1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

NAS200 hacked?

Discussion in 'Cisco/Linksys Network Storage Devices' started by leijona, Nov 25, 2009.

  1. leijona

    leijona Addicted to LI Member

    Hello ,
    i have the NAS200 with jac2b firmware on. Tonight by chance I run netstat -a from ssh prompt and saw this:

    tcp 0 0 192.168.2.2:telnet 85-20-208-172-dyna:3861 ESTABLISHED
    tcp 0 892 192.168.2.2:ssh netxx9.xxxx.xxxx:6617 ESTABLISHED
    tcp 0 0 192.168.2.2:telnet client-200.106.106:3634 ESTABLISHED
    tcp 0 0 192.168.2.2:telnet 190.43.161.70:2586 ESTABLISHED
    tcp 0 0 192.168.2.2:telnet 190.43.129.229:4693 ESTABLISHED

    The ssh is me but i dont know who the hell or even how they connected to telnet when there is no NAT from outside to port 23 on the NAS IP. Is there a chance this connections initiated from NAS itself ?

    Any ideas ??
     
  2. Treah

    Treah Addicted to LI Member

    If you are not using telnet turn it off. It looks like they are not connecting via port23 but though a high level port that you may not have blocked. This is def someone in your box.
     
  3. jac_goudsmit

    jac_goudsmit Super Moderator Staff Member Member

    No, the NAS never initiates outgoing Telnet connections (besides, even if it would, they would show up differently in the netstat output).

    Do not leave your Telnet port open to the Internet. You should always use a firewall/router between your LAN and the Internet and you should not forward port 23 on your router.

    If you don't need Telnet, disable it in my firmware by creating or removing the appropriate file in the config partition (this functionality changed between firmware versions, check the documentation for your version).

    You really shouldn't need Telnet for any reason, you should use SSH to do everything that needs a shell prompt. If you insist on having it enabled, you should make sure your network is well protected. Probably one of the first things hackers will try when they get to your network is to log in through Telnet, and they will immediately notice that they don't need a password and they are root. Even though there might be nothing much they can do on a NAS200, they can still cause a lot of damage with a simple command or two. They will even be able to find other computers on your network and wreak havoc to them. The least damage they might cause is to log in to Telnet a few times simultaneously so you won't be able to get a terminal to kick them out!

    Even if you only expose SSH to the Internet, you should still make sure that you choose a strong root password. I've seen many attempts to break into my NAS through SSH, just by guessing the root password...

    The Internet is an evil place, unfortunately...

    ===Jac

    PS Treah's comment is not applicable: the high random ports that he is talking about are the ports on the remote computer. You can't (and don't have to) block any traffic based on the remote port, you just need to block traffic to port 23.
     
  4. leijona

    leijona Addicted to LI Member

    Thank you for replying, I will disable the telnet in your firmware Jac, i oversaw it... but still if try to connect from the outside to port 23 of my home ip address i get nothing. Also in the router interface there is no NAT rule to forward port 23 to anywhere inside my LAN.... i still can't understand how these sockets were created ! I only can think from the inside to those IP addresses (in italy btw)
     
  5. jac_goudsmit

    jac_goudsmit Super Moderator Staff Member Member

    I assure you that there's nothing in my firmware that would make OUTGOING connections FROM the telnet port to random addresses and ports in Italy or wherever... The only way that there can be a Telnet port open is if somehow Those Nasty Italians managed to connect to your NAS, not the other way around.

    ===Jac
     
  6. leijona

    leijona Addicted to LI Member

    I have to apologize for letting suspicion that the sockets were created from your firmware Jac. I only have thanks to give to you. Those nasty Italians may found a gap hole in my router and exploit it.
     
  7. Treah

    Treah Addicted to LI Member

    I just looked at this again and your right Jac I must have been intoxicated this day or something.
     

Share This Page