AM I HACKED??? Something attempting to Login via SSH *Inside* my LAN Network on BOTH my DS918+'s and blocked

[Captainfingerbang]

 

2x DS918+ 1.04b   2x B365M HD3 mobo,   8gb ram.   1 with/10tb and 1 with/7tb

 

Something appears to be trying to login into both my ds918+'s from INTERNAL IP via SSH!!! But Synology is blocking it.. I've not used SSH in months, until i ran netstat 2 hours ago. Both NAS's had DDNS on them and were exposed to internet but I just removed everything,  changed admin and user account login info, disabled ssh, removed port forwards and any DHCP IP reservations in router and a host of other things. 

 

You can see the issue/problem in images below.(attached) This issue is happening for both Nas's, and at the same time last night. 

 

The problem is i cannot diagnose which IP it is. The symptoms that led me to factory reset my routers happened PRIOR to me getting this error msg from DSM(in below image), hence giving ALL my 30+ devices new ip addresses (therefore i cannot trace yet) For all I know, whatever did this has a new ip given by router.

I have a guess that it may have came from a wifi thermostat ip or possibly from my 21 year old's pc or himself, he was up at this hour when this happened. He isnt the smartest pc guy and i don't even think he knows what SSH is. He can sometimes download weird stuff, but he went and wiped his win 10 pc today for me so idk.

 

A very senior member(imho) here said i should be very worried about this and to do netstat commands, also turn on logging in dsm so i did. 

But I don't know how far to go from here. Today I got new router, changing all network settings, then all my passwords for everything.

I'm making extra backups currently to usb, then to wipe both nas boxes eventually.

 

My fear is that whoever they are, are ready to Ransomware, and already own me and all my data etc.  The data is backed up so not worried, but changing passwords will be a pain and calling my thermostat company(Honeywell) to change info is never a treat, but manageable. I may even get newer thermostats for home.

 

• Has anyone heard of this?
• Should I be very, very worried like the other member said?
• Is this some weird DSM thing? Could this not be from an actor?
• What lengths must I go to flush this bad actor out if so??
• Am I overreacting? 
• Can anyone provide me some good advice? I'll buy ya a coffee for your troubles

 

 

 

[jensmander]

Usually breaches from different devices occur only if they‘re exposed to the internet (NAT). Otherwise most routers/firewalls are only traversal in one traffic direction, from inside your lan to outside. 

 

Of course there‘re other attack vectors. Compromised cloud services or update servers for IoT stuff, router firmware bugs, etc. I can only guess but I think in your case it seems that your son(?) infected his PC with whatever evil stuff (remote shell, trojan, …). If you‘re lucky and he really completely wiped his system then you should be safe (again) but you never can be sure. Maybe it‘s a good time to think about using a real firewall like pfsense/opnsense or anything similar behind your soho router and diverting your network into VLANs with restricted access (if your switching hardware supports this). Put your 21 years old‘ PC into a separate VLAN and deny any access to your network except internet access. 

 

Most breaches occur from the inside when users with or even without full privileges can do what they want and click on every sh*t (mail attachments, obscure links, etc.).

 

I think nobody can give you the ultimate advise in this case. To be absolutely sure then you should run malware checks on every system and change your passwords.  Wiping systems and changing every password is the ultimate solution but that’s up to you.

 

Just my 2 cents

[IG-88]

17 hours ago, Captainfingerbang said:

Both NAS's had DDNS on them and were exposed to internet but I just removed everything,

you did that yourself (the DDNS)? then you should only have expose one or two ports/services (like photostation) or more? (usually you dont expose everything and with it the admin gui)

 

17 hours ago, Captainfingerbang said:

You can see the issue/problem in images below.(attached) This issue is happening for both Nas's, and at the same time last night. 

 

17 hours ago, Captainfingerbang said:

I have a guess that it may have came from a wifi thermostat ip

you would need to check if there are know attacks or vulnerabilities on the thermostat or its infrastructure (home base in you network or cloude base) - unlikely that you would not be the first to hit with a 0-day exploit/attack

 

Quote

or possibly from my 21 year old's pc or himself, he was up at this hour when this happened.

that seems the most likely source, beside malware, he might have tried a probing or scriptkid's tool (answers from "users" are not always honest or covering every aspect, there can be different reasons for this)

 

17 hours ago, Captainfingerbang said:

The problem is i cannot diagnose which IP it is. The symptoms that led me to factory reset my routers happened PRIOR to me getting this error msg from DSM(in below image), hence giving ALL my 30+ devices new ip addresses (therefore i cannot trace yet) For all I know, whatever did this has a new ip given by router.

I have a guess that it may have came from a wifi thermostat ip or possibly from my 21 year old's pc or himself, he was up at this hour when this happened. He isnt the smartest pc guy and i don't even think he knows what SSH is. He can sometimes download weird stuff, but he went and wiped his win 10 pc today for me so idk.

you already see your problem here, its called IT forensic, the task of evaluating the damage and finding the reason gets more important with complex environments, it gets more and more challenging when the only plan is to reinstall or buy new things, you need to pin down what was hitting you to evaluate the measures to take, it can bind some resources when assuming the max. capability attacker was at work

you just panicked, 1st thing to do would be disconnecting things from network, disabling a potential attackers ability's to remote access and also disabling installed softwares capabilities to spread or doing harm in the network

next would have been to access the nas arp cache and dhcp server to check on the IP's mac address, the 1st half of that is the vendor ID, often giving you a clue what device it was, even if its not one of yours (like your neighbor lurking in your wifi unknowingly), a phone, a tablet a pc, that system would be next to check

you would also have checked the win10 pc's log and make scan of the system with a system separately booted up (like a different computer booted from a safe media or using a computer that was offline at the time of the events)

 

anyway, not much you can do now after removing most of the evidence

you might think about segmenting the internal network with vlan's and even might use internal firewall(s) to limit access from one segment to another (like your son only havong access to the dsm videostations port to access movies instead of exposing the nas to a unsafe user/system

 

lots of home network have grown into small/media company scale networks without people realizing it and not thinking about risks, planing for desasters or doing proper backup - its not a attack problem, its a lack of planning ahead (i guess you did plan for fire or other things by having smoke detectors and having insurance), sadly its pretty normal to get attacked on the internet, ultimate freedom can also mean ultimate evil is possible

people tend to forget a nas or even a "simple" mobile phone is a full scale computer that can do anything if used in the right way (and especially mobiles are not getting enough security updates and are highly exposed)

 

you should see this as a warning, nothing serious seemed to be happened right now and even ransomware (with just encrypting files) is no real thread when having backups, there is much more of a problem when your online accounts, cloud resources and bank accounts get involved

 

Edited May 22, 2021 by IG-88

[araknoid]

I join this conversation even if it's very old because I'm in the same situation but I didn't panic and I have some data that can help a possible future reader in the analysis. I logged the IP address and found it's an updated pc (Win11) my son uses. He keeps many web pages open but being the son of a computer scientist he is quite attentive to security, he has an antivirus (free) always active. Virtually the only use he makes of his PC is to watch streaming video. The sites he uses therefore could have downloaded anything in javascript and HTML 5 on his PC. I don't know one or the other so I wonder if it can happen that a web page does background scans on the local network and specifically on ssh ports without the browser being asked for authorization.

 

But wait, none of them, in my case the PC was running Avast antivirus that contains a Wifi Inspector. This enging scan your network to find problems and report to user abount devices unchanged default password or other misconfiguring security problem.
 

 

Edited June 26, 2023 by araknoid
answer found