PPRuNe Forums

Computer/Internet Issues & Troubleshooting: How come? - FTP brute force attack (https://www.pprune.org/computer-internet-issues-troubleshooting/391531-how-come-ftp-brute-force-attack.html)

mixture 8th October 2009 12:01


The NAS is now unplugged whilst I pause and think rationally what to do.
Difficult one.

Theoretically, if you were very careful and your router/firewall provides a way to block outbound as well as inbound traffic from its IP address you could reduce the risk of data leakage.

Maybe the manufacturer will let you send it back to them under warranty and format it... unless they'll send you some tools on a CD.

Saab Dastard 8th October 2009 12:16

What I would suggest is to download ethereal or some other free network analyzer and see what, if anything, is going on on the network between your NAS and other devices / internet.

A hub comes in very handy here - especially if you can't set up a switchport as a monitoring port. Just use an x-over cable to connect the hub to the switch, then attach the NAS and the PC you are running your sniffer on to the hub. Now you will see all traffic between the NAS and everything else.

SD

bnt 8th October 2009 12:19


Originally Posted by Mike-Bracknell (Post 5239122)
Hence, the NAS firmware's uPNP has told the HomeHub that it wants to open 20/21 and the HomeHub has duly obliged.....leaving an FTP service open on the internet, which has subsequently been found by script kiddies with probes looking at 20/21 on a range of IP addresses.

Well, that's not good, is it?

What? :8

green granite 8th October 2009 12:20


What I would suggest is to download ethereal
For info ethereal is now called "WireShark"

The late XV105 8th October 2009 13:06

Thanks for that; I'll give Wireshark a go with the config suggested.

As an aside, as a way of junking all the data I thought of rebuilding the NAS from RAID1 to RAID0 using the Admin Console, and then reverting to RAID1 but I guess (a) this doesn't necessarily reformat (so data still "exists") and (b) the RAID controller / MoBo is probably flashable and therefore could have been exposed to a hack anyway?

mixture 8th October 2009 13:35


Wireshark
That did come to mind.... but then I thought it might be a bit beyond the realms of available IT know how in the XV105 household. :ok:

Wireshark easily produces a whole ton of data which can be confusing and difficult to interpret if you don't know what you're looking for or how to configure it.

mixture 8th October 2009 13:38


as a way of junking all the data I thought of rebuilding the NAS from RAID1 to RAID0 using the Admin Console, and then reverting to RAID1 but I guess (a) this doesn't necessarily reformat (so data still "exists") and (b) the RAID controller / MoBo is probably flashable and therefore could have been exposed to a hack anyway?
Rebuilding the RAID as suggested is certainly an easy way to trash your data.... but it's not going to solve the problem of what might be going on at embedded OS level.

I think the chances of the Motherboard being targeted are fairly slim in this scenario .... more likely is that the OS was targeted in order to attempt to ensure a backdoor remained available.

The late XV105 8th October 2009 13:48

Thanks again mixture. I take it then that if Wireshark doesn't show something dodgy (it doesn't so far*, amongst the tons and tons of data you correctly predicted!) then a RAID rebuild could be a sensible thing to do before forgetting the affair and moving on? Remember I have now verified that UPnP is "off" and that ShieldsUp found no weaknesses so it's only something already inside trying to get out that I think I need to consider.

*I let it capture for a while and then sorted the records alphabetically by source column so I could quickly scan I.P. addresses and names outside those I know. I then did likewise for destination. Nothing found. I'll let it run for a couple of hours more and then look again.
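An added example, not code from the thread: it automates the scan XV105 describes (going through the capture by source and destination and looking for addresses outside the ones you know). It assumes a Wireshark capture exported as CSV, a NAS at 192.168.1.50 and a router at 192.168.1.1 (both constructed), and treats any peer outside the RFC 1918 ranges as "outside the house".

```python
import ipaddress
import re

# Constructed rows in the shape of a Wireshark CSV export
# (time, source, destination, protocol, info). Addresses are made up;
# the NAS is assumed to live at 192.168.1.50 and the router at 192.168.1.1.
SAMPLE_CSV = """\
0.001,192.168.1.10,192.168.1.50,TCP,49152 > 445 [SYN]
0.120,192.168.1.50,192.168.1.10,TCP,445 > 49152 [SYN, ACK]
1.500,192.168.1.50,192.168.1.1,DNS,Standard query A pool.ntp.org
2.300,192.168.1.50,203.0.113.77,TCP,37854 > 6667 [SYN]
3.100,198.51.100.9,192.168.1.50,TCP,51000 > 21 [SYN]
4.000,192.168.1.50,192.168.1.1,NTP,NTP Version 4, client
"""

NAS_IP = ipaddress.ip_address("192.168.1.50")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_PORTS = {20, 21}  # the ports the thread found opened via UPnP
PORT_RE = re.compile(r"(\d+) > (\d+)")  # "srcport > dstport" as Wireshark prints TCP info


def is_lan(addr):
    """True if addr is an RFC 1918 private address, i.e. inside the home network."""
    return any(addr in net for net in RFC1918)


def parse_rows(csv_text):
    """Parse the export; the info column can itself contain commas, so split at most 4 times."""
    rows = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto, info = line.split(",", 4)
        rows.append({"time": float(t), "src": ipaddress.ip_address(src),
                     "dst": ipaddress.ip_address(dst), "proto": proto, "info": info})
    return rows


def triage(rows):
    """Separate the two things worth eyeballing: the NAS reaching out to the
    internet (something inside trying to get out), and the internet reaching the NAS."""
    outbound, inbound = [], []
    for r in rows:
        if r["src"] == NAS_IP and not is_lan(r["dst"]):
            outbound.append((r["time"], str(r["dst"]), r["info"]))
        elif r["dst"] == NAS_IP and not is_lan(r["src"]):
            m = PORT_RE.search(r["info"])
            dport = int(m.group(2)) if m else None
            inbound.append((r["time"], str(r["src"]), dport, dport in FTP_PORTS))
    return outbound, inbound


if __name__ == "__main__":
    out, inb = triage(parse_rows(SAMPLE_CSV))
    for a in out:
        print("NAS -> internet:", a)
    for a in inb:
        print("internet -> NAS (port, hits FTP?):", a)
```

With UPnP off and the router closed, the inbound list should stay empty; anything in the outbound list that is not the router, an update server or a service you configured is what needs explaining.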

mixture 8th October 2009 13:57


then a RAID rebuild could be a sensible thing to do before forgetting the affair and moving on?
In all honesty, yes that's probably the best course of action in your circumstances.

What you could do is leave the RAID as RAID1, but just reformat it (or even better do a quick one pass zero overwrite) ....you might as well keep the benefit of RAID1.

Then, you might want to consider making use of TrueCrypt (or other tool of your choice) to create encrypted disks (not "whole disk" encryption, just little disk images of manageable sizes - or larger sizes if you know you're never going to be doing remote access)..... so then at least your data is encrypted at rest and "they" can copy it as much as they want but would be able to see :mad: all. :ok:

mixture 8th October 2009 14:00

By the way, I forgot to say ...

Congratulations on you for being security aware and actually keeping an eye on your logs etc.

So don't feel too bad about this whole lesson ! You did well to pick up on it so quickly.

srobarts 8th October 2009 14:21

XV105, there must be a utility to securely erase the data on the drive and reset to the factory condition. They must have thought of the end of life or moving locations. Look at the manufacturer's web site and search the knowledge base. If no answer, pose the question to them. They should have phone support available.

The late XV105 8th October 2009 15:33

Thanks (again!), and for the comment. It still hurts though as I try to be absolutely as security aware as I am backup plan conscious, and something got past me. Grrrr!

Regarding encryption I have been using Memeo Backup for some time now but whilst I have elected to continue using it with the NAS I have likewise elected to continue using it without invoking the encryption option. My thinking here was that the benefit of being able to manually restore if the auto restore was ever needed but failed [the backup follows the same logical structure and is viewable (but must not be edited!) via Windows Explorer] outweighed the encryption benefit of a device on an internal network with strong firewall and which is unlikely to be stolen.

Perhaps time to have a rethink.

Regarding the RAID "reformat" I have successfully gone from RAID 1 to RAID 0, rebooted the NAS, and then gone back from RAID 0 to RAID 1. All is well and the free byte count is correct.

The next job?

To work out how the hell to remove (a) MioNet, (b) the Public Folder, and (c) the Download Folder without resorting to SSH and a hack. I have decided to live without MioNet and use web-hosted file sharing on demand instead and I don't need the two described folders that are a CIFS standard.

mixture 8th October 2009 15:53


resorting to SSH and a hack
Don't be scared by Linux !

Post the commands they've told you to type on SSH and I'll soon tell you how likely they are to trash your box assuming they are standard Linux commands and not some proprietary NAS box commands ! :cool:

mixture 8th October 2009 16:02


Perhaps time to have a rethink.
I'm not a huge supporter of encryption, it can be a hindrance rather than a help in many cases, as well as a risk of its own. Evaluate on a case-by-case basis as they say.

Mike-Bracknell 8th October 2009 16:03

Can I just point out the following little-known facts:

1) the number of script kiddy attacks is inversely proportionate to their effectiveness.

i.e. - there are thousands of teenage students out there, using P2P software and have probably downloaded a generic script which wants to replicate itself and does so via scanning IPs and trying basic exploits

2) another reason there are lots of attacks are because not everyone understands the benefits of keeping systems up to date regarding security exploit fixes etc

3) the VAST majority of script kiddy attacks are automated, basic, and targeted towards the exploits not patched in #2 above.

4) the VAST majority of exploits are for Windows systems, which make up a VAST majority of internet-connected computers

5) the VAST majority of exploits are done for commercial gain in some shape or form

...

Hence, unless you are convinced that you had a manually initiated attack, onto your IP address, using exploits which were sufficient to compromise your own specific embedded Linux variant, and the operator was skilled enough to be able to install a trojan as a result, and they had something significant to gain from doing so on your NAS box (versus the time they would have had to do so, in a time and motion study sorta thing)......then I'd suggest you can sleep safe in your bed.

FWIW, I have LOTS of devices on the internet, and attempted attacks are a regular occurrence. Granted you can't be 100% sure that someone's not smarter than you are, but on the law of averages and looking at the reasons behind the exploits, you really need to chill about this IMHO.

(besides, the NAS specifically included uPNP in order to configure itself to do this very task on the internet - if you were a product designer, would you do this as standard if you weren't very confident about its security?)

mixture 8th October 2009 16:23


5) the VAST majority of exploits are done for commercial gain in some shape or form
Not always ....

Zombie nets
Somewhere to host questionable content to share amongst "friends"
etc. etc.


(besides, the NAS specifically included uPNP in order to configure itself to do this very task on the internet - if you were a product designer, would you do this as standard if you weren't very confident about its security?)
If you were a product designer, product marketing probably came downstairs to see you with a list of features from competitive products and said "what other funky features can we put into our box to give us a USP". In today's IT market it's all about maximising sales ....

Let's face it .... product design for residential products is NOT security led. That includes residential firewalls embedded on cheapo routers, which don't compare in the least with their commercial variants.

mixture 8th October 2009 16:26


using exploits which were sufficient to compromise your own specific embedded Linux variant,
There is plenty of software that can target specific OS and software variants and versions automatically.

But just to make my point of view clear... I think XV should take a little time to make sure his house is in order and then move on. I don't think he should spend days or weeks on it.

Mike-Bracknell 8th October 2009 21:30


But just to make my point of view clear... I think XV should take a little time to make sure his house is in order and then move on. I don't think he should spend days or weeks on it.
Once again, I think Mixture and I are coming to agreement but from different start points. I agree totally with my quote from him. It's not a clear-cut thing, but I think we both agree that as long as you have a modicum of diligence then you can rest easy that it's a lot less easy to 'hack' into a 'managed' computing device than is sometimes glorified by the media.

mixture 9th October 2009 08:09

Mike,

It does indeed seem we have the same end goal in mind even if certain methods of achieving it are up for debate, however now is not the time and PPRuNe is not the place.

In the end, I think it has been correctly identified that UPNP was to blame here which, like WiFi and all the other residential technologies sold as a way to make your life easier, is so easily abused and mis-configured due to the manufacturers' and resellers' focus on marketing and sales rather than product development and user education/support.

As for pointing fingers at BT and Homehub .... I will leave that one as an exercise for the reader..... :ok:

green granite 9th October 2009 09:05

The security of the BT hub leaves a lot to be desired, I got mine because they offered me the VoIP service for free. When I came to set it up I looked at the manual and could find no mention of WPA encryption at all, the only security mentioned was to enter the serial number of the router into the WEP box.
So I rang the help desk and the person I spoke to didn't even know what I was talking about. :ugh:

I found WPA eventually. But it's a bloody awful setup menu, very difficult to find your way through (or at least it was 2 years ago when I got mine).
