Author Topic: this is not good!  (Read 9015 times)

regi

  • Level 1 Member
  • Posts: 23
this is not good!
« on: March 12, 2017, 08:43:48 PM »

hi folks,

i have an external 2 tb disk attached to my dns-327l (ntfs formatted); the nas is online 24/7.

i use the external disk to copy certain (for me important) folders from the nas from time to time via laptop as a backup.

ftp server is activated so that my grown up kids (they don't live here anymore) have access to my nas with username and password, to one folder on each internal disk.

the 2 internal drives are read only via ftp.

problem: my laptop found a virus on the external disk (img001.exe, photo.scr and info.zip) in a few folders. i let windows defender delete these files. i didn't feel well about this and unmounted the disk, attached it directly to my laptop and formatted the disk.

i then made defender search my laptop and the nas for any infections, nothing was found.

feeling happy i attached the external disk back to my nas and backed up the folders needed.

2 days later the files (img001.exe, photo.scr and info.zip) are back!!!

now my son tells me he can see the external drive in filezilla and he has full access....read and write!!!

to be clear, both sons haven't accessed the external drive or the nas for the last 2 weeks; he tried copying a file to the external drive after i asked him to.

the external drive is now unmounted and switched off, defender still doesn't find any infections on my laptop or the internal drives of my nas. i have switched the ftp server and the forwarded port in my router off.

a google search for "img001.exe photo.scr nas" says many people complain about this virus infecting their nas (through ftp port 21?).

dlink, why is an external drive attached to the nas writable?
« Last Edit: March 13, 2017, 01:50:21 AM by regi »

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
Re: this is not good!
« Reply #1 on: March 13, 2017, 07:27:34 AM »

Welcome!

  • What Hardware version is your DNS? Look at the sticker behind or under the device.
  • What Firmware version is currently loaded? Found on the DNSs web page under status.
  • What region are you located?

Seems like this external drive may have the bad files and could be infected. Has this drive been fully scanned by MalWareBytes? I would use this program to scan both this external drive and the NAS and ALL other PCs. Something in malware on your system is getting infected and possibly making changes.

Cable: 1Gb/50Mb>NetGear CM1200>DIR-882>HP 24pt Gb Switch. COVR-1202/2202/3902,DIR-2660/80,3xDGL-4500s,DIR-LX1870,857,835,827,815,890L,880L,868L,836L,810L,685,657,3x655s,645,628,601,DNR-202L,DNS-345,DCS-933L,936L,960L and 8000LH.

regi

  • Level 1 Member
  • Posts: 23
Re: this is not good!
« Reply #2 on: March 16, 2017, 01:40:08 AM »

hi,

the virus is not coming from my computer, i have checked that the last few days.

i found logs on my router showing this:

"[LAN access from remote] from 37.150.1.135:45024 to 192.168.1.5:55591, Saturday, Mar 11,2017 07:12:54
[LAN access from remote] from 37.150.1.135:45031 to 192.168.1.5:21, Saturday, Mar 11,2017 07:12:55"

there are about 40 of them in 4 days (the dlink ip is 192.168.1.5)

you can read about this virus here:
http://www.pcworld.com/article/3118717/security/thousands-of-seagate-nas-boxes-host-cryptocurrency-mining-malware.html

the only way to prevent this thing is shutting the ftp server off.

the only way this virus could infect my nas was dlink's fault with the full access (read AND write) external disk attached to the nas, as nobody has AND had write access to my dlink nas.

again dlink, why is an external drive attached to the nas writable through ftp?

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
Re: this is not good!
« Reply #3 on: March 16, 2017, 06:46:42 AM »

What Firmware version is currently loaded? Found on the DNSs web page under status.
What region are you located?


Well that IP address is coming in from the following:
http://whois.domaintools.com/37.150.1.135

IP Location Kazakhstan Kazakhstan Georgievka Jsc Kazakhtelecom 
ASN Kazakhstan AS9198 KAZTELECOM-AS , KZ (registered Feb 23, 1999) 
Resolve Host 37.150.1.135.megaline.telecom.kz 
Whois Server whois.ripe.net 
IP Address 37.150.1.135


I've passed this on to D-Link. I recommend that you use your main host router or modem services to block this IP address and keep FTP services disabled.

I recommend that you phone contact your regional D-Link support office and ask for help and information regarding this. We find that phone contact has better immediate results over using email.
Let us know how it goes please.

regi

  • Level 1 Member
  • Posts: 23
Re: this is not good!
« Reply #4 on: March 16, 2017, 10:11:15 AM »

hi,

firmware is 1.07
location is germany

blocking this ip won't really help...

see for yourself:
[LAN access from remote] from 91.195.137.177:46436 to 192.168.1.5:21, Sunday, Mar 12,2017 19:14:49
[LAN access from remote] from 91.226.141.250:53644 to 192.168.1.5:21, Sunday, Mar 12,2017 17:30:12
[LAN access from remote] from 141.212.122.48:52003 to 192.168.1.5:21, Sunday, Mar 12,2017 06:28:43
[LAN access from remote] from 141.212.122.54:47754 to 192.168.1.5:21, Sunday, Mar 12,2017 06:28:43
[LAN access from remote] from 141.212.122.53:48243 to 192.168.1.5:21, Sunday, Mar 12,2017 06:28:43
[LAN access from remote] from 169.54.244.78:43092 to 192.168.1.5:21, Saturday, Mar 11,2017 22:09:49
[LAN access from remote] from 169.54.244.78:49502 to 192.168.1.5:21, Saturday, Mar 11,2017 22:09:48
[LAN access from remote] from 179.109.169.29:6449 to 192.168.1.5:21, Saturday, Mar 11,2017 10:04:07
[LAN access from remote] from 62.182.32.65:6597 to 192.168.1.5:55622, Saturday, Mar 11,2017 08:59:16
[LAN access from remote] from 62.182.32.65:56106 to 192.168.1.5:21, Saturday, Mar 11,2017 08:59:16
[LAN access from remote] from 62.182.32.65:13002 to 192.168.1.5:55650, Saturday, Mar 11,2017 08:58:40
[LAN access from remote] from 62.182.32.65:3267 to 192.168.1.5:55566, Saturday, Mar 11,2017 08:58:39
[LAN access from remote] from 62.182.32.65:5697 to 192.168.1.5:21, Saturday, Mar 11,2017 08:58:39
[LAN access from remote] from 62.182.32.65:20805 to 192.168.1.5:55663, Saturday, Mar 11,2017 08:58:38
[LAN access from remote] from 62.182.32.65:5110 to 192.168.1.5:55658, Saturday, Mar 11,2017 08:58:35
[LAN access from remote] from 62.182.32.65:16442 to 192.168.1.5:55552, Saturday, Mar 11,2017 08:58:34
[LAN access from remote] from 62.182.32.65:8769 to 192.168.1.5:55629, Saturday, Mar 11,2017 08:58:33
[LAN access from remote] from 62.182.32.65:1901 to 192.168.1.5:21, Saturday, Mar 11,2017 08:58:32
[LAN access from remote] from 62.182.32.65:10331 to 192.168.1.5:55587, Saturday, Mar 11,2017 08:58:07
[LAN access from remote] from 62.182.32.65:5606 to 192.168.1.5:55606, Saturday, Mar 11,2017 08:58:06
[LAN access from remote] from 62.182.32.65:54426 to 192.168.1.5:21, Saturday, Mar 11,2017 08:58:05
[LAN access from remote] from 62.182.32.65:53929 to 192.168.1.5:55581, Saturday, Mar 11,2017 08:57:40
[LAN access from remote] from 62.182.32.65:53928 to 192.168.1.5:55605, Saturday, Mar 11,2017 08:57:38
[LAN access from remote] from 62.182.32.65:11222 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:38
[LAN access from remote] from 62.182.32.65:16428 to 192.168.1.5:55538, Saturday, Mar 11,2017 08:57:11
[LAN access from remote] from 62.182.32.65:53232 to 192.168.1.5:55597, Saturday, Mar 11,2017 08:57:10
[LAN access from remote] from 62.182.32.65:8300 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:09
[LAN access from remote] from 62.182.32.65:24469 to 192.168.1.5:55648, Saturday, Mar 11,2017 08:57:09
[LAN access from remote] from 62.182.32.65:53229 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:08
[LAN access from remote] from 62.182.32.65:24420 to 192.168.1.5:55557, Saturday, Mar 11,2017 08:57:08
[LAN access from remote] from 62.182.32.65:53227 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:07
[LAN access from remote] from 62.182.32.65:53226 to 192.168.1.5:55606, Saturday, Mar 11,2017 08:57:06
[LAN access from remote] from 62.182.32.65:53225 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:05
[LAN access from remote] from 62.182.32.65:21099 to 192.168.1.5:55639, Saturday, Mar 11,2017 08:57:05
[LAN access from remote] from 62.182.32.65:53071 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:04
[LAN access from remote] from 62.182.32.65:52998 to 192.168.1.5:55540, Saturday, Mar 11,2017 08:57:03
[LAN access from remote] from 62.182.32.65:52993 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:02
[LAN access from remote] from 62.182.32.65:52992 to 192.168.1.5:55632, Saturday, Mar 11,2017 08:57:02
[LAN access from remote] from 62.182.32.65:52991 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:00
[LAN access from remote] from 62.182.32.65:52990 to 192.168.1.5:55583, Saturday, Mar 11,2017 08:56:59
[LAN access from remote] from 62.182.32.65:52989 to 192.168.1.5:21, Saturday, Mar 11,2017 08:56:58
[LAN access from remote] from 62.182.32.65:52293 to 192.168.1.5:55567, Saturday, Mar 11,2017 08:56:24
[LAN access from remote] from 62.182.32.65:1230 to 192.168.1.5:55571, Saturday, Mar 11,2017 08:56:23
[LAN access from remote] from 62.182.32.65:52289 to 192.168.1.5:21, Saturday, Mar 11,2017 08:56:22
[LAN access from remote] from 62.182.32.65:24179 to 192.168.1.5:55562, Saturday, Mar 11,2017 08:56:21
[LAN access from remote] from 62.182.32.65:7449 to 192.168.1.5:21, Saturday, Mar 11,2017 08:56:21
[LAN access from remote] from 62.182.32.65:24011 to 192.168.1.5:55613, Saturday, Mar 11,2017 08:56:20
[LAN access from remote] from 62.182.32.65:52060 to 192.168.1.5:21, Saturday, Mar 11,2017 08:56:19
[LAN access from remote] from 62.182.32.65:1876 to 192.168.1.5:55635, Saturday, Mar 11,2017 08:55:43
[LAN access from remote] from 62.182.32.65:51367 to 192.168.1.5:55606, Saturday, Mar 11,2017 08:55:42
[LAN access from remote] from 62.182.32.65:8415 to 192.168.1.5:21, Saturday, Mar 11,2017 08:55:41
[LAN access from remote] from 62.182.32.65:13178 to 192.168.1.5:55607, Saturday, Mar 11,2017 08:55:40
[LAN access from remote] from 62.182.32.65:16820 to 192.168.1.5:55661, Saturday, Mar 11,2017 08:55:39
[LAN access from remote] from 62.182.32.65:51318 to 192.168.1.5:21, Saturday, Mar 11,2017 08:55:38
[LAN access from remote] from 37.150.1.135:44942 to 192.168.1.5:55637, Saturday, Mar 11,2017 07:15:55
[LAN access from remote] from 37.150.1.135:44941 to 192.168.1.5:21, Saturday, Mar 11,2017 07:15:54
[LAN access from remote] from 37.150.1.135:44940 to 192.168.1.5:55619, Saturday, Mar 11,2017 07:15:53
[LAN access from remote] from 37.150.1.135:44939 to 192.168.1.5:21, Saturday, Mar 11,2017 07:15:53
[LAN access from remote] from 37.150.1.135:44934 to 192.168.1.5:21, Saturday, Mar 11,2017 07:15:31
[LAN access from remote] from 37.150.1.135:44927 to 192.168.1.5:55637, Saturday, Mar 11,2017 07:15:24
[LAN access from remote] from 37.150.1.135:44926 to 192.168.1.5:21, Saturday, Mar 11,2017 07:15:23
[LAN access from remote] from 37.150.1.135:44918 to 192.168.1.5:55600, Saturday, Mar 11,2017 07:15:17
[LAN access from remote] from 37.150.1.135:44915 to 192.168.1.5:21, Saturday, Mar 11,2017 07:15:13
[LAN access from remote] from 37.150.1.135:44839 to 192.168.1.5:55543, Saturday, Mar 11,2017 07:14:12
[LAN access from remote] from 37.150.1.135:44831 to 192.168.1.5:55556, Saturday, Mar 11,2017 07:14:02
[LAN access from remote] from 37.150.1.135:44830 to 192.168.1.5:21, Saturday, Mar 11,2017 07:14:01
[LAN access from remote] from 37.150.1.135:44828 to 192.168.1.5:55637, Saturday, Mar 11,2017 07:14:01
[LAN access from remote] from 37.150.1.135:44827 to 192.168.1.5:21, Saturday, Mar 11,2017 07:14:00
[LAN access from remote] from 37.150.1.135:44826 to 192.168.1.5:55650, Saturday, Mar 11,2017 07:14:00
[LAN access from remote] from 37.150.1.135:44825 to 192.168.1.5:21, Saturday, Mar 11,2017 07:13:59
[LAN access from remote] from 37.150.1.135:45034 to 192.168.1.5:55627, Saturday, Mar 11,2017 07:12:57
[LAN access from remote] from 37.150.1.135:45033 to 192.168.1.5:55585, Saturday, Mar 11,2017 07:12:56
[LAN access from remote] from 37.150.1.135:45031 to 192.168.1.5:21, Saturday, Mar 11,2017 07:12:55
[LAN access from remote] from 37.150.1.135:45030 to 192.168.1.5:55628, Saturday, Mar 11,2017 07:12:55
[LAN access from remote] from 37.150.1.135:45024 to 192.168.1.5:55591, Saturday, Mar 11,2017 07:12:54

copied from windows event log:
Von Windows Defender wurde Schadsoftware oder andere potenziell unerwünschte Software erkannt.
 Weitere Informationen:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/CoinMiner.BB!bit&threatid=2147716648&enterprise=0
    Name: Trojan:Win32/CoinMiner.BB!bit
    ID: 2147716648
    Schweregrad: Schwerwiegend
    Kategorie: Trojaner
    Pfad: file:_\\NAS\USBDisk1_1\Backups\Photo.scr;file:_\\NAS\USBDisk1_1\Photo.scr

i switched the ftp server off sunday evening and deleted the forwarded port 21 in my router (only the one port was forwarded)

for the moment i will leave ftp disabled, but that's not a solution!

dlink has to disable write and read permissions for the attached usb drive via ftp, that's all i/we need

thanks for your help
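The router log above is the most useful evidence in this thread: one source after another opens port 21 on the NAS, each control connection followed by hits on high ports in the 555xx range. As an added example (not part of the thread and not D-Link's code), here is a small parser that turns such lines into a per-source summary and flags sources that hammer the FTP control port in a short window. It assumes the exact line format regi pasted; the sample lines are a subset of his log, and treating every non-21 destination port as an FTP passive data port is an assumption, not something the router log states.

```python
import re
from datetime import datetime, timedelta

# Router log format as pasted in the thread (one line per remote connection).
LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+), "
    r"(?P<dow>[A-Za-z]+), (?P<ts>[A-Za-z]{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)

# Constructed sample: a subset of the lines posted above, in the router's order,
# plus one junk line to show that unrelated log entries are skipped.
SAMPLE_LOG = """\
[LAN access from remote] from 91.195.137.177:46436 to 192.168.1.5:21, Sunday, Mar 12,2017 19:14:49
[LAN access from remote] from 141.212.122.48:52003 to 192.168.1.5:21, Sunday, Mar 12,2017 06:28:43
[LAN access from remote] from 62.182.32.65:6597 to 192.168.1.5:55622, Saturday, Mar 11,2017 08:59:16
[LAN access from remote] from 62.182.32.65:56106 to 192.168.1.5:21, Saturday, Mar 11,2017 08:59:16
[LAN access from remote] from 62.182.32.65:13002 to 192.168.1.5:55650, Saturday, Mar 11,2017 08:58:40
[LAN access from remote] from 62.182.32.65:5697 to 192.168.1.5:21, Saturday, Mar 11,2017 08:58:39
[LAN access from remote] from 62.182.32.65:1901 to 192.168.1.5:21, Saturday, Mar 11,2017 08:58:32
[LAN access from remote] from 62.182.32.65:54426 to 192.168.1.5:21, Saturday, Mar 11,2017 08:58:05
[LAN access from remote] from 37.150.1.135:44941 to 192.168.1.5:21, Saturday, Mar 11,2017 07:15:54
[LAN access from remote] from 37.150.1.135:45031 to 192.168.1.5:21, Saturday, Mar 11,2017 07:12:55
[LAN access from remote] from 37.150.1.135:45024 to 192.168.1.5:55591, Saturday, Mar 11,2017 07:12:54
this line is not a remote-access entry and is skipped
"""


def parse_line(line):
    """Return {src, dport, when} for a remote-access line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"],
        "dport": int(m["dport"]),
        "when": datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S"),
    }


def summarize(log_text, ftp_port=21):
    """Per source IP: hits on the FTP control port, hits on any other port
    (assumed here to be passive data ports the NAS handed out) and the
    first/last timestamp seen for that source."""
    per_src = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src.setdefault(rec["src"], {"control": 0, "other": 0, "times": []})
        if rec["dport"] == ftp_port:
            s["control"] += 1
        else:
            s["other"] += 1
        s["times"].append(rec["when"])
    for s in per_src.values():
        s["first"] = min(s["times"])
        s["last"] = max(s["times"])
        del s["times"]
    return per_src


def flag_sources(summary, min_control=3, window=timedelta(minutes=10)):
    """Sources that opened at least min_control control connections within one
    window: a crude 'someone is hammering port 21' detector for a home router log."""
    return sorted(
        src for src, s in summary.items()
        if s["control"] >= min_control and (s["last"] - s["first"]) <= window
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["control"]):
        print(f"{src:16} port21={s['control']:2} other={s['other']:2} "
              f"{s['first']:%Y-%m-%d %H:%M:%S} .. {s['last']:%H:%M:%S}")
    print("flagged:", flag_sources(summary))
```

Run against the full log, this gives the picture regi describes in prose: several unrelated source addresses in a few days, which is why blocking one IP does not help and why closing the forwarded port (or, as Gattsu suggests, restricting the share and requiring TLS) is the actual fix. The thresholds are arbitrary defaults; tune them to the router and to how often legitimate users connect.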

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
Re: this is not good!
« Reply #5 on: March 16, 2017, 10:13:51 AM »

Ok, seems like this is an issue. I recommend that you phone contact your regional D-Link support office ASAP and ask for help and information regarding this. Reference this forum thread. We find that phone contact has better immediate results over using email.

I've passed this to my regional office here.

Let us know how it goes please.

Gattsu

  • Technical Engineer
  • Level 3 Member
  • Posts: 139
Re: this is not good!
« Reply #6 on: March 16, 2017, 10:15:03 AM »

At this point it's best to reset the DNS to factory defaults.

**The volume data will not be affected during a factory reset.**

Update the firmware to the latest v1.07.b06 and follow the steps below.

1. Change the Admin password with new combination. (please keep password to brain memory)
2. Create Users for FTP access with new passwords
3. Add the share and select "FTP Anonymous None"
4. For FTP server settings, select "SSL/TLS".
5. On the router/firewall settings, open only port 21 for remote FTP access.

Please disable any unused protocols:
CIFS - Common Internet File System.
AFP - Apple Filing Protocol.
FTP - File Transfer Protocol.
NFS - Network File System.
WebDAV - Web-based Distributed Authoring and Versioning.

Observe the system logs for any unknown access. Please attach the whole log file for reviewing.

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
Re: this is not good!
« Reply #7 on: March 16, 2017, 10:47:32 AM »

Thank you for this additional info. Hope this might help narrow the issue down.
I do have my friend's DNS-327, however she doesn't use an external drive or FTP. So I don't know if I can be of any help on this as the unit needs to go back in the next couple of weeks.  :-\

Please let us know results.


regi

  • Level 1 Member
  • Posts: 23
Re: this is not good!
« Reply #8 on: March 16, 2017, 11:05:11 AM »

attach a spare thumbdrive to the 327 and activate ftp and look what happens :)

i am not activating ftp again until the "open to everybody usb issue" is resolved.

if dlink can't fix this then i'll have to look for a different nas.

FurryNutz

  • Poweruser
  • Posts: 49923
  • D-Link Global Forum Moderator
Re: this is not good!
« Reply #9 on: March 16, 2017, 11:07:51 AM »

Can you check to see if Gattsu's instructions change anything?
Also what is the Mfr and model of your main host router please?
Mfr and model of ISP modem?

I really can't test with my friend's as it's not mine.  :-\

Any information would help. Again, I would also phone contact your regional D-Link support office about this as well.
« Last Edit: March 16, 2017, 11:10:23 AM by FurryNutz »