Found: ReadyNas with many services enabled including ssh, living on heavily compromised network. Password could have been keylogged or easily brute forced.
I am concerned it has been compromised with stealthy evil binaries which will phone home or attempt to reinfect the network. I'd like to avoid a factory reset for now but that is my long term plan.
For now, is anyone aware of a good way to verify the filesystem binaries against known good hashes or something similar?
Edit: I've port scanned the nas and verified the ports against what netstat shows listening, they're in sync and I see nothing odd but that does not mean its not compromised. Port knocking and rootkits are very popular these days to hide services.
Mitigation: Listing some mitigation tactics for anyone else that finds themselves in a similar situation.
Create port filter on router to prevent NAS from reaching the Internet Create port filter on router to prevent NAS from reaching the router config port or DNS forwarder on the router Create static ARP entry on router for NAS to prevent NAS switching IPs to evade port filters. Disable Binding of SMB server to LAN/WLAN interface on all Windows PCs.
If there is malware, it might try to use the DNS forwarder or switch IPs to evade filters on the router to communicate with a base, this is becoming more popular. If smbd and nmbd are hacked, its possible your windows machines can be reinfected via C$ every time they join the network and broadcast. These suggestions are all based on past incidents. Your mileage may vary depending on a large number of factors such as password reuse across systems.
I am involved with virtual currency mining and storage, some details are private. This looks like an APT and I want to end it. Several of my machines were infected with custom malware and generating unknown traffic. These machines do not have WWW browsers, I don't know how they became infected yet. The ReadyNAS shares the same network segment with these machines. I have to assume it is compromised based on the skill level of the attackers and weak password on the nas.
So in the event of a serious readynas compromise, is there a recommended procedure to assess the filesystem? I realize I need to clean the stored files on the box because they're probably part of a watering hole attack as well at this point. For now I'd like to find and document any malicious binaries running on the readynas if possible. If that makes sense?
> This assumes that the hackers didn't compromise the flash itself.
This is one of my many questions swirling around in my mind. Is it possible the flash could be compromised so that a factory reset with fresh disks would still contain malware?
I'm probably going to buy myself a new fresh 516 for xmas and use that until I find a way to trust the hacked box again.
mdgm perhaps can comment on the possibility of compromising the flash. There are procedures for reloading it over USB which Netgear can give you. There is some risk, so they aren't generally available.
If you do get another 516 (a bit higher than my usual Christmas presents!) you can of course do the factory reset on both and compare the two OS partitions.
First thing is to change the password (obvious), second to check the logs (particularly bash), to check unknown users with valid shell, check the processes, check the network. That's not 100%, but that will rule out many things. If you need thorough forensic analysis, you should clone the disks and then work on the copy (mount the disks in readonly while cloning so that timestamp are not updated), you may want to refer to a specialist if you really need forensic analysis. You may want to activate iptables too (both directions) if you filtered only on your router. An OS reinstall will overwrite some files while keeping the data. I agree with mdgm on the flash, it would require some specific targeting towards flash-enabled devices, probably only Netgear's for it to work, but since we update the flash each time we change the version of the system, this probably is possible.
You should backup the data if not already done, in this case a non-networked device would be great.
The best way is of course to erase everything on the drives (low level format) and start fresh, even with this, there is not a 100% certitude that things will be cleansed (you mentioned the flash, the network...).
