A Hidden User On Your Asustor NAS
-
- Posts: 74
- Joined: Sat Mar 11, 2017 2:17 am
A Hidden User On Your Asustor NAS
I was reading the forums this morning when I came across a post that discussed an unknown user account for our NAS devices. Anyone can log in to the NAS with the username of nvradmin for both username and password. See here viewtopic.php?f=71&t=9593
-
- Posts: 82
- Joined: Tue Jun 27, 2017 1:05 pm
Re: A Hidden User On Your Asustor NAS
Have read in here probably that sometimes support would need to connect remotely to solve something or for whatever other reason, supposedly with the NAS owner's informed consent.
Maybe this is the hidden user real usage, surely they could have done better with the password thing but I have seen before such back door implementations for legit support use to have even more ridiculous passwords.
Above only applies if legit use was intended and such. Cause if it ain't...
Just my 2c.
-
- Posts: 917
- Joined: Fri May 15, 2015 1:56 am
Re: A Hidden User On Your Asustor NAS
I just tried to do this with my own system through WinSCP, and wasn't able to log in with that user ID/password. So that leads me to ask a question:
What apps do those of you with this issue have installed? Do any of you have some sort of camera apps running?
-
- Posts: 224
- Joined: Sun Jun 16, 2013 5:00 pm
Re: A Hidden User On Your Asustor NAS
I had this issue and locked the account.
No camera app used here. I don't have ASUSTOR Portal app installed either as I don't use HDMI output.
Just updated ADM to 3.1.1.RGG1. Maybe that fixed the issue.
My NAS: Flashtor 6 FS6706T ADM: 4.3.0.RSB1 Router: Technicolor CGM4331COM (XB7)
-
- Posts: 395
- Joined: Tue Aug 25, 2015 9:23 pm
Re: A Hidden User On Your Asustor NAS
nope.wde wrote:....Just updated ADM to 3.1.1.RGG1. Maybe that fixed the issue.
-
- Posts: 74
- Joined: Sat Mar 11, 2017 2:17 am
Re: A Hidden User On Your Asustor NAS
I can confirm that using the Web interface this user is still able to log in to the AS6202T running the latest ADM 3.1.1.RGG1. How about it Asustor, what's up with this?
- mafredri
- Posts: 371
- Joined: Sat Mar 22, 2014 8:41 am
Re: A Hidden User On Your Asustor NAS
MonsMagnus wrote: I can confirm that using the Web interface this user is still able to log in to the AS6202T running the latest ADM 3.1.1.RGG1. How about it Asustor, what's up with this?
Yeah, this is pretty unacceptable. Any form of remote login (no matter how limited) is a chance to escape the sandbox and escalate privileges.
EDIT: Furthermore, if someone has once logged in and manages to keep the session alive, disabling the user or changing the password won't help. They won't be logged out. This just illustrates the above point that no system is secure, or designed without faults and limiting access is key.
Hi, I'm new here. Looking to be active in the community and help with development .
Storage: AS-604T with 3GB RAM (Kingston KVR1333D3S8S9/2G)
-
- Posts: 395
- Joined: Tue Aug 25, 2015 9:23 pm
Re: A Hidden User On Your Asustor NAS
you cannot change password from webinterface, but you can edit /etc/shadow from terminal once logged in as root. I just removed the first encrypted character, and logging in with this hidden account has become impossible.
we must now verify that this modification is permanent and will outlive reboot.
-
- Posts: 74
- Joined: Sat Mar 11, 2017 2:17 am
Re: A Hidden User On Your Asustor NAS
sksbir wrote: you cannot change password from webinterface, but you can edit /etc/shadow from terminal once logged in as root. I just removed the first encrypted character, and logging in with this hidden account has become impossible.
we must now verify that this modification is permanent and will outlive reboot.
Because I have no idea why Asustor would create this account I am reluctant to do anything that would risk corrupting or removing it because it could break something else. Asustor needs to advise all of us why it's there, what if anything it's used for, and how or even if we can safely remove it.
-
- Posts: 52
- Joined: Sun Sep 24, 2017 11:30 pm
Re: A Hidden User On Your Asustor NAS
Here's the answer support gave me:
The NVR ADM account is a back door testing account normally we do not share it with our end users.
If you look in carefully the account does not have any privileges nor account access right.
Therefore even if log in you are not able to see any content in the NAS.
This account was created and was used internally for testing purpose.
You can safely disable it by following command:
Code:
passwd -l nvradmin
It shows level of commitment to product security at Asustor.
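A way to check the result of the lock command quoted in the post above, as an added example that is not part of any forum post or of Asustor's own tooling: it reads a shadow-format file, reports whether an account's password field is locked, and lists every account that still accepts a password. The function names and the sample file are this example's own constructions; on a NAS the functions would be pointed at /etc/shadow as root.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the password field (field 2)
# of a shadow-format file. passwd -l marks a lock by prefixing it with '!'.

# account_state FILE USER  ->  missing | empty | locked | set
account_state() {
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"   # logs in without a password
            else if ($2 ~ /^[!*]/) print "locked"  # no password can match
            else                   print "set"     # a hash is present
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# password_logins FILE  ->  accounts that can still authenticate by password,
# for comparison with the user list the web interface shows.
password_logins() {
    awk -F: '$2 !~ /^[!*]/ { print $1 }' "$1"
}

# Constructed sample data; the hashes are placeholders, not real ones.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$constructed$placeholder:17400:0:99999:7:::
admin:$6$constructed$placeholder:17400:0:99999:7:::
nvradmin:$1$constructed$placeholder:17400:0:99999:7:::
daemon:*:17400:0:99999:7:::
EOF

# Same file after a simulated "passwd -l nvradmin".
LOCKED=$(mktemp)
sed 's/^nvradmin:/nvradmin:!/' "$SAMPLE" > "$LOCKED"

echo "before lock: $(account_state "$SAMPLE" nvradmin)"
echo "after lock:  $(account_state "$LOCKED" nvradmin)"
echo "password logins after lock: $(password_logins "$LOCKED" | tr '\n' ' ')"
```

A hash edited by hand, as one post in the thread describes, still reports as set here, since the field carries no lock marker. Per the point raised earlier in the thread, a locked field does not end sessions that are already open.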