Multple Guest Access in Logs via FTP and Login Ok

FTP Server, File Server, DDNS, SAMBA, AFP, NFS
Javier67
New here
Posts: 3
Joined: Tue Sep 11, 2018 11:27 pm

Multple Guest Access in Logs via FTP and Login Ok

Postby Javier67 » Tue Sep 11, 2018 11:33 pm

Hi,

We noticed some strange activity with our QNAP NAS where during the evenings over the last few days there are hundreds of attempts to access via FTP using a guest account. All the logins say OK, but we have no idea what this is and what has been accessed. All the source IPs seem to be from other NAS around the world and they are repeatidly changed and a new attempt occurs every few seconds.

Attached is an example where i have hidden the last few numbers.

Can anyone provide information to what this is and what needs to be modified in our security settings? We dont see a Guest user in our list.

ftpaccess.jpg
You do not have the required permissions to view the files attached to this post.

User avatar
Don
Guru
Posts: 11242
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York
Contact:

Re: Multple Guest Access in Logs via FTP and Login Ok

Postby Don » Wed Sep 12, 2018 1:29 am

Remove guest access.

As long as you have ports open to the internet hacking attempts will be made.
Read the Online Manuals and use the forum search feature before posting.

It is a recommended to use RAID and have external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

Submit bugs and feature requests to QNAP via their Helpdesk app.

NAS: TVS-882BR | F/W: 4.3.5.0728 | 40GB | 2 x M.2 SATA RAID 1 (System) | 4 x M.2 NMVe QM2-4P-384A RAID 5 (Cache) | 5 x 4TB HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-663 | F/W: 4.3.5.0728 | 16GB | 2 x M.2 NMVe QM2-2P RAID 1 (Cache) | 4 x 4TB RAID 5
Apps: Boinc, Squid, DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS, Entware, DLstation, +others

Javier67
New here
Posts: 3
Joined: Tue Sep 11, 2018 11:27 pm

Re: Multple Guest Access in Logs via FTP and Login Ok

Postby Javier67 » Wed Sep 12, 2018 1:53 am

how do i remove guest access? looked everywhere and this user does not exist.

I am worried that my data has been compromised, but i dont see what they would have seen. There is no accessed resource in any of the attempts.

User avatar
schumaku
Guru
Posts: 43596
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: Multple Guest Access in Logs via FTP and Login Ok

Postby schumaku » Thu Sep 13, 2018 2:11 am

In the FTP context it's called anonymous access - so disable the anonymous access on your FTP server service.

FTP server disable anonymous.PNG
You do not have the required permissions to view the files attached to this post.

williamwza
Starting out
Posts: 11
Joined: Thu Dec 22, 2016 5:03 am

Re: Multple Guest Access in Logs via FTP and Login Ok

Postby williamwza » Thu Sep 13, 2018 6:00 pm

I have found a similar rash of FTP guest logins on the 9th September 2018. Anonymous access was disabled. I have now disallowed FTP access.

User avatar
schumaku
Guru
Posts: 43596
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: Multple Guest Access in Logs via FTP and Login Ok

Postby schumaku » Thu Sep 13, 2018 8:02 pm

Put a random password on the guest account, just in case.

[~] # paswd guest
...

williamwza
Starting out
Posts: 11
Joined: Thu Dec 22, 2016 5:03 am

Re: Multple Guest Access in Logs via FTP and Login Ok

Postby williamwza » Fri Sep 14, 2018 3:25 am

At the same time that the ftp attempts started, the router has been experiencing intermittent problems: very slow connections, other devices disconnect. Perhaps a coincidence? For now the NAS is off the network while I track the connections of the other devices.

ncoc018
New here
Posts: 4
Joined: Sun Aug 17, 2014 8:01 pm

Re: Multple Guest Access in Logs via FTP and Login Ok

Postby ncoc018 » Sat Sep 15, 2018 12:16 am

Same situation here. FTP port suddenly changed to 49832 and anonymous login was enabled. A lot of guest login OK record was found.
I use FTP every day and I clearly sure that i have disabled anonymous login. Is it a problem/bug related to live update?

JPL09
First post
Posts: 1
Joined: Thu Nov 10, 2011 9:00 pm

Re: Multple Guest Access in Logs via FTP and Login Ok

Postby JPL09 » Mon Sep 24, 2018 4:22 am

Same situation here. FTP port suddenly changed to 49832 and anonymous login was enabled. A lot of guest login OK record was found.
And I don't find any strange file on the server.

dolbyman
Guru
Posts: 10508
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Multple Guest Access in Logs via FTP and Login Ok

Postby dolbyman » Mon Sep 24, 2018 6:51 am

what services did you expose?

time to start your system from scratch and never expose it again

Javier67
New here
Posts: 3
Joined: Tue Sep 11, 2018 11:27 pm

Re: Multple Guest Access in Logs via FTP and Login Ok

Postby Javier67 » Tue Sep 25, 2018 6:53 am

I have also disabled FTP access completely and i cant see any more attacks. However, i have been shutting it down overnight since the 14th as almost all the accesses were from 10pm - 4am.

Will leave it on overnight now and report back if they still show up.

what services did you expose?


Not sure what you mean by this?

scoops98
First post
Posts: 1
Joined: Fri Oct 19, 2018 4:06 am

Re: Multple Guest Access in Logs via FTP and Login Ok

Postby scoops98 » Fri Oct 19, 2018 4:12 am

I have noticed exactly the same thing yesterday. logon using guest over ftp from multiple locations. The issue is i don't have a guest account in the users section and FTP is not enabled! I am shutting down the NAS until i find out more.

dolbyman
Guru
Posts: 10508
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Multple Guest Access in Logs via FTP and Login Ok

Postby dolbyman » Fri Oct 19, 2018 4:40 am

same question to you waht services are you exposing to the web ?

QTS admin
Photo station
Video station
etc.


Return to “File Sharing”

Who is online

Users browsing this forum: No registered users and 2 guests