Weird hacking attempt?

Postby sklettke » Sat Mar 09, 2013 12:12 am

For about the last month or two my new 412+ has been working well. I set up auto-block and that has prevented the occasional Chinese port scanner from trying to connect to my FTP server. The attempts were under DSM 4.1. I recently upgraded to DSM 4.2 and had a "hacking" attempt today that I can't explain. I have enabled the DoS protection in 4.2, but, otherwise, the settings are unchanged from 4.1.

Starting at around 3:37pm today I had 5 failed log in attempts to my FTP server under the "Administrator" username coming from 119.1.109.96 (QianXiNan County, China). Then, at 3:38pm (approx 40 seconds after the 5th failed log in), there were 5 consecutive failed log in attempts from my LAN IP address (10.0.1.1). Then, 6 minutes after that the 119.1.109.96 computer again attempted to log in but tried the "Administrador" username (Spanish??) this time. Finally, 4 minutes after that another failed log in attempt by 10.0.1.1 using "Administrateur" username (French??).

I'm okay with the occasional log in attempts from outside IP addresses, but I can't explain the failed attempts from within the local network. Can anyone explain this?

(I've attached a screenshot of the system log.) Thanks!

Scott

Image
sklettke
I'm New!
Posts: 7
Joined: Fri Mar 08, 2013 11:41 pm
Location: Wisconsin

Re: Weird hacking attempt?

Postby mike42dk » Sun Mar 10, 2013 10:19 am

Hi

Is the 10.0.1.1 your router's IP address?

Then perhaps he has access to your router?

I have closed the ports 21 and 80, which are often open on your router, and made a very strong password on the router.
¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
DS-412+
2 WD red 2 TB harddrive RAID 1
1 Seagate 2 TB harddrive Basic
mike42dk
Sorcerer
Posts: 2475
Joined: Sun Jun 06, 2010 7:45 am

Re: Weird hacking attempt?

Postby sklettke » Mon Mar 11, 2013 2:32 am

Yes, 10.0.1.1 is my router's IP address, however, it already has a very strong password. I do have an FTP server running on port 21 through the NAS. How could he have accessed my wifi router? Let's say he did do this, how would he have used that to try and login to the FTP server? Thanks.

mike42dk wrote: Hi

Is the 10.0.1.1 your router's IP address?

Then perhaps he has access to your router?

I have closed the ports 21 and 80, which are often open on your router, and made a very strong password on the router.
sklettke
I'm New!
Posts: 7
Joined: Fri Mar 08, 2013 11:41 pm
Location: Wisconsin

Re: Weird hacking attempt?

Postby mike42dk » Mon Mar 11, 2013 6:29 pm

Hi

Router firmware is often a small Linux or similar system, and if you get access you can change settings and get access towards devices behind the router.

I know about the wireless hack with WPS, the UPnP hack that also gives access to router and devices (I just installed a new firmware on my router that fixed the UPnP hack), and if that is possible then all is possible.

I don't know if there is an access to your router, but if I was you I would take my WAN connection off, and then reflash my router, and make a new password, and make new settings from scratch.
mike42dk
Sorcerer
Posts: 2475
Joined: Sun Jun 06, 2010 7:45 am

Re: Weird hacking attempt?

Postby maxxfi » Tue Mar 12, 2013 10:48 pm

mike42dk wrote: I don't know if there is an access to your router, but if I was you I would take my WAN connection off, and then reflash my router, and make a new password, and make new settings from scratch.

I second Mike's suggestion.
DS-411 (DSM 4.3-3827u5) w/ 2x WD20EFRX + 1x WD10EFRX
DS-106j (DSM 3.0-1357), PATA-to-SATA adapter, 2.5" HM250HI
maxxfi
Programmer
Posts: 5864
Joined: Sun Dec 27, 2009 12:13 pm
Location: Espoo, Finland

Re: Weird hacking attempt?

Postby Mace0ne » Thu Mar 14, 2013 1:02 pm

I've just started getting these attempts from China or in that area as well. Can't be a coincidence we're all using Synology NAS. They keep knockin but they can't come in :D Wonder what's going on.

BTW, mine were attempted SSH access. Just shut down the service on router and NAS since I don't use it any more.
Mace0ne
Trainee
Posts: 10
Joined: Thu Mar 07, 2013 5:35 pm

Re: Weird hacking attempt?

Postby mike42dk » Sat Mar 16, 2013 9:41 am

Hi

I know that the hackers use the standard username that is used as admin username in the different brands of NAS, so it is easy to program your port scanner to use a specific username and go for specific ports.

Now that Synology has become more and more popular, it's expected that the DS is a target.

A similar analogy is virus creation: it is targeting Mac on a large scale, now that Mac has become so popular.
mike42dk
Sorcerer
Posts: 2475
Joined: Sun Jun 06, 2010 7:45 am

Re: Weird hacking attempt?

Postby Goner » Sat Mar 16, 2013 4:51 pm

mike42dk wrote: Now that Synology has become more and more popular, it's expected that the DS is a target.

I don't think they are specifically targeting Synology boxes; there are 100.000's of devices on the Internet using port 21, 22, 80 etc. and having a default 'admin' account.
They just scan ranges of IP addresses for well-known port numbers. I have seen attempts to log on with port 22 (SSH/SFTP) here, but not a single one on port 5000.

NAS : DS212j with 2 ST2000DL003 in SHR / DSM 5.0-4493 update 2
LAN : Fritz!Box 7170, 5 Devolo 200/500Mbps homeplugs, 2 5-port switches, ASUS WL-300g
HW : Conceptronic CHD3NET, ACRyan Playon!HD, Eminent EM7075dts, Wii, Wii U, PS2, D-Link DCS-930L
OS : Linux Mint 16 Cinnamon
Goner
Seasoned
Posts: 580
Joined: Tue Mar 06, 2012 2:27 pm
Location: Rotterdam, Netherlands

Re: Weird hacking attempt?

Postby Sceed » Tue Mar 19, 2013 1:51 pm

I have about 10 attempts a day to log in on my 412+ as well. I block IP addresses permanently after 5 attempts. I also found some lists of suspicious IP addresses that I imported into the block list. I have 3780 entries in my block list at the moment. Maybe it is a good idea to share block lists?
Sceed
Trainee
Posts: 15
Joined: Wed Nov 07, 2012 10:37 am
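
An added example, not part of any post in this thread: a Python triage of a failed-login log that applies the 5-attempt auto-block threshold Sceed mentions and, as in the opening post, marks failures from a LAN address such as the router's 10.0.1.1 for investigation instead of only adding a block entry. The log layout, the 5-minute counting window and the `triage` function are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a made-up CSV layout (not DSM's real log format). IPs and
# usernames follow the opening post; date, seconds and 10.0.1.20 are invented.
SAMPLE_LOG = """\
2013-03-08 15:37:02,failed,Administrator,119.1.109.96
2013-03-08 15:37:09,failed,Administrator,119.1.109.96
2013-03-08 15:37:15,failed,Administrator,119.1.109.96
2013-03-08 15:37:22,failed,Administrator,119.1.109.96
2013-03-08 15:37:28,failed,Administrator,119.1.109.96
2013-03-08 15:38:08,failed,Administrator,10.0.1.1
2013-03-08 15:38:14,failed,Administrator,10.0.1.1
2013-03-08 15:38:20,failed,Administrator,10.0.1.1
2013-03-08 15:38:26,failed,Administrator,10.0.1.1
2013-03-08 15:38:32,failed,Administrator,10.0.1.1
2013-03-08 15:44:30,failed,Administrador,119.1.109.96
2013-03-08 15:48:41,failed,Administrateur,10.0.1.1
2013-03-08 16:02:00,ok,scott,10.0.1.20
truncated line without enough fields
"""

MAX_ATTEMPTS = 5                 # auto-block threshold mentioned in the thread
WINDOW = timedelta(minutes=5)    # assumed counting window

def triage(log_text):
    """Group failed logins by source and decide: block, or investigate."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        try:
            stamp, result, user, src = line.strip().split(",")
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            addr = ipaddress.ip_address(src)
        except ValueError:       # wrong field count, bad timestamp or bad IP
            continue
        if result == "failed":
            failures[addr].append((when, user))
    report = {}
    for addr, hits in failures.items():
        times = sorted(t for t, _ in hits)
        # True if any MAX_ATTEMPTS consecutive failures fit inside WINDOW
        burst = any(b - a <= WINDOW for a, b in zip(times, times[MAX_ATTEMPTS - 1:]))
        report[str(addr)] = {
            "failures": len(hits),
            "usernames": sorted({u for _, u in hits}),
            "block": burst and not addr.is_private,   # external source over threshold
            "investigate": addr.is_private,           # LAN device, here the router
        }
    return report
```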

Re: Weird hacking attempt?

Postby kerryandjane » Tue Mar 19, 2013 2:35 pm

Goner wrote:
mike42dk wrote: Now that Synology has become more and more popular, it's expected that the DS is a target.

I don't think they are specifically targeting Synology boxes; there are 100.000's of devices on the Internet using port 21, 22, 80 etc. and having a default 'admin' account.
They just scan ranges of IP addresses for well-known port numbers. I have seen attempts to log on with port 22 (SSH/SFTP) here, but not a single one on port 5000.


This is the best idea! I noticed a few weeks ago I had about 10 - 20 blocked IP addresses a day due to SSH. I got fed up and did what Goner suggested. http://forum.synology.com/wiki/index.php/Unsupported_configuration_changes#Change_SSH_Port
Change it to something random, forward your router to it and unforward Port 22. Port 22 was the killer for me. Since then I haven't had a single block from someone trying to access port 22.
DS209+ 2 x 2TB HD's (2xWD20EARS-00S8B1)
running latest firmware DSM 4.2
SparkLAN CAS-371W IP Cam
iPhone 3GS with SynoDS
and slim PS3
Get tech or die trying
kerryandjane
Knowledgeable
Posts: 318
Joined: Tue Feb 03, 2009 3:39 pm

Re: Weird hacking attempt?

Postby Goner » Tue Mar 19, 2013 3:26 pm

kerryandjane wrote: Change it to something random, forward your router to it and unforward Port 22.

That's probably even more secure; you change the port of SSH/SFTP in the settings of the service.

I only changed the port numbers on the 'outside'; I use something like 7022 to connect to my router and forward port 7022 to 22 on my DS.

Goner
Seasoned
Posts: 580
Joined: Tue Mar 06, 2012 2:27 pm
Location: Rotterdam, Netherlands

Re: Weird hacking attempt?

Postby Montago » Wed May 01, 2013 8:55 am

Would be cool if the NAS could subscribe to a list of blocked IPs and post IPs to the list too...

My NAS is also bombarded with SSH attempts, so I disabled SSH since I never use it anyway.

It's insane how much hacking is being done in 2013 !!!!... and DDoS'ing!
Montago
Student
Posts: 67
Joined: Thu Aug 26, 2010 5:47 pm

Re: Weird hacking attempt?

Postby kerryandjane » Wed May 01, 2013 9:00 am

Disable default port 22 and forward another/random port. I haven't had a single block /unwanted connection since. Need help?
kerryandjane
Knowledgeable
Posts: 318
Joined: Tue Feb 03, 2009 3:39 pm

Re: Weird hacking attempt?

Postby Ametz » Wed May 01, 2013 11:21 am

The best would be if it were possible (in an easy way) to block access from all but a specific country (the one you live in).
Synology: DS2413+, 12X 3TB WD Red Edition, SHR-2 Raid
Computer: AMD Phenom x4 3,4 GHz, RAM 12GB, AMD Radeon HD 6900, Win 7 Ult x64, HDD: 60GB SSD+1,5TB+1,5TB
HTPC: Intel i5-3570K 3,4GHz, RAM 16GB, Win 7 Ult x64, HDD: 60GB SSD+2TB+700GB
Ametz
Apprentice
Posts: 92
Joined: Wed Dec 12, 2012 5:59 pm

Re: Weird hacking attempt?

Postby kerryandjane » Wed May 01, 2013 11:54 am

Montago wrote: Would be cool if the NAS could subscribe to a list of blocked IPs and post IPs to the list too...

My NAS is also bombarded with SSH attempts, so I disabled SSH since I never use it anyway.

It's insane how much hacking is being done in 2013 !!!!... and DDoS'ing!


Since you disabled SSH, any IPs blocked?
kerryandjane
Knowledgeable
Posts: 318
Joined: Tue Feb 03, 2009 3:39 pm
