and they issued a brand new router firmware, I've changed the passwords on all my financial accounts (and router), notified my bank to be on the lookout, and this afternoon I have an appointment at Xfinity to see if I can get a new external IP address. Fun times...
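The alert-mail sequence quoted in this post, parsed and scored as an added example (not from the poster or NETGEAR): it takes alert lines laid out like the three above, flags a hostname that no longer matches the device's configured name and any message about the volume being reconfigured or wiped, and returns whether the box should be pulled off the network. The line layout, the sample lines (including one benign backup line) and the list of message fragments are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input modelled on the three alert mails quoted in the
# post, plus one benign line (the 4:05 am pull backup the poster mentions).
SAMPLE_ALERTS = [
    '4:05am NAS-424 Backup: Notice "Backup job completed."',
    '5:09am NAS-424 Volume: Notice "Volume configuration switched to Flex-RAID."',
    '5:30am NAS-424 Volume: Error "Volume data deletion failed."',
    '5:38am BITCOIN System: Notice "The system is shutting down."',
]

# Assumed layout: <time> <hostname> <component>: <level> "<message>"
ALERT_RE = re.compile(
    r'^(?P<time>\d{1,2}:\d{2}(?:am|pm))\s+(?P<host>\S+)\s+(?P<component>\w+):\s+'
    r'(?P<level>\w+)\s+"(?P<message>[^"]*)"$'
)

# Message fragments that mean the volume is being reconfigured or wiped
# (assumed wording; extend to match the alerts your firmware emits).
DESTRUCTIVE_FRAGMENTS = (
    "volume configuration switched",
    "volume data deletion",
    "volume destroyed",
    "factory default",
)


@dataclass
class Alert:
    time: str
    host: str
    component: str
    level: str
    message: str


def parse_alerts(lines):
    """Parse alert lines; lines that do not fit the assumed layout are skipped."""
    alerts = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(Alert(**m.groupdict()))
    return alerts


def find_indicators(alerts, expected_host):
    """Return findings: a hostname that no longer matches the expected name,
    and any destructive volume message, each tagged with the alert time."""
    findings = []
    for a in alerts:
        if a.host != expected_host:
            findings.append({"time": a.time, "kind": "hostname",
                             "detail": f"expected {expected_host}, saw {a.host}"})
        text = a.message.lower()
        if any(frag in text for frag in DESTRUCTIVE_FRAGMENTS):
            findings.append({"time": a.time, "kind": "volume",
                             "detail": f"{a.component} {a.level}: {a.message}"})
    return findings


def assess(lines, expected_host):
    """Parse, scan, and say whether the NAS should be isolated from the network."""
    alerts = parse_alerts(lines)
    findings = find_indicators(alerts, expected_host)
    return {"alerts": len(alerts), "findings": findings, "isolate": bool(findings)}


if __name__ == "__main__":
    result = assess(SAMPLE_ALERTS, "NAS-424")
    for f in result["findings"]:
        print(f"{f['time']} {f['kind']}: {f['detail']}")
    print("isolate:", result["isolate"])
```

The hostname check is the cheap one: a NAS does not rename itself, so the first alert carrying an unexpected sender name is enough on its own to justify unplugging the box, before the volume messages are even read.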

StephenB
Guru

Re: Ready NAS RN42400 reformatted to Flex-RAID and renamed itself BITCOIN

Ouch. Hopefully you've gotten all the accounts secured with no downstream issues. The good news is that your backup plan saved your data.

@MWALLIS7 wrote:

but I remembered that Windows Update resets the CIFS File Sharing support it needs so I had to reenable it, and that may be why it didn't get infected also.

FWIW, I keep all file sharing protocols turned off on my backup NAS for precisely this reason (and use "pull" rsync backup). The backup NAS are also on a power schedule (in part because they can't get infected when turned off).

@MWALLIS7 wrote:

Security Alert: Woke up Saturday morning to find out my NAS was off-line. Rebooted it and loaded RAIDAR to check the log and instead of a multi-share configuration named "NAS-424" I was confronted with a single-share volume named BITCOIN. Turned off immediately and disconnected from network. My Email alerts read like this:

  • 5:09am NAS-424 Volume: Notice "Volume configuration switched to Flex-RAID."
  • 5:30am NAS-424 Volume: Error "Volume data deletion failed."
  • 5:38am BITCOIN System: Notice "The system is shutting down."

I am wondering if any other devices were infected (for instance a PC)? Were you forwarding ports in the router to the NAS?

Sandshark
Sensei

Re: Ready NAS RN42400 reformatted to Flex-RAID and renamed itself BITCOIN

Problems like that are more likely caused by an infected PC being used as a gateway to the NAS than malware in the NAS itself. But yours is an unusual situation in that it's unlikely that a malware bot could accomplish that, so it means somebody probably did it interactively.

Do you have ReadyCloud enabled? Is it possible somebody hacked that account? Or do you share with somebody who may have thought they were doing that on another NAS?

MWALLIS7
Aspirant

Re: Ready NAS RN42400 reformatted to Flex-RAID and renamed itself BITCOIN

My network is for home use, I live alone, and no one else has access to it.

At one time I set up a share to serve a web site (HTML files) with the outside world, but I thought I disabled that capability a couple of months ago. I seem to remember that I used to be able to type in my WAN IP and it would re-direct to the web share, and when I did that after disabling the feature the redirect failed. I could be wrong because f*ck COVID memory probs.

Among the many things that I recovered from my backup NAS were all my configuration note files, and I color code all settings in RED so I know when I make a change from default. Here's what my RAIDiator configuration notes say:

  • System | Settings | Services | UPnP - "Are you sure you want to disable this service" (which ReadyCLOUD depends on) is set to NO (default)
  • System | Settings | Services | HTTP - has "Enable HTTP Admin" checked (default) and I personally redirected access to the share containing my web site.
  • System | Settings | Services | Antivirus - is enabled (by me)
  • Shares | Shares - the settings for the web-file share show:
    • Network Access - SMB is ON (default)
    • Network Access - HTTP is ON (by me) with "Security Default Access" set to "Read/Write" (by me) with "Security" with all "Read/Write" boxes checked (default). The ON is coded in red to indicate it was a change I made from the default setting, and I must not have paid attention to the default security settings because it appears I should have set security for everyone to "Read only".
    • File Access | Security - is set to "Everyone - Read Only" (default) and the others are set to "Read/Write" by default. This is odd because if "Everyone" is set to "Read Only" it implies the other boxes should all be set to "Read only" as well, or grayed out.

Here are the notes for my router (ASUS RT-N66R):

  • Port forwarding is set up for eMule and uTorrent, which I rarely use anymore.
    • Local port 46223 is set to TCP protocol
    • Local port 9257 is set to UDP protocol
    • Local port 49999 is set to TCP & UDP
  • Password access is enabled (and I changed my password after incident)

I could have sworn I had to make some setting changes in the Router to enable the re-direct, but I can't see anything to indicate that. Maybe I reset the defaults when I disabled access.

MWALLIS7
Aspirant

Re: Ready NAS RN42400 reformatted to Flex-RAID and renamed itself BITCOIN

Back in the stone age I lost my Master's thesis to file corruption after a power shortage, so ever since then I've been paranoid about backups. Luckily I had a fresh printout of the thesis so I just typed it back in.

Rsync backups were configured on backup NAS to be "pulled" every day at 4:05 am.

My laptop was turned off from about 1am to 10am, while the event happened at 5am. I ran a virus scan with free Malwarebytes shortly after I figured out what was going on.

Here are my comments on port-forwarding in reply to sandshark (which also include notes on file-sharing):

  • Port forwarding is set up for eMule and uTorrent, which I rarely use anymore.
    • Local port 46223 is set to TCP protocol
    • Local port 9257 is set to UDP protocol
    • Local port 49999 is set to TCP & UDP
  • Password access is enabled (and I changed my password after incident)
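A rule-based pass over the share and port-forward notes from messages 4 and 5, as an added example that is not the poster's or NETGEAR's code: it flags an HTTP-exposed share whose Everyone access is Read/Write, a Read/Write default access on that share, stale forwards that are no longer in use, and any forward that lands on a NAS service port, and produces the hardened share settings beside the original ones. The dict layout, the `target` and `in_use` fields and the NAS port table are assumptions.

```python
# Ports a NAS typically listens on; a router forward to one of these on the NAS
# exposes the device itself to the internet. Generic table, assumed, not from the thread.
NAS_SERVICE_PORTS = {22: "ssh", 80: "http", 443: "https", 445: "smb", 873: "rsync"}

# Mirrors the web-file share notes in message 4; the dict layout is an assumption.
SHARE_NOTES = {
    "name": "web-files",
    "smb": True,
    "http": True,
    "http_default_access": "Read/Write",
    "everyone_access": "Read/Write",
}

# Mirrors the router notes; 'target' and 'in_use' are constructed fields
# (the poster says the forwards are for eMule/uTorrent and rarely used).
PORT_FORWARDS = [
    {"port": 46223, "proto": "TCP", "target": "pc", "in_use": False},
    {"port": 9257, "proto": "UDP", "target": "pc", "in_use": False},
    {"port": 49999, "proto": "TCP/UDP", "target": "pc", "in_use": False},
]


def audit_share(share):
    """Return (severity, message) findings for one share's access settings."""
    findings = []
    if share["http"]:
        if share["everyone_access"] == "Read/Write":
            findings.append(("high",
                f"{share['name']}: HTTP is on and Everyone has Read/Write, so anyone "
                f"who can reach the HTTP port can modify or delete the share"))
        if share["http_default_access"] == "Read/Write":
            findings.append(("medium",
                f"{share['name']}: HTTP default access is Read/Write; new users "
                f"inherit write access without an explicit decision"))
    return findings


def harden_share(share):
    """Copy of the share with HTTP off and all HTTP access reduced to Read Only."""
    fixed = dict(share)
    fixed["http"] = False
    fixed["everyone_access"] = "Read Only"
    fixed["http_default_access"] = "Read Only"
    return fixed


def audit_forwards(forwards):
    """Return (severity, message) findings for router port forwards."""
    findings = []
    for fw in forwards:
        if fw["target"] == "nas" and fw["port"] in NAS_SERVICE_PORTS:
            findings.append(("high",
                f"port {fw['port']}/{fw['proto']} forwards {NAS_SERVICE_PORTS[fw['port']]} "
                f"on the NAS to the internet; remove it"))
        if not fw["in_use"]:
            findings.append(("low",
                f"port {fw['port']}/{fw['proto']} to {fw['target']} is no longer used; "
                f"remove the stale forward"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_share(SHARE_NOTES) + audit_forwards(PORT_FORWARDS):
        print(f"[{sev}] {msg}")
    print("after hardening:", audit_share(harden_share(SHARE_NOTES)))
```

The forwards in the thread all point at a PC rather than the NAS, which is why they only rate "low" here; the point of the `target` field is that a forward to the NAS on one of the service ports would be the finding that matters most.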