Re: ReadyNas 3200 hacked

karex
Aspirant

ReadyNas 3200 hacked

Hi,

Our ReadyNas 3200 has been hacked and is being used to send DoS attacks. The RN is constantly contacting servers in China, and our network was blocked by communications. I stopped it on our firewall. Could you help me with how I can identify and correct it? The log from the firewall is attached.

Thanks, Karel


18:29:53 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47194->120.24.57.79:45000, len 60
18:31:30 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:33 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:39 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:51 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:32:15 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:33:03 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:33:28 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto UDP, 192.168.3.227:123->209.249.181.53:123, len 76
18:33:30 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto UDP, 192.168.3.227:123->206.16.42.153:123, len 76
18:34:39 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
18:34:42 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
18:34:48 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
Message 1 of 6
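The firewall log above already contains the pattern to look for. What follows is an added example, not part of karex's post and not anything NETGEAR ships: a small Python triage script that parses those "forward" log lines (the twelve lines from the post are embedded as the sample; the router format is assumed to be RouterOS-style from the line shape, but the parser relies only on the fields visible above) and separates a beacon, meaning repeated unanswered SYNs from one LAN host to one external host:port, from the background NTP traffic.

```python
import re
from collections import defaultdict

# The twelve firewall lines from the post above ("NAS" is the log prefix of
# the firewall rule that matched).
FIREWALL_LOG = """\
18:29:53 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47194->120.24.57.79:45000, len 60
18:31:30 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:33 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:39 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:31:51 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:32:15 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:33:03 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47195->120.24.57.79:45000, len 60
18:33:28 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto UDP, 192.168.3.227:123->209.249.181.53:123, len 76
18:33:30 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto UDP, 192.168.3.227:123->206.16.42.153:123, len 76
18:34:39 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
18:34:42 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
18:34:48 firewall,info NAS forward: in:LAN out:WAN-Internet, src-mac 00:30:48:b9:12:80, proto TCP (SYN), 192.168.3.227:47196->120.24.57.79:45000, len 60
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,info \S+ forward: "
    r"in:(?P<in>\S+) out:(?P<out>\S+), src-mac (?P<mac>[0-9a-f:]{17}), "
    r"proto (?P<proto>[A-Z]+)(?: \((?P<flags>[A-Z,]+)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), "
    r"len (?P<len>\d+)$"
)


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text):
    """Parse the lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["t"] = to_seconds(e["time"])
        for k in ("sport", "dport", "len"):
            e[k] = int(e[k])
        events.append(e)
    return events


def find_beacons(events, min_syns=3):
    """Group outbound TCP SYNs by (src, dst, dport).

    Within one flow, the same source port repeating with gaps that double
    (3, 6, 12, 24, 48 s) is the kernel retransmitting an unanswered SYN;
    a new source port a few minutes later is the process calling connect()
    again. Both together, towards a high non-standard port, look like a C2
    client whose server is down or blocked, not like user traffic."""
    flows = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["flags"] == "SYN" and e["out"].startswith("WAN"):
            flows[(e["src"], e["dst"], e["dport"])].append(e)
    report = {}
    for key, evs in flows.items():
        if len(evs) < min_syns:
            continue
        by_sport = defaultdict(list)
        for e in evs:
            by_sport[e["sport"]].append(e["t"])
        report[key] = {
            "syns": len(evs),
            "connect_attempts": len(by_sport),
            "retransmit_gaps": {sp: [b - a for a, b in zip(ts, ts[1:])]
                                for sp, ts in by_sport.items()},
            "first": evs[0]["time"],
            "last": evs[-1]["time"],
            "src_mac": evs[0]["mac"],
        }
    return report


def other_flows(events):
    """Everything that is not a TCP SYN, summarised as (proto, dst, dport),
    so the NTP noise is listed separately from the beacon."""
    return sorted({(e["proto"], e["dst"], e["dport"])
                   for e in events if not (e["proto"] == "TCP" and e["flags"] == "SYN")})


if __name__ == "__main__":
    events = parse_log(FIREWALL_LOG)
    for (src, dst, dport), info in find_beacons(events).items():
        print(f"{src} ({info['src_mac']}) -> {dst}:{dport}: {info['syns']} SYNs in "
              f"{info['connect_attempts']} connect attempts, {info['first']}..{info['last']}")
        for sp, gaps in info["retransmit_gaps"].items():
            print(f"  sport {sp}: retransmit gaps {gaps}")
    print("other flows:", other_flows(events))
```

On the posted lines this reports one flow, 192.168.3.227 to 120.24.57.79:45000, with ten SYNs in three connect attempts, and the 3/6/12/24/48 second gaps on source port 47195 show the SYNs were never answered (the firewall only logs the SYN, so it cannot tell whether the remote host is down or simply filtered). The two UDP/123 flows are ordinary NTP and need no action. The same grouping works on a longer export: sort the output by number of connect attempts and anything in the top few that is not a known service is the next thing to pull from the NAS.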
StephenB
Guru

Re: ReadyNas 3200 hacked

The safest way is a factory reset, followed by rebuilding the NAS/restoring from backup. You might want to install the latest beta firmware (4.2.28 T6) as that has a couple of recent security patches.
Message 2 of 6
karex
Aspirant

Re: ReadyNas 3200 hacked

I understand, trying to find another solution. I've got a full 12 TB.
Message 3 of 6
StephenB
Guru

Re: ReadyNas 3200 hacked

karex wrote:
I understand, trying to find another solution. I've got a full 12 TB.
Basically you'd need to ssh into the NAS, figure out what changes were made, and attempt to undo them.

You might not find everything that was done.
Message 4 of 6
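"Figure out what changes were made" is concrete once you have a known-good reference to compare against. The following is an added example, not from StephenB's reply and not NETGEAR code: it hashes every regular file under the system directories and diffs the result against a baseline manifest. The baseline is assumed to come from a clean unit on the same firmware version, or from the unpacked firmware image, mounted or copied to a clean machine; the file names and contents in `demo()` are constructed for the illustration and are not the malware's real file names.

```python
import hashlib
import os
import shutil
import tempfile

# The directories whose originals are needed in this thread.
SYSTEM_DIRS = ["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/etc/init.d"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, dirs=SYSTEM_DIRS):
    """{'/bin/ls': sha256, ...} for every regular file under dirs, resolved
    beneath root ('/' on the live NAS, or the mount point of a cloned disk or
    unpacked firmware image examined from a clean host). Symlinks are skipped;
    their targets are hashed once under their own path."""
    manifest = {}
    for d in dirs:
        top = os.path.join(root, d.lstrip("/"))
        for dirpath, _, files in os.walk(top):
            for name in files:
                p = os.path.join(dirpath, name)
                if os.path.islink(p) or not os.path.isfile(p):
                    continue
                rel = "/" + os.path.relpath(p, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(p)
    return manifest


def diff_manifests(known_good, suspect):
    """Files whose content changed, files with no known-good entry (dropped by
    the attacker), and known-good files that are gone."""
    return {
        "modified": sorted(p for p in suspect if p in known_good and suspect[p] != known_good[p]),
        "added": sorted(p for p in suspect if p not in known_good),
        "missing": sorted(p for p in known_good if p not in suspect),
    }


def _write(root, rel, data):
    p = os.path.join(root, rel.lstrip("/"))
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "wb") as f:
        f.write(data)


def demo():
    """Constructed illustration: a tiny 'clean' tree and a 'suspect' copy in
    which one binary was replaced, one init script plus its payload were
    added and one tool was removed. Names and contents are made up."""
    work = tempfile.mkdtemp()
    try:
        clean, suspect = os.path.join(work, "clean"), os.path.join(work, "suspect")
        for root in (clean, suspect):
            _write(root, "/bin/ls", b"ELF real ls")
            _write(root, "/bin/netstat", b"ELF real netstat")
            _write(root, "/usr/sbin/sshd", b"ELF real sshd")
            _write(root, "/etc/init.d/ssh", b"#!/bin/sh\n# real init script\n")
        _write(clean, "/usr/bin/lsof", b"ELF real lsof")                          # missing on suspect
        _write(suspect, "/bin/netstat", b"ELF trojaned netstat")                   # modified
        _write(suspect, "/etc/init.d/zz_update", b"#!/bin/sh\n/usr/bin/.x &\n")   # added
        _write(suspect, "/usr/bin/.x", b"ELF dropped payload")                     # added
        return diff_manifests(hash_tree(clean), hash_tree(suspect))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run the hashing from a clean host against a copy of the NAS filesystem rather than on the compromised box itself: if the attacker replaced binaries in /bin, the box's own `sha256sum` or `ls` can lie. The "added" list is the part that answers "what still starts at boot", because a new /etc/init.d script shows up there; what this check does not cover is anything outside the listed directories, for example cron entries, /etc/ld.so.preload, the /etc/rc*.d symlinks, or kernel modules, so extend `SYSTEM_DIRS` to whatever the baseline also contains.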
karex
Aspirant

Re: ReadyNas 3200 hacked

Yes, I connected by ssh and now I know what happened: Linux.BackDoor.Gates.5.
I need the original
/bin
/sbin
/usr/bin
/usr/sbin
/etc/init.d
Could you help me?
Message 5 of 6
karex
Aspirant

Re: ReadyNas 3200 hacked

The system is cleaned, I hope. I restored the original files in the directories bin, sbin... The last problem is that after the system starts, some process contacts the server 203.214.176.104 in Malaysia. I catch it at the firewall but can't identify it.
Message 6 of 6
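Catching the connection at the firewall tells you the destination but not the process. Mapping the connection back to a PID is done by reading /proc directly, which avoids trusting `netstat`, `ps` or `lsof` on a box where those very binaries had to be restored. The script below is an added example, not from karex's post and not NETGEAR code; the /proc/net/tcp snapshot and the fd table it demonstrates on are constructed (the remote address is the one from the post, but port 45000, the inode numbers and PID 2719 are made up), and the live-host function at the end needs root.

```python
import os
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}


def decode_addr(field):
    """'68B0D6CB:AFC8' -> ('203.214.176.104', 45000). /proc/net/tcp prints the
    IPv4 address as one 32-bit number in host byte order, so on a little-endian
    box such as the x86 ReadyNAS 3200 the dotted-quad bytes appear reversed."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]),
                     "inode": int(f[9])})
    return rows


def sockets_to(text, remote_ip):
    return [r for r in parse_proc_net_tcp(text) if r["remote"][0] == remote_ip]


def owners(inodes, fd_links):
    """fd_links maps pid -> readlink() targets of /proc/<pid>/fd/*; an open
    socket shows up there as 'socket:[<inode>]'."""
    wanted = {"socket:[%d]" % i for i in inodes}
    return sorted(pid for pid, links in fd_links.items() if wanted.intersection(links))


def live_fd_links(proc="/proc"):
    """Walk the real /proc (root is needed to see other users' fds)."""
    links = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links[int(pid)] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:      # process exited meanwhile, or permission denied
            continue
    return links


def find_process_talking_to(remote_ip, proc="/proc"):
    """(pid, exe, cmdline) for every process holding a TCP socket to remote_ip."""
    with open(os.path.join(proc, "net", "tcp")) as f:
        socks = sockets_to(f.read(), remote_ip)
    found = []
    for pid in owners([s["inode"] for s in socks], live_fd_links(proc)):
        try:
            exe = os.readlink(os.path.join(proc, str(pid), "exe"))   # ends in ' (deleted)' if unlinked
            with open(os.path.join(proc, str(pid), "cmdline"), "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            exe, cmd = "?", "?"
        found.append((pid, exe, cmd))
    return found


# Constructed snapshot: an sshd listener, plus the NAS (192.168.3.227) stuck in
# SYN_SENT towards 203.214.176.104 with 3 retransmits. Port 45000, inodes and
# PID 2719 are made up for the example.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0
   1: E303A8C0:B85B 68B0D6CB:AFC8 02 00000001:00000000 01:000003E8 00000003     0        0 9077 2 0000000000000000 100 0 0 10 -1
"""
SAMPLE_FD_LINKS = {
    1: ["/dev/null", "/dev/null"],
    456: ["/dev/null", "socket:[9001]"],
    2719: ["/dev/null", "socket:[9077]", "/var/tmp/.log"],
}


def demo():
    socks = sockets_to(SAMPLE_PROC_NET_TCP, "203.214.176.104")
    return owners([s["inode"] for s in socks], SAMPLE_FD_LINKS)


if __name__ == "__main__":
    print(demo())                                        # [2719] on the sample
    print(find_process_talking_to("203.214.176.104"))    # on the live host, as root
```

Because the contact happens right after boot and the connect attempts are short-lived, run `find_process_talking_to` in a loop from an early init hook or over an ssh session started as soon as the box is up, and also grep /proc/net/tcp for the SYN_SENT state, which is exactly what an unanswered connect() looks like from the inside. Once you have the PID, `/proc/<pid>/exe` and `/proc/<pid>/cmdline` name the binary, and `ls -l /proc/<pid>/fd` plus `/proc/<pid>/maps` show what it has open. Reading /proc sidesteps trojaned userland tools, but not a kernel-level rootkit, which is the remaining argument for StephenB's factory reset.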