Hacked with no cloud acct or port forwarding???
-
- New here
- Posts: 7
- Joined: Sat Nov 28, 2020 2:32 am
Hacked with no cloud acct or port forwarding???
So my QNAP tvs-873e does not have a cloud account nor any port forwarding from the home router. Yet last night I got notified that someone tried to break in remotely from another continent. They were unsuccessful as they got locked out. But how did they see my NAS if it's not sticking its neck out?
- jaysona
- Easy as a breeze
- Posts: 452
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Hacked with no cloud acct or port forwarding???
How were you notified that there was an access attempt?
What was the vector that the hack attempt was made on?
Do you have UPnP enabled on the NAS and router?
As for how they "saw" your NAS: it was not seen, it was found. There are constant scans being made all the time. Some scans are more sophisticated than others and can determine when a network attached device exists but is being blocked. This also depends on the router/firewall being used. ISP provided equipment is typically the least secure and readily leaks potential hosts on the LAN.
The best home router firewalls to use are ones that can run Merlin-WRT (select Asus only), FreshTomato, OpenWRT and DD-WRT. That firmware uses iptables and the "drop" target for all disallowed packets. The drop is effectively the same as if no device exists at all. Many ISP provided types of equipment use something like "deny" or "reject", which lets the scanner know that something is there.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
-
- New here
- Posts: 7
- Joined: Sat Nov 28, 2020 2:32 am
Re: Hacked with no cloud acct or port forwarding???
As for which vector, https, ssh, not sure. The NAS notification system sent this:
NAS Name: qnapnas
Severity: Error
Date/Time: 2021/01/05 01:30:18
App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 37.120.213.xxx
What I don't understand is how the traffic was routed to the NAS through the router when I do not have any ports forwarded to the NAS? Router is a mesh Netgear RBS850.
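The notification above carries the two facts a defender needs: the account attacked and the source address. As an added example (not from the thread or from QNAP), the script below parses a dump of such records, flags failures that come from non-LAN addresses (which by itself proves the login page is reachable from the Internet) and counts failures per source inside a time window. The sample records, addresses and timestamps are constructed; the field layout follows the notification quoted in the post.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input in the same field layout as the QNAP "Users" notification
# quoted in the thread. All values are made up: 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for Internet addresses, 192.168.1.0/24 is the LAN.
SAMPLE_EVENTS = """\
NAS Name: qnapnas
Severity: Error
Date/Time: 2021/01/05 01:30:18
App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 203.0.113.45

NAS Name: qnapnas
Severity: Error
Date/Time: 2021/01/05 01:30:25
App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 203.0.113.45

NAS Name: qnapnas
Severity: Error
Date/Time: 2021/01/05 01:31:02
App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "root". Source IP address: 203.0.113.45

NAS Name: qnapnas
Severity: Error
Date/Time: 2021/01/05 01:45:00
App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 198.51.100.7

NAS Name: qnapnas
Severity: Error
Date/Time: 2021/01/05 08:15:00
App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "bob". Source IP address: 192.168.1.20
"""

FAILED_LOGIN_RE = re.compile(
    r'Failed to log in via user account "(?P<user>[^"]+)"\. '
    r'Source IP address: (?P<ip>[0-9a-fA-F.:]+)'
)

# Ranges that cannot be the true origin of Internet traffic. Python's is_global would
# also reject the documentation ranges used in the sample, so the list is explicit.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_events(text):
    """Split the dump into records; each record becomes a dict of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def failed_logins(events):
    """(timestamp, user, source_ip) for every failed-login record."""
    out = []
    for ev in events:
        if ev.get("Category") != "Login":
            continue
        m = FAILED_LOGIN_RE.search(ev.get("Message", ""))
        if m:
            ts = datetime.strptime(ev["Date/Time"], "%Y/%m/%d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def external_sources(failures):
    """Failures from non-LAN addresses: direct evidence the login page is Internet-reachable."""
    return sorted({ip for _, _, ip in failures if not is_internal(ip)})


def brute_force_sources(failures, threshold=3, window=timedelta(minutes=10)):
    """Sources with at least `threshold` failures inside any `window`; value is the peak count."""
    by_ip = defaultdict(list)
    for ts, _, ip in failures:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak = max(sum(1 for t in stamps[i:] if t - start <= window)
                   for i, start in enumerate(stamps))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    failures = failed_logins(parse_events(SAMPLE_EVENTS))
    print("external sources:", external_sources(failures))
    print("brute-force sources:", brute_force_sources(failures))
```

Feed it the text of the saved notifications (or the exported system log in the same layout) and a non-empty `external_sources` answers the question in the post before any port check: the NAS is reachable from outside, whatever the router's forwarding page says.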
- dolbyman
- Guru
- Posts: 21157
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Hacked with no cloud acct or port forwarding???
As asked before, is UPnP disabled? If not, the QNAP can do its own port forwarding.
- jaysona
- Easy as a breeze
- Posts: 452
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
Re: Hacked with no cloud acct or port forwarding???
That looks like a login attempt via the QTS admin web page.
This means your NAS is exposed to the Internet, either on port 8080, 443 or both. Check to make sure the NAS, the router and any other network devices have UPnP disabled.
Use one of the links below to check whether specific ports are being forwarded by your router.
https://www.portcheckers.com/canyouseeme
https://portchecker.co/canyouseeme
https://www.canyouseeme.org/
Finally, remove the HelpDesk app, install it only when you actually need to use it.
Edit: I just looked up your router, you may want to consider using something else. There are numerous vulnerabilities for the Netgear Orbi out there. There are a few 0-days for the Orbi as well, so tread carefully.
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
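dolbyman's point that the QNAP can create its own forwarding, and jaysona's advice to check which ports the router exposes, both come down to the router's UPnP IGD port-mapping table. An external port checker only shows that a port answers; reading the table shows which LAN host each mapping points at and who asked for it. The block below is an added example, not code from the thread or from QNAP or Netgear: it builds the read-only `GetGenericPortMappingEntry` SOAP request of the WANIPConnection service, walks the table until the router returns the standard 713 fault, and lists enabled mappings that land on the NAS. The control URL would come from the router's device description (found via SSDP), which the example does not implement; the two mapping responses, the NAS address 192.168.1.50 and the descriptions are constructed so the block runs offline.

```python
import xml.etree.ElementTree as ET
from urllib import request
from urllib.error import HTTPError

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"


def build_request(index):
    """SOAP body and headers asking for the mapping at table position `index`."""
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{ACTION} xmlns:u="{IGD_SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        f'</u:{ACTION}></s:Body></s:Envelope>'
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{IGD_SERVICE}#{ACTION}"'}
    return body, headers


def parse_response(xml_text):
    """One mapping as a dict, or None on a SOAP fault (error 713 once the index passes the table end)."""
    root = ET.fromstring(xml_text)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    resp = root.find(f".//{{{IGD_SERVICE}}}{ACTION}Response")
    fields = {child.tag: (child.text or "") for child in resp}  # New* children are unprefixed
    return {
        "external_port": int(fields["NewExternalPort"]),
        "protocol": fields["NewProtocol"],
        "internal_client": fields["NewInternalClient"],
        "internal_port": int(fields["NewInternalPort"]),
        "description": fields.get("NewPortMappingDescription", ""),
        "enabled": fields.get("NewEnabled") == "1",
    }


def enumerate_mappings(fetch, limit=256):
    """Walk the table from index 0 until the first fault; `fetch(index)` returns raw SOAP text."""
    mappings = []
    for index in range(limit):
        entry = parse_response(fetch(index))
        if entry is None:
            break
        mappings.append(entry)
    return mappings


def exposures_for_host(mappings, host):
    """Enabled mappings pointing at `host`: each is a WAN-reachable port, whoever created it."""
    return [m for m in mappings if m["enabled"] and m["internal_client"] == host]


def http_fetcher(control_url):
    """Transport for a real router's WANIPConnection control URL (not used by the offline demo)."""
    def fetch(index):
        body, headers = build_request(index)
        req = request.Request(control_url, data=body.encode(), headers=headers, method="POST")
        try:
            with request.urlopen(req, timeout=5) as resp:
                return resp.read().decode()
        except HTTPError as err:  # IGD devices return HTTP 500 with the SOAP fault in the body
            return err.read().decode()
    return fetch


# Constructed responses: a table with two entries created by a NAS at 192.168.1.50
# (assumed address, made-up descriptions), followed by the 713 fault at index 2.
def _entry(ext, proto, client, internal, desc):
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:{ACTION}Response xmlns:u="{IGD_SERVICE}">'
            f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
            f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>'
            f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
            f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
            f'<NewLeaseDuration>0</NewLeaseDuration></u:{ACTION}Response></s:Body></s:Envelope>')


FAULT_713 = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
             '<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
             '<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>'
             '</UPnPError></detail></s:Fault></s:Body></s:Envelope>')

SAMPLE_TABLE = [_entry(8080, "TCP", "192.168.1.50", 8080, "constructed: NAS web UI"),
                _entry(443, "TCP", "192.168.1.50", 443, "constructed: NAS https"),
                FAULT_713]


def sample_fetch(index):
    return SAMPLE_TABLE[index] if index < len(SAMPLE_TABLE) else FAULT_713


if __name__ == "__main__":
    for m in exposures_for_host(enumerate_mappings(sample_fetch), "192.168.1.50"):
        print(f'{m["protocol"]} {m["external_port"]} -> {m["internal_client"]}:{m["internal_port"]} ({m["description"]})')
```

Against a real router, `enumerate_mappings(http_fetcher(control_url))` is the same walk; an empty result for the NAS address after disabling UPnP on both devices (and rebooting the router, since leases of 0 never expire on their own) confirms the hole is closed, and the `description` field usually names the application that opened it.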
-
- New here
- Posts: 7
- Joined: Sat Nov 28, 2020 2:32 am
Re: Hacked with no cloud acct or port forwarding???
Thanks all, must have been UPnP.. turning off...