Question for WD. MyCloud connecting to Google DNS Server

 My MyCloud has 8 connections to Google DNS server 8.8.8.8:53.

 Here is an example:

192.168.xxx.xxx:56499 xxx.xxx.xxx.xxx:56499 8.8.8.8:53 TCP TW Out 128 223

 Is this normal?

You’ve already asked this question, and you didn’t answer the questions in response.

Is your Cloud configured to use Google DNS? (Either through DHCP or static configuration)

Sorry about that. I thought I had.

The answer is no. I’m using DHCP. The DNS servers I use are specified in the router. They are not Google.

Another PC on my network does use google DNS but that is not the one in the router connections log.

I’m hoping someone from WD will answer. If not I’ll open a ticket.

Currently there are no connections to Google DNS. Seems to only last for an hour or so after bootup.

So, you already did the system restore discussed in your other thread, and this is still happening?

Log in via SSH to the Cloud and type

cat /etc/resolv.conf

What does it say?

On my network, I enforce the use of OpenDNS for all systems on my intranet.

I have a rule set on my firewall to deny all DNS connections to anything other than OpenDNS’s servers.

If the “out-of-the-box” My Cloud is still using Google DNS, then my rule will break whatever it is – and I’ve seen no indications this is happening.
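An added example of the kind of egress rule Tony describes, written for this page and not Tony's actual firewall configuration. It assumes a Linux router running iptables, a LAN-facing interface named eth1 (hypothetical), and the OpenDNS resolvers 208.67.222.222 and 208.67.220.220. The rules are emitted in iptables-restore syntax so they can be read before being loaded, and they deliberately cover TCP as well as UDP port 53, because the My Cloud traffic discussed in this thread is TCP:

```shell
#!/bin/sh
# Added example (not from the thread): pin forwarded DNS traffic to OpenDNS.
# Assumptions: Linux router with iptables; LAN interface eth1 (hypothetical);
# resolvers 208.67.222.222 and 208.67.220.220. Load with:
#   dns_pin_rules | iptables-restore -n
# (-n / --noflush appends to the live filter table instead of replacing it).

LAN_IF="${LAN_IF:-eth1}"
OPENDNS="208.67.222.222 208.67.220.220"

dns_pin_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':DNS_EGRESS - [0:0]'
    # Every forwarded DNS flow from the LAN, UDP *and* TCP, goes to DNS_EGRESS.
    # A UDP-only rule is a common mistake: the connections in this thread
    # were TCP port 53 and would sail straight through it.
    for proto in udp tcp; do
        printf '%s\n' "-A FORWARD -i $LAN_IF -p $proto --dport 53 -j DNS_EGRESS"
    done
    # Allowed resolvers return to FORWARD; everything else is logged and rejected.
    for ip in $OPENDNS; do
        printf '%s\n' "-A DNS_EGRESS -d $ip -j RETURN"
    done
    printf '%s\n' '-A DNS_EGRESS -m limit --limit 5/min -j LOG --log-prefix "DNS-EGRESS-DENY: "'
    # REJECT makes the client's lookup fail immediately, so whatever is doing
    # it errors out and shows up in the log. DROP would instead leave the
    # client hanging in SYN_SENT until its own timeout expires.
    printf '%s\n' '-A DNS_EGRESS -p udp -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' '-A DNS_EGRESS -p tcp -j REJECT --reject-with tcp-reset'
    printf '%s\n' 'COMMIT'
}
```

Only the FORWARD chain is touched, so a resolver running on the router itself (the 192.168.0.1 nameserver that the My Cloud's resolv.conf points at in this thread) keeps working through OUTPUT; the rule only catches LAN hosts that bypass it. Watch the kernel log for the "DNS-EGRESS-DENY:" prefix to see which host and destination port tripped it.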

@Tony,

Just curious. Why do you limit the connections to OpenDNS?

No, system restore not done yet. I’m still curious. Using this time to explore the MyCloud. Do you think there is something suspicious about the Google DNS server connections?

Here are the results of that command.

WDMyCloud:~# cat /etc/resolv.conf
domain phub.net.cable.rogers.com
search phub.net.cable.rogers.com
nameserver 192.168.0.1
WDMyCloud:~#

 I think this is saying that the DNS servers specified in my router are being used. I have OpenDNS servers specified in my Router.

 Would the MyCloud have something built in to use Google DNS servers?

Etupes wrote:

@Tony,

Just curious. Why do you limit the connections to OpenDNS?

Two words: Teenage Boys.

gewilli wrote:

    No, system restore not done yet. I’m still curious. Using this time to explore the MyCloud. Do you think there is something suspicious about the Google DNS server connections?

    Would the MyCloud have something built in to use Google DNS servers?

Suspicious? Absolutely.

Something else using Google DNS? Not that I can tell. I set up the same situation as you – I started a security log on my router, rebooted the cloud, and let it sit that way for six hours.

It never tried to reach Google’s DNS – in fact, it never tried to reach ANY DNS except for the router itself.

So, yes, as I implied in the other thread, I think you’re still hacked.

gewilli wrote:

No, system restore not done yet. I’m still curious. Using this time to explore the MyCloud. Do you think there is something suspicious about the Google DNS server connections?

Here are the results of that command.

WDMyCloud:~# cat /etc/resolv.conf
domain phub.net.cable.rogers.com
search phub.net.cable.rogers.com
nameserver 192.168.0.1
WDMyCloud:~#

I think this is saying that the DNS servers specified in my router are being used. I have OpenDNS servers specified in my Router.

Would the MyCloud have something built in to use Google DNS servers?

Very interesting question :wink:

But keep in mind that your MyCloud has been hacked. So you do not know what software might be running :angry:

I’m going to start with a system only Factory Restore. Then monitor for awhile.

gewilli wrote:

I’m going to start with a system only Factory Restore. Then monitor for awhile.

As far as I have understood, this will not restore your firmware at all. All those actions reset to DHCP and reset the password. Some also wipe all _user_ data (media files on sda4), but imho none of them writes a clean ex-factory copy of the code in the root partition /dev/mdo.

That’s where malicious code would hide with an innocent looking piece of code … :frowning:

I’ve completed a system reset and will monitor this box to see if there is any change.

 I would really like to hear from Wd about this access of Google DNS servers.

 OK. Still have those connections to Google DNS server. Here is what I can say so far. Sorry about the formatting.

 Powered up my PC and checked for connections from my MyCloud. This is what was there.

Local                NAT                   Internet                Protocol  State  Dir  Priority  Time Out
192.168.x.xxx:80     xxx.xxx.xx.xx:80      198.107.148.113:48087   TCP       LA     In   128       179   <–<<< WD
192.168.x.xxx:33549  xxx.xxx.xx.xx:33549   198.107.148.110:443     TCP       TW     Out  128       163   <–<<< WD
192.168.x.xxx:80     xxx.xxx.xx.xx:80      xxx.xxx.xx.xx:49487     TCP       LA     In   128       79
192.168.x.xxx:443    xxx.xxx.xx.xx:443     *.*.*.*:*               TCP       NO     -    128       -
192.168.x.xxx:80     xxx.xxx.xx.xx:80      *.*.*.*:*               TCP       NO     -    128       -

The WD connections time out eventually.

Starting the NTP service results in the connections below. I left it off overnight, checked earlier, and there were no connections to Google DNS servers (see above). You can see here that the MyCloud connects to several NTP servers (logical). It also uses the DNS servers that are in my router (logical) and the Google DNS servers (not logical). It tries the Google server every 30 seconds continuously.
Notice that these are TCP connections, not UDP.
Turning off the NTP service does not stop this activity. However, logging off the web interface does.
Interestingly, logging on to the web interface doesn’t trigger this action, but turning NTP back on triggers it, and logging off the web interface stops it even if I leave NTP on.

Apparently this is related to apache (just a wild-assed guess).

Local                NAT                   Internet                Protocol  State  Dir  Priority  Time Out
192.168.x.xxx:123    xxx.xxx.xx.xx:123     96.44.142.5:123         UDP       -      Out  128       300   <—<< NTP server
192.168.x.xxx:123    xxx.xxx.xx.xx:123     71.19.144.130:123       UDP       -      Out  128       300   <—<< NTP server
192.168.x.xxx:123    xxx.xxx.xx.xx:123     4.53.160.75:123         UDP       -      Out  128       300   <—<< NTP server
192.168.x.xxx:123    xxx.xxx.xx.xx:123     69.167.160.102:123      UDP       -      Out  128       300   <—<< NTP server
192.168.x.xxx:123    xxx.xxx.xx.xx:123     65.55.56.206:123        UDP       -      Out  128       299   <—<< NTP server
192.168.x.xxx:34899  xxx.xxx.xx.xx:34899   208.67.222.222:53       UDP       -      Out  128       25    <—<< OpenDNS
192.168.x.xxx:33816  xxx.xxx.xx.xx:33816   208.67.222.222:53       UDP       -      Out  128       25    <—<< OpenDNS
192.168.x.xxx:34712  xxx.xxx.xx.xx:34712   8.8.8.8:53              TCP       TW     Out  128       221   <—<< Google
192.168.x.xxx:34711  xxx.xxx.xx.xx:34711   8.8.8.8:53              TCP       TW     Out  128       214   <—<< Google

Block Google DNS on your router.

Watch the active connections list on the My Cloud

(netstat -a | grep tcp | grep google)

Blocking the connection will cause whatever process is accessing it to hang temporarily.

You can find the process ID by looking for the connection (and source port number) using the command

lsof -i TCP:xxxxx

where xxxxx is the SOURCE port number.

That will tell you exactly what process is trying to contact Google DNS.

1 Like

My MyCloud shows the following tcp connections:

netstat -tpnv
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.15.13:9000      192.168.15.13:58938     TIME_WAIT   -              
tcp        0      0 192.168.15.13:9000      192.168.15.13:58937     TIME_WAIT   -              
tcp        0      0 192.168.15.13:41007     8.8.8.8:53              TIME_WAIT   -              
tcp        0      0 192.168.15.13:41004     8.8.8.8:53              TIME_WAIT   -              
tcp        0      0 127.0.0.1:9000          127.0.0.1:56407         TIME_WAIT   -              
tcp        0      0 192.168.15.13:9000      192.168.15.13:58939     TIME_WAIT   -              
tcp        0      0 192.168.15.13:58936     192.168.15.13:9000      TIME_WAIT   -              
tcp        0      0 192.168.15.13:22        192.168.15.10:57975     ESTABLISHED 11569/0        
tcp6       0      0 192.168.15.13:80        192.168.15.10:55383     ESTABLISHED 12062/apache2  
tcp6       0      0 192.168.15.13:80        192.168.15.10:55376     ESTABLISHED 12566/apache2  

So there are indeed two connections to the Google nameserver in status TIME_WAIT.

It looks pretty difficult to find out what part of the code did it.

But in any case it is really bad practice to hard-code connections to a specific name server!

1 Like
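Tony's procedure above (block 8.8.8.8 at the router, watch the connection list, then use the source port to find the owning process) and the netstat output just posted, where every 8.8.8.8:53 entry is in TIME_WAIT and has no PID, point at the same practical problem: by the time the socket is in TIME_WAIT the file descriptor is already closed, so lsof and netstat -p have nothing to attribute it to. The script below is an added example, not code from the thread or from WD, that reads a /proc/net/tcp-style table, filters it to one peer, and maps each live socket's inode to a process by scanning /proc/*/fd. It assumes a standard Linux procfs layout; the table path and proc root are parameters so it can also be run against a saved copy.

```shell
#!/bin/sh
# Added example (not from the thread): attribute TCP connections to a given
# peer to the process that owns them, straight from procfs.
# Assumptions: Linux procfs layout (/proc/net/tcp, /proc/PID/fd, /proc/PID/comm).

# /proc/net/tcp stores IPv4 addresses as 8 hex digits in little-endian byte
# order: 08080808 is 8.8.8.8 and 0100A8C0 is 192.168.0.1.
hex2ip() {
    h=$1
    b4=$(printf '%d' "0x$(printf '%s' "$h" | cut -c1-2)")
    b3=$(printf '%d' "0x$(printf '%s' "$h" | cut -c3-4)")
    b2=$(printf '%d' "0x$(printf '%s' "$h" | cut -c5-6)")
    b1=$(printf '%d' "0x$(printf '%s' "$h" | cut -c7-8)")
    printf '%d.%d.%d.%d' "$b1" "$b2" "$b3" "$b4"
}

# Socket state codes as used by the kernel (include/net/tcp_states.h).
tcp_state() {
    case $1 in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;  03) echo SYN_RECV ;;
        04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;; 06) echo TIME_WAIT ;;
        07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
        0A) echo LISTEN ;;      0B) echo CLOSING ;;   *) echo "UNKNOWN($1)" ;;
    esac
}

# Map a socket inode to "pid/comm" by scanning every process's fd table.
# Prints "-" when nothing owns the socket. That is always the case for
# TIME_WAIT entries: the kernel keeps the 4-tuple, but the fd is gone and the
# table records inode 0, which is why netstat -p and lsof show nothing for them.
inode_to_proc() {
    inode=$1 proc=$2
    for fd in "$proc"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        if [ "$(readlink "$fd")" = "socket:[$inode]" ]; then
            pid=${fd#"$proc"/}; pid=${pid%%/*}
            printf '%s/%s' "$pid" "$(cat "$proc/$pid/comm" 2>/dev/null || echo '?')"
            return
        fi
    done
    printf '%s' -
}

# find_peer_conns TABLE PEER_IP PEER_PORT [PROC_ROOT]
# One line per matching socket: STATE LOCAL REMOTE OWNER
find_peer_conns() {
    table=$1 ip=$2 port=$3 proc=${4:-/proc}
    # Build the little-endian hex form the table uses, e.g. 08080808:0035.
    want=$(printf '%s' "$ip" | awk -F. '{printf "%02X%02X%02X%02X", $4, $3, $2, $1}')
    want="$want:$(printf '%04X' "$port")"
    # Columns: sl local_address rem_address st ... inode (field 10).
    awk -v want="$want" 'NR > 1 && $3 == want { print $2, $3, $4, $10 }' "$table" |
    while read -r laddr raddr st inode; do
        printf '%s %s:%d %s:%d %s\n' \
            "$(tcp_state "$st")" \
            "$(hex2ip "${laddr%:*}")" "0x${laddr#*:}" \
            "$(hex2ip "${raddr%:*}")" "0x${raddr#*:}" \
            "$(inode_to_proc "$inode" "$proc")"
    done
}

# Usage on the box itself, polled while NTP is toggled to reproduce the traffic:
#   while :; do find_peer_conns /proc/net/tcp 8.8.8.8 53; sleep 1; done
```

The attribution only succeeds while the socket is in SYN_SENT or ESTABLISHED, i.e. while a process still holds it. Against a live resolver the connection is opened and closed too quickly to catch reliably, which is exactly why Tony's suggestion to block 8.8.8.8 at the router helps: with the SYN silently dropped the connect() stalls in SYN_SENT, the inode stays attached to the process, and the loop above names it.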

Ok, since gewilli figured out that NTP triggers this, I was able to reproduce it, too.

I was able to get a couple of quick packet captures and found that it is making an EMPTY connection to Google DNS, and then closing the connection.

No payload at all.

Unfortunately, just as I was tracking down the process ID that is doing this, my power has gone down.  (Posting this before my APC batteries drain.  :)

I’ll look more later.

1 Like

Thanks tony and Count.

 So it looks like this isn’t the result of a hack. Just bad coding somewhere.

My power just came back after being out for 2.5 hours.

Just noticed this: It didn’t last long. Just happened to be looking at connections.

xxx.xxx.xxx.xxx:80    xxx.xxx.xxx.xxx:80    80.82.78.100:7671    TCP    EST    In    128    7665

You’ll see those every now and then.

That’s just a connection to the Apache server (Cloud connection.)

All they’ll see is “Sorry, you don’t have permission to access …”

OK thanks. Just wondering why someone was trying to connect from Holland. They would have to use my routers IP address wouldn’t they? BTW it’s still there in my router log (until it times out) but there is nothing showing on the MyCloud.