Successful logins by users that dont exist

buiz_
Starting out
Posts: 44
Joined: Mon Aug 17, 2015 1:26 am

Successful logins by users that dont exist

Post by buiz_ »

I have noticed regular logins by users such as "anonymous", "Alex", "user" and "server", none of which actually exists as users on my NAS. See attached screenshot. It doesn't state what resource these "ghost" users have accessed. I have not experienced anything untoward on my NAS. Can anyone help me understand what's going on?
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: Successful logins by users that dont exist

Post by Toxic17 »

Looks like your NAS is open to the world. Have you allowed full access from the internet/UPnP etc.? I hope you have nothing important on your NAS.

Have you run the Malware Remover and Security Counselor apps yet?
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
buiz_
Starting out
Posts: 44
Joined: Mon Aug 17, 2015 1:26 am

Re: Successful logins by users that dont exist

Post by buiz_ »

Yeah, my NAS is exposed but protected with a very strong password. I want to be able to access it myself from the internet!

Malware Remover is run daily, all updates done regularly etc, so no basic mistakes.

My question is still how the log can show users that don't exist having successfully logged on my system. That does not make sense. It comes up as a warning in the log, which is another mystery...
dolbyman
Guru
Posts: 35019
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Successful logins by users that dont exist

Post by dolbyman »

Passwords don't matter on exploits... as explained and witnessed over and over and over again.

So a MAJOR basic mistake (that many paid with their data).

viewtopic.php?f=45&t=160849

If you need to access your NAS from WAN, run a VPN server.
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Successful logins by users that dont exist

Post by jaysona »

> buiz_ wrote: Wed Apr 28, 2021 10:42 pm
> Yeah, my NAS is exposed but protected with a very strong password. I want to be able to access it myself from the internet!
>
> Malware Remover is run daily, all updates done regularly etc, so no basic mistakes.
>
> My question is still how the log can show users that don't exist having successfully logged on my system. That does not make sense. It comes up as a warning in the log, which is another mystery...

Unfortunately, QNAP marketing is disingenuous and borders on being outright deceitful. They market their NAS products as a personal cloud for home users and encourage the sharing of photos, files, audio, video, etc via an Internet connected NAS. For the past several years, QTS OS and applications have been successfully used by malware authors and nefarious actors to gain unauthorized remote access to the NASes and either use the NAS for various purposes or hold the data for ransom.

QNAP has been aware that their NASes are wildly attacked and hacked, but QNAP has done nothing (other than spew more marketing bullspit) to improve the security of QTS and its associated applications. Over the past 18 months or so, QTS appears (just based on the number of successful malware attack campaigns) to have become less secure instead of more secure.

If you wish to access your NAS remotely via the Internet, you will need to do so by setting up a VPN server on your home network (preferably on the router or Raspberry Pi) and use a VPN client on your mobile device to access the data on the NAS when you are away from home.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: Successful logins by users that dont exist

Post by Toxic17 »

Oh, a very strong password, then please forgive all our efforts to tell you your NAS is hacked.

We must be wrong..

The users must be ghosts and QNAP know what they are doing with security.

Sorry for wasting your time reading what we thought was wrong.

Enjoy your NAS like no other.


Sent from my iPhone using Tapatalk
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Successful logins by users that dont exist

Post by OneCD »

> Toxic17 wrote: Thu Apr 29, 2021 4:40 am
> Oh, a very strong password, then please forgive all our efforts to tell you your NAS is hacked.
>
> We must be wrong..
>
> The users must be ghosts and QNAP know what they are doing with security.
>
> Sorry for wasting your time reading what we thought was wrong.
>
> Enjoy your NAS like no other.

This post should be linked-to from any online thesauri trying to explain what "dripping-with-sarcasm" looks like. :DD

Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: Successful logins by users that dont exist

Post by Skwor »

> buiz_ wrote: Wed Apr 28, 2021 10:42 pm
> Yeah, my NAS is exposed but protected with a very strong password. I want to be able to access it myself from the internet!
>
> Malware Remover is run daily, all updates done regularly etc, so no basic mistakes.
>
> My question is still how the log can show users that don't exist having successfully logged on my system. That does not make sense. It comes up as a warning in the log, which is another mystery...

Forum moderator with over 5000 posts and 10 years on this board tells you politely you are likely being hacked and suggests you run a few apps to see what your security is. You do not even run all he suggested and post back you are good and made no basic mistakes because you have a strong password.

Step back a moment and consider the input you have been given.

I will guess at a few of your basic mistakes.
1. I suspect you still have the basic admin account active and probably have not changed the password.
2. I would guess you have your UI web interface open via port 8080 to the internet and your router (UPnP is probably enabled on both your router and NAS) is allowing all your NAS ports through.
3. I am also going to guess you have not updated your firmware recently, I guess this because you did not get Qlocker and if you had HBS you probably would have so I suspect you have the old app on your system, ergo an older FW.
4. You are not perceiving that people from those outside IPs are logging into your NAS therefore you seem to not understand that your NAS is exposed.

I could speculate more but just those 4 already are "basic mistakes" you likely have made
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)

WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: Successful logins by users that dont exist

Post by Toxic17 »

> OneCD wrote: Thu Apr 29, 2021 5:16 am
> This post should be linked-to from any online thesauri trying to explain what "dripping-with-sarcasm" looks like. :DD

Was it that obvious? :lol:
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Successful logins by users that dont exist

Post by jaysona »

> OneCD wrote: Thu Apr 29, 2021 5:16 am
> This post should be linked-to from any online thesauri trying to explain what "dripping-with-sarcasm" looks like. :DD

+1 :lol:
buiz_
Starting out
Posts: 44
Joined: Mon Aug 17, 2015 1:26 am

Re: Successful logins by users that dont exist

Post by buiz_ »

Thanks for your dripping sarcasm and your thoughtful education of me. When you are done with all that, it would be wonderful if you could actually address the question I'm asking here: why is my log showing users that don't exist log in to my NAS? That's a pretty specific question which none of you have answered.
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Successful logins by users that dont exist

Post by Toxic17 »

Solution is easy.

Wipe your NAS and start over.

Your NAS has been compromised.

You cannot trust those accounts. When you see accounts that you say don't exist but are logged in, you should be worried.

Once you reinitialise the NAS, restore your data from backups.


Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: Successful logins by users that dont exist

Post by Skwor »

> buiz_ wrote: Thu Apr 29, 2021 2:44 pm
> Thanks for your dripping sarcasm and your thoughtful education of me. When you are done with all that, it would be wonderful if you could actually address the question I'm asking here: why is my log showing users that don't exist log in to my NAS? That's a pretty specific question which none of you have answered.

It was answered, since you gave no real details all we could do is guess. I answered some very basic possibilities in my post above.

First follow Toxic17's instruction.

Now as to what I wrote, all possibilities as to why you are getting those logins;
I will guess at a few of your basic mistakes.
1. I suspect you still have the basic admin account active and probably have not changed the password.
2. I would guess you have your UI web interface open via port 8080 to the internet and your router (UPnP is probably enabled on both your router and NAS) is allowing all your NAS ports through.
3. I am also going to guess you have not updated your firmware recently, I guess this because you did not get Qlocker and if you had HBS you probably would have so I suspect you have the old app on your system, ergo an older FW.
4. You are not perceiving that people from those outside IPs are logging into your NAS therefore you seem to not understand that your NAS is exposed.
As such :
1. Check your admin account, change the password if you have not, then disable your admin account and create a new account with a unique user id and give it the appropriate privileges and a strong password.
2. Disable all services you do not need running, change ports for the services you do need to have running and, to repeat, turn off all services you do not need. There are a lot of them: TELNET, SSH, FTP, HTTP/HTTPS, DLNA (Media Server), HBS3 (RTRR), just to name a few. Seriously, expecting someone to write a detailed guide for you is a bit presumptuous; there are a lot of posts and QNAP bulletins, search them out on this issue.
* Check UPnP on both your router and NAS, turn them both off, if you must have a port open, only port forward the service you have to use.
* Seriously consider getting a firewall and put it between your router and your home network or use a router with a firewall.
* Best practice would be to VPN into your router for any service you need, see suggestion for firewall above.
3. If you have not, update your FW then update all your apps.
4. Have an open mind, try assuming others may be right first and see where that leads you when you research an issue, if you find otherwise at least you have a better understanding of what you know.

There is a principle which is a bar against all information, which is proof against all argument, and which cannot fail to keep man in everlasting ignorance. That principle is condemnation before investigation.
—Edmund Spencer
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Successful logins by users that dont exist

Post by jaysona »

> buiz_ wrote: Thu Apr 29, 2021 2:44 pm
> Thanks for your dripping sarcasm and your thoughtful education of me. When you are done with all that, it would be wonderful if you could actually address the question I'm asking here: why is my log showing users that don't exist log in to my NAS? That's a pretty specific question which none of you have answered.

And it is a question that has been asked oh so many times here, in oh so many threads, with oh so many answers - all of which are essentially the same answer.

viewtopic.php?t=160849&p=786790#p786813
viewtopic.php?t=159175&p=777711#p777736

TL;DR - if the QNAP NAS QTS web admin page and associated QTS applications are accessible from the Internet, the NAS will eventually be compromised. Admin/user password strength is useless against exploits of poor QNAP coding practices.
buiz_
Starting out
Posts: 44
Joined: Mon Aug 17, 2015 1:26 am

Re: Successful logins by users that dont exist

Post by buiz_ »

Those threads and the other posts in this thread deal with the many vulnerabilities of QTS. I get that. I got that before I started this thread. I know what I'm dealing with and I take the risks I want to take and that I find acceptable in relation to the importance of what I have on my NAS. I'm not a n00b throwing my vital data in the hands of hackers without caution or backup.

So if we can put that aside along with the dripping sarcasm then what I'm still looking for is an actual answer to my actual question. How can users that don't exist on my NAS show up as having successfully logged on my NAS? I showed a screenshot that also shows that those users did not actually seem to use/access any resources on my NAS. Compromised or not, I would assume that for a user called "Alex" to successfully log on to my NAS, that user should actually be existing on my NAS, yet that seems to not be the case. Anyone has some insights to this? And to be clear, I'm now looking for something more insightful than "your NAS is compromised, wipe it".
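
Added example (not part of the thread and not QNAP tooling): one way to triage the log entries discussed above is to cross-check every successful login in an exported connection log against the accounts that are actually configured, and to note which ones arrive from outside the LAN. The CSV layout, the sample rows, the account list and the function names are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows in an assumed CSV export layout (not real log data).
SAMPLE_LOG = """\
date,time,user,source_ip,service,action
2021-04-27,03:12:44,anonymous,203.0.113.57,HTTP,Login OK
2021-04-27,08:01:10,owner,192.168.1.20,SAMBA,Login OK
2021-04-27,09:45:02,Alex,198.51.100.9,HTTP,Login OK
2021-04-28,01:30:19,user,203.0.113.57,HTTP,Login OK
2021-04-28,01:30:25,admin,203.0.113.57,HTTP,Login Fail
2021-04-28,07:55:31,owner,192.168.1.20,HTTP,Login OK
"""

# Assumption: the accounts that actually exist on the device.
KNOWN_ACCOUNTS = {"admin", "owner"}

# Address ranges treated as "inside": RFC 1918 plus loopback.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip_text):
    """True when the source address is outside the LAN ranges above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in LAN_NETS)


def find_suspect_logins(log_text, known_accounts):
    """Return {user: {"count", "sources", "reasons"}} for successful logins
    that use an unknown account name or arrive from an external address."""
    # Assumption: account names are compared case-insensitively.
    known = {name.lower() for name in known_accounts}
    findings = defaultdict(
        lambda: {"count": 0, "sources": set(), "reasons": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"].strip().lower() != "login ok":
            continue  # only successful logins are of interest here
        user, source = row["user"].strip(), row["source_ip"].strip()
        reasons = set()
        if user.lower() not in known:
            reasons.add("unknown-account")
        if is_external(source):
            reasons.add("external-source")
        if reasons:
            entry = findings[user]
            entry["count"] += 1
            entry["sources"].add(source)
            entry["reasons"] |= reasons
    return dict(findings)


if __name__ == "__main__":
    report = find_suspect_logins(SAMPLE_LOG, KNOWN_ACCOUNTS)
    for user, info in sorted(report.items()):
        print(user, info["count"], sorted(info["sources"]), sorted(info["reasons"]))
```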