Hacked with no cloud acct or port forwarding???

gwbaker99
New here
Posts: 8
Joined: Sat Nov 28, 2020 2:32 am

Hacked with no cloud acct or port forwarding???

Post by gwbaker99 »

So my QNAP TVS-873e does not have a cloud account nor any port forwarding from the home router. Yet last night I got notified that someone tried to break in remotely from another continent. They were unsuccessful as they got locked out. But how did they see my NAS if it's not sticking its neck out?
jaysona
Been there, done that
Posts: 854
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Hacked with no cloud acct or port forwarding???

Post by jaysona »

How were you notified that there was an access attempt?

What was the vector that the hack attempt was made on?

Do you have UPnP enabled on the NAS and router?

As for how did they "see" your NAS, it was not seen, it was found. There are constant scans being made all the time. Some scans are more sophisticated than others and can determine when a network attached device exists but is being blocked. This also depends on the router/firewall being used. ISP-provided equipment is typically the least secure and readily leaks potential hosts on the LAN.

The best home router firewalls to use are ones that can run Merlin-WRT (select Asus only), FreshTomato, OpenWRT and DD-WRT. Those firmwares use iptables and the "drop" command for all disallowed packets. The drop is effectively the same as if no device exists at all. Many types of ISP-provided equipment use something like "deny" or "reject", which lets the scanner know that something is there.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)

Re: Hacked with no cloud acct or port forwarding???

Post by gwbaker99 »

As for which vector, https, ssh, not sure. The NAS notification system sent this:

NAS Name: qnapnas
Severity: Error
Date/Time: 2021/01/05 01:30:18

App Name: Users
Category: Login
Message: [Users] Failed to log in via user account "admin". Source IP address: 37.120.213.xxx

What I don't understand is how the traffic was routed to the NAS through the router when I do not have any ports forwarded to the NAS? Router is mesh Netgear RBS850.
dolbyman
Guru
Posts: 35249
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Hacked with no cloud acct or port forwarding???

Post by dolbyman »

As asked before, is UPnP disabled? If not, the QNAP can do its own port forwarding.

Re: Hacked with no cloud acct or port forwarding???

Post by jaysona »

That looks like a login attempt via the QTS admin web page.

This means your NAS is exposed to the Internet, either on port 8080, 443 or both. Check to make sure the NAS, router and any other network devices have UPnP disabled.

Use one of the following links to check whether specific ports are being forwarded by your router.

https://www.portcheckers.com/canyouseeme
https://portchecker.co/canyouseeme
https://www.canyouseeme.org/

Finally, remove the HelpDesk app; install it only when you actually need to use it.

Edit: I just looked up your router, you may want to consider using something else. There are numerous vulnerabilities for the Netgear Orbis out there. There are a few 0-days for the Orbi as well, so tread carefully.

Re: Hacked with no cloud acct or port forwarding???

Post by gwbaker99 »

Thanks all, must have been UPnP.. turning off...
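
The reasoning in the thread (a failed login whose source is an Internet address means the NAS login page is reachable from outside) can be checked mechanically. The following is an added example, not part of the thread or of QNAP's software: it parses notification text in the format quoted above and separates WAN-origin sources from LAN ones. The sample lines, the addresses and the function name `classify` are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample notifications in the format quoted in the thread.
# Addresses are made up (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE = '''\
Date/Time: 2021/01/05 01:30:18
Message: [Users] Failed to log in via user account "admin". Source IP address: 203.0.113.45
Date/Time: 2021/01/05 01:30:21
Message: [Users] Failed to log in via user account "admin". Source IP address: 203.0.113.45
Date/Time: 2021/01/05 08:12:40
Message: [Users] Failed to log in via user account "gw". Source IP address: 192.168.1.23
Date/Time: 2021/01/06 03:02:11
Message: [Users] Failed to log in via user account "root". Source IP address: 198.51.100.7
'''

# Ranges that can only originate from inside the home network.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

FAILED = re.compile(
    r'Failed to log in via user account "(?P<user>[^"]*)"\. '
    r'Source IP address: (?P<ip>\S+)')

def classify(text):
    """Count failed logins per (source, account), split into WAN and LAN origin.

    Sources that do not parse as an IP address (for example a masked value
    such as 37.120.213.xxx) are returned separately instead of being guessed.
    """
    wan, lan, unparsed = Counter(), Counter(), []
    for m in FAILED.finditer(text):
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            unparsed.append(m["ip"])
            continue
        bucket = lan if any(ip in net for net in LAN_NETS) else wan
        bucket[(str(ip), m["user"])] += 1
    return wan, lan, unparsed

if __name__ == "__main__":
    wan, lan, unparsed = classify(SAMPLE)
    for (ip, user), n in wan.most_common():
        print(f"WAN-origin: {ip} tried account {user!r} {n}x")
    if wan:
        print("NAS login is reachable from the Internet: check UPnP and port forwards.")
```

Any WAN-origin entry is the signal discussed in the thread; LAN-origin failures are usually mistyped passwords from a local device.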