How come? - FTP brute force attack
 

As you may have read, yesterday I commissioned my RAID1 NAS and it's working great. Very, very slick and a number of the features have brought a smile to my face! I actually got to bed at 3:00am as I couldn't stop playing, ahem.

Browsing the log file just now however I found that for 30 minutes not long after I went to bed it was subjected every two seconds to a brute force FTP attack:

2009/10/07 04:05:32 [admin] FAIL LOGIN: Client "60.217.229.222"

Google revealed the I.P. address to likely be in China and that it has been blacklisted by some ISPs for exactly what caused me to research it.

I'm not an I.T. numpty but I certainly don't know it "all", so my question is "How was my NAS found?". I could understand my firewall repelling an intruder since it's knowingly exposed to the outside world but the fact that the NAS log shows the attack implies the firewall was breached.

I'm running a BT HomeHub with (checked and confirmed just now) default firewall and the only intentional way to reach my NAS from the outside world is via the secure MioNet web-based remote access account that I have created. If that's the weakness it gets deactivated right away; I have chosen a long and meaningless username and password but if that's breached I can't imagine it's rocket science to trawl even the "unshared" parts of my network.


TVM,
XV

I may be wrong but if your NAS has uPNP activated and so does the router then your NAS could be visible to the outside world.....

I don't know the HomeHub, but can I assume it has Network Address Translation (NAT)? Most home gateways do, and if so, then devices behind it are not actually on the Internet, they are on a private network with a different IP address range. The typical private range of 192.168.xxx.xxx is one of several that are not actually valid on the Internet, and routers will not forward them.

So, behind NAT, nothing gets through unless an outgoing port is opened on it, and that happens in two ways: explicitly by a Port Forwarding setting on the gateway, or by some application that has a persistent attachment to the Internet.

In your case, in my opinion, that points the finger directly at the MioNet function on the NAS box. I would disable it, and also check the HomeHub for any Port Forwarding settings. (The only ones there should be ones that you know you need - if in doubt, make a note of them, then remove them and see if anything breaks.)

A friend of mine has a WD NAS box that he uses behind his home hub. When I visited him back in August he was annoyed that MioNet was asking him to pay for an account, but when I read about it, I learned that MioNet is specifically for getting to your files from outside, from the Internet, If you don't need to do that, you don't need MioNet - full stop. We stripped it off all the PCs in my friend's house (he has a lot), and set the WD box as a plain SMB share on Windows (\\wdstorage). Sorted. :ok:

Thanks, bnt.

I'm familiar with the principles of NAT, thanks, and yes, my internal addresses are along the lines you describe (and fixed per MAC address to make network maintenance easier and short cuts more reliable to use).

Unfortunately you confirm my fear that it's MioNet that's the likely catalyst.I say unfortunately because this service (in my case free for the basic option for the life of the unit it came bundled with) is something I do actually want to use.

1. I have family and friends worldwide to whom I'm often posting things on DVD so to dump these things in a folder in to which said family and friends can dip whenever they like is quite appealing
2. I also work from home when in the UK and have been doing my work backup using Memeo Backup. I do this as near-real-time net change to a brace (one always off site and one plugged in) of USB drives. This is massively faster than VPN to the company's servers in Sweden or UK. To instead back up to the MyBook and know I can access my files wherever I am, regardless of whether I have laptop or USB backup with me, is a nice thought

All this only applies though if security is not unduly compromised...


Cheers,
XV

I'd second that uPNP is the cause. If it wasn't negotiated between the NAS and the router then there would be no open tcp port 20/21 through which the Chinese script kiddie could attempt hacking (unless you've inadvertently manually opened those ports and forwarded them on to the NAS's LAN IP).

I don't have a detailed understanding of UPnP, but from what I understand about the way it works, I too would think it's probably the cause.

However....

You don't need the port under attack to be open.

If you've got any inbound services open on perimeter devices then you are at risk if vulnerabilities exist in their implementation (or your configuration thereof) and you have failed to keep your patches up to date (assuming patches exist of course).

There are some very innovative attack strategies out there that can make use of what might look to the lay-person as innocent services.... for example ICMP (a.k.a PING / TRACEROUTE etc.)..... the average Joe might not know what can be done these days with such an innocent sounding service allowed through firewalls..... :cool:

Ask your company if they will pay for an DSL service upgrade to one with a static IP.... then you can have your very own VPN and do things properly !

