Was my NAS hacked/pwned?


Post by waldauf

Hello,

I have a suspicion that my NAS was hacked/pwned, because:
  1. I have installed a script which puts the server to sleep when there is no network activity (according to viewtopic.php?t=141294).
  2. At times when I'm not connected to the NAS it is still working (you can hear the disks working and see the LED lights blinking).
  3. When I had it connected to another local network without a public IP but with internet access, it did nothing and slept without problems.
I would like to discuss it with you. Below you can find some additional information:

My home network:

Code:

{internet} --- [Home router Netgear R6400 with public IP] --- [QNAP TS-253A]
                                                          --- [home laptops, etc. ]
  • On the Netgear I have set up a tunnel for OpenVPN which is managed by the QNAP. I tried to shut down this tunnel and can still see strange hostnames/IPs in the tcpdump capture.
  • My home network is 192.168.111.0/24.
  • Netgear and QNAP have different passwords.

tcpdump
I installed tcpdump (via Entware-ng), captured some packets (excluding my local network) and there I found many strange IPs from all over the world. Part of the output from tcpdump (Otesanek = my NAS):

Code:

# tcpdump -i any "not ((src net 192.168.111.0/24) and (dst net 192.168.111.0/24))" -tttt -s 0 | grep -v localhost
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
2019-01-06 17:39:44.276857 IP ns3001704.ip-37-59-49.eu.51413 > Otesanek.6881: UDP, length 97
2019-01-06 17:39:44.276857 IP ns3001704.ip-37-59-49.eu.51413 > Otesanek.6881: UDP, length 97
2019-01-06 17:39:44.276971 IP Otesanek > ns3001704.ip-37-59-49.eu: ICMP Otesanek udp port 6881 unreachable, length 133
2019-01-06 17:39:44.276982 IP Otesanek > ns3001704.ip-37-59-49.eu: ICMP Otesanek udp port 6881 unreachable, length 133
2019-01-06 17:39:44.961122 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 488
2019-01-06 17:39:44.961122 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 488
2019-01-06 17:39:44.961331 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
2019-01-06 17:39:44.961346 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
2019-01-06 17:39:44.961353 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
2019-01-06 17:39:45.451019 IP 145.255.1.144.dynamic.ufanet.ru.39048 > Otesanek.6881: UDP, length 106
2019-01-06 17:39:45.451019 IP 145.255.1.144.dynamic.ufanet.ru.39048 > Otesanek.6881: UDP, length 106
2019-01-06 17:39:45.451129 IP Otesanek > 145.255.1.144.dynamic.ufanet.ru: ICMP Otesanek udp port 6881 unreachable, length 142
2019-01-06 17:39:45.451141 IP Otesanek > 145.255.1.144.dynamic.ufanet.ru: ICMP Otesanek udp port 6881 unreachable, length 142
2019-01-06 17:39:45.465967 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 516
2019-01-06 17:39:45.755898 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 502
2019-01-06 17:39:45.755898 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 502
2019-01-06 17:39:45.756128 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 509
2019-01-06 17:39:45.756158 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 509
2019-01-06 17:39:45.756166 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 509
2019-01-06 17:39:45.756128 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 509
2019-01-06 17:39:45.756162 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 509
2019-01-06 17:39:45.795535 IP6 fe80::5c4f:6c21:7855:6bc5.49996 > ff02::c.1900: UDP, length 146
2019-01-06 17:39:45.795562 IP6 fe80::5c4f:6c21:7855:6bc5.49996 > ff02::c.1900: UDP, length 146
2019-01-06 17:39:45.795569 IP6 fe80::5c4f:6c21:7855:6bc5.49996 > ff02::c.1900: UDP, length 146
2019-01-06 17:39:45.795535 IP6 fe80::5c4f:6c21:7855:6bc5.49996 > ff02::c.1900: UDP, length 146
2019-01-06 17:39:45.795565 IP6 fe80::5c4f:6c21:7855:6bc5.49996 > ff02::c.1900: UDP, length 146
2019-01-06 17:39:45.925771 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 500
2019-01-06 17:39:45.925771 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 500
2019-01-06 17:39:45.926029 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 507
2019-01-06 17:39:45.926060 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 507
2019-01-06 17:39:45.926068 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 507
2019-01-06 17:39:45.926029 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 507
2019-01-06 17:39:45.926063 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 507
2019-01-06 17:39:46.159851 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 436
2019-01-06 17:39:46.159851 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 436
2019-01-06 17:39:46.160139 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 443
2019-01-06 17:39:46.160161 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 443
2019-01-06 17:39:46.160169 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 443
2019-01-06 17:39:46.160139 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 443
2019-01-06 17:39:46.160164 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 443
2019-01-06 17:39:46.235614 IP 41.58.98.23.26165 > Otesanek.6881: UDP, length 103
2019-01-06 17:39:46.235614 IP 41.58.98.23.26165 > Otesanek.6881: UDP, length 103
2019-01-06 17:39:46.235728 IP Otesanek > 41.58.98.23: ICMP Otesanek udp port 6881 unreachable, length 139
2019-01-06 17:39:46.235738 IP Otesanek > 41.58.98.23: ICMP Otesanek udp port 6881 unreachable, length 139
2019-01-06 17:39:46.612603 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 445
2019-01-06 17:39:46.612603 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 445
2019-01-06 17:39:46.612771 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 452
2019-01-06 17:39:46.612789 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 452
2019-01-06 17:39:46.612797 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 452
2019-01-06 17:39:46.612771 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 452
2019-01-06 17:39:46.612793 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 452
2019-01-06 17:39:47.962055 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 488
2019-01-06 17:39:47.962055 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 488
2019-01-06 17:39:47.962290 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
2019-01-06 17:39:47.962307 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
2019-01-06 17:39:47.962315 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
2019-01-06 17:39:47.962290 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
2019-01-06 17:39:47.962310 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
2019-01-06 17:39:48.466539 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 516
2019-01-06 17:39:48.466539 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 516
2019-01-06 17:39:48.466740 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 523
2019-01-06 17:39:48.466756 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 523
2019-01-06 17:39:48.466764 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 523
2019-01-06 17:39:48.466740 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 523
2019-01-06 17:39:48.466760 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 523
2019-01-06 17:39:48.503589 IP 118-163-49-242.HINET-IP.hinet.net.6889 > Otesanek.6881: UDP, length 101
2019-01-06 17:39:48.503589 IP 118-163-49-242.HINET-IP.hinet.net.6889 > Otesanek.6881: UDP, length 101
2019-01-06 17:39:48.503664 IP Otesanek > 118-163-49-242.HINET-IP.hinet.net: ICMP Otesanek udp port 6881 unreachable, length 137
2019-01-06 17:39:48.503672 IP Otesanek > 118-163-49-242.HINET-IP.hinet.net: ICMP Otesanek udp port 6881 unreachable, length 137
2019-01-06 17:39:48.756464 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 502
2019-01-06 17:39:49.131017 IP net-37-159-170-206.cust.vodafonedsl.it.6889 > Otesanek.6881: UDP, length 101
2019-01-06 17:39:49.131017 IP net-37-159-170-206.cust.vodafonedsl.it.6889 > Otesanek.6881: UDP, length 101
2019-01-06 17:39:49.131133 IP Otesanek > net-37-159-170-206.cust.vodafonedsl.it: ICMP Otesanek udp port 6881 unreachable, length 137
2019-01-06 17:39:49.131144 IP Otesanek > net-37-159-170-206.cust.vodafonedsl.it: ICMP Otesanek udp port 6881 unreachable, length 137
2019-01-06 17:39:49.166417 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 436
2019-01-06 17:39:49.224244 IP nat-207-141.dragon.cz.12146 > Otesanek.6881: UDP, length 103
2019-01-06 17:39:49.224244 IP nat-207-141.dragon.cz.12146 > Otesanek.6881: UDP, length 103
2019-01-06 17:39:49.224347 IP Otesanek > nat-207-141.dragon.cz: ICMP Otesanek udp port 6881 unreachable, length 139
2019-01-06 17:39:49.224358 IP Otesanek > nat-207-141.dragon.cz: ICMP Otesanek udp port 6881 unreachable, length 139
2019-01-06 17:39:49.486961 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.487023 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.487035 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.486961 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.487028 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.491695 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.491723 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.491733 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.491695 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.491726 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.501886 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.501906 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.501913 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.501886 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.501909 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.502202 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.502224 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.502235 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.502202 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.502251 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.502262 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.502267 IP 192.168.111.10.17500 > 255.255.255.255.17500: UDP, length 229
2019-01-06 17:39:49.616530 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 445
2019-01-06 17:39:49.616530 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 445
2019-01-06 17:39:49.616849 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 452
2019-01-06 17:39:49.616874 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 452
2019-01-06 17:39:49.616882 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 452
2019-01-06 17:39:49.616849 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 452
2019-01-06 17:39:49.616878 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 452
2019-01-06 17:39:49.788514 IP6 fe80::5c4f:6c21:7855:6bc5.49996 > ff02::c.1900: UDP, length 146
2019-01-06 17:39:49.788544 IP6 fe80::5c4f:6c21:7855:6bc5.49996 > ff02::c.1900: UDP, length 146
2019-01-06 17:39:49.788552 IP6 fe80::5c4f:6c21:7855:6bc5.49996 > ff02::c.1900: UDP, length 146
2019-01-06 17:39:49.788514 IP6 fe80::5c4f:6c21:7855:6bc5.49996 > ff02::c.1900: UDP, length 146
2019-01-06 17:39:49.788548 IP6 fe80::5c4f:6c21:7855:6bc5.49996 > ff02::c.1900: UDP, length 146
2019-01-06 17:39:50.540215 IP 31.10.149.45.38473 > Otesanek.6881: UDP, length 97
2019-01-06 17:39:50.540215 IP 31.10.149.45.38473 > Otesanek.6881: UDP, length 97
2019-01-06 17:39:50.540324 IP Otesanek > 31.10.149.45: ICMP Otesanek udp port 6881 unreachable, length 133
2019-01-06 17:39:50.540334 IP Otesanek > 31.10.149.45: ICMP Otesanek udp port 6881 unreachable, length 133
2019-01-06 17:39:50.647300 IP m11373.contaboserver.net.12006 > Otesanek.6881: UDP, length 97
2019-01-06 17:39:50.647300 IP m11373.contaboserver.net.12006 > Otesanek.6881: UDP, length 97
2019-01-06 17:39:50.647426 IP Otesanek > m11373.contaboserver.net: ICMP Otesanek udp port 6881 unreachable, length 133
2019-01-06 17:39:50.647437 IP Otesanek > m11373.contaboserver.net: ICMP Otesanek udp port 6881 unreachable, length 133
2019-01-06 17:39:50.837122 IP 154.238.106.25.6881 > Otesanek.6881: UDP, length 65
2019-01-06 17:39:50.837122 IP 154.238.106.25.6881 > Otesanek.6881: UDP, length 65
2019-01-06 17:39:50.837236 IP Otesanek > 154.238.106.25: ICMP Otesanek udp port 6881 unreachable, length 101
2019-01-06 17:39:50.837248 IP Otesanek > 154.238.106.25: ICMP Otesanek udp port 6881 unreachable, length 101
2019-01-06 17:39:50.962510 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 488
2019-01-06 17:39:50.962510 IP 192.168.111.10.1900 > 239.255.255.250.1900: UDP, length 488
2019-01-06 17:39:50.962877 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
2019-01-06 17:39:50.962908 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
2019-01-06 17:39:50.962919 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
2019-01-06 17:39:50.962877 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
2019-01-06 17:39:50.962914 IP6 fe80::5c4f:6c21:7855:6bc5.1900 > ff02::c.1900: UDP, length 495
There are services on these ports:
  • Port 1900 ... SSDP service
  • Port 6881 ... DSD service which is turned off.
Suspicious IPs:
List of all processes

Code:

# ps aux vvv
PID  Uid     VmSize Stat Command
    1 admin      1940 S   init
    2 admin           SW  [kthreadd]
    3 admin           SW  [ksoftirqd/0]
    5 admin           SW< [kworker/0:0H]
    7 admin           SW  [rcu_sched]
    8 admin           SW  [rcu_bh]
    9 admin           SW  [migration/0]
   10 admin           SW  [migration/1]
   11 admin           SW  [ksoftirqd/1]
   13 admin           SW< [kworker/1:0H]
   14 admin           SW  [migration/2]
   15 admin           SW  [ksoftirqd/2]
   17 admin           SW< [kworker/2:0H]
   18 admin           SW  [migration/3]
   19 admin           SW  [ksoftirqd/3]
   21 admin           SW< [kworker/3:0H]
   22 admin           SW< [khelper]
   23 admin           SW  [kdevtmpfs]
   24 admin           SW< [netns]
   27 admin           SW< [perf]
  435 admin           SW< [writeback]
  438 admin           SWN [ksmd]
  439 admin           SW< [crypto]
  440 admin           SW< [kintegrityd]
  441 admin           SW< [bioset]
  442 admin           SW< [kblockd]
  453 admin      2436 S   /bin/sh /share/CE_CACHEDEV1_DATA/.qpkg/CloudLink/bin/tunnel_agent_daemon.sh
  578 admin           SW  [kworker/u8:4]
  631 admin       236 S N /share/CE_CACHEDEV1_DATA/.qpkg/CodexPack/fuse/hdsfusemnt /share/CE_CACHEDEV1_DATA/.qpkg/CodexPack/share --mount_type cdx
  649 admin           SW< [tifm]
  655 admin           SW< [ata_sff]
  673 admin           SW< [md]
  785 admin           SW< [rpciod]
  786 admin           SW  [kworker/2:1]
  815 admin           SW  [kswapd0]
  816 admin           SW  [fsnotify_mark]
  817 admin           SW  [ecryptfs-kthrea]
  819 admin           SW< [nfsiod]
  820 admin           SW< [cifsiod]
  854 admin           SW< [kthrotld]
 1448 admin           SW< [nvme]
 1486 admin           SW< [kmpath_rdacd]
 1499 admin           SW  [scsi_eh_0]
 1500 admin           SW< [scsi_tmf_0]
 1503 admin           SW  [scsi_eh_1]
 1504 admin           SW< [scsi_tmf_1]
 1560 admin           SW  [rc0]
 1566 admin           SW< [raid5wq]
 1568 admin           SW< [dm-block-clone]
 1570 admin           SW< [dm_bufio_cache]
 1571 admin           SW< [kmpathd]
 1572 admin           SW< [kmpath_handlerd]
 1576 admin           SW  [irq/16-mmc0]
 1580 admin           SW  [irq/18-mmc1]
 1584 admin           SW  [irq/304-0000:00]
 1620 admin           SW  [i915/signal:0]
 1621 admin           SW  [i915/signal:1]
 1622 admin           SW  [i915/signal:2]
 1623 admin           SW  [i915/signal:4]
 1715 admin           SW< [deferwq]
 1955 admin           SW< [bioset]
 1956 admin           SW< [kcopyd]
 1957 admin           SW< [bioset]
 1958 admin           SW< [kcopyd_tracked]
 1959 admin           SW< [bioset]
 1964 admin           SW< [bioset]
 1965 admin           SW< [drbd-reissue]
 1975 admin           SW  [scsi_eh_2]
 1976 admin           SW< [scsi_tmf_2]
 1977 admin           SW  [usb-storage]
 1987 admin           SW< [kworker/0:1H]
 2003 admin           SW< [kworker/3:1H]
 2004 admin           SW< [kworker/2:1H]
 2006 admin           SW< [kworker/1:1H]
 2056 admin      1552 S < udevd --daemon
 2139 admin           SW< [bioset]
 2140 admin           SW  [md9_raid1]
 2153 admin           SW  [kjournald]
 2169 admin           SW< [bioset]
 2170 admin           SW  [md13_raid1]
 2268 admin      8876 S   /sbin/hal_daemon -f
 2331 admin           SW< [bioset]
 2332 admin           SW  [md256_raid1]
 2355 admin           SW< [bioset]
 2356 admin           SW  [md322_raid1]
 2358 admin     34172 S   python /share/CE_CACHEDEV1_DATA/.qpkg/CloudDriveSync/bin/daemonmgr.pyc CGId start
 2389 admin           SW< [bioset]
 2390 admin           SW  [md1_raid1]
 2419 admin           SW< [drbd1_submit]
 2427 admin           SW  [drbd_w_r1]
 2534 admin           SW< [kdmflush]
 2536 admin           SW< [bioset]
 2543 admin           SW< [kdmflush]
 2544 admin           SW< [bioset]
 2551 admin           SW< [kdmflush]
 2552 admin           SW< [bioset]
 2558 admin           SW< [kdmflush]
 2559 admin           SW< [bioset]
 2564 admin           SW< [kdmflush]
 2570 admin           SW< [bioset]
 2578 admin           SW< [kdmflush]
 2580 admin           SW< [bioset]
 2581 admin           SW< [kcopyd]
 2582 admin           SW< [bioset]
 2583 admin           SW< [dm-thin]
 2584 admin           SW< [dm-thin-paralle]
 2585 admin           SW< [dm-convert-thin]
 2586 admin           SW< [dm-tier]
 2587 admin           SW< [dm-tier]
 2588 admin           SW< [dm-tier]
 2589 admin           SW< [dm-tier]
 2590 admin           SW< [dm-tier-discard]
 2591 admin           SW< [kcopyd]
 2592 admin           SW< [bioset]
 2593 admin           SW< [dm-tier-cache-t]
 2594 admin           SW< [bioset]
 2600 admin           SW< [kdmflush]
 2602 admin           SW< [bioset]
 2608 admin           SW< [kdmflush]
 2610 admin           SW< [bioset]
 2874 admin           SW< [kdmflush]
 2876 admin           SW< [bioset]
 2949 admin           SW< [kdmflush]
 2951 admin           SW< [bioset]
 2952 admin           SW< [kcryptd_io]
 2953 admin           SW< [kcryptd]
 2954 admin           SW  [dmcrypt_write]
 2955 admin           SW< [bioset]
 3167 admin           SW< [vfio-irqfd-clea]
 3184 admin      1004 S   /sbin/lvmetad
 3247 admin           SWN [kcp_p]
 3248 admin           DWN [kcp_c]
 3344 admin           SW  [jbd2/md13-8]
 3345 admin           SW< [ext4-rsv-conver]
 3699 admin      3620 S   /sbin/daemon_mgr.nvr
 3863 admin           SW  [notify thread]
 3871 admin       748 S < qWatchdogd: keeping alive every 5 seconds...
 3957 admin           SW< [ipv6_addrconf]
 4056 admin      1376 S   /sbin/netwatchdog -d
 4265 admin       756 S   /sbin/modagent
 4723 admin      4744 S   /sbin/daemon_mgr
 5136 admin      3448 S   bash
 5203 admin       716 S   /usr/local/network/bin/logrotate /var/log/network/err.log 102400
 5205 admin      1028 S   tail -f /var/log/network/err_log
 5206 admin       656 S   /usr/local/network/bin/logrotate /var/log/network/events.log 102400
 5209 admin       988 S   tail -f /var/log/network/events_log
 5440 admin     38584 S   /mnt/ext/opt/Python/bin/python ./manage.pyc runfcgi method=threaded socket=/tmp/netmgr.sock pidfile=/tmp/netmgr.pid
 5454 guest     11396 S N proftpd: (accepting connections)
 5465 admin      1016 S N proftpd: (RPC)
 5480 admin      3464 S   /mnt/ext/opt/netmgr/util/redis/redis-server *:0
 5490 admin     27808 S   /mnt/ext/opt/Python/bin/python /mnt/ext/opt/netmgr/api/core/asd.pyc
 5841 admin           SW  [kworker/u8:3]
 5972 admin      3392 S N /bin/sh /usr/local/mariadb/bin/mysqld_safe --defaults-file=/etc/qbox-mariadb.cnf --basedir=/usr/local/mariadb --datadir=/share/CE_CACHEDEV1_DATA/.qbox/mysql/data --user=admin --default-storage-engine=MyISAM --wait_timeout=
 6071 admin           SW< [bond0]
 6093 admin           SW< [bond1]
 6334 admin     66232 S N /usr/local/mariadb/bin/mysqld --defaults-file=/etc/qbox-mariadb.cnf --basedir=/usr/local/mariadb --datadir=/share/CE_CACHEDEV1_DATA/.qbox/mysql/data --plugin-dir=/usr/local/mariadb/lib/plugin --user=admin --default-storage
 6739 admin           SW  [kworker/3:1]
 6899 admin       108 S   /sbin/rdnssd -r /var/lib/rdnssd/ -p /var/run/network/rdnssd.pid -u admin
 6900 admin      1608 S   /sbin/rdnssd -r /var/lib/rdnssd/ -p /var/run/network/rdnssd.pid -u admin
 6904 admin      6692 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
 6961 admin      9040 S   /usr/sbin/dhclient -4 -nw -D CLID -cf /etc/dhcp/dhclient.conf -lf /etc/config/dhclient/br0.leases -pf /var/lib/dhclient/br0.pid br0
 7045 admin      9448 S N /usr/local/sbin/dhcpd -cf /etc/dhcp/dhcpd_docker0.conf -lf /var/state/dhcp/dhcpd_docker0.leases -pf /var/lib/dhcpd/docker0.pid
 7047 admin      9452 S N /usr/local/sbin/dhcpd -cf /etc/dhcp/dhcpd_lxcbr0.conf -lf /var/state/dhcp/dhcpd_lxcbr0.leases -pf /var/lib/dhcpd/lxcbr0.pid
 7068 admin     21744 S   python /usr/local/network/nmd/nmd.pyc
 7078 admin     16608 S   python /usr/local/network/nmd/nmd.pyc
 7079 admin     18808 S   python /usr/local/network/nmd/nmd.pyc
 7168 admin      6924 S N /sbin/qsyncsrv_dbm -b
 7259 httpdusr   4388 S N /usr/local/apache/bin/fcgi-p -k start -c PidFile /var/lock/apache.pid -f /etc/config/apache/apache.conf
 7264 httpdusr  11476 S N /usr/local/apache/bin/apache -k start -c PidFile /var/lock/apache.pid -f /etc/config/apache/apache.conf
 7435 admin      9500 S N /sbin/qsyncsrv_man -b
 7451 admin      9180 S N /sbin/qsyncsrvd -n 1 -b -d0
 7457 admin      4340 S N /usr/local/bin/qsyncsrv_monitor -pid:7451 -reg:/share/CE_CACHEDEV1_DATA/.team_folder -client:qbox -filter:0x6763 -b
 7492 admin      8960 S N /sbin/qsyncsrvd -n 0 -b -d0
 7499 admin      4332 S N /usr/local/bin/qsyncsrv_monitor -pid:7492 -reg:/share/homes -client:qbox -filter:0x6763 -b
 7512 admin           SW  [kworker/0:1]
 7603 admin      5800 S N /sbin/versiond
 7610 admin      5948 S N /sbin/versiond
 7694 guest      3220 S   avahi-daemon: running [Otesanek.local]
 8189 admin           SW< [iscsi_eh]
 8216 admin           SW  [qnap_et]
 8227 admin      1300 S   /sbin/iscsid --config=/etc/config/iscsi/sbin/iscsid.conf --initiatorname=/etc/iscsi/initiatorname.iscsi
 8228 admin      2720 S < /sbin/iscsid --config=/etc/config/iscsi/sbin/iscsid.conf --initiatorname=/etc/iscsi/initiatorname.iscsi
 8237 admin      5808 S   /sbin/vdd_control -d
 8240 admin     19444 S   python /usr/local/network/nmd/nmd.pyc
 8241 admin     20252 S   python /usr/local/network/nmd/nmd.pyc
 8242 admin     18328 S   python /usr/local/network/nmd/nmd.pyc
 8243 admin     15656 S   python /usr/local/network/nmd/nmd.pyc
 8245 admin     17912 S   python /usr/local/network/nmd/nmd.pyc
 8246 admin     17996 S   python /usr/local/network/nmd/nmd.pyc
 8247 admin     15376 S   python /usr/local/network/nmd/nmd.pyc
 8248 admin     15164 S   python /usr/local/network/nmd/nmd.pyc
 8251 admin     18788 S   python /usr/local/network/nmd/nmd.pyc
 8252 admin      2748 S   /usr/local/bin/rates_monitor_start
 8318 admin           SW  [kworker/1:0]
 8436 admin           SW  [kworker/0:2]
 9606 admin      1488 S   /usr/sbin/inotifywait -e close_write -e create --format %w -t 300 /etc/config/uLinux.conf /etc/config/qid.conf
 9708 admin     10756 S   /sbin/qpkgd -d0
10221 admin     30680 S   /usr/local/sbin/ncdb --defaults-file=/mnt/ext/opt/NotificationCenter/etc/nc-mariadb.conf
10248 admin     16892 S   /usr/local/sbin/ncd
10767 admin      3328 S N /usr/local/sbin/qboostd -b
10940 admin           Z   [manaRequest.cgi]
10941 admin           Z   [appRequest.cgi]
10942 admin           Z   [_thttpd_]
10956 admin           Z   [chartReq.cgi]
10965 admin      2456 R   ps aux vvv
11158 admin      3124 S N /usr/bin/rsyncd --daemon --sever-mode=1 --qnap-bwlimit
11207 admin           SW  [jbd2/dm-9-8]
11208 admin           SW< [ext4-rsv-conver]
11557 admin           SW  [kworker/2:0]
11673 guest      2192 S   /usr/sbin/dbus-daemon --system
13099 admin     11288 S   /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
13101 admin      5832 S N /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
13102 admin      5832 S N /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
13141 admin      8768 S N /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
13143 admin      6344 S N /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
13144 admin      5856 S N /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
13145 admin      5856 S N /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
13146 admin      5856 S N /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
13147 admin      5856 S N /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
13148 admin      5856 S N /usr/local/samba/sbin/smbd -l /var/log -D -s /etc/config/smb.conf
13278 admin      4336 S   qooba --service spotlight
13514 admin      6652 S   /usr/local/sbin/_thttpd_ -p 58080 -nor -nos -u admin -d /home/httpd -c **.* -h 127.0.0.1 -i /var/lock/._thttpd_.pid
13582 admin      5852 S N /usr/local/samba/sbin/nmbd -l /var/log -D -s /etc/config/smb.conf
13666 admin     12248 S   php-fpm: master process (/etc/php-fpm-sys-proxy.conf)
13667 admin     22460 S   php-fpm: pool www
13668 admin     22952 S   php-fpm: pool www
13745 admin      8284 S < /usr/local/apache/bin/apache_proxy -k start -f /etc/apache-sys-proxy.conf
13901 admin      4232 S < /usr/local/apache/bin/fcgi-pm      -k start -f /etc/apache-sys-proxy.conf
13903 admin     13616 S < /home/httpd/cgi-bin/qsync/qsyncsrv.fcgi
13906 admin     16956 S < /usr/local/apache/bin/apache_proxy -k start -f /etc/apache-sys-proxy.conf
13937 admin     15940 S N /mnt/ext/opt/Python/bin/python2 /sbin/wsd.py
14093 admin      7812 S   /usr/local/sbin/remote_folder_daemon --reset
14360 admin      4924 S   /usr/sbin/openvpn --config /etc/openvpn/server.conf --daemon ovpn-server
14378 admin     13712 S < /home/httpd/cgi-bin/qsync/qsyncsrv.fcgi
14421 admin           SW< [krfcommd]
14530 admin      3488 S   /usr/sbin/ntpdated
14559 admin      1856 S   /sbin/dnsmasq
14591 admin      2644 S   /usr/local/sbin/qvpnd -d -p /var/run/qvpnd.pid
14592 admin      2020 S   /usr/local/sbin/rated
14691 admin      6568 S   /usr/sbin/upsutil
14737 admin      8024 S   /usr/sbin/sshd -f /etc/config/ssh/sshd_config -p 22
14809 admin      2236 S N /usr/bin/portmap
15036 admin      1692 S   /IPSEC/libexec/ipsec/starter --daemon charon
15037 admin      5792 S   /IPSEC/libexec/ipsec/charon --use-syslog
15063 admin       208 S   /usr/sbin/xl2tpcd -c /etc/xl2tpd/xl2tpcd.conf -p /var/run/xl2tpcd.pid -C /tmp/xl2tpd/xl2tpc-control
15129 admin       140 S N /usr/sbin/rpc.rquotad -p 30002
15140 admin      8164 S   sshd: admin@pts/2
15142 admin      3384 S   -sh
15154 admin      3448 S   bash
15164 admin     13512 S   /sbin/bcclient
15327 admin      7768 S N /usr/sbin/rpc.mountd -p 30000 -F
15331 admin      1560 S N /sbin/acpid
15449 admin           SW< [nfsd4]
15450 admin           SW< [nfsd4_callbacks]
15451 admin           SW  [lockd]
15452 admin           SW  [nfsd]
15453 admin           SW  [nfsd]
15454 admin           SW  [nfsd]
15455 admin           SW  [nfsd]
15456 admin           SW  [nfsd]
15457 admin           SW  [nfsd]
15458 admin           SW  [nfsd]
15459 admin           SW  [nfsd]
15616 admin      5220 S N /usr/sbin/rpc.statd -p 30001
15739 admin      2448 S   /sbin/gen_bandwidth -r -i 5
15743 admin      4424 S   /usr/local/bin/ql_daemon -d 7
15971 admin      5976 S   qLogEngined: Write log is enabled...
15974 admin      2440 S   /bin/sh /etc/init.d/klogd.sh start
15987 admin      4900 S   /sbin/qShield
15991 admin      4076 S   qNoticeEngined: Write notice is enabled...
15998 admin      4712 S   /sbin/qsyslogd
16083 admin       984 S   /bin/dd if /proc/kmsg of /mnt/HDA_ROOT/.logs/kmsg bs 1 count 1024000
16350 admin      8204 S   sshd: admin@pts/0
16352 admin      3404 S   -sh
16466 admin      6196 S   /sbin/sdmd --daemon
17350 admin      9172 S   ./qnas_console_install
17553 admin     33396 S   /mnt/ext/opt/Python/bin/python /mnt/ext/opt/netmgr/api/core/ip_monitor.pyc
17883 admin           SW  [kworker/3:0]
19750 admin      8312 S   sshd: admin@pts/3
19752 admin      3460 S   -sh
20174 admin      5544 S   /usr/local/samba/sbin/winbindd -s /etc/config/smb.conf
22032 admin     16384 S   container-station/python2.7 /usr/local/container-station/python/bin/.libs/supervisord -c /share/CE_CACHEDEV1_DATA/.qpkg/container-station/etc/supervisord.conf
22180 admin      7736 S N /usr/local/apache/bin/apache-dav -k start -f /etc/apache-dav-sys.conf
22189 admin      5652 S N /usr/local/apache/bin/apache-dav -k start -f /etc/apache-dav-sys.conf
22323 admin     12096 S N php-fpm: master process (/etc/config/apache/php-fpm.conf)
22324 httpdusr  14440 S N php-fpm: pool www
22325 httpdusr  13068 S N php-fpm: pool www
22335 admin      5440 S   container-station/qbusd
22336 admin      3864 S   container-station/redis-server *:0
22515 admin     10104 S N /usr/local/apache/bin/apache -k start -c PidFile /var/lock/apache.pid -f /etc/config/apache/apache.conf
22625 admin     40384 S   container-station/dockerd -H tcp://127.0.0.1:2375 -H unix:///var/run/system-docker.sock --bridge=docker0 --storage-driver=overlay2 --default-address-pools scope=local,base=172.30.0.0/16,size=22 --dns 10.0.5.1 --graph=/var/
22662 admin     10276 S   container-station/docker-containerd -l unix:///var/run/system-docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/system-docker/libcontainerd/containerd --shim docker-co
22698 admin     21800 S   container-station/python2.7 run.pyc
22784 admin     51968 S   container-station/python2.7 web.pyc
22834 admin     49320 S   container-station/python2.7 plugins.pyc
22835 admin     42224 S   container-station/dockerd -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock --bridge=lxcbr0 --tlsverify --tlscacert=/etc/docker/tls/ca.pem --tlscert=/etc/docker/tls/server.pem --tlskey=/etc/docker/tls/server-key.pem --s
22886 admin     11172 S   container-station/docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --shim docker-containerd-shim 
23390 admin     35072 S   container-station/python2.7 lxc-monitor.pyc
23391 admin     48280 S   container-station/python2.7 docker-monitor.pyc
23392 admin      3348 S N /bin/sh /usr/local/mariadb/bin/mysqld_safe --defaults-file=/usr/local/mariadb/my-mariadb.cnf --basedir=/usr/local/mariadb --datadir=/share/CE_CACHEDEV1_DATA/.system/data --user=admin --default-storage-engine=MyISAM --wait_
23458 admin      2064 S   container-station/lxc-monitor -n .*
23461 admin       808 S   container-station/inotifywait -m -e create,delete,modify,move /var/lib/lxc/
23467 admin      2272 S   container-station/lxc-monitord /var/lib/lxc 4
23474 admin       760 S   container-station/inotifywait -m -e create,delete,modify,move /share/CE_CACHEDEV1_DATA/.qpkg/container-station/ctstation/config/../../var/image/lxc/
23583 admin      2236 S   container-station/docker-containerd-shim 096288f06d4cf09d67eaf3db9a720f35912a7cae7b5811d80c9f4e81506f2631 /var/run/docker/libcontainerd/096288f06d4cf09d67eaf3db9a720f35912a7cae7b5811d80c9f4e81506f2631 docker-runc
23612 admin      3136 S   /bin/bash
23775 admin     62996 S N /usr/local/mariadb/bin/mysqld --defaults-file=/usr/local/mariadb/my-mariadb.cnf --basedir=/usr/local/mariadb --datadir=/share/CE_CACHEDEV1_DATA/.system/data --plugin-dir=/usr/local/mariadb/lib/plugin --user=admin --default
24458 admin      1760 S N /usr/sbin/crond -l 9 -c /tmp/cron/crontabs
24717 httpdusr   4016 S N /sbin/lpb_scheduler -d
25251 admin      5936 S N /sbin/genthd
25313 admin      8300 S   sshd: admin@pts/4
25315 admin      3320 S   -sh
25333 admin      3452 S   bash
25436 admin           SW  [kworker/u8:0]
25784 admin      3576 S N /usr/bin/lunportman
25819 admin      5276 S N /usr/bin/qsyncman
25927 admin      7516 S N /usr/bin/qsnapman
26150 admin      7336 S N /usr/bin/qsnapman-alive
26323 admin      8112 S N /usr/bin/qsnapman-recyc
26342 admin      7804 S   /sbin/upnpcd -i 300
26454 admin      1176 S   /sbin/mcelog --daemon
26541 admin      1852 S   /sbin/getty 115200 tty1
26542 admin      1800 S   /sbin/getty 115200 tty2
26547 admin      1956 S   /sbin/getty -L ttyS0 115200 vt100
26618 admin      8328 R   sshd: admin@pts/5
26620 admin      3368 S   -sh
26655 admin      3472 S   bash
28555 admin           SW  [kworker/1:2]
29437 admin      2460 S   /usr/sbin/bluetoothd
29446 admin      1312 S   /usr/sbin/agent --adapter hci0
31047 admin       140 S N [kworker/0:1]
31231 admin     19756 S   /mnt/ext/opt/apache/bin/php /share/CE_CACHEDEV1_DATA/.qpkg/PhotoStation/ws/app/ps_websocket
31564 admin      3372 S   /usr/sbin/cupsd -C /etc/config/cups/cupsd.conf -s /etc/config/cups/cups-files.conf
31674 admin      2480 S   /usr/sbin/SCREEN -dmS MYTRANSCODE /usr/local/medialibrary/bin/mytranscodesvr -u -debug -db /share/CE_CACHEDEV1_DATA
31676 admin     10032 S   /usr/local/medialibrary/bin/mytranscodesvr -u -debug -db /share/CE_CACHEDEV1_DATA
31788 admin      3560 S   /usr/bin/alice -d
Open ports

# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:23310         0.0.0.0:*               LISTEN      6334/mysqld
tcp        0      0 127.0.0.1:3310          0.0.0.0:*               LISTEN      23775/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      14809/portmap
tcp        0      0 0.0.0.0:30000           0.0.0.0:*               LISTEN      15327/rpc.mountd
tcp        0      0 127.0.0.1:7505          0.0.0.0:*               LISTEN      14360/openvpn
tcp        0      0 0.0.0.0:30001           0.0.0.0:*               LISTEN      15616/rpc.statd
tcp        0      0 0.0.0.0:30002           0.0.0.0:*               LISTEN      15129/rpc.rquotad
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      14559/dnsmasq
tcp        0      0 10.0.5.1:53             0.0.0.0:*               LISTEN      14559/dnsmasq
tcp        0      0 10.0.3.1:53             0.0.0.0:*               LISTEN      14559/dnsmasq
tcp        0      0 10.10.10.1:53           0.0.0.0:*               LISTEN      14559/dnsmasq
tcp        0      0 0.0.0.0:9813            0.0.0.0:*               LISTEN      31788/alice
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      14737/sshd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      31564/cupsd
tcp        0      0 0.0.0.0:52763           0.0.0.0:*               LISTEN      31047/0:1]
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      13099/smbd
tcp        0      0 127.0.0.1:58080         0.0.0.0:*               LISTEN      13514/_thttpd_
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6050          0.0.0.0:*               LISTEN      22784/python2.7
tcp        0      0 127.0.0.1:6051          0.0.0.0:*               LISTEN      22784/python2.7
tcp        0      0 127.0.0.1:40740         0.0.0.0:*               LISTEN      31231/php
tcp        0      0 0.0.0.0:35204           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6053          0.0.0.0:*               LISTEN      22335/qbusd
tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN      22625/dockerd
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      22180/apache-dav
tcp        0      0 0.0.0.0:873             0.0.0.0:*               LISTEN      11158/rsyncd
tcp        0      0 127.0.0.1:5001          0.0.0.0:*               LISTEN      22180/apache-dav
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      13099/smbd
tcp        0      0 :::111                  :::*                    LISTEN      14809/portmap
tcp        0      0 :::30000                :::*                    LISTEN      15327/rpc.mountd
tcp        0      0 :::80                   :::*                    LISTEN      7259/fcgi-p
tcp        0      0 :::8080                 :::*                    LISTEN      13745/apache_proxy
tcp        0      0 :::30001                :::*                    LISTEN      15616/rpc.statd
tcp        0      0 :::8081                 :::*                    LISTEN      7259/fcgi-p
tcp        0      0 :::21                   :::*                    LISTEN      5454/proftpd: (acce
tcp        0      0 :::22                   :::*                    LISTEN      14737/sshd
tcp        0      0 :::631                  :::*                    LISTEN      31564/cupsd
tcp        0      0 :::38648                :::*                    LISTEN      -
tcp        0      0 :::52763                :::*                    LISTEN      31047/0:1]
tcp        0      0 :::445                  :::*                    LISTEN      13099/smbd
tcp        0      0 :::2049                 :::*                    LISTEN      -
tcp        0      0 :::2376                 :::*                    LISTEN      22835/dockerd
tcp        0      0 :::873                  :::*                    LISTEN      11158/rsyncd
tcp        0      0 :::139                  :::*                    LISTEN      13099/smbd
udp        0      0 0.0.0.0:30000           0.0.0.0:*                           15327/rpc.mountd
udp        0      0 0.0.0.0:30001           0.0.0.0:*                           15616/rpc.statd
udp        0      0 0.0.0.0:30002           0.0.0.0:*                           15129/rpc.rquotad
udp        0      0 0.0.0.0:46412           0.0.0.0:*                           7694/avahi-daemon: 
udp        0      0 0.0.0.0:42414           0.0.0.0:*                           13937/python2
udp        0      0 0.0.0.0:50612           0.0.0.0:*                           13937/python2
udp    19968      0 0.0.0.0:3702            0.0.0.0:*                           13937/python2
udp        0      0 192.168.111.2:1702      0.0.0.0:*                           15063/xl2tpcd
udp        0      0 0.0.0.0:10117           0.0.0.0:*                           7047/dhcpd
udp     2304      0 255.255.255.255:8097    0.0.0.0:*                           15164/bcclient
udp     2304      0 255.255.255.255:8097    0.0.0.0:*                           15164/bcclient
udp     2304      0 255.255.255.255:8097    0.0.0.0:*                           15164/bcclient
udp        0      0 255.255.255.255:8097    0.0.0.0:*                           15164/bcclient
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 127.0.1.1:53            0.0.0.0:*                           14559/dnsmasq
udp        0      0 10.0.5.1:53             0.0.0.0:*                           14559/dnsmasq
udp        0      0 10.0.3.1:53             0.0.0.0:*                           14559/dnsmasq
udp        0      0 10.10.10.1:53           0.0.0.0:*                           14559/dnsmasq
udp        0      0 0.0.0.0:55358           0.0.0.0:*                           13937/python2
udp        0      0 0.0.0.0:67              0.0.0.0:*                           7047/dhcpd
udp        0      0 0.0.0.0:67              0.0.0.0:*                           7045/dhcpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           6961/dhclient
udp        0      0 0.0.0.0:111             0.0.0.0:*                           14809/portmap
udp        0      0 0.0.0.0:59506           0.0.0.0:*                           13937/python2
udp        0      0 169.254.255.255:137     0.0.0.0:*                           13582/nmbd
udp        0      0 169.254.100.100:137     0.0.0.0:*                           13582/nmbd
udp        0      0 192.168.111.255:137     0.0.0.0:*                           13582/nmbd
udp        0      0 192.168.111.2:137       0.0.0.0:*                           13582/nmbd
udp        0      0 10.0.3.255:137          0.0.0.0:*                           13582/nmbd
udp        0      0 10.0.3.1:137            0.0.0.0:*                           13582/nmbd
udp        0      0 10.0.5.255:137          0.0.0.0:*                           13582/nmbd
udp        0      0 10.0.5.1:137            0.0.0.0:*                           13582/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           13582/nmbd
udp        0      0 169.254.255.255:138     0.0.0.0:*                           13582/nmbd
udp        0      0 169.254.100.100:138     0.0.0.0:*                           13582/nmbd
udp        0      0 192.168.111.255:138     0.0.0.0:*                           13582/nmbd
udp        0      0 192.168.111.2:138       0.0.0.0:*                           13582/nmbd
udp        0      0 10.0.3.255:138          0.0.0.0:*                           13582/nmbd
udp        0      0 10.0.3.1:138            0.0.0.0:*                           13582/nmbd
udp        0      0 10.0.5.255:138          0.0.0.0:*                           13582/nmbd
udp        0      0 10.0.5.1:138            0.0.0.0:*                           13582/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           13582/nmbd
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           15037/charon
udp        0      0 0.0.0.0:500             0.0.0.0:*                           15037/charon
udp        0      0 0.0.0.0:59950           0.0.0.0:*                           -
udp        0      0 0.0.0.0:60152           0.0.0.0:*                           14559/dnsmasq
udp        0      0 0.0.0.0:15165           0.0.0.0:*                           7045/dhcpd
udp        0      0 0.0.0.0:43862           0.0.0.0:*                           13937/python2
udp        0      0 127.0.0.1:952           0.0.0.0:*                           15616/rpc.statd
udp        0      0 0.0.0.0:56276           0.0.0.0:*                           6961/dhclient
udp        0      0 0.0.0.0:985             0.0.0.0:*                           14809/portmap
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           14360/openvpn
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           7694/avahi-daemon: 
udp        0      0 :::30000                :::*                                15327/rpc.mountd
udp        0      0 :::30001                :::*                                15616/rpc.statd
udp        0      0 :::34580                :::*                                6961/dhclient
udp        0      0 :::10117                :::*                                7045/dhcpd
udp        0      0 :::2049                 :::*                                -
udp        0      0 :::38945                :::*                                -
udp        0      0 :::111                  :::*                                14809/portmap
udp        0      0 :::26811                :::*                                7047/dhcpd
udp        0      0 :::4500                 :::*                                15037/charon
udp        0      0 :::500                  :::*                                15037/charon
udp        0      0 :::985                  :::*                                14809/portmap
If you need any additional information, ask me. I appreciate any help with this analysis.
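As an added example (mine, not code from the post or from QNAP): a small Python script that parses a `netstat -tulnp` listing in the format shown above and sorts the listeners by bind scope, since the question that matters is which of them could be reached through whatever the router forwards or UPnP opens. The sample rows are constructed in that format from a handful of representative entries; the function names `parse_netstat`, `listening_on_any` and `unattributed` are chosen here.

```python
"""Triage a `netstat -tulnp` listing: which listeners are bound to every
interface (reachable through whatever the router passes), which are
loopback-only, and which netstat could not attribute to a user-space program."""
import ipaddress

# Constructed sample in the format of the post's `netstat -tulnp` output
# (a few representative rows, not the full listing).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3310          0.0.0.0:*               LISTEN      23775/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      14737/sshd
tcp        0      0 0.0.0.0:52763           0.0.0.0:*               LISTEN      31047/0:1]
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 :::2376                 :::*                    LISTEN      22835/dockerd
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           14360/openvpn
udp        0      0 10.0.5.1:53             0.0.0.0:*                           14559/dnsmasq
udp        0      0 255.255.255.255:8097    0.0.0.0:*                           15164/bcclient
"""


def split_local(addr):
    """Split 'ip:port' on the last colon so that ':::22' -> ('::', 22)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def bind_scope(host):
    """Classify the bound address by who can reach the socket."""
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"       # only processes on the NAS itself
    if ip.is_unspecified:
        return "any"            # every interface: IPv4 0.0.0.0 or IPv6 ::
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if ip.is_link_local:
        return "link-local"
    return "address"            # one specific interface address


def parse_netstat(text):
    """Return one dict per socket line of `netstat -tulnp` output."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue            # skip the two header lines
        host, port = split_local(fields[3])
        # tcp rows carry a State column, udp rows do not; the program name
        # may contain spaces (e.g. 'proftpd: (accepting'), so join the rest
        idx = 6 if fields[0].startswith("tcp") else 5
        program = " ".join(fields[idx:]) if len(fields) > idx else "-"
        entries.append({
            "proto": fields[0],
            "host": host,
            "port": port,
            "scope": bind_scope(host),
            "program": program,
        })
    return entries


def listening_on_any(entries, proto=None):
    """Sockets bound to every interface, i.e. exposed to whatever the router
    forwards or UPnP opens; optionally restricted to one protocol."""
    return sorted(
        (e["proto"], e["port"]) for e in entries
        if e["scope"] == "any" and (proto is None or e["proto"] == proto)
    )


def unattributed(entries):
    """Listeners netstat could not map to a user-space program ('-', which is
    what the in-kernel NFS server on 2049 looks like) or whose 'name' is a
    kernel-thread label such as '0:1]'; confirm these rows with another tool
    before drawing conclusions from them."""
    return [
        (e["proto"], e["port"], e["program"]) for e in entries
        if e["program"] == "-" or e["program"].endswith("]")
    ]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for scope in ("any", "address", "loopback", "broadcast", "link-local"):
        hits = [(r["proto"], r["port"], r["program"]) for r in rows if r["scope"] == scope]
        if hits:
            print(f"{scope}: {hits}")
    print("unattributed:", unattributed(rows))
```

Reading the full listing the same way: everything bound to `0.0.0.0` or `::` is reachable only if the router actually passes the port, so the "any" list is the one to compare against the router's forwarding and UPnP tables. Port 6881 does not appear anywhere in the listing, which is consistent with the ICMP port-unreachable replies in the tcpdump capture earlier in the thread: the packets reach the NAS, but nothing on it is listening for them.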
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Was my NAS hacked/pwned?

Post by Don »

Looks like you have download station enabled. That would account for the activity.
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
waldauf
Starting out
Posts: 26
Joined: Sun Oct 08, 2017 2:29 am

Re: Was my NAS hacked/pwned?

Post by waldauf »

Don wrote: Mon Jan 07, 2019 3:13 am Looks like you have download station enabled. That would account for the activity.
I don't use the NAS as a download station. My download manager (DSD) is turned off. But I'll check whether there is another download app.
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: Was my NAS hacked/pwned?

Post by Moogle Stiltzkin »

waldauf wrote: Mon Jan 07, 2019 12:55 am Suspicious IPs :D

176.108.195.29
https://geoiptool.com


the russians :O ....
https://arstechnica.com/information-tec ... ing-knife/
NETGEAR is aware of a piece of malware called VPNFilter that might target some NETGEAR devices. According to our understanding of Cisco Talos’s investigation, this malware most likely targets existing vulnerabilities for which we have already released firmware fixes.

Based on observations made by Cisco Talos and law enforcement, we believe that the following devices might be vulnerable:

-R6400
https://kb.netgear.com/000058814/Securi ... AR-Devices


just a suspicion but when was the last time you updated your router? like... ever?

The router needs to be kept up to date or bad things happen :S


While at it, keep everything updated (stable releases): OS, QTS, router, antivirus, anti-malware, etc. 8)
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
waldauf
Starting out
Posts: 26
Joined: Sun Oct 08, 2017 2:29 am

Re: Was my NAS hacked/pwned?

Post by waldauf »

Thanks for your answer, Moogle Stiltzkin. I read about VPNFilter before, but now I'll keep it in mind because of my Netgear.
Moogle Stiltzkin wrote: just a suspicion but when was the last time you updated your router? like... ever?

router needs to be kept up to date or bad things happen :S

Yes, just a suspicion, no direct proof (tcpdump didn't capture any big data packets). I hadn't been using the router/NAS for half a year, and now (2-3 weeks ago) I connected it to the internet. The first thing I did was update all the firmware, which I do regularly. For example, you can see the picture with logs from my QNAP NAS. The Netgear also has the latest firmware update.

For me it is strange that I see communication on port 6881, which belongs to the DSD service, which is turned off (additionally, the NAS is behind NAT). As I wrote, I don't use the NAS as a download server, just as a backup server.
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Was my NAS hacked/pwned?

Post by Don »

If you don’t use download station then don’t forward the port(s) needed and turn off uPnP.
waldauf
Starting out
Posts: 26
Joined: Sun Oct 08, 2017 2:29 am

Re: Was my NAS hacked/pwned?

Post by waldauf »

Don wrote: Tue Jan 08, 2019 9:47 pm If you don’t use download station then don’t forward the port(s) needed and turn off uPnP.
I don't have any forwarded port. I had just one for OpenVPN, but I closed it. And I still see communication on ports 6881 and 1900 (as you can see in the tcpdump output).
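To put numbers on the "I still see communication on 6881 and 1900" observation, here is an added example (mine, not waldauf's or QNAP's code) that summarises tcpdump lines in the `-tttt` format used earlier in the thread, per destination port: how many packets arrived for the NAS, from how many distinct sources, and how often the NAS answered that nothing was listening (ICMP port unreachable for UDP, a TCP reset for TCP). The capture lines are constructed placeholders in that format; only the NAS hostname `Otesanek` comes from the thread, and `summarize` and `report` are names chosen here.

```python
"""Summarise a tcpdump capture of a NAS: for each destination port, how many
packets reached the NAS, from how many sources, and how often the NAS refused
them (ICMP port unreachable for UDP, RST for TCP).  A refusal still means the
packet got through the router; it only says no service was behind the port."""
import re
from collections import defaultdict

NAS_NAME = "Otesanek"   # hostname tcpdump prints for the NAS in the thread

# Constructed sample lines in the `tcpdump -i any -tttt` format shown in the
# thread.  Hostnames and addresses are placeholders, not captured data.
SAMPLE_CAPTURE = """\
2019-01-06 17:39:44.276857 IP host-a.example.net.51413 > Otesanek.6881: UDP, length 97
2019-01-06 17:39:44.276971 IP Otesanek > host-a.example.net: ICMP Otesanek udp port 6881 unreachable, length 133
2019-01-06 17:40:02.100000 IP 198.51.100.7.6881 > Otesanek.6881: UDP, length 61
2019-01-06 17:40:02.100200 IP Otesanek > 198.51.100.7: ICMP Otesanek udp port 6881 unreachable, length 97
2019-01-06 17:41:15.500000 IP 203.0.113.9.43210 > Otesanek.1900: Flags [S], seq 1, win 29200, length 0
2019-01-06 17:41:15.500300 IP Otesanek.1900 > 203.0.113.9.43210: Flags [R.], seq 0, ack 2, win 0, length 0
2019-01-06 17:42:00.000000 IP Otesanek.41234 > 198.51.100.20.123: UDP, length 48
"""

# 'src.port > dst.port: <rest>'; the lazy \S+? stops at the final '.digits',
# so dotted hostnames and IPv4 addresses both split correctly
PKT_RE = re.compile(
    r"^\S+ \S+ IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# 'src > dst: ICMP host udp port N unreachable'
ICMP_RE = re.compile(
    r"^\S+ \S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP \S+ (?P<proto>udp|tcp) port (?P<port>\d+) unreachable"
)


def summarize(capture, nas=NAS_NAME):
    """Return {(proto, port): {'packets': n, 'sources': set, 'refused': n}}
    for traffic addressed to the NAS."""
    stats = defaultdict(lambda: {"packets": 0, "sources": set(), "refused": 0})
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if m and m.group("src") == nas:
            # the NAS told the sender that nothing listens on that UDP port
            stats[(m.group("proto"), int(m.group("port")))]["refused"] += 1
            continue
        m = PKT_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        proto = "udp" if rest.startswith("UDP") else "tcp"
        if m.group("dst") == nas:
            key = (proto, int(m.group("dport")))
            stats[key]["packets"] += 1
            stats[key]["sources"].add(m.group("src"))
        elif m.group("src") == nas and rest.startswith("Flags [R"):
            # TCP reset sent by the NAS: the SYN arrived, no service answered
            stats[(proto, int(m.group("sport")))]["refused"] += 1
    return dict(stats)


def report(stats):
    """One row per port, most-contacted first:
    (proto, port, packets, distinct sources, refusals by the NAS)."""
    rows = [(p, port, s["packets"], len(s["sources"]), s["refused"])
            for (p, port), s in stats.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for proto, port, pkts, srcs, refused in report(summarize(SAMPLE_CAPTURE)):
        print(f"{proto}/{port}: {pkts} packets from {srcs} sources, {refused} refused by NAS")
```

Two things to read off the report: a port with packets and refusals behaves like 6881 in the original capture, which is what Don's remark describes, since the router must have passed the traffic for the NAS to refuse it; a port with packets and no refusals has something answering on the NAS and should show up in the `netstat -tulnp` listing.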
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Was my NAS hacked/pwned?

Post by Don »

If you have incoming traffic from the internet then the port is forwarded.
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: Was my NAS hacked/pwned?

Post by AlastairStevenson »

If you have incoming traffic from the internet then the port is forwarded.
Absolutely.

Worth checking 'All service ports' and a custom range covering those you have seen, using the very good service ShieldsUp! here:
https://www.grc.com/x/ne.dll?bh0bkyd2
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
waldauf
Starting out
Posts: 26
Joined: Sun Oct 08, 2017 2:29 am

Re: Was my NAS hacked/pwned?

Post by waldauf »

Hmm, you were right - I had turned on uPnP on the router. I disabled it.

@AlastairStevenson: Thanks for ShieldsUp! I checked my router and it finished with this result (I ran this test before I disabled uPnP on the router):

"THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!".
During the weekend I'll try to install "Malware Remover" on my QNAP, test it and write the result. I have it disconnected because I'm painting my flat :].
dolbyman
Guru
Posts: 35019
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Was my NAS hacked/pwned?

Post by dolbyman »

I don't think there are many devices still vulnerable to external UPnP requests.

A full port scan via ShieldsUp would be more useful.
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: Was my NAS hacked/pwned?

Post by AlastairStevenson »

@AlastairStevenson: Thx for ShieldsUp! I checked my router and it finished with result (I run this test before I disabled uPnP on the router):
No - that's not the check to use, it just tells you what you already know.
Worth checking 'All service ports' and a custom range covering those you have seen
Would have been worth doing this before changing the router configuration, just to be sure which LAN devices were opening the ports on the router.
For example, many / most surveillance cameras have UPnP enabled by default as people often want to see them when away from home.
waldauf
Starting out
Posts: 26
Joined: Sun Oct 08, 2017 2:29 am

Re: Was my NAS hacked/pwned?

Post by waldauf »

Hello to all,

Thanks for your advice. I'm sorry, but at this time I'm rebuilding my flat and don't have the possibility to check my NAS now. I'll continue in this topic after I finish rebuilding.