Tuumke Posted October 29, 2020 (edited)

I was running AdGuard and also have a UDM Pro, when I noticed that stuff was getting blocked from my NAS. I immediately closed port 22, then saw this in the syslog:

    Oct 29 09:42:54 NAS sshd[9909]: error: connect_to payy.co.com port 80: failed.
    Oct 29 09:42:54 NAS sshd[9909]: channel_by_id: 0: bad id: channel free
    Oct 29 09:42:54 NAS sshd[9909]: Disconnecting user adm 89.39.104.123 port 4746: oclose packet referred to nonexistent channel 0
    Oct 29 09:42:54 NAS sshd[9909]: Connection reset by user adm 89.39.104.123 port 4746
    Oct 29 09:44:19 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
    Oct 29 09:44:19 NAS sshd[24421]: error: connect_to b.stats.paypal.com: unknown host (Name or service not known)
    Oct 29 09:44:20 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
    Oct 29 09:44:32 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
    Oct 29 09:44:51 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
    Oct 29 09:46:23 NAS webGUI: Successful login user root from 192.168.2.1

Uh... should I be worried? And how to further check my NAS for compromises?

-edit-

Saw some more things and I thought, I should be running under user adm then, right?

    root     776   7449  0 09:18 ?      00:00:00 sshd: adm [priv]
    adm      778    776  0 09:18 ?      00:00:00 sshd: adm
    root    7645   7449  0 08:32 ?      00:00:00 sshd: adm [priv]
    adm     7647   7645  0 08:32 ?      00:00:15 sshd: adm
    root   10553   7449  0 09:40 ?      00:00:00 sshd: adm [priv]
    adm    10555  10553  0 09:40 ?      00:00:00 sshd: adm
    root   19024   8802  0 10:00 pts/0  00:00:00 grep adm
    root   23428   7449  0 Oct25 ?      00:00:00 sshd: adm [priv]
    adm    23430  23428  0 Oct25 ?      00:00:00 sshd: adm
    root   26296   7449  0 09:10 ?      00:00:00 sshd: adm [priv]
    adm    26310  26296  0 09:10 ?      00:00:00 sshd: adm
    root   30985   7449  0 Oct28 ?      00:00:00 sshd: adm [priv]
    adm    30988  30985  0 Oct28 ?      00:00:01 sshd: adm
    root   31687   7449  0 Oct26 ?      00:00:00 sshd: adm [priv]
    adm    31689  31687  0 Oct26 ?      00:00:07 sshd: adm

I'm rebooting it right now just to be safe.

Edited October 29, 2020 by Tuumke
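A defender-side check for the symptom in this post: sshd logs `connect_to <host>` errors when an authenticated SSH client asks it to open a forwarded TCP connection, so those lines are evidence that the `adm` session was being used as a tunnel. The following is an added Python example, not code from the thread or from Unraid; it groups `connect_to` attempts by sshd process id and ties each group to the user and client address that sshd prints on disconnect for the same pid. The sample lines are constructed from the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sshd lines quoted in the post above.
SAMPLE_LOG = """\
Oct 29 09:42:54 NAS sshd[9909]: error: connect_to payy.co.com port 80: failed.
Oct 29 09:42:54 NAS sshd[9909]: channel_by_id: 0: bad id: channel free
Oct 29 09:42:54 NAS sshd[9909]: Disconnecting user adm 89.39.104.123 port 4746: oclose packet referred to nonexistent channel 0
Oct 29 09:44:19 NAS sshd[24421]: error: connect_to t.paypal.com: unknown host (Name or service not known)
Oct 29 09:44:19 NAS sshd[24421]: error: connect_to b.stats.paypal.com: unknown host (Name or service not known)
Oct 29 09:46:23 NAS webGUI: Successful login user root from 192.168.2.1
"""

# syslog prefix of an sshd line: captures the sshd process id and the message
SSHD_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(\d+)\]: (.*)$")
# "connect_to <host>[ port <n>]:" is sshd reporting a failed forwarded
# TCP connection requested by the client (local/dynamic port forwarding)
CONNECT_RE = re.compile(r"error: connect_to (\S+?)(?: port (\d+))?: ")
# user and client address as sshd prints them on disconnect/reset messages
USER_RE = re.compile(r"user (\S+) (\d+\.\d+\.\d+\.\d+) port \d+")


def forwarding_sessions(log_text):
    """Map sshd pid -> {user, source, targets} for sessions that forwarded."""
    sessions = defaultdict(lambda: {"user": None, "source": None, "targets": []})
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # not an sshd line (e.g. the webGUI login)
        pid, msg = m.groups()
        c = CONNECT_RE.search(msg)
        if c:
            host, port = c.groups()
            sessions[pid]["targets"].append(f"{host}:{port or '?'}")
        u = USER_RE.search(msg)
        if u:  # same pid => same SSH session, so this names who tunnelled
            sessions[pid]["user"], sessions[pid]["source"] = u.groups()
    return {pid: s for pid, s in sessions.items() if s["targets"]}


def report(log_text):
    """One alert line per sshd session that tried to forward traffic."""
    out = []
    for pid, s in sorted(forwarding_sessions(log_text).items(), key=lambda kv: int(kv[0])):
        who = f"{s['user']} from {s['source']}" if s["user"] else "unidentified session"
        out.append(f"sshd[{pid}]: {who} forwarded to {', '.join(s['targets'])}")
    return out
```

Run `report()` over the full syslog to see every session that forwarded traffic; a session with forwards but no user line (like pid 24421 here) still needs its login matched up from earlier "Accepted" entries for that pid.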
Michael_P Posted October 29, 2020

Your Unraid box was exposed to the internet?
Tuumke Posted October 29, 2020 (Author)

Just now, Michael_P said: Your Unraid box was exposed to the internet?

Indirectly. Had port 22 forwarded (as well as 80 and 443).
Michael_P Posted October 29, 2020

That's pretty directly lol - leaving 22, 80 and 443 is terribad - that's like saying you locked up your house but went ahead and left the front door, garage door, and back door wide open. Wipe clean and start fresh; once it's compromised it can't be trusted.
Tuumke Posted October 30, 2020 (Author)

On 10/29/2020 at 10:27 AM, Michael_P said: That's pretty directly lol - leaving 22, 80 and 443 is terribad - that's like saying you locked up your house but went ahead and left the front door, garage door, and back door wide open. Wipe clean and start fresh; once it's compromised it can't be trusted.

Lol, so much data on it... I can't just wipe clean...
Michael_P Posted October 30, 2020

Start with the OS and go from there.