
Re: ReadyNAS 102 strange behaviour

osilvab
Aspirant

ReadyNAS 102 strange behaviour

Lately I'm having some issues with my ReadyNAS 102:

First, I hear it is doing something very often, as if some app or process were running all the time, but I haven't found out what it is.

Second, I'm not able to update the firmware. I have 6.9.2 and it gives "unknown error" when trying to update to 6.9.3.

Third, when I access the admin page the language was changed to Russian.

 

I use my NAS for my local files, but I have an owncloud running, using a no-ip connection. I have some devices syncing things periodically. But I hear it doing things every minute or so. I'm afraid my system could be under attack.

How can I start checking what the NAS is doing?

How could I see why it is not updating the firmware?

 

Thanks a lot!

Model: RN10223D|ReadyNAS 100 Series 2- Bay (2x 3TB Desktop)
Message 1 of 13
osilvab
Aspirant

Re: ReadyNAS 102 strange behaviour

From the log I have found these things:

Thu Mar 8 2018 16:02:25 System: Set locale to ru.

No idea how this happened. There is no other event on that single day.

 

Thu Mar 22 2018 0:41:44 System: A new firmware version (6.9.3) is available.
Thu Mar 22 2018 0:41:07 System: ReadyNASOS background service started.
Thu Mar 22 2018 0:41:00 System: ReadyNASOS service or process was restarted.
Thu Mar 22 2018 0:28:31 System: Application Gate One NT is installed successfully.
Thu Mar 22 2018 0:28:08 Account: User 'nastools-gateone' was added.
Thu Mar 22 2018 0:28:03 Account: Group 'nastools-gateone' was added.

 

 

Thu Mar 22 2018 1:07:16 System: Application Gate One NT was uninstalled successfully.
Thu Mar 22 2018 1:07:04 Account: Group 'nastools-gateone' was deleted.
Thu Mar 22 2018 1:06:57 Account: User 'nastools-gateone' was deleted.

 

So a user group and a user were created automatically and deleted. Does someone know about that?

And in the last 3 days I'm getting this:

Sat Mar 24 2018 8:00:04 Volume: System volume root's usage is 100%. This condition should not occur under normal conditions. Contact technical support.

Snapshots are running normally.

Message 2 of 13
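A defender-side triage of log entries in the format quoted above, added here as an example and not part of the original thread or of ReadyNAS OS: it parses each entry and flags a locale change, account creation or deletion, installation of an app outside an assumed allowlist, an app uninstall, and a full root volume. The expected locale, the app allowlist and the sample log are constructed assumptions.

```python
import re
from datetime import datetime

# ReadyNAS OS 6 log entries as quoted in this thread: "<weekday month day year h:mm:ss> <Category>: <message>"
LOG_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}) (?P<cat>\w+): (?P<msg>.*)$")
APP_RE = re.compile(r"^Application (?P<app>.+?) (?P<act>is installed|was uninstalled) successfully\.$")
ACCT_RE = re.compile(r"^(?P<kind>User|Group) '(?P<name>[^']+)' was (?P<act>added|deleted)\.$")
LOCALE_RE = re.compile(r"^Set locale to (?P<loc>\w+)\.$")
# Hypothetical baseline for this NAS: the owner's locale and the apps they installed themselves.
EXPECTED_LOCALE = "en"
EXPECTED_APPS = {"ownCloud"}

# Constructed sample: the events the poster quoted from the NAS log, in time order.
SAMPLE_LOG = """\
Thu Mar 8 2018 16:02:25 System: Set locale to ru.
Thu Mar 22 2018 0:28:03 Account: Group 'nastools-gateone' was added.
Thu Mar 22 2018 0:28:08 Account: User 'nastools-gateone' was added.
Thu Mar 22 2018 0:28:31 System: Application Gate One NT is installed successfully.
Thu Mar 22 2018 0:41:44 System: A new firmware version (6.9.3) is available.
Thu Mar 22 2018 1:06:57 Account: User 'nastools-gateone' was deleted.
Thu Mar 22 2018 1:07:16 System: Application Gate One NT was uninstalled successfully.
Sat Mar 24 2018 8:00:04 Volume: System volume root's usage is 100%. This condition should not occur under normal conditions. Contact technical support.
"""

def parse_line(line):
    """Return (timestamp, category, message), or None if the line is not a log entry."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%a %b %d %Y %H:%M:%S"), m.group("cat"), m.group("msg")

def triage(log_text):
    """Return (timestamp, kind, detail) for events nobody administering the NAS expects."""
    findings = []
    for ts, cat, msg in filter(None, map(parse_line, log_text.splitlines())):
        if cat == "System" and (m := LOCALE_RE.match(msg)) and m.group("loc") != EXPECTED_LOCALE:
            findings.append((ts, "locale-change", m.group("loc")))
        elif cat == "System" and (m := APP_RE.match(msg)):
            if m.group("act") == "was uninstalled":  # removal of a tool can be track-covering
                findings.append((ts, "app-uninstalled", m.group("app")))
            elif m.group("app") not in EXPECTED_APPS:
                findings.append((ts, "unexpected-app-install", m.group("app")))
        elif cat == "Account" and (m := ACCT_RE.match(msg)):
            findings.append((ts, "account-" + m.group("act"), m.group("kind") + " " + m.group("name")))
        elif cat == "Volume" and "usage is 100%" in msg:  # a full root volume can stop further logging
            findings.append((ts, "root-volume-full", msg.split(".")[0]))
    return sorted(findings)
```

Routine entries such as the firmware-available notice produce no finding, so the output is the short timeline a responder actually needs to read.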
StephenB
Guru

Re: ReadyNAS 102 strange behaviour

Do you allow your NAS to be accessed over the internet? If so, how? (port forwarding, VPN, etc.?)

 

You could disconnect your router from the internet.

 

Then if you have the skills you can access the NAS using ssh and look at what's going on.  Or you can just back up the files and do a factory default.  That will reformat the drives (including the OS partition), so it will remove any hacks.

 

After the default, you'll need to reconfigure the NAS, re-load any apps, and restore the files from the backup.

Message 3 of 13
osilvab
Aspirant

Re: ReadyNAS 102 strange behaviour

Yes, I have access to the NAS over the internet. The NAS is connected behind the router with the ports forwarded, and I have a DDNS with https://www.noip.com/ to use my domain.

I have some skills, but I don't know what to look for, and I'm not so familiar with the file system of the NAS. I have SSH access locally.

What is this "Application Gate One NT"? Is there any way it was installed by the system itself, or was it certainly someone else who did it? What could that person have done with this?

In case it is needed, is there any way to reformat the OS partition without formatting the drives? I don't have other storage with enough space to back up all that.

 

Message 4 of 13
StephenB
Guru

Re: ReadyNAS 102 strange behaviour

What services are listening on the forwarded ports? Also, what firmware are you running?


@osilvab wrote:

 

What is this "Application Gate One NT"? Is there any way it was installed by the system itself, or was it certainly someone else who did it? What could that person have done with this?

 


That isn't normally installed.  It appears to be a terminal emulator, and I think in your case it confirms that you have been hacked.  It would give the hacker SSH access over the web interface (port 443).

 

You should immediately turn off the port forwarding, and if your router gives you the ability to block outbound internet access for specific devices you should block the NAS.  If not, you can try reconfiguring the NAS with a static IP address, and misconfigure the gateway address - that will also prevent outbound internet access.  You might also just consider turning the NAS off for now.

 

You should assume that all files on the NAS have been accessed by the hacker.  There's a good chance that files on PCs, etc on your local LAN are also compromised (since the hacker could use the NAS to access other equipment on your network).

 


@osilvab wrote:

 

In case it is needed, is there any way to reformat the OS partition without formatting the drives? I don't have other storage with enough space to back up all that.

Paid support (my.netgear.com) might be able to clean it.  However, it's very easy to miss stuff (root kits, etc).  So in my opinion you should buy the needed storage (USB drives) right away, back up your data, and then wipe the NAS.  I'd do the backup over the network, and pull the data over from the PC (not push it via a NAS backup job), in order to minimize the chance that the NAS can write something bad onto the USB drives.

 

Consider zeroing the disks using vendor tools in a Windows PC (Seatools for Seagate, Lifeguard for Western Digital) for extra safety. 

Message 5 of 13
osilvab
Aspirant

Re: ReadyNAS 102 strange behaviour


@StephenB wrote:

What services are listening on the forwarded ports? Also, what firmware are you running?

 

That isn't normally installed.  It appears to be a terminal emulator, and I think in your case it confirms that you have been hacked.  It would give the hacker SSH access over the web interface (port 443).

 


I have to check which ports I have redirected, but most probably they are the ones required for both http and https.

 


@StephenB wrote:

You should assume that all files on the NAS have been accessed by the hacker.  There's a good chance that files on PCs, etc on your local LAN are also compromised (since the hacker could use the NAS to access other equipment on your network).

 

I'd do the backup over the network, and pull the data over from the PC (not push it via a NAS backup job), in order to minimize the chance that the NAS can write something bad onto the USB drives.

 

That doesn't sound good. OK, I will have to do the job. Would it be safe to back up the data from the snapshots?

How can I be sure that after doing the backup the hacker would not have access? I can't even understand how they got it in the first place.

Thanks a lot for your help.

Message 6 of 13
StephenB
Guru

Re: ReadyNAS 102 strange behaviour


@osilvab wrote:

That doesn't sound good. OK, I will have to do the job. Would it be safe to back up the data from the snapshots?

 

You can just back them up from the main shares. Make sure there is a real-time virus scanner running on the PC you use to do the backup. You might also want to install malware protection (such as Malwarebytes, taking advantage of their free premium trial).

 


@osilvab wrote:


I have to check which ports I have redirected, but most probably they are the ones required for both http and https.

 

You need to be very selective on what ports you forward and also ensure that you have appropriate security on the services that listen on those ports.

 


@osilvab wrote:

How can I be sure that after doing the backup the hacker would not have access? I can't even understand how they got it in the first place.

 


More than likely they guessed your admin password.  Another possibility is that they exploited a security issue in the NAS kernel or web server.  Netgear includes security updates in their releases, but if you are running old firmware you won't have the most recent ones.

 

I wouldn't forward HTTP, and it is a bit better to forward https on a secondary port (and not 443).  Right now the only port I forward to the NAS is for plex.  Everything else requires a VPN connection.

Message 7 of 13
mdgm-ntgr
NETGEAR Employee Retired

Re: ReadyNAS 102 strange behaviour

I agree that you've been hacked and that you've port forwarded more than you should have.

 

I would disable the port forwarding and make sure you have a good backup of your data that you've verified, do a factory default (wipes all data, settings, everything) and restore your data from backup.

Message 8 of 13
osilvab
Aspirant

Re: ReadyNAS 102 strange behaviour

Thanks, I already disabled the port forwarding and did a reinstall of the OS.

I'm planning to do the factory reset as soon as I get a full backup. I don't have a backup of a few folders.

I'm not an expert on this and would like to ask something. You both suggest that I have opened more ports than needed; what would you have done differently? I was interested in having internet access to my NAS for the owncloud, and I have many devices using the files on the owncloud, including my mobile.

How can I keep the same functionality and avoid an attack like this in the future?

 

Message 9 of 13
StephenB
Guru

Re: ReadyNAS 102 strange behaviour


@osilvab wrote:

Thanks, I already disabled the port forwarding and did a reinstall of the OS.

 

 


Make sure you also manually uninstall the packages we discussed over PM.  Even with port forwarding disabled, those packages can allow someone to access your NAS over the internet.  That's because the NAS can still make outbound connections through your router, unless you take steps to block that.

 

Alternatively, disconnect your router from the internet until you complete the backup and do the factory reset.

 


@osilvab wrote:

I was interested in having internet access to my NAS for the owncloud, and I have many devices using the files on the owncloud, including my mobile.

How can I keep the same functionality and avoid an attack like this in the future?

 


What ports did you forward?  If you need to forward 443, it is important to use a strong admin password.  It'd be wise to change that password periodically (every couple of months).  If you need to forward port 80, you should go to system->settings->services and disable admin access via http.  You'll still be able to use the web admin interface through https (port 443).

 

Are you using owncloud simply for your own use?  Or are you using it to share files with friends/family?

 

If you just want remote access for your own devices, then a VPN is a better way to go. OpenVPN is built into many routers (including Nighthawk), though some older Nighthawks might not support iOS or Android, so you should confirm that you get the right version using the home networking forum here. It is possible to install ZeroTier on the NAS. There are apps for both of these for iOS, Android, Windows, and Mac. Both ZeroTier and OpenVPN are free, and neither requires port forwarding.

 

Resilio Sync is another possibility, if you are specifically interested in mobile device access. It can be set up to back up photos and videos on your mobile devices to the NAS, and it can also give you read-only selective sync to NAS shares.  You then can download a file remotely, and open it in the desired mobile app.  Though you might find that works better if you run it on an always-on PC (sharing folders on the NAS).  No port forwarding is needed.

 

Another option is to use ReadyCloud, which has similar features to Owncloud but doesn't require port forwarding.  Though lots of folks here have found ReadyCloud to be problematic (issues with performance, and bugs).

Message 10 of 13
osilvab
Aspirant

Re: ReadyNAS 102 strange behaviour


@StephenB wrote:

Make sure you also manually uninstall the packages we discussed over PM.  Even with port forwarding disabled, those packages can allow someone to access your NAS over the internet.  That's because the NAS can still make outbound connections through your router, unless you take steps to block that.

Yes, I uninstalled all those packages. I also ran Malwarebytes on the devices on the LAN and didn't find anything.

 


@StephenB wrote:
What ports did you forward?  If you need to forward 443, it is important to use a strong admin password.  It'd be wise to change that password periodically (every couple of months).  If you need to forward port 80, you should go to system->settings->services and disable admin access via http.  You'll still be able to use the web admin interface through https (port 443).

Are you using owncloud simply for your own use?  Or are you using it to share files with friends/family?


The ports I had open were 80, 443 and 3306 for owncloud. I use it for my own data (file storage, calendar, etc.); others at home also use it, and also other relatives away from home.

This brings me to another topic, and it's the SSL certificate. I had a Let's Encrypt certificate running, but in some update it stopped renewing and I couldn't generate a new one any more. Since that moment the https connections gave the certificate warning, and I guess it was also creating a vulnerability to MITM attacks, even worse when some browsers don't allow adding exceptions easily.

Also, I remember trying to make the https connection to owncloud on another port, but I didn't succeed. Is it possible to change it? Would it work without a certificate?

 


@StephenB wrote:

If you just wanting remote access for your own devices, then a VPN is a better way to go.  OpenVPN is built into many routers (including Nighthawk) - though some older nighthawks might not support iOS or Android, so you should confirm that you get the right version using the home networking forum here.  It is possible to install ZeroTier on the NAS.  There are apps for both of these for iOS, Android, Windows, and Mac.  Both ZeroTier and OpenVPN are free, and neither requires port forwarding.


I got a Nighthawk a couple of months ago but had to return it, as it was causing me disconnections in games. After tracking down the issue, it was the router. So I went back to an old one from another brand, but it doesn't support VPN.

 


@StephenB wrote:

Resilio Sync is another possibility, if you are specifically interested in mobile device access. It can be set up to back up photos and videos on your mobile devices to the NAS, and it can also give you read-only selective sync to NAS shares.  You then can download a file remotely, and open it in the desired mobile app.  Though you might find that works better if you run it on an always-on PC (sharing folders on the NAS).  No port forwarding is needed.

 


This looks like a good alternative, though I'm not so sure the free version will fulfil my needs; I will read about it. My mobile calendar is synced with the owncloud calendar, not so sure I can do that with Resilio, but it looks good. The question is again whether it is a secure connection and how they deal with privacy, but it's worth checking.

Thanks, very useful discussion.

 

 

Message 11 of 13
osilvab
Aspirant

Re: ReadyNAS 102 strange behaviour

I spent Easter solving this 🙂

I did the factory reset and the backup, and it is behaving well now. I changed my old router and got a good one. With this one I can create a VPN server, which would allow me to access from the public internet. Is that a good idea? For sure it's better than port forwarding as I had it before, but how vulnerable is the VPN? Which precautions should I take?

Thanks!

 

Message 12 of 13
StephenB
Guru

Re: ReadyNAS 102 strange behaviour


@osilvab wrote:

how vulnerable is the VPN?

 


It depends on what technology you are using.

 

OpenVPN is quite secure, and when issues do show up they are patched quickly.  There are no cloud servers involved in establishing the connection, the server and client are in your home equipment.

 

I haven't seen as much written up on ZeroTier, though it should be secure. It is managed from the ZeroTier servers, so you need to make sure you use a strong password there, and you should change it from time to time. Also, you are trusting ZeroTier to keep those servers secure.

 

There isn't anything written on ReadyCloud's approach to security. It is managed by Netgear's servers, so (like ZeroTier) you need to use a strong password on the ReadyCloud account(s) (and change it from time to time). And with ReadyCloud, you are also trusting Netgear to keep the servers secure.

 

In all cases, you want to keep the software used up to date, so you will get any security patches.  That includes your router and NAS firmware, as well as client apps/software.

Message 13 of 13