Multple Guest Access in Logs via FTP and Login Ok

[Javier67]

Hi,

We noticed some strange activity with our QNAP NAS where during the evenings over the last few days there are hundreds of attempts to access via FTP using a guest account. All the logins say OK, but we have no idea what this is and what has been accessed. All the source IPs seem to be from other NAS around the world and they are repeatidly changed and a new attempt occurs every few seconds.

Attached is an example where i have hidden the last few numbers.

Can anyone provide information to what this is and what needs to be modified in our security settings? We dont see a Guest user in our list.

ftpaccess.jpg

[Don]

Remove guest access.

As long as you have ports open to the internet hacking attempts will be made.

[Javier67]

how do i remove guest access? looked everywhere and this user does not exist.

I am worried that my data has been compromised, but i dont see what they would have seen. There is no accessed resource in any of the attempts.

[schumaku]

In the FTP context it's called anonymous access - so disable the anonymous access on your FTP server service.

FTP server disable anonymous.PNG

[williamwza]

I have found a similar rash of FTP guest logins on the 9th September 2018. Anonymous access was disabled. I have now disallowed FTP access.

[schumaku]

Put a random password on the guest account, just in case.

[~] # paswd guest
...

[williamwza]

At the same time that the ftp attempts started, the router has been experiencing intermittent problems: very slow connections, other devices disconnect. Perhaps a coincidence? For now the NAS is off the network while I track the connections of the other devices.

[ncoc018]

Same situation here. FTP port suddenly changed to 49832 and anonymous login was enabled. A lot of guest login OK record was found.
I use FTP every day and I clearly sure that i have disabled anonymous login. Is it a problem/bug related to live update?

[JPL09]

Same situation here. FTP port suddenly changed to 49832 and anonymous login was enabled. A lot of guest login OK record was found.
And I don't find any strange file on the server.

[dolbyman]

what services did you expose?

time to start your system from scratch and never expose it again

[Javier67]

I have also disabled FTP access completely and i cant see any more attacks. However, i have been shutting it down overnight since the 14th as almost all the accesses were from 10pm - 4am.

Will leave it on overnight now and report back if they still show up.

what services did you expose?

Not sure what you mean by this?

[scoops98]

I have noticed exactly the same thing yesterday. logon using guest over ftp from multiple locations. The issue is i don't have a guest account in the users section and FTP is not enabled! I am shutting down the NAS until i find out more.

[dolbyman]

same question to you waht services are you exposing to the web ?

QTS admin
Photo station
Video station
etc.