Hacked with no cloud acct or port forwarding???

gwbaker99
New here
Posts: 7
Joined: Sat Nov 28, 2020 2:32 am

Hacked with no cloud acct or port forwarding???

Post by gwbaker99 » Tue Jan 05, 2021 11:40 pm

So my QNAP TVS-873e does not have a cloud account nor any port forwarding from the home router. Yet last night I got notified that someone tried to break in remotely from another continent. They were unsuccessful as they got locked out. But how did they see my NAS if it's not sticking its neck out?

jaysona
Easy as a breeze
Posts: 452
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Hacked with no cloud acct or port forwarding???

Post by jaysona » Wed Jan 06, 2021 12:06 am

How were you notified that there was an access attempt?

What was the vector that the hack attempt was made on?

Do you have UPnP enabled on the NAS and router?

As for how did they "see" your NAS, it was not seen, it was found. There are constant scans being made all the time. Some scans are more sophisticated than others and can determine when a network attached device exists but is being blocked. This also depends on the router/firewall being used. ISP-provided equipment is typically the least secure and readily leaks potential hosts on the LAN.

The best home router firewalls to use are ones that can run Merlin-WRT (select Asus only), FreshTomato, OpenWRT and DD-WRT. Those firmware use iptables and the "drop" command for all disallowed packets. The drop is effectively the same as if no device exists at all. Many ISP-provided types of equipment use something like "deny" or "reject", which lets the scanner know that something is there.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

gwbaker99
New here
Posts: 7
Joined: Sat Nov 28, 2020 2:32 am

Re: Hacked with no cloud acct or port forwarding???

Post by gwbaker99 » Wed Jan 06, 2021 12:22 am

As for which vector, HTTPS, SSH, not sure. The NAS notification system sent this:

NAS Name: qnapnas
Severity: Error
Date/Time: 2021/01/05 01:30:18

App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 37.120.213.xxx

What I don't understand is how the traffic was routed to the NAS through the router when I do not have any ports forwarded to the NAS? Router is mesh Netgear RBS850.

dolbyman
Guru
Posts: 21157
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Hacked with no cloud acct or port forwarding???

Post by dolbyman » Wed Jan 06, 2021 12:29 am

As asked before, is UPnP disabled? If not, the QNAP can do its own port forwarding.

jaysona
Easy as a breeze
Posts: 452
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Hacked with no cloud acct or port forwarding???

Post by jaysona » Wed Jan 06, 2021 12:31 am

That looks like a login attempt via the QTS admin web page.

This means your NAS is exposed to the Internet, either on port 8080, 443 or both. Check to make sure the NAS, router and any other network devices have UPnP disabled.

Use one of the following links below to check to see if specific ports are being forwarded by your router.

https://www.portcheckers.com/canyouseeme
https://portchecker.co/canyouseeme
https://www.canyouseeme.org/

Finally, remove the HelpDesk app, install it only when you actually need to use it.

Edit: I just looked up your router, you may want to consider using something else. There are numerous vulnerabilities for the Netgear Orbis out there. There are a few 0-days for the Orbi as well, so tread carefully.

gwbaker99
New here
Posts: 7
Joined: Sat Nov 28, 2020 2:32 am

Re: Hacked with no cloud acct or port forwarding???

Post by gwbaker99 » Wed Jan 06, 2021 12:51 am

Thanks all, must have been UPnP.. turning off...
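
The notification quoted earlier in the thread carries the signal the replies rely on: a failed login whose source address is outside the LAN means the NAS is reachable from the Internet. The following Python is an added example, not part of any post in the thread and not QNAP code; it parses notifications in that layout and returns the failed logins that came from non-LAN sources. The sample text, the LAN range list and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the notification layout quoted in the thread.
# Addresses are documentation/private ranges, not real indicators.
SAMPLE = '''NAS Name: qnapnas
Severity: Error
Date/Time: 2021/01/05 01:30:18

App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 203.0.113.xxx

NAS Name: qnapnas
Severity: Error
Date/Time: 2021/01/05 08:12:03

App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "gw". Source IP address: 192.168.1.23
'''

# Sources that can reach the NAS without crossing the router's WAN side.
LAN = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

STAMP = re.compile(r"^Date/Time: (.+)$", re.M)
FAILED = re.compile(r'Failed to log in via user account "([^"]*)"\. '
                    r"Source IP address: ([0-9A-Fa-f:.x]+)")

def is_external(addr):
    """True when the source address lies outside the LAN ranges above."""
    # A redacted octet ("xxx") is zeroed; the network part still classifies.
    ip = ipaddress.ip_address(re.sub(r"x+", "0", addr))
    return not any(ip in net for net in LAN)

def external_failures(text):
    """Return (timestamp, account, source) for failed logins from outside."""
    found = []
    for block in re.split(r"(?m)^(?=NAS Name:)", text):
        stamp, hit = STAMP.search(block), FAILED.search(block)
        if not hit:
            continue
        try:
            if is_external(hit.group(2)):
                found.append((stamp.group(1) if stamp else None, *hit.groups()))
        except ValueError:
            continue  # address field did not parse; skip rather than guess
    return found
```

Any row returned is a reason to recheck UPnP on the NAS and router and to rerun one of the port checkers linked above.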
