Author Topic: FTP Server Security Issues  (Read 13595 times)

MountainMan

  • Level 1 Member
  • *
  • Posts: 24
FTP Server Security Issues
« on: November 14, 2008, 12:28:14 PM »

I've come to the conclusion that external hackers are finding my DNS-323 and accessing it.  And I'm not sure what to do about it other than not use the FTP functionality, which is one of the key reasons I bought the product.

After a few days of having my firewall set up to forward port 21 to the NAS, the drive activity starts increasing and occurring almost constantly.  The drive activity goes away immediately if I unplug the ethernet from the back of the NAS, showing it's not due to internal NAS activity such as refreshing UPnP directories, etc.  The drive activity also goes away immediately if I disconnect my home network from the external internet, showing it's not due to an internal computer on my home network.  And when I log in to the FTP server the login messages tell me that I am user 2, 3, or 4, telling me that other people are somehow logged into my NAS.  Note that when I first turn the NAS on and the drive light is not blinking, I always show as user 1.

It usually takes a day or two of leaving port 21 forwarded to the NAS before I start seeing the external access drive activity.  So I am thinking there are hackers out there port scanning the internet that eventually find the open port, recognize the DNS-323, and hack in.  What they do once they are inside, I have no idea.  My data looks intact.  But I don't feel like my data is secure under these circumstances.

So I have two comments/suggestions:
(1)  I think this device needs some logging of FTP server access.  I'm kinda operating in the blind here with no ability to investigate who is logging in.  What user are they logging in as?  From what IP address?  Did they read or write data, if so, how much?  Unfortunately my router doesn't have that capability either.  It's a WRT54G so maybe I'll install one of the customized firmwares such as Tomato that has more tracking/logging capability.

(2)  I think there may be some serious security holes that allow hackers to easily break into this device.  This is very bad if it's true.  There really is nothing more I can do to provide security to this device if it is easily hackable.  I have to forward an FTP port to it and trust that it can protect itself.  All I can do is move it to a non-standard FTP port other than 21 to increase the difficulty of hackers finding the open port.

Has anyone else seen this?  Am I missing something in my debug of the issue?

Thanks.
Logged

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: FTP Server Security Issues
« Reply #1 on: November 15, 2008, 10:23:09 AM »

I have my DNS-323 set up for anonymous read/write access - logging is done at the router so I know when ftp access occurs and from what ip address (but not by whom) - and so far, the only access logged has been either myself, or one of my kids who knows that the server is running.
Logged
RAID1 is for disk redundancy - NOT data backup - don't confuse the two.

MountainMan

  • Level 1 Member
  • *
  • Posts: 24
Re: FTP Server Security Issues
« Reply #2 on: November 16, 2008, 12:05:51 AM »

Hmmm.  Do you have FTP set up on a non-standard port?  Or 21?

Any other theories that explain my observations?
Logged

fordem

  • Level 10 Member
  • *****
  • Posts: 2168
Re: FTP Server Security Issues
« Reply #3 on: November 16, 2008, 01:35:38 PM »

Port 21
Logged

Banshee1971

  • Level 3 Member
  • ***
  • Posts: 105
Re: FTP Server Security Issues
« Reply #4 on: November 18, 2008, 06:06:46 PM »


Hmm... suggestion: purchase a router (WRT-54GL ... $50), flash it with Tomato firmware (from the polarcloud website). Configure it for your port forward... and wait.
When you notice the suspect "activity", go to the QoS menu and "View Detail" (you must have activated QoS first).
You will see all activity, and you can click on the "S Port" column to better see port 21 ... and look for all IP addresses. If you notice some IP address connected to the IP of your NAS from the outside, yes... you have a hacker somewhere!

But... I don't think it's possible... it is, but risky for the hacker. Performing random port scans on random IP addresses is sometimes detected by the ISP and flagged as a possible hacker attack. It ends with the disconnection of the hacker.

Hope you will find a solution to your issue, but I don't think it's a "hacker" issue... unless you have a trojan on your computer that tells others (on a website) that they can try your IP address ...



Logged

jeth

  • Level 1 Member
  • *
  • Posts: 4
Re: FTP Server Security Issues
« Reply #5 on: June 09, 2009, 09:19:50 PM »

I see the same type of continuous activity on one of my two drives.

However, it doesn't stop when I disconnect the cable to my router.

Does the DNS-323 do some sort of file checking when it is turned on?
Logged

ben

  • Guest
Re: FTP Server Security Issues
« Reply #6 on: June 11, 2009, 04:45:20 PM »

I'm experiencing the same issue.

About one week after enabling the ftp server on my nas drive I detected unauthorized access.

I'm the only person who knows the password and the maximum number of users is set to one.  When I tried to connect to the server I was denied access because the maximum number of users was exceeded.  When I checked my isp usage for the month my outgoing usage was about 4Gb higher than I can account for.

  • Firmware: 1.04
  • Anonymous access: disabled
  • FTP port: 21
  • IP address: updated using dyndsn.com

Is this an issue with WU-FTPD (http://wiki.dns323.info/howto:open_ports_ftpd)?
Should I install VSFTP (http://wiki.dns323.info/howto:vsftpd?s=ftp)?
Logged

ECF

  • Administrator
  • Level 11 Member
  • *
  • Posts: 2692
Re: FTP Server Security Issues
« Reply #7 on: June 12, 2009, 01:52:51 PM »

Please make sure you are running the latest firmware on the unit.
Logged
Never forget that only dead fish swim with the stream

delafield

  • Level 1 Member
  • *
  • Posts: 14
Re: FTP Server Security Issues
« Reply #8 on: June 13, 2009, 07:09:54 PM »

First, do what this user does and use a different port than port 21 (at least the port facing the internet):
http://forums.dlink.com/index.php?topic=5564.msg32710#msg32710

Also, don't log into your FTP server from outside your network using insecure FTP; use FTPS (really FTPES, I think - that is, FTP using SSL/TLS). It comes with the 1.06 firmware, so you should upgrade to that. Plus, there are likely security enhancements in the new firmware (that come with the Linux kernel, etc.).

So, does anyone know how to **require** users to use FTPS/SSL/TLS to log in, and to disallow insecure FTP using FW 1.06? Or is that option only available using FW 1.08 beta?

Regards,
delafield
Logged

ben

  • Guest
Re: FTP Server Security Issues
« Reply #9 on: June 14, 2009, 04:49:12 AM »

ECF,

Is this a known security issue with version 1.04 firmware that has been addressed with subsequent versions?  If I upgrade my firmware and use FTPS how confident can I be that my data is secure?
Logged

ECF

  • Administrator
  • Level 11 Member
  • *
  • Posts: 2692
Re: FTP Server Security Issues
« Reply #10 on: June 16, 2009, 09:27:12 AM »

The recent firmware is much more secure. Is there a reason you are still running 1.04?
Logged

ben

  • Guest
Re: FTP Server Security Issues
« Reply #11 on: June 17, 2009, 04:49:04 AM »

It's a big job to back up all my data before the upgrade so I keep putting it off.  I think I'll buy an external hard drive to make it easier.  Sounds like the upgrade is worth doing though.  Thanks for your help.
Logged

traylorre

  • Level 1 Member
  • *
  • Posts: 2
Re: FTP Server Security Issues
« Reply #12 on: September 28, 2009, 10:30:27 AM »

Hi ben,

Using ftp with no encryption means that you are as vulnerable as it gets to being hacked.  Once you login from a remote host, you will have clearly broadcast your username and login to the world.  No wonder you are being hacked.  I would compare it to shouting your IP address, username and password out loud down the street, only worse.  :)

1. Avoid port 21 so that a hacker has to guess your port.

2. You must use encryption.  With DNS firmware 1.07 TLS encryption is officially supported, but that is actually false because I see from my connection logs that it does not work.  I have seen the same thing in logs of other persons on this forum.  I have also tried many FTP clients (FileZilla, CuteFTP, CoreFTP).

Client says : PROT P[rivate communication]
Server replies : Fallback C[lear communication]

http://forums.dlink.com/index.php?topic=3476.0

3. I have now installed Fonz Fun Plug to gain ssh access to the 323, then DebNAS (a Debian release) to get a fuller-fledged system up, and then installed vsftpd.  This is all new to me and painful.  I am now trying to get xinetd to work but am not there yet.  You might try this as well.


Hope that helps.
« Last Edit: September 28, 2009, 10:34:42 AM by traylorre »
Logged
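
The fallback traylorre reports (client sends PROT P, server falls back to clear) can be checked from a saved client log. The following is an added example, not part of any post in this thread and not D-Link code: it reads a FileZilla-style transcript and reports whether the login and the transfers were protected. The transcript format, the sample lines and the name `audit_session` are assumptions made for the example.

```python
import re

# Constructed client transcripts (FileZilla-style "Command:/Response:" lines);
# the usernames and reply texts are made up for this example.
TLS_FALLBACK = """\
Command: AUTH TLS
Response: 234 AUTH TLS OK
Command: USER alice
Response: 331 Password required
Command: PASS ********
Response: 230 Logged in
Command: PBSZ 0
Response: 200 PBSZ=0
Command: PROT P
Response: 534 Fallback to [C]
Command: RETR backup.tar
"""
PLAIN_FTP = """\
Command: USER alice
Response: 331 Password required
Command: PASS ********
Response: 230 Logged in
Command: LIST
"""

LINE = re.compile(r"^(Command|Response):\s*(\S+)\s*(.*)$")
TRANSFER_VERBS = {"LIST", "NLST", "MLSD", "RETR", "STOR", "APPE"}

def audit_session(transcript):
    """Summarise what one FTP session exposed on the wire."""
    result = {"control_tls": False, "data_private": False,
              "cleartext_login": False, "cleartext_transfers": []}
    last = ("", "")  # (verb, argument) of the most recent command
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, first, rest = m.groups()
        if kind == "Command":
            last = (first.upper(), rest.strip().upper())
            if last[0] in ("USER", "PASS") and not result["control_tls"]:
                result["cleartext_login"] = True
            elif last[0] in TRANSFER_VERBS and not result["data_private"]:
                result["cleartext_transfers"].append(last[0])
        elif last[0] == "AUTH" and first[:3] == "234":
            result["control_tls"] = True       # RFC 4217: 234 = TLS accepted
        elif last == ("PROT", "P"):
            result["data_private"] = first[:3] == "200"  # anything else: clear
    return result
```

A session is only fully protected when `control_tls` and `data_private` are both true and `cleartext_transfers` is empty; the first sample shows a login that was encrypted while the file data was not.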

ben

  • Guest
Re: FTP Server Security Issues
« Reply #13 on: September 28, 2009, 01:51:10 PM »

Hi Tray,

Thanks for your reply.

I have not enabled ftp access since being hacked.  I would really like to use this feature but I can't justify the risk with the default level of security.

vsftpd sounds like a much better proposition.  Please post back and let us know how the mods go.  If it is successful I may try the same thing.
Logged

gunrunnerjohn

  • Level 11 Member
  • *
  • Posts: 2717
Re: FTP Server Security Issues
« Reply #14 on: September 29, 2009, 05:28:38 AM »

Quote from ben: "It's a big job to back up all my data before the upgrade so I keep putting it off.  I think I'll buy an external hard drive to make it easier.  Sounds like the upgrade is worth doing though.  Thanks for your help."

If you don't have a second copy of your data, you are really skating on thin ice!  RAID is not backup, it's just hardware redundancy.
Logged
Microsoft MVP - Windows Desktop Experience
Remember: Data you don't have two copies of is data you don't care about!
PS: RAID of any level is NOT a second copy.