DSM-G600, DNS-3xx and NSA-220 Hack Forum


#1 2009-06-03 22:39:47

adrianaitken
Member
Registered: 2009-05-22
Posts: 18

Big problem (virus based)

Hi, my NSA-220 is running firmware 3.12, ffp with lighttpd, PHP and mysql enabled. On my router I only allow in port 80 (HTTP) and 22 (SSH). At 3 pm today a virus called Gaelicum.A was written to the root of the drive. Fortunately all my Windows computers are switched off when I'm at work, but I wonder how this could have been written there?
Is there a known security hole in lighttpd/mysql or in phpgraphy (PHP based photography album)? If there is a hole, how did the virus get permission to write to the root of the drive?
From Windows PCs there is only read access if I map to the NSA (on purpose !!), but with no PCs switched on I can only assume it came in via the web. The lighttpd logs show nothing happening at 3pm, so if someone guessed my admin password and SSHed in, why is there only one virus installed?

And here was me about to unleash it to the internet, get Google etc. to come visit etc. Now it looks like I'm back to using Windows 2003, which at least I know how to secure properly.


Many thanks
Adrian


#2 2009-06-03 23:07:09

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731

Re: Big problem (virus based)

Gaelicum.A is a Win32 virus. How did you find out it was at the root of your hard disk? In which file?


DSM-G600 - NetBSD hdd-boot - 80GB Samsung SP0802N
NSA-220 - Gentoo armv5tel 20110121 hdd-boot - 2x 2TB WD WD20EADS


#3 2009-06-03 23:12:17

adrianaitken
Member
Registered: 2009-05-22
Posts: 18

Re: Big problem (virus based)

I mapped a drive from my Windows PC to view the lighttpd logs and AVG kicked in straight away with a warning. Ran a full scan and it was only one file called "errefs.exe". My main worry is how it got on the NSA. I realise it is a Windows virus which has been kicking around since about 2003 on unpatched Windows boxes, but it travels over TCP ports 137-139, which I don't allow in. My other NSA-220 (no direct access from the internet) was clean and it's got an identical setup (ffp, lighttpd, php, mysql).
Most troubling.


#4 2009-06-04 01:32:43

adrianaitken
Member
Registered: 2009-05-22
Posts: 18

Re: Big problem (virus based)

Hmmm, the well known shares video/music/photo all have errdfs.exe. The author is 'pc-guest' - who the he!! is pc-guest and how can I delete them?


#5 2009-06-04 13:00:29

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731

Re: Big problem (virus based)

Apparently you have shares you don't know about in your NSA-220 and/or you have weak passwords.


#6 2009-06-04 18:10:06

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 709

Re: Big problem (virus based)

SSH logins are logged in /var/log/messages.
Samba logins are logged in /var/log/samba/log.smbd

When the virus is found in video/music/photo, it seems to me it must be entered via samba, since the paths to these shares are not obvious from within the chrooted ffp environment, while they are directly visible in a samba listing.

Maybe you've got a wireless network?

#7 2009-06-04 21:16:02

adrianaitken
Member
Registered: 2009-05-22
Posts: 18

Re: Big problem (virus based)

Well, booted both boxes normally, deleted all shares, rebooted with ffp, did a passwd pc-guest and put in a long stupid password on both boxes.

Looked at samba log - it is empty and the date/time stamp is when I rebooted the boxes with ffp. So no luck there :-(

On my router I found I'd put the compromised box in a DMZ, which seems to ignore the security settings and leaves it wide open to the internet - wonderful !!! Switched that feature off :-)

I take it that it's safe to switch off Samba (smbd and nmbd - netbios helper) if I'm never going to access it via a Windows PC? And is /sbin/zyshd a ZYxel SHaring Daemon that I could kill as well?

Doing a TOP, there is a Python program running called fileye.pyc. Google doesn't find anything, so is it running on your NSA-220 boxes?

Thanks for your help so far.


#8 2009-06-05 10:19:43

sala
Member / Site Admin
From: Estonia
Registered: 2006-07-28
Posts: 731

Re: Big problem (virus based)

It is not a "ZYxel SHaring Daemon", it is the ZyXEL internal command processor. You can use zyshclient to send commands to it.
So you can't kill /sbin/zyshd. After that you can't do almost anything from the web interface.


#9 2009-06-05 13:46:17

adrianaitken
Member
Registered: 2009-05-22
Posts: 18

Re: Big problem (virus based)

Since I SSH into the box and run lighttpd anyway (I kill Apache), I think it's a candidate for removal, but for different reasons than I first thought !!


#10 2009-06-08 11:38:38

Mijzelf
Member / Developer
Registered: 2008-07-05
Posts: 709

Re: Big problem (virus based)

adrianaitken wrote:

Looked at samba log - it is empty and date/time stamp is when I rebooted the boxes with ffp. So no luck there :-(

The /var/log directory resides in ram, so after a reboot your logs are gone.

adrianaitken wrote:

Doing a TOP, there is a Python program running called fileye.pyc. Google doesn't find anything, so is it running on your NSA-220 boxes?

My box is still running fw 2.10, and doesn't contain python. However, the 2.30 fw, from which a part is listed here, contains a /usr/local/fileye/fileye.pyc. So I suppose it's all right.

(btw, it's strange that Google didn't find that listing. Google doesn't seem to index forum.nas-central.org at all).
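As an added illustration (not code from the thread or from the NSA-220 firmware) of working through the Samba log Mijzelf points to in #6, given the note in #10 that /var/log lives in RAM: the script parses share-connection lines from a constructed log.smbd excerpt, lists the connections closest to the mtime of the unexpected .exe, and flags clients that did not come from the home LAN. The log line shape is assumed from Samba 3 level-1 messages; the hostnames, addresses and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed line shapes, modelled on Samba 3 level-1 "connect to service"
# messages; the exact log.smbd wording on a given firmware may differ.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]")
CONNECT = re.compile(
    r"^\s*(\S+) \((\S+)\) connect to service (\S+) initiated(?: \(as user (\S+)\))?")

def parse_smbd_log(text):
    """Return (timestamp, client host, client ip, share, user) per share connection."""
    events, stamp = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:                      # the timestamp line precedes the message line
            stamp = datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        c = CONNECT.match(line)
        if c and stamp is not None:
            host, ip, share, user = c.groups()
            events.append((stamp, host, ip, share, user or host))
    return events

def connections_near(events, when, window=timedelta(minutes=30)):
    """Share connections within +/- window of a suspicious file's mtime, oldest first."""
    return sorted(e for e in events if abs(e[0] - when) <= window)

def offsite_clients(events, lan_prefix="192.168."):
    """(ip, user) pairs that did not come from the home LAN, e.g. via a DMZ rule."""
    return sorted({(ip, user) for _, _, ip, _, user in events if not ip.startswith(lan_prefix)})

# Constructed sample log: one LAN admin session, then a guest login from a
# public address (203.0.113.9 is a documentation range) touching two shares.
SAMPLE_LOG = """\
[2009/06/04 09:12:40,  1] smbd/service.c:make_connection_snum(1033)
  adrian-pc (192.168.1.20) connect to service photo initiated (as user admin)
[2009/06/04 14:58:12,  1] smbd/service.c:make_connection_snum(1033)
  unknown (203.0.113.9) connect to service video initiated (as user pc-guest)
[2009/06/04 15:01:55,  1] smbd/service.c:make_connection_snum(1033)
  unknown (203.0.113.9) connect to service music initiated (as user pc-guest)
[2009/06/04 20:30:03,  1] smbd/service.c:make_connection_snum(1033)
  adrian-pc (192.168.1.20) connect to service video initiated (as user admin)
"""

if __name__ == "__main__":
    events = parse_smbd_log(SAMPLE_LOG)
    dropped_at = datetime(2009, 6, 4, 15, 0)      # mtime of the unexpected .exe
    for ts, host, ip, share, user in connections_near(events, dropped_at):
        print(ts, user, ip, "->", share)
    print("off-LAN clients:", offsite_clients(events))
```

Because the log is lost on reboot, copy /var/log/samba/log.smbd (and /var/log/messages) onto the disk before rebooting so the script has something to read.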