HACK ALERT: After update to 3.5.3.RBH1 NAS connects to random IPs using BITTORRENT

RainCaster
Posts: 19
Joined: Mon Feb 06, 2017 11:37 pm

HACK ALERT: After update to 3.5.3.RBH1 NAS connects to random IPs using BITTORRENT

Post by RainCaster »

My firewall logs show the NAS has been contacting a number of different IPs around the world using the BITTORRENT protocol. This began right after I upgraded to the above-mentioned version of ADM. Since then, it has been contacting these random IPs every hour. Each seems to be unique, although I'm still looking through the logs.

These IPs include: 87.98.162.88 (FR), 178.191.209.84 (AT), 80.17.193.51 (IT), 110.143.154.66 (AU), 178.136.119.67 (RU), 129.122.209.2 (AO), 82.72.239.86 (NL), 51.178.141.205 (GB), 178.62.148.22 (NL), 51.255.92.186 (FR)

None of these IPs have WhoIs information associated with them.

I think that ADM has been hacked and is sending out my NAS's data to a botnet.

I have disconnected my NAS from the outside world for the interim until this is explained and corrected.
RainCaster
Posts: 19
Joined: Mon Feb 06, 2017 11:37 pm

Re: HACK ALERT: After update to 3.5.3.RBH1 NAS connects to random IPs using BITTORRENT

Post by RainCaster »

I turned up the logging on my firewall and I see a much larger number of accesses: 275 over the course of 35 minutes. This is crap.
A short log file is attached.
Nazar78
Posts: 2068
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: HACK ALERT: After update to 3.5.3.RBH1 NAS connects to random IPs using BITTORRENT

Post by Nazar78 »

You sure you don't have any torrent running? You can easily find the culprit PID/process printed in the last column. Run and monitor the command below over SSH as root with the screen maximized; CTRL+C to return.

watch -n1 'netstat -natp|grep /|sort -rn|head'
RainCaster wrote: None of these IPs have WhoIs information associated with them.

I only checked the first IP.

...
route:          87.98.128.0/17
descr:          OVH ISP
descr:          Paris, France
origin:         AS16276
mnt-by:         OVH-MNT
created:        2009-11-13T10:24:53Z
last-modified:  2009-11-13T10:24:53Z
source:         RIPE # Filtered
...
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps

When posting, consider checking the box "Notify me when a reply is posted" to get faster response
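The one-liner above answers the question interactively; the script below does the same mapping of remote peers to owning process non-interactively, so it can be run from cron or pasted into a post. It is an added example, not code from the thread or from ASUSTOR, and it assumes the Linux `netstat -natp` column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, PID/Program name). The netstat text embedded in it is constructed for the demonstration, with peers drawn from the RFC 5737 documentation ranges rather than the addresses reported in the thread; the PIDs and program names are made up. A process talking to many distinct remote hosts on high ports, as the `2871/transmission-da` entry does here, is the pattern a torrent client produces.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `netstat -natp` output per process
# and flag processes that talk to many distinct remote hosts.
# On the live box, feed it real output:  peer_summary "$(netstat -natp)" 192.168.

# Constructed sample of `netstat -natp` output. PIDs, program names and the
# documentation-range peer addresses (RFC 5737) are invented for this example.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1023/sshd
tcp        0      0 0.0.0.0:51413           0.0.0.0:*               LISTEN      2871/transmission-da
tcp        0      0 192.168.1.10:51413      203.0.113.10:6881       ESTABLISHED 2871/transmission-da
tcp        0      0 192.168.1.10:51413      198.51.100.7:51413      ESTABLISHED 2871/transmission-da
tcp        0      0 192.168.1.10:44120      192.0.2.44:6889         SYN_SENT    2871/transmission-da
tcp        0      0 192.168.1.10:44121      203.0.113.99:6881       ESTABLISHED 2871/transmission-da
tcp        0      0 192.168.1.10:22         192.168.1.50:53211      ESTABLISHED 1023/sshd
tcp        0      0 192.168.1.10:8000       192.168.1.50:53212      ESTABLISHED 1401/nginx
tcp        0      0 192.168.1.10:44130      198.51.100.200:443      ESTABLISHED 1990/python3'

# peer_summary NETSTAT_TEXT LAN_PREFIX
# Prints one line per process that has at least one non-listening TCP socket
# whose peer does not start with LAN_PREFIX:
#   <distinct remote hosts> <connections> <PID/Program name>
# sorted with the busiest process first. IPv4 only (the port is stripped after
# the last colon, which would mangle IPv6 literals).
peer_summary() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        NR > 2 && $6 != "LISTEN" && index($5, lan) != 1 {
            ip = $5
            sub(/:[^:]*$/, "", ip)          # drop the remote port
            key = $7                        # PID/Program name column
            if (!((key, ip) in seen)) {     # count each remote host once per process
                seen[key, ip] = 1
                hosts[key]++
            }
            conns[key]++
        }
        END {
            for (k in hosts) printf "%d %d %s\n", hosts[k], conns[k], k
        }
    ' | sort -rn
}

# suspicious_processes NETSTAT_TEXT MIN_HOSTS LAN_PREFIX
# Names (one per line) the processes talking to at least MIN_HOSTS distinct
# remote hosts. A NAS that should only serve the LAN normally prints nothing.
suspicious_processes() {
    peer_summary "$1" "$3" | awk -v min="$2" '$1 >= min { print $3 }'
}

# Stand-alone run against the constructed sample.
echo "remote peers per process:"
peer_summary "$SAMPLE_NETSTAT" 192.168.
echo "processes with 3+ distinct remote hosts:"
suspicious_processes "$SAMPLE_NETSTAT" 3 192.168.
```

Two checks before trusting the verdict: `netstat -p` only shows the owning process when run as root, otherwise the last column is `-`, and a process that has already closed its sockets will not appear at all, so run it while the firewall is logging hits, as the `watch -n1` loop above does.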
RainCaster
Posts: 19
Joined: Mon Feb 06, 2017 11:37 pm

Re: HACK ALERT: After update to 3.5.3.RBH1 NAS connects to random IPs using BITTORRENT

Post by RainCaster »

Looks like it's Transmission, which has never behaved like that before. It hasn't been used for several years, but it was never disabled until now.
As soon as I disabled it, the traffic went away. Then I re-enabled it to see what would happen: six minutes and no more odd accesses. Disabled and uninstalled it to reduce the surface area.

Thanks for the help!