2015-03-29
09:09 AM
ReadyNas 3200 hacked
Hi,
Our ReadyNas 3200 has been hacked to send DoS attacks. The RN is constantly contacting servers in China, and our network was blocked by communications. I stopped it on our firewall. Could you help me? How can I identify and correct it? The log from the firewall is attached.
Thanks, Karel
18:29:53 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47194->120.24.57.79:45000, len 60
18:31:30 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:33 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:39 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:51 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:32:15 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:33:03 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:33:28 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto UDP, 192.168.3.227:123->209.249.181.53:123, len 76
18:33:30 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto UDP, 192.168.3.227:123->206.16.42.153:123, len 76
18:34:39 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
18:34:42 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
18:34:48 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
Message 1 of 6
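The firewall log above already contains the evidence: ten TCP SYNs from the NAS to one external host on port 45000 (three source ports, i.e. retries of a connection that never completes) next to two ordinary NTP packets. The following parser and beacon check are an added example, not code from the thread or from Netgear; it assumes the MikroTik-style "firewall,info ... forward:" line format shown in the post and uses a subset of those lines as constructed input.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the firewall lines posted above (same format).
LOG = """\
18:29:53 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47194->120.24.57.79:45000, len 60
18:31:30 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:33 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:33:28 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto UDP, 192.168.3.227:123->209.249.181.53:123, len 76
18:33:30 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto UDP, 192.168.3.227:123->206.16.42.153:123, len 76
18:34:39 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
18:34:42 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
"""

# One forward entry: time, log prefix, interfaces, MAC, proto (+TCP flags), 5-tuple, length.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info (?P<prefix>\S+) forward: "
    r"in:(?P<in>\S+) out:(?P<out>\S+), src-mac (?P<mac>\S+), "
    r"proto (?P<proto>TCP|UDP)(?: \((?P<flags>[^)]+)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)

# Services a NAS is expected to reach on its own; everything else gets reviewed.
EXPECTED = {("UDP", 123)}  # NTP time sync

def parse(text):
    """Yield one dict per parsable line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(records):
    """Group outbound packets by (src, dst, proto, dport) and count retries."""
    flows = defaultdict(lambda: {"count": 0, "sports": set(), "first": None, "last": None})
    for r in records:
        f = flows[(r["src"], r["dst"], r["proto"], int(r["dport"]))]
        f["count"] += 1
        f["sports"].add(int(r["sport"]))      # new source port = a fresh connect() attempt
        f["first"] = f["first"] or r["time"]
        f["last"] = r["time"]
    return dict(flows)

def suspicious(flows, min_count=3):
    """Flows that keep retrying one external host on a port not in EXPECTED."""
    return {k: v for k, v in flows.items()
            if (k[2], k[3]) not in EXPECTED and v["count"] >= min_count}
```

Run over the full log, `suspicious(summarize(parse(text)))` isolates the 120.24.57.79:45000 flow and leaves the NTP traffic out; the same grouping works on any export in this format.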
2015-03-29
10:28 AM
Re: ReadyNas 3200 hacked
The safest way is a factory reset, followed by rebuilding the NAS/restoring from backup. You might want to install the latest beta firmware (4.2.28 T6) as that has a couple of recent security patches.
Message 2 of 6
2015-03-29
10:51 AM
Re: ReadyNas 3200 hacked
I understand; I'm trying to find another solution. I've got a full 12 TB.
Message 3 of 6
2015-03-29
11:24 AM
Re: ReadyNas 3200 hacked
Basically you'd need to ssh into the NAS, figure out what changes were made, and attempt to undo them.
karex wrote: I understand; I'm trying to find another solution. I've got a full 12 TB.
You might not find everything that was done.
Message 4 of 6
2015-03-29
11:35 AM
Re: ReadyNas 3200 hacked
Yes, I connected by ssh and now I know what happened: Linux.BackDoor.Gates.5.
I need original
/bin
/sbin
/usr/bin
/usr/sbin
/etc/init.d
Could you help me?
Message 5 of 6
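"Figure out what changes were made" (message 4) and the request for original copies of /bin, /sbin, /usr/bin, /usr/sbin and /etc/init.d (message 5) come down to one check: hash every file in those directories on the live system and diff the result against a known-good tree. The script below is an added example, not code from the thread or from Netgear; it assumes the reference tree is an unpacked copy of the matching firmware image mounted or extracted under some `root` path, and compares content hashes plus permission bits, since timestamps are trivially forged.

```python
import hashlib
import os

# Directories the poster had to restore; persistence usually lands in these.
DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/etc/init.d"]

def hash_bytes(data):
    return hashlib.sha256(data).hexdigest()

def hash_file(path):
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root, dirs=DIRS):
    """Map every regular file under dirs (relative to root) to (sha256, mode bits).

    Symlinks are skipped. Walk the reference tree (assumed: an extracted copy of
    the matching firmware image under `root`) and the live system ("/") the same way.
    """
    manifest = {}
    for d in dirs:
        for dirpath, _, files in os.walk(os.path.join(root, d.lstrip("/"))):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = (hash_file(full), os.stat(full).st_mode & 0o7777)
    return manifest

def compare(reference, live):
    """Files added, changed (content or mode) or missing on the live system."""
    ref_paths, live_paths = set(reference), set(live)
    changed = sorted(p for p in ref_paths & live_paths if reference[p] != live[p])
    return {
        "added": sorted(live_paths - ref_paths),    # dropped binaries, new init scripts
        "changed": changed,                          # replaced system tools, new setuid bits
        "missing": sorted(ref_paths - live_paths),
    }
```

Typical use is `compare(build_manifest("/mnt/firmware"), build_manifest("/"))` run from a clean rescue environment rather than from the compromised system's own shell, and "added" entries under /etc/init.d deserve the first look because that is what survives a reboot.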
2015-03-30
12:01 AM
Re: ReadyNas 3200 hacked
The system is cleaned, I hope. I restored the original files in the directories bin, sbin... The last problem is that after the system starts, some process contacts the server 203.214.176.104 in Malaysia. I catch it at the firewall but can't identify it.
Message 6 of 6
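The open question in the last message, which process is behind the connection the firewall sees, can be answered on the NAS itself without trusting the `netstat`/`ps` binaries that had to be restored: /proc/net/tcp lists every socket with its inode, and /proc/<pid>/fd links back to that inode. This is an added example, not code from the thread; it assumes a little-endian (x86) host, since the kernel prints the IPv4 address in host byte order, and the /proc/net/tcp sample is constructed, with the remote port 45000 made up.

```python
import os
import socket
import struct

# TCP states from the "st" column of /proc/net/tcp (subset).
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed /proc/net/tcp content: one socket from 192.168.3.227 to the
# 203.214.176.104 host from the post, on a made-up remote port 45000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: E303A8C0:B7C6 68B0D6CB:AFC8 02 00000001:00000000 01:00000064 00000002     0        0 12345 1 0000000000000000 100 0 0 10 -1
"""

def decode_addr(field):
    """'68B0D6CB:AFC8' -> ('203.214.176.104', 45000); assumes little-endian host order."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return (local, remote, state, inode) for each socket row."""
    rows = []
    for line in text.splitlines()[1:]:           # skip the header line
        parts = line.split()
        if len(parts) < 10:
            continue
        rows.append((decode_addr(parts[1]), decode_addr(parts[2]),
                     TCP_STATES.get(parts[3], parts[3]), int(parts[9])))
    return rows

def sockets_to(remote_ip, text):
    """Rows whose remote endpoint is remote_ip; the inode is what links to a PID."""
    return [row for row in parse_proc_net_tcp(text) if row[1][0] == remote_ip]

def pids_for_inode(inode, proc="/proc"):
    """PIDs holding the socket: scan /proc/<pid>/fd for a 'socket:[inode]' link."""
    target, owners = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                           # process exited, or fd not readable
            continue
        if target in links:
            owners.append(int(pid))
    return owners
```

On the NAS, pass `open("/proc/net/tcp").read()` to `sockets_to`, feed each inode to `pids_for_inode` as root, and read `/proc/<pid>/exe` and `/proc/<pid>/cmdline` to name the binary; a boot-time connection with no matching PID usually means a short-lived client, so take the snapshot while the firewall shows the attempt.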