TS-251 flooding LAN - no internet...?

[dime0000]

I have a weird one..

I've had a TS-251 hooked up to a Netgear router for a couple years now.. just about a month ago, my internet started dropping. After much investigation, I discovered that if I disconnected my QNAP TS-251 from the network, all would work fine. This has been consistent - I've had to regularly pull the plug on the thing. I have 12 other devices on my LAN (both wired and wireless) - not of the other devices are causing issues.

I've tried shutting down every service and add-on I can find on the QNAP device but nothing seems to work - also did firmware updates... Nothing.

A friend of mine suggested I try Wireshark to see if I can see anything.. before I do - any other suggestions?

[rcblackwell]

... any other suggestions?

Run QNAP's Malware Remover and a virus scan

[dolbyman]

we have seen that behavior before

probably a compromised NAS with network scanner / botnet running


did you expose photo station to the internet ?

[dime0000]

I haven't exposed anything to the internet (to my knowledge) and also removed the photo station... but that sounds similar to rcblackwell's approach - would something like that get found with a the QNAP malware / virus scan?

[dolbyman]

that qnap malware scanner is sadly a "black box", so we do not know what it detects

[dime0000]

so I ran the malware scanner and it removed stuff - cool! that said, I'm looking at my router logs and i still see outside IPs hitting my QNAP device on port 22 and 443... Any ideas what else I should be looking at?

[dolbyman]

contact qnap via ticket

[Ericnepean]

so I ran the malware scanner and it removed stuff - cool! that said, I'm looking at my router logs and i still see outside IPs hitting my QNAP device on port 22 and 443... Any ideas what else I should be looking at?

I would start by setting up the router firewall to block ALL outgoing and incoming connections to your QNAP NAS from the WAN side.
You will have to do manual firmware updates and set the time manually, but that's minor compared to whatever else you have happening.

I have shifted the SSH port on my QNAPs from 22 to another port not used by any other service - now I log in with "SSH -l admin -p zzzz 192.168.xxx.xxx" Another obstacle to put in the way of attackers.

Check what other services are enabled - if you don't need Telnet, FTP, AFP (Macs need it), SMB (PCs need it), NFS (for linux/unix) shut them down

Also check that your router has the latest firmware, a strong password, and that the web admin interface on WAN side is locked down. And check if there are any vulnerabilities or advisories against your router. Check if your router might be compromised as well.