Phantom Admin account logged in?? Security issue?

chrisray1985
New here
Posts: 3
Joined: Fri Jul 12, 2019 6:22 am

Phantom Admin account logged in?? Security issue?

Post by chrisray1985 » Fri Jul 12, 2019 6:35 am

Hello all,

Whenever I log into my QNAP it seems there is always an admin logged in, even though I have the admin account disabled. I do have Plex and a few other things installed and am guessing it's a system thing; however, there is always that feeling that ransomware is encrypting my drive as we speak... Does anyone else know what this is?? If you have seen this, let me know! If you have never seen this, also let me know!

Thanks in advance :)

Regards,

--Chris



dolbyman
Guru
Posts: 14096
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Phantom Admin account logged in?? Security issue?

Post by dolbyman » Fri Jul 12, 2019 7:16 am

Is that IP 8.37.180.2 known to you?

In any case, your web login seems to be reachable from the WAN, a very bad security issue.

chrisray1985
New here
Posts: 3
Joined: Fri Jul 12, 2019 6:22 am

Re: Phantom Admin account logged in?? Security issue?

Post by chrisray1985 » Fri Jul 12, 2019 7:46 am

dolbyman wrote:
Fri Jul 12, 2019 7:16 am
Is that IP 8.37.180.2 known to you?

In any case, your web login seems to be reachable from the WAN, a very bad security issue.

Hi, thanks for the reply! Yea, that's me logged in from work. I think disabling web login from WAN seems like a great idea. I did a quick search but couldn't find how to do this; could you point me in the right direction?

I disabled SSH, Telnet, etc. Disabled default admin account, IP banning and timeout.

Thanks again!

eguitton
Starting out
Posts: 10
Joined: Thu Jul 11, 2019 12:46 am
Location: Bordeaux, FRANCE

Re: Phantom Admin account logged in?? Security issue?

Post by eguitton » Fri Jul 12, 2019 8:02 am

You either activated some dyndns in your NAS to reach it through DNS resolution, or you activated port redirection in your WAN router to redirect incoming WAN connections on a specific port (I guess 80/443) to your NAS.
You'd better deactivate that and set up a VPN SSL/IPSEC on your router/firewall and from that VPN grant access to your desired host/whole LAN. This way, you're not exposing possible flaws of the web engine of your NAS to the internet.

Regarding the admin account: no shown IP, and connected since 15h57. What bugs me is that it's not from localhost (seeing 127.0.0.1 would have been reassuring, like "oh, that must be local system"). Is that time corresponding to uptime?
Just a random Data & Network tech guy.
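
The reasoning in the posts above (a public source address in the session list means the login page answers on the WAN; a session with no address cannot be written off as localhost), as an added example that is not part of the original thread. The tuple layout and every row except 8.37.180.2 are constructed; no particular NAS export format is assumed.

```python
import ipaddress

# Constructed sample of an "online users" listing: (user, source address, service).
# 8.37.180.2 is the address quoted in the thread; all other rows are made up.
SAMPLE_SESSIONS = [
    ("chris", "8.37.180.2", "HTTP"),
    ("chris", "192.168.1.23", "HTTP"),
    ("admin", "", "HTTP"),
    ("admin", "127.0.0.1", "HTTP"),
    ("family", "::ffff:10.0.0.5", "Qsync"),
]


def classify_source(addr):
    """Return 'loopback', 'lan', 'wan', 'no-address' or 'unparseable'."""
    addr = addr.strip()
    if not addr or addr in ("-", "--"):
        return "no-address"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_global:
        return "wan"
    return "lan"  # private, link-local or otherwise non-routable


def review(sessions):
    """List the sessions that need attention, with the reason."""
    findings = []
    for user, addr, service in sessions:
        kind = classify_source(addr)
        if kind == "wan":
            findings.append((user, addr, f"{service} session from a public "
                             "address: the service is reachable from the WAN"))
        elif kind in ("no-address", "unparseable"):
            findings.append((user, addr, "no usable source address: cannot be "
                             "attributed to localhost or the LAN"))
    return findings


if __name__ == "__main__":
    for user, addr, reason in review(SAMPLE_SESSIONS):
        print(f"{user:8} {addr or '(none)':16} {reason}")
```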

chrisray1985
New here
Posts: 3
Joined: Fri Jul 12, 2019 6:22 am

Re: Phantom Admin account logged in?? Security issue?

Post by chrisray1985 » Fri Jul 12, 2019 8:24 am

eguitton wrote:
Fri Jul 12, 2019 8:02 am
You either activated some dyndns in your NAS to reach it through DNS resolution, or you activated port redirection in your WAN router to redirect incoming WAN connections on a specific port (I guess 80/443) to your NAS.
You'd better deactivate that and set up a VPN SSL/IPSEC on your router/firewall and from that VPN grant access to your desired host/whole LAN. This way, you're not exposing possible flaws of the web engine of your NAS to the internet.

Regarding the admin account: no shown IP, and connected since 15h57. What bugs me is that it's not from localhost (seeing 127.0.0.1 would have been reassuring, like "oh, that must be local system"). Is that time corresponding to uptime?

That extra admin account logs in the moment I power up the QNAP, which makes me think it's not someone connecting, rather something being launched at startup. I do use myqnapcloud as my dyndns, and port forwarding to the QNAP because some of my family uses QSync as backup. Thanks for the tip! So do you think just removing the port forwarding trigger for web access on 8080 via the router is the proper method to disable WAN access?

eguitton
Starting out
Posts: 10
Joined: Thu Jul 11, 2019 12:46 am
Location: Bordeaux, FRANCE

Re: Phantom Admin account logged in?? Security issue?

Post by eguitton » Fri Jul 12, 2019 8:34 am

Yep, you can either:

disable port forwarding from your router, and manually re-enable it when needed (or leave the rule intact but just deactivate/re-activate it when needed), and this is enough to secure your NAS and LAN (no external packets allowed to be redirected to your LAN, except when you reactivate the rule). But that also might mean that you have to leave your admin page accessible from the internet in order to change that rule when not at home: be careful! (Or don't allow WAN access to the admin page, and use TeamViewer or equivalent to access your home computer directly when you need to change the rule from your LAN, where the admin page is always available.)

or set up a VPN on your router/firewall instead of using port forwarding: credentials or a certificate are required to establish a connection to your router, and traffic to your LAN will be encrypted (more secure because tunneling + credentials (please use a strong password) for the VPN + different credentials for your NAS). But... you either need a static IP, or a domain name + dyndns or equivalent to be sure to reach your router. Which you apparently are already doing, minus the VPN.

And for the admin account, if it is effectively always connected as soon as you boot up the NAS, I wouldn't be bothered. Unless a more educated NAS expert says we should be :)
Just a random Data & Network tech guy.

elvisimprsntr
Know my way around
Posts: 162
Joined: Thu Apr 06, 2017 6:07 am

Phantom Admin account logged in?? Security issue?

Post by elvisimprsntr » Fri Jul 12, 2019 4:25 pm

With all the active threats in the news, why anyone still exposes NAS services to a WAN is beyond me.

https://brica.de/alerts/alert/public/12 ... s-devices/

Never, ever, do that! Even briefly. That includes myQNAPcloud, UPnP, forwarding.

Just because you can do something, doesn’t mean you should.
[Hourly] TS-453A-16G, R5x4x2TB Seagate ST2000VN000, Crucial CT2KIT102464BF160B
[Daily] TS-253A-16G, R1x2x4TB Seagate ST4000VN008, Crucial CT2KIT102464BF160B
[Weekly] USB3, 1x4TB Seagate STDR4000901, 45 min fire rated safe
[WAN1] ATT Fiber
[WAN2] SpeedTalk SIM in Netgear LTE Modem
[Firewall] pfSense on Protectli
[NTP] GPS NTP Server
[WLAN] OpenWRT on Linksys WRT3200ACM
[UPS] APC Back-UPS BX1500G

bigjezza
First post
Posts: 1
Joined: Wed Jun 05, 2019 7:25 pm

Re: Phantom Admin account logged in?? Security issue?

Post by bigjezza » Tue Jul 16, 2019 7:23 pm

I observed this once I enabled Q Center, or its agent. Do you have qcenter enabled?
