D-Link Network Storage > DNS-327L

this is not good!


regi:
Hi folks,

I have an external 2 TB disk attached to my DNS-327L (NTFS formatted); the NAS is online 24/7.

I use the external disk to copy certain folders (important to me) from the NAS from time to time via laptop as a backup.

The FTP server is activated so that my grown-up kids (they don't live here anymore) have access to my NAS with username and password, to one folder on each internal disk.

The 2 internal drives are read-only via FTP.

Problem: my laptop found a virus on the external disk (img001.exe, photo.scr and info.zip) in a few folders. I let Windows Defender delete these files. I didn't feel good about this, so I unmounted the disk, attached it directly to my laptop and formatted it.

I then had Defender scan my laptop and the NAS for any infections; nothing was found.

Feeling happy, I attached the external disk back to my NAS and backed up the folders needed.

2 days later the files (img001.exe, photo.scr and info.zip) are back!!!

Now my son tells me he can see the external drive in FileZilla and he has full access... read and write!!!

To be clear, both sons haven't accessed the external drive or the NAS for the last 2 weeks; he tried copying a file to the external drive after I asked him to.

The external drive is now unmounted and switched off; Defender still doesn't find any infections on my laptop or the internal drives of my NAS. I have switched off the FTP server and the forwarded port in my router.

A Google search for "img001.exe photo.scr nas" shows many people complaining about this virus infecting their NAS (through FTP port 21?).

D-Link, why is an external drive attached to the NAS writable?

FurryNutz:
Welcome!


* What hardware version is your DNS? Look at the sticker behind or under the device.
* What firmware version is currently loaded? Found on the DNS's web page under Status.
* What region are you located in?
It seems like this external drive may have the bad files and could be infected. Has this drive been fully scanned by Malwarebytes? I would use this program to scan both this external drive and the NAS and ALL other PCs. Something on your system is infected with malware and is possibly making changes.

regi:
Hi,

The virus is not coming from my computer; I have checked that over the last few days.

I found logs on my router showing this:

"[LAN access from remote] from 37.150.1.135:45024 to 192.168.1.5:55591, Saturday, Mar 11,2017 07:12:54
[LAN access from remote] from 37.150.1.135:45031 to 192.168.1.5:21, Saturday, Mar 11,2017 07:12:55"

There are about 40 of them in 4 days (the D-Link's IP is 192.168.1.5).

You can read about this virus here:
http://www.pcworld.com/article/3118717/security/thousands-of-seagate-nas-boxes-host-cryptocurrency-mining-malware.html

The only way to prevent this thing is shutting the FTP server off.

The only way this virus could infect my NAS was D-Link's fault with the full-access (read AND write) external disk attached to the NAS, as nobody has or had write access to my D-Link NAS.

Again D-Link, why is an external drive attached to the NAS writable through FTP?

FurryNutz:
What firmware version is currently loaded? Found on the DNS's web page under Status.
What region are you located in?

Well, that IP address is coming in from the following:
http://whois.domaintools.com/37.150.1.135

IP Location: Kazakhstan, Georgievka, JSC Kazakhtelecom
ASN: AS9198 KAZTELECOM-AS, KZ (registered Feb 23, 1999)
Resolve Host: 37.150.1.135.megaline.telecom.kz
Whois Server: whois.ripe.net
IP Address: 37.150.1.135

I've passed this on to D-Link. I recommend that you use your main host router or modem services to block this IP address and keep FTP services disabled.

I recommend that you phone contact your regional D-Link support office and ask for help and information regarding this. We find that phone contact has better immediate results over using email.
Let us know how it goes please.

regi:
Hi,

Firmware is 1.07
Location is Germany

Blocking this IP won't really help...

See for yourself:
[LAN access from remote] from 91.195.137.177:46436 to 192.168.1.5:21, Sunday, Mar 12,2017 19:14:49
[LAN access from remote] from 91.226.141.250:53644 to 192.168.1.5:21, Sunday, Mar 12,2017 17:30:12
[LAN access from remote] from 141.212.122.48:52003 to 192.168.1.5:21, Sunday, Mar 12,2017 06:28:43
[LAN access from remote] from 141.212.122.54:47754 to 192.168.1.5:21, Sunday, Mar 12,2017 06:28:43
[LAN access from remote] from 141.212.122.53:48243 to 192.168.1.5:21, Sunday, Mar 12,2017 06:28:43
[LAN access from remote] from 169.54.244.78:43092 to 192.168.1.5:21, Saturday, Mar 11,2017 22:09:49
[LAN access from remote] from 169.54.244.78:49502 to 192.168.1.5:21, Saturday, Mar 11,2017 22:09:48
[LAN access from remote] from 179.109.169.29:6449 to 192.168.1.5:21, Saturday, Mar 11,2017 10:04:07
[LAN access from remote] from 62.182.32.65:6597 to 192.168.1.5:55622, Saturday, Mar 11,2017 08:59:16
[LAN access from remote] from 62.182.32.65:56106 to 192.168.1.5:21, Saturday, Mar 11,2017 08:59:16
[LAN access from remote] from 62.182.32.65:13002 to 192.168.1.5:55650, Saturday, Mar 11,2017 08:58:40
[LAN access from remote] from 62.182.32.65:3267 to 192.168.1.5:55566, Saturday, Mar 11,2017 08:58:39
[LAN access from remote] from 62.182.32.65:5697 to 192.168.1.5:21, Saturday, Mar 11,2017 08:58:39
[LAN access from remote] from 62.182.32.65:20805 to 192.168.1.5:55663, Saturday, Mar 11,2017 08:58:38
[LAN access from remote] from 62.182.32.65:5110 to 192.168.1.5:55658, Saturday, Mar 11,2017 08:58:35
[LAN access from remote] from 62.182.32.65:16442 to 192.168.1.5:55552, Saturday, Mar 11,2017 08:58:34
[LAN access from remote] from 62.182.32.65:8769 to 192.168.1.5:55629, Saturday, Mar 11,2017 08:58:33
[LAN access from remote] from 62.182.32.65:1901 to 192.168.1.5:21, Saturday, Mar 11,2017 08:58:32
[LAN access from remote] from 62.182.32.65:10331 to 192.168.1.5:55587, Saturday, Mar 11,2017 08:58:07
[LAN access from remote] from 62.182.32.65:5606 to 192.168.1.5:55606, Saturday, Mar 11,2017 08:58:06
[LAN access from remote] from 62.182.32.65:54426 to 192.168.1.5:21, Saturday, Mar 11,2017 08:58:05
[LAN access from remote] from 62.182.32.65:53929 to 192.168.1.5:55581, Saturday, Mar 11,2017 08:57:40
[LAN access from remote] from 62.182.32.65:53928 to 192.168.1.5:55605, Saturday, Mar 11,2017 08:57:38
[LAN access from remote] from 62.182.32.65:11222 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:38
[LAN access from remote] from 62.182.32.65:16428 to 192.168.1.5:55538, Saturday, Mar 11,2017 08:57:11
[LAN access from remote] from 62.182.32.65:53232 to 192.168.1.5:55597, Saturday, Mar 11,2017 08:57:10
[LAN access from remote] from 62.182.32.65:8300 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:09
[LAN access from remote] from 62.182.32.65:24469 to 192.168.1.5:55648, Saturday, Mar 11,2017 08:57:09
[LAN access from remote] from 62.182.32.65:53229 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:08
[LAN access from remote] from 62.182.32.65:24420 to 192.168.1.5:55557, Saturday, Mar 11,2017 08:57:08
[LAN access from remote] from 62.182.32.65:53227 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:07
[LAN access from remote] from 62.182.32.65:53226 to 192.168.1.5:55606, Saturday, Mar 11,2017 08:57:06
[LAN access from remote] from 62.182.32.65:53225 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:05
[LAN access from remote] from 62.182.32.65:21099 to 192.168.1.5:55639, Saturday, Mar 11,2017 08:57:05
[LAN access from remote] from 62.182.32.65:53071 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:04
[LAN access from remote] from 62.182.32.65:52998 to 192.168.1.5:55540, Saturday, Mar 11,2017 08:57:03
[LAN access from remote] from 62.182.32.65:52993 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:02
[LAN access from remote] from 62.182.32.65:52992 to 192.168.1.5:55632, Saturday, Mar 11,2017 08:57:02
[LAN access from remote] from 62.182.32.65:52991 to 192.168.1.5:21, Saturday, Mar 11,2017 08:57:00
[LAN access from remote] from 62.182.32.65:52990 to 192.168.1.5:55583, Saturday, Mar 11,2017 08:56:59
[LAN access from remote] from 62.182.32.65:52989 to 192.168.1.5:21, Saturday, Mar 11,2017 08:56:58
[LAN access from remote] from 62.182.32.65:52293 to 192.168.1.5:55567, Saturday, Mar 11,2017 08:56:24
[LAN access from remote] from 62.182.32.65:1230 to 192.168.1.5:55571, Saturday, Mar 11,2017 08:56:23
[LAN access from remote] from 62.182.32.65:52289 to 192.168.1.5:21, Saturday, Mar 11,2017 08:56:22
[LAN access from remote] from 62.182.32.65:24179 to 192.168.1.5:55562, Saturday, Mar 11,2017 08:56:21
[LAN access from remote] from 62.182.32.65:7449 to 192.168.1.5:21, Saturday, Mar 11,2017 08:56:21
[LAN access from remote] from 62.182.32.65:24011 to 192.168.1.5:55613, Saturday, Mar 11,2017 08:56:20
[LAN access from remote] from 62.182.32.65:52060 to 192.168.1.5:21, Saturday, Mar 11,2017 08:56:19
[LAN access from remote] from 62.182.32.65:1876 to 192.168.1.5:55635, Saturday, Mar 11,2017 08:55:43
[LAN access from remote] from 62.182.32.65:51367 to 192.168.1.5:55606, Saturday, Mar 11,2017 08:55:42
[LAN access from remote] from 62.182.32.65:8415 to 192.168.1.5:21, Saturday, Mar 11,2017 08:55:41
[LAN access from remote] from 62.182.32.65:13178 to 192.168.1.5:55607, Saturday, Mar 11,2017 08:55:40
[LAN access from remote] from 62.182.32.65:16820 to 192.168.1.5:55661, Saturday, Mar 11,2017 08:55:39
[LAN access from remote] from 62.182.32.65:51318 to 192.168.1.5:21, Saturday, Mar 11,2017 08:55:38
[LAN access from remote] from 37.150.1.135:44942 to 192.168.1.5:55637, Saturday, Mar 11,2017 07:15:55
[LAN access from remote] from 37.150.1.135:44941 to 192.168.1.5:21, Saturday, Mar 11,2017 07:15:54
[LAN access from remote] from 37.150.1.135:44940 to 192.168.1.5:55619, Saturday, Mar 11,2017 07:15:53
[LAN access from remote] from 37.150.1.135:44939 to 192.168.1.5:21, Saturday, Mar 11,2017 07:15:53
[LAN access from remote] from 37.150.1.135:44934 to 192.168.1.5:21, Saturday, Mar 11,2017 07:15:31
[LAN access from remote] from 37.150.1.135:44927 to 192.168.1.5:55637, Saturday, Mar 11,2017 07:15:24
[LAN access from remote] from 37.150.1.135:44926 to 192.168.1.5:21, Saturday, Mar 11,2017 07:15:23
[LAN access from remote] from 37.150.1.135:44918 to 192.168.1.5:55600, Saturday, Mar 11,2017 07:15:17
[LAN access from remote] from 37.150.1.135:44915 to 192.168.1.5:21, Saturday, Mar 11,2017 07:15:13
[LAN access from remote] from 37.150.1.135:44839 to 192.168.1.5:55543, Saturday, Mar 11,2017 07:14:12
[LAN access from remote] from 37.150.1.135:44831 to 192.168.1.5:55556, Saturday, Mar 11,2017 07:14:02
[LAN access from remote] from 37.150.1.135:44830 to 192.168.1.5:21, Saturday, Mar 11,2017 07:14:01
[LAN access from remote] from 37.150.1.135:44828 to 192.168.1.5:55637, Saturday, Mar 11,2017 07:14:01
[LAN access from remote] from 37.150.1.135:44827 to 192.168.1.5:21, Saturday, Mar 11,2017 07:14:00
[LAN access from remote] from 37.150.1.135:44826 to 192.168.1.5:55650, Saturday, Mar 11,2017 07:14:00
[LAN access from remote] from 37.150.1.135:44825 to 192.168.1.5:21, Saturday, Mar 11,2017 07:13:59
[LAN access from remote] from 37.150.1.135:45034 to 192.168.1.5:55627, Saturday, Mar 11,2017 07:12:57
[LAN access from remote] from 37.150.1.135:45033 to 192.168.1.5:55585, Saturday, Mar 11,2017 07:12:56
[LAN access from remote] from 37.150.1.135:45031 to 192.168.1.5:21, Saturday, Mar 11,2017 07:12:55
[LAN access from remote] from 37.150.1.135:45030 to 192.168.1.5:55628, Saturday, Mar 11,2017 07:12:55
[LAN access from remote] from 37.150.1.135:45024 to 192.168.1.5:55591, Saturday, Mar 11,2017 07:12:54

Copied from the Windows event log:
Windows Defender has detected malware or other potentially unwanted software.
 For more information:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/CoinMiner.BB!bit&threatid=2147716648&enterprise=0
    Name: Trojan:Win32/CoinMiner.BB!bit
    ID: 2147716648
    Severity: Severe
    Category: Trojan
    Path: file:_\\NAS\USBDisk1_1\Backups\Photo.scr;file:_\\NAS\USBDisk1_1\Photo.scr

I switched the FTP server off Sunday evening and deleted the forwarded port 21 in my router (only the one port was forwarded).

For the moment I will leave FTP disabled, but that's not a solution!

D-Link has to disable write and read permissions for the attached USB drive via FTP; that's all I/we need.

Thanks for your help
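The router log regi pasted is more useful than a per-IP block list if you read it as sessions rather than single hits: almost every connection to port 21 is followed (or preceded) within a second or two by a connection from the same source to a port in the 55538..55663 range, which is the pattern of a passive-mode FTP data channel, not of a bare port scan. The script below is an added example, not code from the thread, from D-Link or from the poster: it parses lines in exactly the format shown above, counts control-port (21) and high-port hits per source, and separates sources that only touched port 21 from sources that also completed a data connection. The assumption that the high ports are the NAS's passive FTP data ports, and the range used to recognise them, are mine, inferred from the port pairing visible in the log; the sample lines are a subset of the ones quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: a subset of the router log lines quoted in the thread,
# in the same "[LAN access from remote]" format.
SAMPLE_LOG = """\
[LAN access from remote] from 91.195.137.177:46436 to 192.168.1.5:21, Sunday, Mar 12,2017 19:14:49
[LAN access from remote] from 62.182.32.65:6597 to 192.168.1.5:55622, Saturday, Mar 11,2017 08:59:16
[LAN access from remote] from 62.182.32.65:56106 to 192.168.1.5:21, Saturday, Mar 11,2017 08:59:16
[LAN access from remote] from 62.182.32.65:13002 to 192.168.1.5:55650, Saturday, Mar 11,2017 08:58:40
[LAN access from remote] from 62.182.32.65:5697 to 192.168.1.5:21, Saturday, Mar 11,2017 08:58:39
[LAN access from remote] from 37.150.1.135:44942 to 192.168.1.5:55637, Saturday, Mar 11,2017 07:15:55
[LAN access from remote] from 37.150.1.135:44941 to 192.168.1.5:21, Saturday, Mar 11,2017 07:15:54
[LAN access from remote] from 37.150.1.135:45031 to 192.168.1.5:21, Saturday, Mar 11,2017 07:12:55
[LAN access from remote] from 37.150.1.135:45024 to 192.168.1.5:55591, Saturday, Mar 11,2017 07:12:54
"""

LINE_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), (?P<day>\w+), "
    r"(?P<ts>\w{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)

FTP_CONTROL_PORT = 21
# Assumption (mine, not documented on the page): the high destination ports in
# the log are the NAS's passive-mode FTP data ports. The bounds come from the
# ports that actually appear in the posted log (55538..55663).
PASSIVE_RANGE = (55500, 55700)


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "ts": datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S"),
    }


def parse_log(log_text):
    """Parse all recognisable lines and return them in chronological order."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def is_data_port(port):
    return PASSIVE_RANGE[0] <= port <= PASSIVE_RANGE[1]


def summarize(log_text):
    """Per source IP: hits on port 21, hits on passive data ports, hits elsewhere."""
    per_src = defaultdict(lambda: {"control": 0, "data": 0, "other": 0})
    for e in parse_log(log_text):
        s = per_src[e["src"]]
        if e["dport"] == FTP_CONTROL_PORT:
            s["control"] += 1
        elif is_data_port(e["dport"]):
            s["data"] += 1
        else:
            s["other"] += 1
    return dict(per_src)


def probe_only_sources(log_text):
    """Sources that touched port 21 but never opened a data connection: likely scanners."""
    return sorted(src for src, s in summarize(log_text).items()
                  if s["control"] and not s["data"])


def paired_sessions(log_text, window_s=3):
    """Count port-21 connections that have a data-port connection from the same
    source within +/- window_s seconds. Those are transfer attempts, not probes.
    The window is symmetric because the router stamps both directions coarsely."""
    events = parse_log(log_text)
    count = 0
    for e in events:
        if e["dport"] != FTP_CONTROL_PORT:
            continue
        for f in events:
            if f["src"] != e["src"] or not is_data_port(f["dport"]):
                continue
            if abs((f["ts"] - e["ts"]).total_seconds()) <= window_s:
                count += 1
                break
    return count


if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} control={s['control']} data={s['data']} other={s['other']}")
    print("probe-only sources:", probe_only_sources(SAMPLE_LOG))
    print("control+data sessions:", paired_sessions(SAMPLE_LOG))
```

Run it against the full exported router log instead of SAMPLE_LOG and the sessions count, not the raw line count, tells you how many times someone actually got a data channel open to the NAS; a source that shows up in probe_only_sources is the kind blocking one IP at a time would have stopped, and the others are why it would not.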
