Post by patrolwomanjayne on Nov 21, 2007 3:14:06 GMT 7
Well, I think I had better tell everyone what happened. Hopefully this will avoid some problems for people in the future.
Basically, we've had a Thecus here in my department for about 6 months. It has 20 users and 2.5TB of storage space. Everything works fine on it and people seem to love it. We have had many problems with NFS however, so I have been looking forward to patches and firmware updates.
I installed 2.00.03 on the system. Everything seemed fine, especially NFS. We only export 1 folder, and that's /raid/data, so we never ran into any issues with being able to export more than one folder. Most of the problems were related to random disconnections and slowness when 3 or more machines shared the NFS link.
It all looked good and nobody complained. Then, I received a phone call from security.
Turns out, someone with a perl script and way too much time on their hands had gotten into the Thecus and made it part of a botnet.
While I thought it hilarious that someone would add a NAS to a botnet (akin to making a Beowulf out of Commodore 64s), it was really shocking and disturbing to hear. I looked at netstat and indeed, it was pwned with a running service on 6667 TCP. Of course, I had the SYSuser module installed, but I changed the password on it. Nobody could have accessed the server that way, right? Wrong.
I watched very closely when I changed the password on the sys user. The hash in /etc/shadow never changed. Perplexed, I removed the hash, uninstalled the module, then reinstalled. Same hash. Oh crap. Default password. Panicked, I tried changing ANYONE's password. I couldn't.
I guess I would back it down to 1.00.10 because at least then I could use the RSYNC module. Now I have to back stuff up using insecure FTP, which I'm sure will make everyone in network security love me so very much.
Can anyone provide detailed instructions on how to back down the firmware or at least fix this "I hate modules" attitude that my Thecus seems to have taken up lately?
So I don't know what has happened. I can install and remove modules just fine. The only problem is that the passwords can't be modified and I can't change the port SSH is listening on.
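The two checks the post above boils down to, written out as an added example that is not part of the original post or of any Thecus firmware: after changing a password over the web UI, confirm that the hash in /etc/shadow actually changed (the silent failure described above), and scan netstat output for sockets on the IRC port range, since a bot usually holds an outbound ESTABLISHED connection to its controller rather than just listening on 6667. The shadow and netstat contents below are constructed sample data, not captures from the poster's box, and the assumption is a Linux/BusyBox-style userland with sh, awk and mktemp reachable over SSH.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks an admin can run over
# SSH on a Linux-based NAS. File paths and the awk/netstat layout are assumptions.

# shadow_hash FILE USER: print the password hash (2nd field) of USER from a
# shadow(5)-format FILE; exit 1 if USER is not present.
shadow_hash() {
    awk -F: -v u="$2" '$1 == u { print $2; found = 1 } END { exit(found ? 0 : 1) }' "$1"
}

# password_changed BEFORE AFTER USER: exit 0 if USER's hash differs between the
# two snapshots, 1 if it is byte-identical (the symptom in the post),
# 2 if USER is missing from either snapshot.
password_changed() {
    before=$(shadow_hash "$1" "$3") || return 2
    after=$(shadow_hash "$2" "$3") || return 2
    [ "$before" != "$after" ]
}

# irc_sockets NETSTAT_FILE: print every tcp/tcp6 line of `netstat -ant`-style
# output whose local or remote port falls in the usual IRC range 6660-6669,
# in any state (LISTEN, ESTABLISHED, ...).
irc_sockets() {
    awk '$1 ~ /^tcp/ {
        lp = $4; sub(/.*:/, "", lp); lp += 0   # keep text after the last colon, force numeric
        fp = $5; sub(/.*:/, "", fp); fp += 0   # "*" becomes 0 and never matches
        if ((lp >= 6660 && lp <= 6669) || (fp >= 6660 && fp <= 6669)) print
    }' "$1"
}

# --- constructed sample data (hashes and addresses are made up) ---
WORK=$(mktemp -d)
# Snapshot taken before the password change through the web UI.
cat > "$WORK/shadow.before" <<'EOF'
root:$1$abcdefgh$0123456789abcdefghijkl:13800:0:99999:7:::
sys:$1$deadbeef$ZZZZZZZZZZZZZZZZZZZZZZ:13800:0:99999:7:::
EOF
# Snapshot taken afterwards: sys still carries the same hash, i.e. the
# module's default password is still what authenticates.
cat > "$WORK/shadow.after" <<'EOF'
root:$1$abcdefgh$0123456789abcdefghijkl:13800:0:99999:7:::
sys:$1$deadbeef$ZZZZZZZZZZZZZZZZZZZZZZ:13800:0:99999:7:::
EOF
cat > "$WORK/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:2049       192.168.1.20:800        ESTABLISHED
EOF

if password_changed "$WORK/shadow.before" "$WORK/shadow.after" sys; then
    echo "OK: hash for sys changed"
else
    echo "WARNING: hash for sys did NOT change; the password change never took effect" >&2
fi
echo "sockets on IRC ports:"
irc_sockets "$WORK/netstat.txt"
```

On a real box, take the "before" snapshot with `cp /etc/shadow /tmp/shadow.before` as root, change the password in the UI, then run `password_changed /tmp/shadow.before /etc/shadow sys`; a non-zero exit means the UI did not write the hash, and the account is still reachable with whatever password the module shipped with.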