
Somebody tried to login to my QNAP


9 replies to this topic

#1 Gorbulan


Posted 16 March 2017 - 11:38 AM

...and then I logged into his. Here's the story:

 

Today when I started work I checked the System Connection Logs, as I always do. Sometimes I find somebody trying to log in to our QNAP. Today was no different; however, I made a mistake, sort of.

While looking up the IP address, I accidentally pasted it into my browser address bar. So out of curiosity I hit Return. It worked, I found...a QNAP web interface? Still curious (and apparently feeling mischievous) I tried to log in, with admin/admin as the credentials. It worked. O_O

It authenticated and then began rendering the appropriate pages and at that point I stopped. I closed the browser window. I know "admin" is the master administration account because QNAP has that by default and its permissions cannot be changed.

What should I do? I already perma-blocked the offending IP address. Should I log in and try to help this lousy "hacker"? I am seriously worried for the security of his 'NAP. I mean, people hit us with a login attempt about once a month now, so it is only a matter of time until he is attacked too.
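
The morning log check described in the post above, sketched as an added example (not part of the original thread and not QNAP's own tooling): it groups failed logins by source address and ignores the local network. The CSV layout, the sample lines and the 192.168.1.0/24 LAN range are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample. The column layout is an assumption for this example,
# not the actual export format of the QNAP System Connection Logs.
SAMPLE_LOG = """\
date,time,user,source_ip,service,action
2017-03-15,23:41:07,admin,203.0.113.45,HTTP,Login Fail
2017-03-15,23:41:09,admin,203.0.113.45,HTTP,Login Fail
2017-03-15,23:41:12,root,203.0.113.45,HTTP,Login Fail
2017-03-16,08:02:31,alice,192.168.1.20,HTTP,Login OK
2017-03-16,08:05:10,backup,192.168.1.31,SAMBA,Login Fail
2017-03-16,09:14:55,admin,198.51.100.7,HTTP,Login Fail
2017-03-16,09:15:02,admin,not-an-ip,HTTP,Login Fail
"""

LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed LAN range


def external_failures(log_text, local_nets=LOCAL_NETS):
    """Return ({source_ip: summary}, malformed_rows) for failed logins from outside."""
    hits = defaultdict(lambda: {"count": 0, "users": set(), "services": set()})
    malformed = 0
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"].strip().lower() != "login fail":
            continue
        try:
            ip = ipaddress.ip_address(row["source_ip"].strip())
        except ValueError:
            malformed += 1  # count unparsable addresses instead of crashing
            continue
        if any(ip in net for net in local_nets):
            continue  # a mistyped password on the LAN is not an outside attempt
        entry = hits[str(ip)]
        entry["count"] += 1
        entry["users"].add(row["user"])
        entry["services"].add(row["service"])
    return dict(hits), malformed


if __name__ == "__main__":
    hits, malformed = external_failures(SAMPLE_LOG)
    for ip, e in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip}: {e['count']} failed, users={sorted(e['users'])}, "
              f"services={sorted(e['services'])}")
    print(f"rows with unparsable source address: {malformed}")
```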




 


#2 technonymous


Posted 16 March 2017 - 01:07 PM

Hmm, that's kind of concerning. So is your QNAP assigned a static public IP facing the internet, or is it behind a NAT router? Maybe changing the default port to something else will help stop the attempts, if the config will allow that. Maybe put the entire setup behind a VPN or SSH tunnel with a public 2 key pair authentication. Change the SSH port to something other than port 22 or you will get hits on that too. Block root access to the SSH. That will button down any remote access service. I even run RDP through SSH tunnels. No key, no access, plus they have to know the user name login, and root has been completely disabled. That is strange that the IP trying to connect to you has an unsecured connection LOL. Maybe theirs is hacked with a bot running on it. Are you 100% positive it wasn't your own local network IP?



#3 Didier Stevens


Posted 16 March 2017 - 01:54 PM

> Should I log in and try to help this lousy "hacker"?

No. In many countries logging in to that system would be illegal. You can try to inform their ISP, but I doubt they would do much about it.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 Gorbulan


Posted 16 March 2017 - 04:22 PM

 

> > Should I log in and try to help this lousy "hacker"?
>
> No. In many countries logging in to that system would be illegal. You can try to inform their ISP, but I doubt they would do much about it.

That's what I figured.

Can't mess with many settings, technonymous, it would be too easy to lose our access to the server. The QNAP is behind a NAT router. I don't remember clearly, but I think QNAPs have their SSH settings more or less locked down. Can't add users to SSH on it, only admin can SSH to a QNAP. It can be changed with the Optware package but I think that is out of date with the latest QNAP firmware/OS.

> That is strange that the IP trying to connect to you has an unsecured connection LOL. Maybe theirs is hacked with a bot running on it. Are you 100% positive it wasn't your own local network IP?

Oh gee, they could be compromised with a bot. Hmmm. 100% positive we do not have any IP addresses like the one I pasted. Also their web interface is set up differently than ours. Theirs looks like the defaults, actually.


Edited by Gorbulan, 17 March 2017 - 01:04 PM.


#5 JohnnyJammer


Posted 16 March 2017 - 05:02 PM

Turn UPnP off on your router because these systems tend to open a port by default, allowing anyone to access the web interface.



#6 Gorbulan


Posted 16 March 2017 - 05:54 PM

UPnP is off.



#7 awesomeoverload


Posted 16 March 2017 - 08:29 PM

Use password management software to protect your passwords and accounts.



#8 technonymous


Posted 18 March 2017 - 01:24 PM

Just need to talk to the admin that can change settings. If all this is behind an SSH, then change the default port 22 to like 62 or something. It's really simple to do in the SSH server config. Then all knocks on the back door will stop.

 

Edit: Disable root too and instead create a new super user if needed. That way you're not getting brute forced on root all day long.


Edited by technonymous, 18 March 2017 - 01:28 PM.
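
The SSH settings recommended in posts #2 and #8 (non-default port, root login disabled, key pair authentication), checked against an `sshd_config` as an added example; it is not part of the original thread. Both sample configs are constructed, and the parser assumes the whitespace-separated `Keyword value` form and audits only the global section.

```python
# Constructed sample configs for this example; not taken from any real host.
WEAK = """\
# constructed example
Port 22
Port 2222
PermitRootLogin yes
#PasswordAuthentication no
"""
HARDENED = """\
Port 62
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# OpenSSH defaults that apply when a keyword is absent or commented out.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def effective_settings(text):
    """Global settings as sshd reads them: first value wins, Port accumulates."""
    single, ports = {}, []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # Match blocks are conditional overrides; audit globals only
        if key == "port":
            ports.append(value)  # sshd listens on every Port line given
        else:
            single.setdefault(key, value)
    return {**DEFAULTS, **single, "port": ports or ["22"]}

def audit(text):
    """Return (code, detail) findings for the settings the posts recommend."""
    s, out = effective_settings(text), []
    if "22" in s["port"]:
        out.append(("default-port", "still listening on port 22"))
    if s["permitrootlogin"].lower() != "no":
        out.append(("root-login", f"PermitRootLogin {s['permitrootlogin']}"))
    if s["passwordauthentication"].lower() != "no":
        out.append(("password-auth", "password logins are accepted"))
    if s["pubkeyauthentication"].lower() != "yes":
        out.append(("no-pubkey", "key pair authentication is disabled"))
    return out

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

Adding a second `Port` line does not close port 22, which is why the weak sample is still flagged for the default port.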


#9 Gorbulan


Posted 20 March 2017 - 01:44 PM

The attacks originate over HTTP, not SSH. Nobody has tried an attack via SSH, yet.



#10 technonymous


Posted 20 March 2017 - 09:29 PM

Well, you're going to see a lot of incoming HTTP SYN ACK scans; there is nothing you can do about that.


Edited by technonymous, 20 March 2017 - 09:30 PM.




