Has my MyCloud been hacked?

 I noticed this connection while checking internet connections on my router. The address is just a placeholder at a Polish ISP (I think).

192.168.X.XXX:52782 xxx.xxx.xxx.xxx:52782 91.236.233.117:6050 TCP EST Out 128 7659

gewilli wrote:

I noticed this connection while checking internet connections on my router. The address is just a placeholder at a Polish ISP (I think).

192.168.X.XXX:52782 xxx.xxx.xxx.xxx:52782 91.236.233.117:6050 TCP EST Out 128 7659

Gosh, are you sure that it is MyCloud starting this connection???

Port 6050 is often used for VoIP and that IP is a Polish telecom :frowning:

Count_Dooku wrote:

gewilli wrote:

I noticed this connection while checking internet connections on my router. The address is just a placeholder at a Polish ISP (I think).

192.168.X.XXX:52782 xxx.xxx.xxx.xxx:52782 91.236.233.117:6050 TCP EST Out 128 7659

Gosh, are you sure that it is MyCloud starting this connection???

Port 6050 is often used for VoIP and that IP is a Polish telecom :frowning:

Yes, I checked that out. And as you can see from my router stats, the direction is out. I’ve powered down my MyCloud for now until I can determine what is going on. I posted another thread about my device being busier than normal. Perhaps some of the tasks that are running will provide a clue. I’m not fluent in Linux so have no idea what those tasks are.

Here is the top output:

top - 10:59:24 up 7 days, 19:45,  1 user,  load average: 9.62, 9.08, 9.06
Tasks: 100 total,   9 running,  91 sleeping,   0 stopped,   0 zombie
%Cpu(s): 85.0 us, 15.0 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:    230560 total,   181996 used,    48564 free,     2344 buffers
KiB Swap:   500732 total,    62468 used,   438264 free,    88416 cached

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
23587 root      20   0  4936  984  500 R  49.0  0.4   1007:25 ksh
23585 root      20   0  4936  444  240 R  48.4  0.2   1086:27 /usr/sbin/httpd
23589 root      20   0  4936  440  240 R  33.3  0.2 989:32.68 /usr/sbin/httpd
23592 root      20   0  4936  444  240 R  33.3  0.2   1028:06 /usr/sbin/sshd <—<<< This is me.
23583 root      20   0  4936  444  240 R  33.0  0.2   1052:29 /usr/sbin/apach

Most often I have seen MyCloud busy with scanning media.

Never have seen a suspicious task that would point to VOIP activities.

But there are 4 additional partitions where I do not have the slightest clue what their purpose could be.

Does anybody know that??

You’d need to look at the source port on the cloud (in your example, 52782) and find out what process is using that port.

lsof -i TCP:xxxxxx

where xxxx is the source TCP port.

The service running on that address is an IRC (Internet Relay Chat) service.

I had shut down my MyCloud. I just restarted it and the first thing I did was change the root password.

What a dummy. I should have changed it.

WDMyCloud:~# lsof -i TCP:52782
WDMyCloud:~#

 I’ll check again later. Perhaps those processes running had something to do with it.

I can’t find these processes anywhere. I looked in /usr/sbin.

23585 root      20   0  4936  444  240 R  48.4  0.2   1086:27 /usr/sbin/httpd
23589 root      20   0  4936  440  240 R  33.3  0.2 989:32.68 /usr/sbin/httpd

Yes, I find it very strange that a binary that does not exist was using 70% + of your CPU.

I have nothing called /usr/sbin/httpd present on my cloud.

httpd is a web browser.

The resident web browser on the Cloud is /usr/sbin/apache2

If you see httpd running again, find out what process spawned it by looking for the PARENT process ID of httpd.

Further: Another of those binaries does not exist on mine.

ksh (also known as the Korn shell) doesn’t exist anywhere, and it was using high CPU on yours.

Did you do any system modifications of *ANY* sort on your Cloud?
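The port-to-process lookup and parent-PID check suggested above, as an added example that is not from this thread or from WD: it assumes a Linux box with /proc and either ss or lsof installed, and the port given is whatever the router showed as the NAS-side source port.

```shell
#!/bin/sh
# Added example (not from the thread): map a local TCP port such as 52782 to the
# process that owns it, then walk the parent chain and check whether each process's
# binary still exists on disk. Assumes Linux with /proc and either ss or lsof.
# The COMMAND column in top is only what the process reports as its name, so a
# "/usr/sbin/httpd" there need not correspond to any file; /proc/<pid>/exe does.

# PIDs that own the given local TCP port (the source port seen on the NAS side).
pids_on_port() {
    if command -v ss >/dev/null 2>&1; then
        ss -tanp 2>/dev/null | awk -v p="$1" '$4 ~ (":" p "$")' \
            | grep -o 'pid=[0-9]*' | cut -d= -f2 | sort -u
    else
        lsof -t -i "TCP:$1" 2>/dev/null | sort -u
    fi
}

# Parent PID and executable path from /proc; readlink appends " (deleted)" when
# the file the process was started from has since been removed.
ppid_of() { awk '/^PPid:/ { print $2 }' "/proc/$1/status" 2>/dev/null; }
exe_of()  { readlink "/proc/$1/exe" 2>/dev/null || echo "?"; }

# PRESENT, MISSING-ON-DISK (binary deleted after start) or UNREADABLE (not ours).
exe_status() {
    exe=$(exe_of "$1")
    case "$exe" in
        "?")           echo "UNREADABLE" ;;
        *"(deleted)"*) echo "MISSING-ON-DISK" ;;
        *) if [ -e "$exe" ]; then echo "PRESENT"; else echo "MISSING-ON-DISK"; fi ;;
    esac
}

# One line (pid, exe, status) for the process and every ancestor up to init.
walk_parents() {
    pid="$1"
    while [ -n "$pid" ] && [ "$pid" -gt 0 ]; do
        printf '%s\t%s\t%s\n' "$pid" "$(exe_of "$pid")" "$(exe_status "$pid")"
        pid=$(ppid_of "$pid")
    done
}

# Usage on the NAS: triage_port 52782
triage_port() {
    for pid in $(pids_on_port "$1"); do
        echo "== local port $1 is owned by pid $pid =="
        walk_parents "$pid"
    done
}
```

A process whose exe shows MISSING-ON-DISK, or whose parent chain ends in a shell spawned by sshd rather than init, is what to preserve (copy /proc/<pid>/exe out) before rebooting.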

TonyPh12345 wrote:

Further: Another of those binaries does not exist on mine.

ksh (also known as the Korn shell) doesn’t exist anywhere, and it was using high CPU on yours.

Did you do any system modifications of *ANY* sort on your Cloud?

I haven’t done any mods. I guess with SSH enabled and the default password in effect I was wide open.

TonyPh12345 wrote:

Further: Another of those binaries does not exist on mine.

ksh (also known as the Korn shell) doesn’t exist anywhere, and it was using high CPU on yours.

Did you do any system modifications of *ANY* sort on your Cloud?

Obviously something nefarious was happening.

I don’t see any of those processes running now. I’ll keep an eye on it.

I was alerted to all of this due to performance issues on my network.

gewilli wrote: I guess with SSH enabled and the default password in effect I was wide open.

Did you have Port-Forwarding allowed from your internet router to the SSH port?

If so, yeah, that’s an accident waiting to happen…

gewilli wrote:

top - 10:59:24 up 7 days, 19:45,  1 user,  load average: 9.62, 9.08, 9.06
Tasks: 100 total,   9 running,  91 sleeping,   0 stopped,   0 zombie
%Cpu(s): 85.0 us, 15.0 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:    230560 total,   181996 used,    48564 free,     2344 buffers
KiB Swap:   500732 total,    62468 used,   438264 free,    88416 cached

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
23587 root      20   0  4936  984  500 R  49.0  0.4   1007:25 ksh
23585 root      20   0  4936  444  240 R  48.4  0.2   1086:27 /usr/sbin/httpd
23589 root      20   0  4936  440  240 R  33.3  0.2 989:32.68 /usr/sbin/httpd
23592 root      20   0  4936  444  240 R  33.3  0.2   1028:06 /usr/sbin/sshd <—<<< This is me.
23583 root      20   0  4936  444  240 R  33.0  0.2   1052:29 /usr/sbin/apach

Also, where you said “sshd <-- This is me” — are you sure?

That sshd process is also using 33% of your CPU, and has consumed over 1000 seconds of CPU time  (not CLOCK time, CPU time.)

Unless you’re beating the hell out of your box via SSH, that’s not you…

Assuming that “33%” CPU load for sshd is an average, that means that SSH process has been running at that load for approximately an hour.

TonyPh12345 wrote:

gewilli wrote:

top - 10:59:24 up 7 days, 19:45,  1 user,  load average: 9.62, 9.08, 9.06
Tasks: 100 total,   9 running,  91 sleeping,   0 stopped,   0 zombie
%Cpu(s): 85.0 us, 15.0 sy,  0.0 ni,  0.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem:    230560 total,   181996 used,    48564 free,     2344 buffers
KiB Swap:   500732 total,    62468 used,   438264 free,    88416 cached

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
23587 root      20   0  4936  984  500 R  49.0  0.4   1007:25 ksh
23585 root      20   0  4936  444  240 R  48.4  0.2   1086:27 /usr/sbin/httpd
23589 root      20   0  4936  440  240 R  33.3  0.2 989:32.68 /usr/sbin/httpd
23592 root      20   0  4936  444  240 R  33.3  0.2   1028:06 /usr/sbin/sshd <—<<< This is me.
23583 root      20   0  4936  444  240 R  33.0  0.2   1052:29 /usr/sbin/apach

Also, where you said “sshd <-- This is me” — are you sure?

That sshd process is also using 33% of your CPU, and has consumed over 1000 seconds of CPU time (not CLOCK time, CPU time.)

Unless you’re beating the hell out of your box via SSH, that’s not you…

Assuming that “33%” CPU load for sshd is an average, that means that SSH process has been running at that load for approximately an hour.

You’re right. Probably not me, although I was SSH’d into the box at the time, obviously. I didn’t think that it was possible to have more than 1 SSH connection. AFAIK there is only one user, “root”. The users command only shows root; the who command shows more:

WDMyCloud:~# users
root
WDMyCloud:~# who
root     pts/0        Mar 17 18:24 (192.168.xxx.xxx)
WDMyCloud:~#

Here is what my box is doing now. It has a safepoint running but that is all.

top - 18:26:05 up  5:13,  1 user,  load average: 8.02, 8.40, 8.23
Tasks: 109 total,   3 running, 106 sleeping,   0 stopped,   0 zombie
%Cpu(s): 52.2 us, 25.8 sy,  0.0 ni,  2.8 id, 16.6 wa,  0.0 hi,  2.7 si,  0.0 st
KiB Mem:    230560 total,   183784 used,    46776 free,      972 buffers
KiB Swap:   500732 total,   104532 used,   396200 free,    54068 cached

  PID USER      PR  NI  VIRT  RES  SHR S  %CPU %MEM    TIME+  COMMAND
31401 root      20   0  3404  472  116 R  44.0  0.2  36:05.92 rsync
31397 root      20   0  3484  624  284 S  42.2  0.3  35:14.60 rsync
20316 root      20   0  7164 5248 1440 D  33.8  2.3   0:01.27 perl
25549 root      20   0 99100  13m  704 S   5.9  5.9  38:13.47 forked-daapd
20322 root      20   0  6540 2080 1624 S   4.7  0.9   0:00.15 sshd
20323 root      20   0  7432 2076 1624 S   4.3  0.9   0:00.14 sshd
24294 root      20   0     0    0    0 D   4.0  0.0   4:00.99 usb-storage
  278 root      20   0     0    0    0 D   1.6  0.0   1:53.26 kswapd0
    4 root      20   0     0    0    0 S   1.2  0.0   0:58.45 ksoftirqd/0
31418 root      20   0     0    0    0 S   1.2  0.0   0:40.73 flush-8:16
20000 root      20   0  2664 1132  772 R   0.9  0.5   0:00.61 top
20326 sshd      20   0  6540 1116  668 S   0.9  0.5   0:00.03 sshd
20327 sshd      20   0  7432 1116  672 S   0.9  0.5   0:00.03 sshd
 3521 root      20   0 30476  684  316 S   0.6  0.3   0:18.89 rsyslogd
 7237 root      20   0  8800  224  132 S   0.6  0.1   0:07.01 wddispatcher
20214 root      20   0  7132 2276 1808 S   0.6  1.0   0:00.18 sshd
 2202 root      20   0     0    0    0 R   0.3  0.0   1:00.32 pfe_ctrl_timer
18328 root      20   0 47188 2764  804 S   0.3  1.2   4:14.36 twonkyserver
20229 sshd      20   0  6540 1044  704 S   0.3  0.5   0:00.04 sshd
21699 root      20   0  5196  328  232 S   0.3  0.1   0:02.56 sshd
    1 root      20   0  1688   96   64 S   0.0  0.0   0:09.19 init
    2 root      20   0     0    0    0 S   0.0  0.0   0:00.00 kthreadd
    3 root      20   0     0    0    0 D   0.0  0.0   0:00.00 cpu1_hotplug_th
    7 root      rt   0     0    0    0 S   0.0  0.0   0:00.00 migration/0

Yeah, it’s still root – root can log in multiple times.

If the same shenanigans start happening again,

who

might show where the other connection originates.

@ gewilli

Your findings look pretty disturbing. I have three questions:

a) Did you have Port-Forwarding allowed from your internet router to the SSH port?

If yes, I suggest temporarily disabling it.

b) Did you use a strong password for SSH access or was it left on welc0me?

In any case, I suggest changing it. Do you know how to do that?

c) Had you changed the SSH configuration file or left it as is from the factory?

If yes, what does it contain now?

Thank you!

Count_Dooku wrote:

@ gewilli

Your findings look pretty disturbing. I have three questions:

a) Did you have Port-Forwarding allowed from your internet router to the SSH port?

If yes, I suggest temporarily disabling it.

b) Did you use a strong password for SSH access or was it left on welc0me?

In any case, I suggest changing it. Do you know how to do that?

c) Had you changed the SSH configuration file or left it as is from the factory?

If yes, what does it contain now?

Thank you!

A: Yes, ports 21 and 22 are open. If these are closed I assume it only affects SSH and FTP remote access?

B: Unfortunately I hadn’t changed the default password. It has now been changed to a strong password.

C: I’ve made no changes to the SSH config file. I wouldn’t know how without some research. As you can probably tell I know about enough to be dangerous. :dizzy_face:

 This means that any MyClouds with SSH enabled and password not changed are vulnerable and are being targeted.

gewilli wrote:

Count_Dooku wrote:

@ gewilli

Your findings look pretty disturbing. I have three questions:

a) Did you have Port-Forwarding allowed from your internet router to the SSH port?

If yes, I suggest temporarily disabling it.

b) Did you use a strong password for SSH access or was it left on welc0me?

In any case, I suggest changing it. Do you know how to do that?

c) Had you changed the SSH configuration file or left it as is from the factory?

If yes, what does it contain now?

Thank you!

B: Unfortunately I hadn’t changed the default password. It has now been changed to a strong password.

C: I’ve made no changes to the SSH config file. I wouldn’t know how without some research. As you can probably tell I know about enough to be dangerous. :dizzy_face:

This means that any MyClouds with SSH enabled and password not changed are vulnerable and are being targeted.

Keeping the default password is the best-known attack mode, used for all kinds of devices. Since lists of such passwords exist, every apprentice of the intruding business tries these first.

The SSH config could be changed in such a way that SSH is only allowed from within your local LAN.

With a truly strong password this should not be necessary.

You can file an abuse report to the ISP asking for the name of the client who had this IP at that time.

If you are lucky, the ISP will handle it; otherwise you have to live with it.

In your situation I would still be scared, because with root access that intruder could have changed whatever he intended in your box, and that code will survive reboots. Think about it!!
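One way to check an sshd_config for the exposures raised in this thread (root reachable from any address, password logins still accepted, nothing limiting SSH to the LAN), as an added example that is not from the thread or from WD’s firmware: it assumes POSIX sh with awk and grep, and the two config files are constructed samples with 192.168.1.0/24 standing in for the home LAN.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the exposures
# discussed above: root allowed to log in from any address, password logins
# (the factory welc0me case) and nothing restricting SSH to the local LAN.
# Assumes POSIX sh with awk and grep; the two config files are constructed samples.

# Print one "FINDING:" line for each problem in the sshd_config given as $1.
audit_sshd_config() {
    # Directives before the first Match block apply globally; comments are skipped.
    global=$(awk '/^[ \t]*#/ { next } /^[ \t]*[Mm]atch[ \t]/ { exit } { print }' "$1")
    root=$(printf '%s\n' "$global" | awk 'tolower($1) == "permitrootlogin" { v = $2 } END { print v }')
    pw=$(printf '%s\n' "$global" | awk 'tolower($1) == "passwordauthentication" { v = $2 } END { print v }')
    [ "$root" = "no" ] || echo "FINDING: global PermitRootLogin is '${root:-unset}': root may log in from any address"
    [ "$pw" = "no" ] || echo "FINDING: global PasswordAuthentication is '${pw:-unset}': password guessing stays possible"
    # A Match Address block or an AllowUsers user@host pattern limits where logins come from.
    # ListenAddress does not count: the router forwards to the LAN address anyway.
    grep -Eiq '^[[:space:]]*(Match[[:space:]]+Address|AllowUsers[[:space:]]+[^[:space:]]*@)' "$1" \
        || echo "FINDING: nothing limits SSH logins to the local network"
}

# Number of findings, usable in scripts and checks.
count_findings() { audit_sshd_config "$1" | grep -c '^FINDING' || true; }

# Constructed samples: a factory-style config, and one that keeps root usable with
# a strong password but only from 192.168.1.0/24 (assumed to be the home LAN).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
Match Address 192.168.1.0/24
    PermitRootLogin yes
    PasswordAuthentication yes
EOF

audit_sshd_config "$WEAK_CONF"   # prints three findings; the hardened file prints none
```

Test a hardened config from the LAN in a second session before closing the one you are in, since a mistake in the Match block locks root out.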

I know and that worries me. Like I said, I will be watching this closely.

"You can file an abuse report to the ISP asking for the name of the client who had this IP at that time.

If you are lucky the ISP does handle it, otherwise you have to live with it."

Unfortunately they don’t have an abuse contact (email). They are in Poland.

Anyone know what this process is? forked-daapd

gewilli wrote:

Anyone know what this process is? forked-daapd

iTunes server.

If I were you, I’d do a factory restore on your system and start from scratch. Just because you closed FTP / SSH ports doesn’t mean the hacker didn’t open something else.

You should also check EVERY other machine on your network – one compromised system can infect ALL of your systems.