Expelling evil from ReadyNAS
On Habr there are already several articles about the security of devices from the so-called “Internet of Things”: home routers, “smart” TVs, NAS devices and the like.
This article is about a peculiarity of the ReadyNAS line of NAS devices, and about how I managed to evict a stranger who had settled in very comfortably on one of them. Looking ahead, I will say that the information collected was not enough to tell who this stranger was: an intruder with a human face and a motive, or an unfeeling piece of malware. That is why the title of this article uses the impersonal word “evil”.
One fine day a friend called me and asked: “Look, what's wrong with this box? Well, I keep films on it... well, you know what I mean!” Then followed a description of the symptoms. It was an ordinary weekday evening and my head was no longer working at its best, so from the phone call I did not really understand anything. Rather than interrogate him over the phone, I decided to come over and see for myself what was going on. I asked him to disconnect the device from the Internet before I arrived.
When I arrived at his place, I still did not understand what symptoms he had been describing, but just in case I decided to take a look at the box. It turned out to be a ReadyNAS. Outwardly the device was working quite normally: no particular slowness or odd behaviour was noticeable, and no unknown users were found in the device's user list. After that I decided to look at the logs anyway, just to clear my conscience. So far I had no cause for concern, and my motivation was rather to reassure my friend: I had been dragged over to look at the box, the logs were fine, I saw no slowness, false alarm. Leaving right away without even pretending to dig into it would have been rude. But the logs were not so reassuring, and I realised the evening was going to be a fight.
So what was in the logs?
The line “Enabled root SSH access” was found in the logs.
A Google search turned up a page describing the utility. Judging by the description, the utility was intended to provide root access to the device via SSH, with the root password set to the same value as that of the admin user. We used the admin user to access the device through the web interface. My friend swore that he had not installed this plugin.
A small digression. ReadyNAS devices are divided into those running ReadyOS and those running RAIDiator.
On ReadyOS, the built-in SSH server is visible among the other services in the web interface.
But on RAIDiator, the SSH server becomes available only after installing the enable root plugin. And after that procedure, neither does the plugin itself appear in the list of plugins, nor does the list of services show any information about the SSH server that has been switched on.
So on systems running RAIDiator, identifying that an uninvited guest is in the device is somewhat more problematic.
Running telnet 192.168.0.1 22, I made sure that the SSH server was really running. But I could not log in as root: the supposed password, the admin one, did not fit. Logging in as admin resulted in the session being reset. As it turned out, apart from the root user, every other account on the device had /bin/false as its shell in /etc/passwd.
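The two checks just described, the SSH banner grab and the look through /etc/passwd for accounts that can actually log in, as an added example (not code from the original article). The passwd content is a constructed sample that mirrors what the article describes (root with a real shell, everything else on /bin/false); the banner grab uses bash's /dev/tcp instead of telnet, and the host 192.168.0.1 is only an assumption taken from the article.

```bash
#!/bin/bash
# Added example, not from the original article: first-look checks on a NAS box
# whose SSH service has been switched on behind the admin's back.

# Constructed sample of /etc/passwd as the article describes it: root keeps a
# real shell, every other account is locked to /bin/false.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:98:98:Administrator:/home/admin:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
media:x:1001:1001:Media user:/home/media:/bin/false'

# Print the accounts that can get an interactive shell.
# Reads passwd-format lines on stdin; /bin/false and *nologin shells are skipped.
interactive_accounts() {
    awk -F: '$7 != "/bin/false" && $7 !~ /nologin$/ { print $1 }'
}

# Grab the SSH version banner without a client, using bash's /dev/tcp.
# Usage: ssh_banner HOST [PORT]   (e.g. the article's 192.168.0.1, an assumption)
ssh_banner() {
    local host=$1 port=${2:-22} banner
    exec 3<>"/dev/tcp/$host/$port" || return 1
    # The server speaks first, with a line like "SSH-2.0-OpenSSH_5.5p1".
    IFS= read -r -t 5 banner <&3
    exec 3<&- 3>&-
    printf '%s\n' "$banner"
}

# Return 0 when the string looks like an SSH protocol banner, 1 otherwise.
is_ssh_banner() {
    case $1 in
        SSH-[12].*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demo on the constructed sample; the live banner check runs only when a host
# is given on the command line.
echo "Accounts with a login shell:"
printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
if [ -n "$1" ]; then
    b=$(ssh_banner "$1" "${2:-22}") && is_ssh_banner "$b" && echo "SSH is listening: $b"
fi
```

On a live box, `./check.sh 192.168.0.1` prints the banner, and `interactive_accounts </etc/passwd` is the quick way to see which accounts an attacker could have used; on the article's device the answer was root alone.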
It can be assumed that the attacker changed the password. I thought: “Great! The scammer has no physical access to the device, but has root access. And I have physical access... but what's the use? After all, there is no root access. So how do I solve the problem?” The first thing that comes to mind is resetting the device to factory settings. But that was the last thing I wanted to do: terabytes of films would have to be copied off somewhere, and that is not a quick procedure. And I really did not want to come a second time. So I started looking for alternatives.
The description of the solution that follows takes very little text, but it cost a lot of time and nerves. The first thing I tried was to upload that enable root plugin to the device again, in the hope that it would reset the root password. I hoped the plugin would simply overwrite the root entry in /etc/shadow with the default password. The plugin uploaded successfully and the device rebooted, but this did not solve the problem.
Next I decided to try updating the device firmware, if it was not the latest version. Perhaps this would overwrite the system files and the problem would miraculously go away?
The firmware was not the latest version; an update was available. I pressed the treasured button. The system warned that the procedure would take time and that I would be informed of the result at the end. The result, however, was negative: a checksum mismatch. I began to feel that I would hardly get to bed early... and even if I did, thoughts like “Well, how do I throw this villain out of the system?” would follow me into my sleep, so a good night's sleep was out of the question anyway. My head flatly refused to work, and I could think of nothing better than to keep poking the “Update” button in the hope that the device would stop acting up and update... Did I believe this would end well? Unlikely. I no longer knew what to do, and not much was left of my former fighting spirit. But by some miracle, on the fifth attempt the system really did update and went to reboot. A real miracle! After that we successfully logged in as root with the admin password.
Once on the device, I went through the file system and the logs hoping to find traces of the alien's presence, but I could not find any: the last command showed only my own visit. The command history file (.bash_history) was completely absent, and /var/log/auth.log also contained only information about my visit. Thus it was not possible to find out when the device was compromised, from which IP address, or which commands were executed. The only clue was the date and time of the initial installation of the enable SSH root plugin in the web interface logs. Yes, one could argue that some undetected code remained on the device, running with root privileges. But the decision to reinstall the system was not mine to make but my friend's, and for the time being he decided against it. In addition, as it turned out after questioning him more closely, it was a reboot of the device that had bothered him while watching a movie, which is exactly what the attacker needed to do to activate the enable SSH root plugin. The time of that sudden reboot coincided with the time of the installation of enable SSH root found in the web interface logs. So perhaps we really did respond quickly and the attacker did not have time to do anything.
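The log triage described above, as an added example that is not part of the original article: pull every accepted SSH login out of auth.log, drop the analyst's own session so only foreign logins remain, and report whether .bash_history is missing, empty or present (an absent history file on a root account is itself a finding, as it was here). The log lines are a constructed sample in the usual sshd format, and the addresses 192.168.0.10 (the analyst's machine) and 203.0.113.7 (an unknown source, from the documentation range) are assumptions; unlike the article's real log, the sample includes one foreign login so the filter has something to show.

```bash
#!/bin/bash
# Added example, not from the original article: post-compromise triage of a
# NAS box's SSH logs and shell history.

# Constructed sample of /var/log/auth.log. 192.168.0.10 is the analyst's own
# machine; 203.0.113.7 stands in for an unknown source address.
SAMPLE_AUTH_LOG='Mar 12 21:03:14 nas sshd[2231]: Accepted password for root from 192.168.0.10 port 51022 ssh2
Mar 12 21:03:14 nas sshd[2231]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar 12 21:40:02 nas sshd[2410]: Failed password for admin from 203.0.113.7 port 40311 ssh2
Mar 12 21:40:09 nas sshd[2412]: Accepted password for root from 203.0.113.7 port 40320 ssh2
Mar 12 21:41:30 nas sshd[2412]: Received disconnect from 203.0.113.7: 11: disconnected by user'

# Print "user ip" for every accepted SSH login read on stdin.
ssh_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for")  user = $(i + 1)
            if ($i == "from") ip   = $(i + 1)
        }
        print user, ip
    }'
}

# Same as ssh_logins, but drop the analyst's own address ($1) so only
# logins that need explaining are left.
foreign_logins() {
    ssh_logins | awk -v me="$1" '$2 != me'
}

# Report on a shell history file: "missing", "empty" or "present".
# A missing or empty root history on a box that was clearly used is suspicious.
history_status() {
    if   [ ! -e "$1" ]; then echo missing
    elif [ ! -s "$1" ]; then echo empty
    else                     echo present
    fi
}

# Demo on the constructed sample; on a live box feed /var/log/auth.log and
# /root/.bash_history instead.
echo "Accepted SSH logins not from the analyst:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | foreign_logins 192.168.0.10
echo "root shell history: $(history_status /root/.bash_history)"
```

Usage on the device would be `foreign_logins 192.168.0.10 </var/log/auth.log` followed by `history_status /root/.bash_history`; an empty first list together with a "missing" history, which is what the article found, means the logs were either never written or cleaned, and the web interface log becomes the only timeline.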
I advise many of my friends and acquaintances not to give their “Internet of Things” devices “white” (public) IP addresses. You may “forget” (or not want) to change the factory passwords on a device, but by hiding it from public access over the Internet you can spare yourself unpleasant stories like this one, whereas changing the factory password alone is not guaranteed to solve the problems. I tell them: “Put them behind the router. Besides, you won't have to pay for another static address. Need remote access? Configure the router's port forwarding correctly, using port knocking (article one, article two).” Tired of explaining in detail how to do this, I wrote an article, An example of secure configuration of a home local network. I hope some readers will find it useful too.
And those few comrades for whom configuring things according to that article is difficult, given little knowledge of networking... I simply ask them to shell out for a Mikrotik router and come with pre-prepared settings, in which I only have to change the settings of the interface where the provider's cable is plugged in.
UPD: Mikrotik can also be useful for analysing the traffic passing from the device under study to the network. Mikrotik lets you intercept and analyse traffic very conveniently: in the config you specify the address of the computer where the log will be analysed and the traffic collection rule. Then you run Wireshark on your computer, configure it, and watch the traffic in real time. More details about this here. That is, traffic can be analysed without getting up from your chair; there is no need to build test networks.
Although on the device itself you could try sniffing traffic with tcpdump (if it is there; you would need to check).
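The on-device alternative just mentioned, as an added example that is not part of the original article: check whether tcpdump exists on the box at all, and if so capture everything except the analyst's own SSH session into rotating pcap files that Wireshark can open later. The interface name, the analyst address 192.168.0.10 and the output path are assumptions; the router-side capture from the update above needs nothing on the NAS and is the better choice when tcpdump is absent.

```bash
#!/bin/bash
# Added example, not from the original article: capture a suspect NAS box's
# traffic with tcpdump while leaving the analyst's own SSH session out of it.

# Build the BPF filter: everything except SSH traffic to/from the analyst ($1),
# so the capture is not flooded with the investigator's own session.
capture_filter() {
    printf 'not (host %s and tcp port 22)\n' "$1"
}

# Start a rotating capture.
# Usage: start_capture IFACE ANALYST_IP OUTFILE [TCPDUMP_PATH]
# Writes up to 10 files of 50 MB each (-C/-W) with full packets (-s 0) and no
# name resolution (-n, which would itself generate DNS traffic from the box).
# Returns 1 without capturing when tcpdump is not installed on the device.
start_capture() {
    local iface=$1 analyst=$2 out=$3 tcpdump=${4:-tcpdump}
    if ! command -v "$tcpdump" >/dev/null 2>&1; then
        echo "tcpdump not found on this box; use the router-side capture instead" >&2
        return 1
    fi
    "$tcpdump" -i "$iface" -n -s 0 -C 50 -W 10 -w "$out" "$(capture_filter "$analyst")"
}

# Demo: only report what would be run; pass "go" as the first argument to
# actually start capturing (interface and analyst address are assumptions).
echo "Filter: $(capture_filter 192.168.0.10)"
if [ "$1" = "go" ]; then
    start_capture eth0 192.168.0.10 /var/tmp/nas-capture.pcap
fi
```

The resulting files are copied off the box and opened in Wireshark, the same end point the Mikrotik route arrives at; with the analyst's SSH session filtered out, whatever remains on the wire while nobody is using the NAS is exactly the traffic that needs explaining.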