NAS Compromised


Tuumke


I was running AdGuard and also have a UDM Pro, when I noticed that stuff was getting blocked from my NAS. I immediately closed port 22, then saw this in the syslog:


Oct 29 09:42:54 NAS sshd[9909]: error: connect_to payy.co.com port 80: failed.
Oct 29 09:42:54 NAS sshd[9909]: channel_by_id: 0: bad id: channel free
Oct 29 09:42:54 NAS sshd[9909]: Disconnecting user adm 89.39.104.123 port 4746: oclose packet referred to nonexistent channel 0
Oct 29 09:42:54 NAS sshd[9909]: Connection reset by user adm 89.39.104.123 port 4746
Oct 29 09:44:19 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
Oct 29 09:44:19 NAS sshd[24421]: error: connect_to b.stats.paypal.com: unknown host (Name or service not known)
Oct 29 09:44:20 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
Oct 29 09:44:32 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
Oct 29 09:44:51 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
Oct 29 09:46:23 NAS webGUI: Successful login user root from 192.168.2.1

Uh... should I be worried? And how do I further check my NAS for compromises?

-edit-


Saw some more things and I thought, I should be running under user adm then, right?

root       776  7449  0 09:18 ?        00:00:00 sshd: adm [priv]
adm        778   776  0 09:18 ?        00:00:00 sshd: adm
root      7645  7449  0 08:32 ?        00:00:00 sshd: adm [priv]
adm       7647  7645  0 08:32 ?        00:00:15 sshd: adm
root     10553  7449  0 09:40 ?        00:00:00 sshd: adm [priv]
adm      10555 10553  0 09:40 ?        00:00:00 sshd: adm
root     19024  8802  0 10:00 pts/0    00:00:00 grep adm
root     23428  7449  0 Oct25 ?        00:00:00 sshd: adm [priv]
adm      23430 23428  0 Oct25 ?        00:00:00 sshd: adm
root     26296  7449  0 09:10 ?        00:00:00 sshd: adm [priv]
adm      26310 26296  0 09:10 ?        00:00:00 sshd: adm
root     30985  7449  0 Oct28 ?        00:00:00 sshd: adm [priv]
adm      30988 30985  0 Oct28 ?        00:00:01 sshd: adm
root     31687  7449  0 Oct26 ?        00:00:00 sshd: adm [priv]
adm      31689 31687  0 Oct26 ?        00:00:07 sshd: adm

I'm rebooting it right now just to be safe.

Edited by Tuumke
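The two artefacts in the post above (the sshd `connect_to` errors and the long-lived `sshd: adm` processes) can be triaged mechanically. The script below is an added example, not code from the original post or from any NAS vendor. It assumes stock OpenSSH syslog wording (sshd only logs `connect_to <host> ...: failed` / `unknown host` when a logged-in client asked it to open a TCP forward via `-L`, `-D` or `-W` and the outbound connection failed; successful forwards are silent, so a handful of such errors is the visible tip of a larger tunnelling session) and standard `ps -ef` column order. The sample inputs are the log and `ps` lines copied from the post so it runs offline.

```python
"""Triage helpers for sshd port-forward abuse (added example, not from the post).

Assumes stock OpenSSH log wording and `ps -ef` column layout.
"""
import re
from collections import defaultdict

# Syslog lines copied from the post above (sample input for this example).
SAMPLE_SYSLOG = """\
Oct 29 09:42:54 NAS sshd[9909]: error: connect_to payy.co.com port 80: failed.
Oct 29 09:42:54 NAS sshd[9909]: channel_by_id: 0: bad id: channel free
Oct 29 09:42:54 NAS sshd[9909]: Disconnecting user adm 89.39.104.123 port 4746: oclose packet referred to nonexistent channel 0
Oct 29 09:42:54 NAS sshd[9909]: Connection reset by user adm 89.39.104.123 port 4746
Oct 29 09:44:19 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
Oct 29 09:44:19 NAS sshd[24421]: error: connect_to b.stats.paypal.com: unknown host (Name or service not known)
Oct 29 09:44:20 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
Oct 29 09:44:32 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
Oct 29 09:44:51 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
Oct 29 09:46:23 NAS webGUI: Successful login user root from 192.168.2.1
"""

# `ps -ef | grep adm` output copied from the post above (sample input for this example).
SAMPLE_PS = """\
root       776  7449  0 09:18 ?        00:00:00 sshd: adm [priv]
adm        778   776  0 09:18 ?        00:00:00 sshd: adm
root      7645  7449  0 08:32 ?        00:00:00 sshd: adm [priv]
adm       7647  7645  0 08:32 ?        00:00:15 sshd: adm
root     10553  7449  0 09:40 ?        00:00:00 sshd: adm [priv]
adm      10555 10553  0 09:40 ?        00:00:00 sshd: adm
root     19024  8802  0 10:00 pts/0    00:00:00 grep adm
root     23428  7449  0 Oct25 ?        00:00:00 sshd: adm [priv]
adm      23430 23428  0 Oct25 ?        00:00:00 sshd: adm
root     26296  7449  0 09:10 ?        00:00:00 sshd: adm [priv]
adm      26310 26296  0 09:10 ?        00:00:00 sshd: adm
root     30985  7449  0 Oct28 ?        00:00:00 sshd: adm [priv]
adm      30988 30985  0 Oct28 ?        00:00:01 sshd: adm
root     31687  7449  0 Oct26 ?        00:00:00 sshd: adm [priv]
adm      31689 31687  0 Oct26 ?        00:00:07 sshd: adm
"""

SSHD_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "connect_to HOST port N: failed." or "connect_to HOST: unknown host (...)"
FORWARD_RE = re.compile(r"connect_to (?P<dest>\S+?)(?: port (?P<port>\d+))?: (?P<why>.+)$")
# "Disconnecting user U IP port N: ..." / "Connection reset by user U IP port N"
PEER_RE = re.compile(r"\buser (?P<user>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")


def sshd_forward_sessions(lines):
    """Group failed TCP-forward requests by sshd child PID, with the peer owning that session.

    Returns {pid: {"user": str|None, "peer": str|None, "forwards": [(dest, port|None, reason)]}}
    and keeps only PIDs that issued at least one forward request. The peer IP is only
    known if that PID also logged a disconnect/reset line, so it may be None.
    """
    sessions = defaultdict(lambda: {"user": None, "peer": None, "forwards": []})
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an sshd line (e.g. the webGUI login)
        pid, msg = m["pid"], m["msg"]
        fwd = FORWARD_RE.search(msg)
        if fwd:
            port = int(fwd["port"]) if fwd["port"] else None
            sessions[pid]["forwards"].append((fwd["dest"], port, fwd["why"]))
        peer = PEER_RE.search(msg)
        if peer:
            sessions[pid]["user"], sessions[pid]["peer"] = peer["user"], peer["ip"]
    return {pid: s for pid, s in sessions.items() if s["forwards"]}


def forward_targets(session):
    """Distinct destination hosts a session tried to reach through the NAS."""
    return sorted({dest for dest, _, _ in session["forwards"]})


def unprivileged_ssh_sessions(ps_lines, user):
    """From `ps -ef` output, list the per-session `sshd: <user>` children (the non-[priv]
    ones running as the user) with their start time. ps prints a date instead of HH:MM
    for processes that did not start today, so those are sessions older than today."""
    found = []
    for line in ps_lines:
        cols = line.split(None, 7)  # user pid ppid c stime tty time cmd
        if len(cols) < 8:
            continue
        owner, pid, _ppid, _c, stime, _tty, _time, cmd = cols
        if owner == user and cmd == f"sshd: {user}":
            found.append({"pid": int(pid), "started": stime, "older_than_today": ":" not in stime})
    return found


if __name__ == "__main__":
    for pid, s in sshd_forward_sessions(SAMPLE_SYSLOG.splitlines()).items():
        print(f"sshd[{pid}] user={s['user']} peer={s['peer']} tried to reach {forward_targets(s)}")
    for s in unprivileged_ssh_sessions(SAMPLE_PS.splitlines(), "adm"):
        print(f"pid {s['pid']} started {s['started']} older_than_today={s['older_than_today']}")
```

On the post's data this ties the `payy.co.com` forward to user adm coming from 89.39.104.123, and shows seven concurrent `sshd: adm` sessions, three of which have been open since Oct 25, 26 and 28. That pattern (an account kept logged in for days and used to proxy traffic towards payment-looking hostnames) is what a phishing or fraud operator does with a stolen SSH credential; the account's password or key has to be treated as known to the attacker regardless of what else is found. Since only failed forwards are logged, the live state matters too: `ss -tnp` (or `netstat -tnp`) on the host will list the outbound connections still owned by those `sshd: adm` PIDs.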
On 10/29/2020 at 10:27 AM, Michael_P said:

That's pretty directly lol - leaving 22, 80 and 443 is terribad - that's like saying you locked up your house but went ahead and left the front door, garage door, and back door wide open.


Wipe clean and start fresh, once it's compromised it can't be trusted

Lol, so much data on it... I can't just wipe clean...
