Reply

Re: Verify filesystem against known good?

someoldguy1
Aspirant

Verify filesystem against known good?

Found: ReadyNas with many services enabled including ssh, living on heavily compromised network. Password could have been keylogged or easily brute forced.

I am concerned it has been compromised with stealthy evil binaries which will phone home or attempt to reinfect the network. I'd like to avoid a factory reset for now but that is my long term plan.

For now, is anyone aware of a good way to verify the filesystem binaries against known good hashes or something similar?

Edit: I've port scanned the nas and verified the ports against what netstat shows listening, they're in sync and I see nothing odd but that does not mean its not compromised. Port knocking and rootkits are very popular these days to hide services.

Mitigation: Listing some mitigation tactics for anyone else that finds themselves in a similar situation.

Create port filter on router to prevent NAS from reaching the Internet
Create port filter on router to prevent NAS from reaching the router config port or DNS forwarder on the router
Create static ARP entry on router for NAS to prevent NAS switching IPs to evade port filters.
Disable Binding of SMB server to LAN/WLAN interface on all Windows PCs.

If there is malware, it might try to use the DNS forwarder or switch IPs to evade filters on the router to communicate with a base, this is becoming more popular. If smbd and nmbd are hacked, its possible your windows machines can be reinfected via C$ every time they join the network and broadcast. These suggestions are all based on past incidents. Your mileage may vary depending on a large number of factors such as password reuse across systems.
Message 1 of 11
vandermerwe
Master

Re: Verify filesystem against known good?

Why do you think your nas has been compromised?
The opening line of your message is a little cryptic.

Provide more details about what has actually happened for you to be concerned.

Back it up. Use UPS.
Infrant Readynas NV+ | Readynas Ultra 6 Plus | Readynas 316
Message 2 of 11
someoldguy1
Aspirant

Re: Verify filesystem against known good?

I am involved with virtual currency mining and storage, some details are private. This looks like an APT and I want to end it. Several of my machines were infected with custom malware and generating unknown traffic. These machines do not have WWW browsers, I don't know how they became infected yet. The ReadyNAS shares the same network segment with these machines. I have to assume it is compromised based on the skill level of the attackers and weak password on the nas.

So in the event of a serious readynas compromise, is there a recommended procedure to assess the filesystem? I realize I need to clean the stored files on the box because they're probably part of a watering hole attack as well at this point. For now I'd like to find and document any malicious binaries running on the readynas if possible. If that makes sense?
Message 3 of 11
vandermerwe
Master

Re: Verify filesystem against known good?

There will be someone on the forums later who can advise you.

Back it up. Use UPS.
Infrant Readynas NV+ | Readynas Ultra 6 Plus | Readynas 316
Message 4 of 11
mdgm-ntgr
NETGEAR Employee Retired

Re: Verify filesystem against known good?

Well the data might not be infected and just the OS partition. Though it does depend on the nature of the malware.
Message 5 of 11
StephenB
Guru

Re: Verify filesystem against known good?

SHA or MD5 hash codes for the OS and a utility to check them would be a nice thing to have, but AFAIK netgear hasn't provided it.

One option is to power down the NAS, and remove the disks (labeling by slot). Then install an unformatted scratch disk, and do a factory install.

Then you can compare the potentially compromised OS partition against the clean one. This assumes that the hackers didn't compromise the flash itself.
Message 6 of 11
someoldguy1
Aspirant

Re: Verify filesystem against known good?

> This assumes that the hackers didn't compromise the flash itself.

This is one of my many questions swirling around in my mind. Is it possible the flash could be compromised so that a factory reset with fresh disks would still contain malware?

I'm probably going to buy myself a new fresh 516 for xmas and use that until I find a way to trust the hacked box again.
Message 7 of 11
StephenB
Guru

Re: Verify filesystem against known good?

mdgm perhaps can comment on the possibility of compromising the flash. There are procedures for reloading it over USB which Netgear can give you. There is some risk, so they aren't generally available.

If you do get another 516 (a bit higher than my usual Christmas presents!) you can of course do the factory reset on both and compare the two OS partitions.
Message 8 of 11
mdgm-ntgr
NETGEAR Employee Retired

Re: Verify filesystem against known good?

The flash is unlikely to have been compromised, though it is possible.
Message 9 of 11
xeltros
Apprentice

Re: Verify filesystem against known good?

First thing is to change the password (obvious), second to check the logs (particularly bash), to check unknown users with valid shell, check the processes, check the network. That's not 100%, but that will rule out many things. If you need thorough forensic analysis, you should clone the disks and then work on the copy (mount the disks in readonly while cloning so that timestamp are not updated), you may want to refer to a specialist if you really need forensic analysis.
You may want to activate iptables too (both directions) if you filtered only on your router.
An OS reinstall will overwrite some files while keeping the data.
I agree with mdgm on the flash, it would require some specific targeting towards flash-enabled devices, probably only Netgear's for it to work, but since we update the flash each time we change the version of the system, this probably is possible.

You should backup the data if not already done, in this case a non-networked device would be great.

The best way is of course to erase everything on the drives (low level format) and start fresh, even with this, there is not a 100% certitude that things will be cleansed (you mentioned the flash, the network...).
Backup is crucial : Learn more here
Message 10 of 11
mdgm-ntgr
NETGEAR Employee Retired

Re: Verify filesystem against known good?

The firmware is signed so non-NETGEAR firmware would be rejected by the system.
Message 11 of 11
Top Contributors
Discussion stats
  • 10 replies
  • 1750 views
  • 0 kudos
  • 5 in conversation
Announcements