
Following OS6.2.1 update LAN / WAN issues

jimbo123
Aspirant

I had thought that the problem was the one discussed at http://www.readynas.com/forum/viewtopic.php?f=65&t=79118&sid=0b9830fdba963be84363284497f3397d&start=75; however, this appears not to be the case.

I first noticed that the internet had gone down and was just making sure it wasn't anything in the property causing the router (BT HomeHub 4) to crash. I could still access items on the LAN but not the router itself, which was not even responding to pings, though it was still routing traffic. I can still access both the web UI and SSH after the router crashes. All Ethernet traffic is routed through a SamKnows box before the router.

I tried the backup TP-LINK TD-8817, but both crash moments after my RN102 (6.21 Final) is turned on. Some analysis of the traffic revealed huge amounts of traffic to various external IP addresses (currently all appear to be cloud providers).

I was having trouble finding out which program was sending the packets outwards and causing the router to crash, so I used tcpdump to watch for the packets and ran -

root@nas:~# lsof -i TCP:10000-50000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ndagubygi 1145 root 3u IPv4 11960 0t0 TCP nas:36296->162.211.182.121:2833 (ESTABLISHED)
upnphttpd 1821 daemon 3w IPv4 6345 0t0 TCP *:webmin (LISTEN)
curl 3341 root 5u IPv4 11982 0t0 TCP nas:36764->206.16.42.185:https (ESTABLISHED)


The NAS uses random ports for every packet sent. I checked the port against the IP and sure enough the IP was being bombarded by the NAS, which was sending packets to it from various ports. I attempted to check what exactly the process was or what its purpose is, but even Google seems lost.


root@nas:~# ls -l /proc/1145/exe
lrwxrwxrwx 1 root root 0 Dec 23 18:56 /proc/1145/exe -> /boot/ndagubygih


Any ideas on what this process is and what I can do to stop it bombarding random websites with empty TCP packets?
StephenB
Guru

Re: Following OS6.2.1 update LAN / WAN issues

I'm not seeing ndagubygi on my RN102.
mdgm-ntgr
NETGEAR Employee Retired

Re: Following OS6.2.1 update LAN / WAN issues

Do you have any ports forwarded to your NAS?
chirpa
Luminary

Re: Following OS6.2.1 update LAN / WAN issues

You've likely got a rootkit installed on your NAS.
jimbo123
Aspirant

Re: Following OS6.2.1 update LAN / WAN issues

mdgm wrote:
Do you have any ports forwarded to your NAS?


No ports forwarded and no UPnP enabled on the router. I forgot to add on the other forum that I have no other apps running apart from Anti-Virus Plus (checked this in htop as well - no sign of any other installed app running).

chirpa wrote:
You've likely got a rootkit installed on your NAS.


Given the likely implications if there is a rootkit installed, would any moderator want to take a look at it before I wipe the NAS?
mdgm-ntgr
NETGEAR Employee Retired

Re: Following OS6.2.1 update LAN / WAN issues

Do you have a backup of your data?
jimbo123
Aspirant

Re: Following OS6.2.1 update LAN / WAN issues

mdgm wrote:
Do you have a backup of your data?


The data I need is backed up off site, the MD5sums have been checked and the documents do not appear to have been altered. The rest of the data is all media and can be easily replaced.

I have just run RKHunter and it came back with the following -

[11:11:49] System checks summary
[11:11:49] =====================
[11:11:49]
[11:11:49] File properties checks...
[11:11:49] Required commands check failed
[11:11:50] Files checked: 126
[11:11:50] Suspect files: 0
[11:11:50]
[11:11:50] Rootkit checks...
[11:11:50] Rootkits checked : 267
[11:11:50] Possible rootkits: 1
[11:11:50]
[11:11:50] Applications checks...
[11:11:50] Applications checked: 4
[11:11:50] Suspect applications: 0
[11:11:50]
[11:11:50] The system checks took: 3 minutes and 37 seconds
[11:11:50]
[11:11:50] Info: End date is Wed Dec 24 11:11:50 WET 2014


The possible rootkit appears to be a false negative due to an early part of the test failing. I can email over the complete log if needed.

I have just been exploring the /boot folder to check what else is in there apart from the object identified yesterday. There are multiple files in there, all with apparently random file names -

root@nas:/# cd boot
root@nas:/boot# ls
dgilyydlff hfoiqmgiuf ikzyxanjay mjntkohmfq pvcfncudct rylomtamis tjqyhdntwa
exnkoixahd ieugwzyxzn inwwcpsfnt ndagubygih qphejjhrwp sczlddtuwn wlkwajhvrw
fzokpyuciw igtdbjjjox lyarglvtqd pmctrpysah qukhjkjmdj sibhejtroq xnsxvdaipy


Are any of these supposed to be present within the boot folder? I will carry on looking into the problem as best I can at this end. I am unplugging the modem whilst performing checks to ensure no data is going outwards, which is slowing the process, but better safe than sorry.
mdgm-ntgr
NETGEAR Employee Retired

Re: Following OS6.2.1 update LAN / WAN issues

The /boot directory should be empty.
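As an added example (not code from the thread or from NETGEAR), the following POSIX sh script automates the triage steps used above: it pairs ESTABLISHED sockets from /proc/net/tcp with their owning PIDs, resolves each binary through /proc/PID/exe as the readlink step did, flags anything running out of /boot (which mdgm says should be empty), and lists /boot, marking ten-letter lowercase names like those in the listing as a rough heuristic. It assumes a little-endian Linux host with /proc mounted; the function names are my own.

```shell
#!/bin/sh
# Added triage helper: pair live TCP connections with their binaries and
# audit /boot, which should be empty on this NAS. Assumes little-endian Linux.

# /proc/net/tcp prints addresses as little-endian hex, e.g. "79B6D3A2:0B11".
# Convert to dotted form: "162.211.182.121:2833".
hexaddr_to_ip() {
    hex=${1%%:*}; port=${1##*:}
    o4=${hex%??????}; rest=${hex#??}   # first hex pair is the last octet
    o3=${rest%????};  rest=${rest#??}
    o2=${rest%??};    o1=${rest#??}
    printf '%d.%d.%d.%d:%d\n' $((0x$o1)) $((0x$o2)) $((0x$o3)) $((0x$o4)) $((0x$port))
}

# Heuristic taken from the listing above: exactly ten lowercase letters.
looks_random() {
    case $1 in
        ??????????) case $1 in *[!a-z]*) return 1 ;; esac; return 0 ;;
    esac
    return 1
}

# For every ESTABLISHED socket (state 01), find the PID holding it, print the
# remote peer and the real binary behind the process, and flag /boot binaries.
scan_established() {
    awk 'NR > 1 && $4 == "01" { print $10, $3 }' /proc/net/tcp |
    while read -r inode raddr; do
        for fd in /proc/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            pid=${fd#/proc/}; pid=${pid%%/*}
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
            printf 'pid=%s exe=%s remote=%s\n' "$pid" "$exe" "$(hexaddr_to_ip "$raddr")"
            case $exe in /boot/*) echo "  !! binary runs from /boot" ;; esac
        done
    done
}

# List whatever sits in /boot (or the directory given), marking random-looking names.
check_boot() {
    dir=${1:-/boot}
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        if looks_random "${f##*/}"; then echo "$f  (random-looking name)"; else echo "$f"; fi
    done
}
```

Note that lsof truncates the command name to nine characters, which is why the thread shows ndagubygi while /proc/1145/exe points at ndagubygih; the exe link, not the command column, is the thing to trust.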
jimbo123
Aspirant

Re: Following OS6.2.1 update LAN / WAN issues

mdgm wrote:
The /boot directory should be empty.


So delete the files? I am really not sure on the next step; if it is a rootkit then a factory reset would seem the best option, but if there is another cause I would like to get to the bottom of that.
mdgm-ntgr
NETGEAR Employee Retired

Re: Following OS6.2.1 update LAN / WAN issues

Rootkits can be very difficult to remove, so yes, a factory default would probably be best.
jimbo123
Aspirant

Re: Following OS6.2.1 update LAN / WAN issues

mdgm wrote:
Rootkits can be very difficult to remove, so yes a factory default would probably be best.


Okay thank you for the help in the matter, I will get to performing the factory reset.