P.S. Just noticed it's you XV105...... so how about making a VPN your next pet project... :ok:

Well, gentlemen, I think you are collectively in with a very good chance of being correct...

I just took a look at my HomeHub settings and found "allow UPnP" enabled. I don't recall doing it, but I must have as I can't believe it'd be the default setting.

Needless to say it's now disabled but in the mean time someone (ostensibly an IT services provider in California according to whois!) has successfully connected via FTP according to the log. Damn. They were connected for about half an hour before I realised and hit the "off" switch supplying the Home Hub.

I now have a new external I.P address (confirmed) as well as having switched off external UPnP but now need to think what to check for malicious intent.

:)

Don't tempt me!

Seriously, I already have a dyndns account but unfortunately company policy is (a) that they will pay for domestic ADSL and (b) mandatory use only of Cisco VPN and associated company-supplied certificates.

I googled BT Home Hub and indeed it appears that BT Home Hub has UPnP enabled as the default. It beggars belief if that is the case.

That's bizarre - but it still has me wondering how the FTP traffic got in, through NAT. If they weren't on the correct FTP port (21) the login attempts would not have registered at all. So I don't think uPNP is the final answer here, and would still check for any Port Forwarding settings on the HomeHub.

I'm a bit rusty on the issues, but I'm reading about some of the problems with uPNP, and they include security holes in its Internet Gateway Device spec. According to a report on Wikipedia, a Flash applet on a website can get a uPNP-enabled router to set up port forwarding, exposing a computer to internet attacks.

Basically, uPNP devices within a small network will negotiate (without your knowledge) with a uPNP-enabled router in order to open the relevant ports required for the services the device wants to use.

Hence, the NAS firmware's uPNP has told the HomeHub that it wants to open 20/21 and the HomeHub has duly obliged.....leaving an FTP service open on the internet, which has subsequently been found by script kiddies with probes looking at 20/21 on a range of IP addresses.

In this instance, the edge device was his HomeHub, and without the HomeHub ports open his SPF and NAT in the HomeHub would have denied all access to the NAS located on his LAN, irrespective of the ports on the NAS being open.

Thanks for all that; very interesting to read.

The questions now are:

1. Did anything get transferred even though the FTP logs only show a connection, not any activity, and the two "public" folders were empty at the time? (The private folders were chokka with files)
2. Has anything been silently installed on the (Flavour of Linux) NAS and should I therefore reset it to as-delivered defaults and start again?

I guess the real answer is "who knows?", so having plugged the hole (switched off UPnP) I need to stop worrying, reconfigure the NAS from factory defaults, and for my sanity, also forget about going anywhere near MioNet or any other service that gives remote access! ;)

There is a great tool ShieldsUp which is available free to check open ports on your network.

Anyone with half a brain will do their utmost to cover their tracks. Trashing logs is what you learn at hacker nursery.... so you should assume your logs have been tampered with and are unreliable.

Personally, I would assume yes. Much like a virus infested computer. You'll sleep much better if you do the proper thing and reset it (NOT using the reset button in the GUI, that would be a waste of time, but a proper reformat and re-install from CD).

Mike, as I said, I don't have much to do with UPnP, Homehubs or that sort of trash.

The concept of UPnP doesn't even exist on the routers and firewalls I use at home .... let alone any that I might have come across elsewhere :ok:

Thanks very much, srobarts.
No vulnerabilities were found.
I know that's not to say my setup is perfect and cannot be exploited, but at least none of the obvious things tested showed a weakness.

Thanks for your help, too, mixture. The problem I have is that the NAS doesn't ship to be "consumer rebuilt" by doing anything other than pressing the reset pip (only resets the network and admin password) or by using the option in the admin console that deletes all user data and reverts to factory defaults*. It does not reformat and reading "how to hack your NAS" and "Linux for newbies" (you get my drift) puts the fear of God in me that I will end up with a nice white brick. :)

*Added later via edit: I have now done a reset via the Admin console and as you imply, it doesn't reset to factory defaults, despite what the manual says; the firmware is still at the version I upgraded to via download from WD, not the version that came installed.

The problem with the reset button or command line reset is it probably just runs some script..... if they've installed something then the script won't trash it.

Anyhow.... I understand your point of view, so I'll leave it as "your call".

Yes, that was my point; it's obvious from what I have seen that I don't have a NAS that's truly back to "as delivered" and therefore anything installed (and I assume it was) is probably still there.

The NAS is now unplugged whilst I pause and think rationally what to do.