Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[iker]

I found out yesterday that it looks like there is a ransomware acively attacking DNS-320 and DNS-320L/LW (maybe more models are affected) and encrypting all your files. There is not much info about it, but according to some affected users, they were in old firmware versions with the web interface and ftp exposed to the internet. They still dont know exactly how the ransomware attacked the NAS so this is only a theory and it could be a different atack. I hope that the vulnerability is solved in newer firmware versions, but anyway you should always avoid exposing the web interface to the internet in this and in any device.

https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/

[FurryNutz]

What version of FW are you using?

The use user did mention "My Dlink NAS is a DNS-320LW (the White version of more widespread DNS-320L with full firmware compatibility), and I must confess that I had not updated the firmware so it should be a basical 1.01."

So at this stage anything was possible.

Since v1.11 is most currently we can only hope that users would and should be already on this version of FW and would help avoid this kind of compromise.

[arisermpo87]

Hey guys. My DNS-320 ver A2 was attacked.
I had it connected to Internet via port forward and DMZ which I guess was the problem. No I cut both port forward and DMZ. Is it safe to use it again?

[FurryNutz]

Link>Welcome!

• Link>What Firmware version is currently loaded? Found on the DNSs web page under status.
• What region are you located?

What Mfr and model is the main host router?

What version of FW are you using?
What do you mean by attacked?
How did you determine your DNS was attacked?

Using the DMZ is not recommended for NAS devices.

Hey guys. My DNS-320 ver A2 was attacked.
I had it connected to Internet via port forward and DMZ which I guess was the problem. No I cut both port forward and DMZ. Is it safe to use it again?

[arisermpo87]

Hello!
So I have a DNS-320 v A2 used for local storage and file exchange for a small business. A few weeks ago, I wanted to have distant access to some files, so I used port forward and DMZ from my router to achieve this.
Today, most of my files appeared to be corrupted. I found two files that stated all corrupted files are now encrypted. With a little search online i came across to this article.
Thankfully I had a full backup and the damage was minimal. At the moment I wasn't using the latest FW on the NAS.

My router is a ZTE Speedport Entry 2i. I don't think that the DNS was attacked. All I think is that having enabled DMZ and Port Forwarding was a huge mistake, despite using a 10chars long password for NAS access (with upper and lower case letters, numbers and symbols).

[FurryNutz]

Are ALL files on the DNS corrupted?

What version of FW are you using on the DNS?

[GreenBay42]

This has been reported to the D-Link security team.

[arisermpo87]

Not all files were corrupted/encrypted. There was a file created "_Cr1ptt0r_logs.txt" with the following format:

encrypting using public key: 066d97d8756b5388ca7b74594a9563f04232b38361c20c0056a0ff9dc1a6f253
encrypted: /mnt/web_page/goweb.htm

and followed for all the files that appeared to be corrupted.
At that moment I had FW 2.03. Now I have FW2.05B10.

One weird thing that I saw was under Account management -> Users/Groups there was a user named "remote" assigned to groups "sudo" and "wheel". I never created such a user/groups.

[FurryNutz]

What region are you located?

[arisermpo87]

Greece

[FurryNutz]

Do you have any back up of the contents of the drives in the DNS?

[arisermpo87]

Yes I had a full backup two days ago. Thankfully I had scheduled backup every two days.

[FurryNutz]

Where are you getting v2.XX FW from?
I'm only seeing v1.11 for A series models?
https://eu.dlink.com/gr/el/products/dns-320l-sharecenter-2-bay-cloud-storage-enclosure#support


I presume you may need to restore from back up these files...

[arisermpo87]

Those FW are for the 320L model. I have the 320 model. I already restored my backup at a local drive.
My question is, is it safe to use the NAS (after formating the drive and disabling port forward?)

edit: Thanks for your help!

[FurryNutz]

You should be ok.
You might file a support ticket or contact your regional D-Link support office about this and let them know what happened.

Just keep the DNS out of the DMZ.