Router was port scanned, Remote Desktop port for W10 VM shows remote access attempted in logs, what should I do?


jmwilsoND


A little background: I noticed an attempted WHOIS on an IRC chat that revealed my public IP (I know, stupid me; it has since been resolved by routing through Tor), but I immediately went to my router logs and noticed an attempted port scan happening. I disconnected my modem immediately and put another router in between the router that was port scanned, thus giving me a new public IP. There were no more remote attempts for 2 weeks while the intermediary router was in place. Figuring my IP reservation had expired (I have attempted this before and received a new IP in 7 days), I disconnected the intermediary router after the 2 weeks and went back to the original configuration. Immediately, I saw no more port scanning being attempted, but instead just a steady remote access attempt on the IP and port for my remote desktop. I put the intermediary router in between again and it all stopped. So I downloaded the syslog and attached it for the time that the remote access attempts were made on the VM. The VM is only used for remote access to files, but that is only done through a VPN run through the router that logs in locally, so it would not show as a remote access. The IP used belonged to a UK security firm who has a big banner on the front of their page saying that hackers have used their IP and to contact the UK's fraud division, so ya, ugh. This VM is also used to run a nightly sync between the router's NAS and a versioned backup on unRAID. However, the VM showed no usage because it was shut down due to W10 having initiated an update a few days earlier, and logging in, I was greeted by the update installing. Oh, and I should add that when I put the config back, my internet connection slowed to a crawl due to bandwidth being consumed by whatever happened (back to normal after putting the other router back in between). So what is compromised? What should my next course of action be? I really appreciate anyone spending the time to read through this and give me your input. Thanks.

syslog.txt


Yes, I understand it is not the complete log. The complete log had sensitive information displayed because a backup of business files where the customers' names are displayed in the titles occurred. However, I am confident that it was not compromised at the time because my router logs showed no remote access. I'm sorry for not being able to post the entirety, but I can say with certainty that the logs posted included the entirety of the time that there were remote access attempts. I do not want my server to have a public IP. I have one port forwarded for the IP of the Windows 10 VM that was added as a part of the RDP install process. Now, I'm not sure that the port needs to be forwarded since, as I noted, I use a VPN to access it remotely with a local IP. Should I just delete that port forward? It's interesting because those cabling errors only show up at the time that my router logs show remote access attempts. I am thinking it was a brute force attempt at accessing the VM that shouldn't have been successful since the VM was shut down due to the update. Would this be a rational conclusion? The libvirt and docker logs do not have any activity during these times as well. Thanks for looking at everything. I do appreciate it.


The complete diagnostics zip file I asked for likely doesn't contain any sensitive information. Many parts of it are anonymized, and you can examine it yourself before posting it, it is all text files. The diagnostics zip includes the anonymized syslog and other files that might give us more of a clue about how your network is configured. 


Ok, I understand. Unfortunately, since I stopped much of the access to my files that would be backed up automatically by the VM, I did a manual copy to a different share, and all the file names that were copied showed in the syslog, so I can say it definitely is not anonymous. I do appreciate your attention and will do my best to get you the entirety that I can by deleting any reference to those files. It should just take me a few minutes. Thanks for your patience.


The mover log I was referring to only applies to the built-in mover function, which moves files between cache and array. It normally happens on a schedule, but you can also invoke it manually. Any change you make to that setting only affects mover logs going forward. And it has no effect on anything logged by some other method. I'm not sure which other methods log filenames.


Outside of the initial bootup, the syslogs are nothing but error after error after error of drive resets, which cannot be caused by any intrusion. If you're noticing a slowdown, it's definitely because of them.

Those drive resets caused disk 1 to have read errors (which were corrected), but another drive (parity) suffers from it every second on the second.

Reset all cabling to all drives.


Thanks for the input y'all, I think that's spot on. Thing is, I only connect to RDP through the VPN on my router that establishes a local connection, so with the VPN running separately on the router, I think I should be able to just delete the port forward that RDP had me open on setup. My main concern was that my system wasn't compromised, since my router logs clearly showed attempts by a remote IP on the one port that was forwarded (not to help my paranoia, tracing the IP leads to a UK security firm that has a huge banner on their website saying "we have been compromised by hackers, please talk to the UK fraud division" etc. etc.... way to get my heart beating). Since the VM was shut down at the time and the errors you mentioned are totally separate, I think I will do what y'all said and can hopefully be confident nothing was compromised. BTW, the cabling and parity drive issues make a lot of sense. I just swapped the parity drive for SMART errors, and pulling the HD cage out always leaves a mess (cable management not on point). Going back in and securing all that now. Thanks for all your help.

On 2/19/2018 at 8:44 PM, jmwilsoND said:

Thing is, I only connect to RDP through the VPN on my router that establishes a local connection, so with the VPN running separately on the router, I think I should be able to just delete the port forward that RDP had me open on setup.

Sounds right to me.

If you really need an open forwarded port, and your router supports it, you could apply a white-list of allowed remote networks. If you're a road warrior and need it to be wide open to 0.0.0.0, you could have two rules: a white-list rule for most everyday use, and a secondary rule (probably just as it is now) which is disabled most of the time, but which you enable before you go on the road.

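To make the allow-list idea from the reply above concrete, here is an added example (not code from the thread or from unRAID) that audits router log lines for connection attempts on a forwarded port and reports which sources fall outside a list of allowed remote networks. The log format, the forwarded port number (3389) and the allowed network (198.51.100.0/24) are all constructed assumptions; the thread does not give the real values or the attached syslog's format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample router log (hypothetical format, not the thread's syslog).
SAMPLE_LOG = """\
Feb 19 20:01:02 router: conn SRC=203.0.113.10 DST=192.0.2.5:3389 PROTO=TCP
Feb 19 20:01:03 router: conn SRC=203.0.113.10 DST=192.0.2.5:3389 PROTO=TCP
Feb 19 20:01:05 router: conn SRC=198.51.100.7 DST=192.0.2.5:3389 PROTO=TCP
Feb 19 20:01:09 router: conn SRC=203.0.113.10 DST=192.0.2.5:3389 PROTO=TCP
Feb 19 20:02:00 router: conn SRC=198.51.100.7 DST=192.0.2.5:443 PROTO=TCP
"""

# Placeholder for the forwarded RDP port; the thread does not state the real one.
RDP_PORT = 3389

# The "white-list of allowed remote networks" from the reply (hypothetical value).
ALLOWED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Pulls source address, destination address and destination port from a log line.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+):(?P<port>\d+)")


def is_allowed(src: str) -> bool:
    """True if the source address belongs to one of the allowed networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_NETWORKS)


def audit_forwarded_port(log_text: str, port: int = RDP_PORT) -> dict:
    """Count attempts on `port` per source, split into allowed and denied.

    Lines for other ports are ignored, so traffic to services that are
    intentionally public does not pollute the report.
    """
    allowed = Counter()
    denied = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("port")) != port:
            continue
        src = m.group("src")
        if is_allowed(src):
            allowed[src] += 1
        else:
            denied[src] += 1
    return {"allowed": dict(allowed), "denied": dict(denied)}


if __name__ == "__main__":
    report = audit_forwarded_port(SAMPLE_LOG)
    for src, count in sorted(report["denied"].items(), key=lambda kv: -kv[1]):
        print(f"DENIED  {src}: {count} attempt(s) on port {RDP_PORT}")
    for src, count in report["allowed"].items():
        print(f"allowed {src}: {count} attempt(s) on port {RDP_PORT}")
```

Repeated hits from one source that is not in the allow-list are exactly the pattern the original poster saw in the router log; if the port forward is deleted entirely (the VPN route), the audit simply reports nothing for that port.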
