Found someone logged into your system via SSH connection

Topics related to system security only
Post Reply
User avatar
dkaratasos
Posts: 10
Joined: 04 Aug 2023, 20:15
Greece

Found someone logged into your system via SSH connection

Post by dkaratasos »

Hello,
I am receiving since yesterday these kind of emails (4 so far).
Found someone logged into your system via SSH connection. Login time: 2024-12-24 08:53:40 , IP: 127.0.0.1 --help

Once I first saw it I changed my password from 12 length to 18 length and not saved it in any electronic form. I was skeptical initially since it could be my personal computer in which I'm doing SCP (password I type each time and I didn't have it saved. I had previously only saved password in TOS on chrome). Anyhow, since I saw the emails, I deactivated SSH, changed the password to 18 length and even rebooted the TNAS to force out anyone that might be there (eventhough the system log didn't show any login activity).

However, today again I received above email that someone logged in via SSH. I know for sure that at this time I didn't do any SFTP/SCP or checked my files. Only my daughter was watching on PLEX some movies. I tried SSH from my mobile and I could successfuly do it. I logged in TOS and deactivated SFTP also which forcefully disconnected my mobile. But like this I can no longer reach my files via SFTP and this was something I needed.

So, my questions....
- Was this a real security threat? Even after changing the pasword to something super strong (small letters,capitals,numbers,special characters - 18 long) and not even saving it but only have it in my mind.... did someone so fast managed to enter my TOS?
- IP is localhost(127.0.0.1), so what does this mean? that someone is from TNAS internal was doing SSH to TNAS? Or could it be an application-virus that does this? But how can an application successfully do SSH with an unknown/new password?
- My personal PC was even turned off during time of latest event, so it isn't possible that someone did something using my PC as hop to my NAS
- Or, is it a bug of the system and these are faulty alerts? Sytem log only shows my connections and actions. Nothing I don't recognize.

Please tell me what I can do to secure myself and also keep SFTP possibility.
I have suffered a lot from hackers last year and I don't want history to repeat itself.
User avatar
Gremlin
Gold Member
Posts: 1627
Joined: 02 Dec 2022, 22:31
Great Britain

Re: Found someone logged into your system via SSH connection

Post by Gremlin »

ip: 127.0.0.1
That's 'localhost'. i.e. the NAS itself.

Next time you can check in control panel the identity of 'who' is actually logged in (might be a system app user name like 'plex' I expect but I don't use Plex).
Control Panel > System Info > On line Users (for Tos6)
F5-221 TOS7.0.0777 - 4x4TB (Ironwolf) Traid
F2-424 TOS7.0.0777 - 2x500GB nvme (P3) Traid, 2x6TB HDD (HGST) Traid
F2-221 TOS7.0.0777 - 1x3TB Ext4, 1x4TB Btrfs
F2-425+ TOS7.0.0777 - 2x500GB nvme (P3) Traid, 2x6TB HDD (EXOS) Traid
User avatar
dkaratasos
Posts: 10
Joined: 04 Aug 2023, 20:15
Greece

Re: Found someone logged into your system via SSH connection

Post by dkaratasos »

I am using plex for a year now. I never had these notifications before. On on-line users I was checking.. it only showed me and I was checking on system log that it was showing only me and my actions. If something bad is inside, maybe hides itself?
Or again is a falty alarm...?
I just got another one of these emails. Timestamp is a hour before I deactivated SFTP. Let's see if I get something after SFTP deactivation
User avatar
RyanYang
TM Support
Posts: 1141
Joined: 01 Dec 2020, 11:50
China

Re: Found someone logged into your system via SSH connection

Post by RyanYang »

May I ask what version of TOS you are using? We have previously encountered situations where using SFTP triggered SSH notifications, and we can verify this.
To contact our team, please send email to following addresses, remember to replace (at) with @
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement)
User avatar
dkaratasos
Posts: 10
Joined: 04 Aug 2023, 20:15
Greece

Re: Found someone logged into your system via SSH connection

Post by dkaratasos »

Model TOS version
F2-223 5.1.67-00214

Is what I have.
However the 2 todays notifications have been triggered without me doing sftp. Well this is true for the first one at least, for the second im not very sure as I tried sftp to see if it is working after I received the email. The time stamp of the second though is before I did this test.

Something I remembered now is that I did reboot of the tnas the night before yesterday. Before that reboot I never got such notification and I was doing sftp every days multiple times. Even sometimes ssh from mobile or pc but I never got these emails.
Yesterday morning I had to restart because transmission stopped working. So after several months I did a reboot. Since yesterday I received 5 such emails.. Like something from inside is trying ssh.

Can it possiblly be from my user trying to ssh to my admin account? I say from my user because she doesn't even know what ssh is and zero bash /Linux experience. But can it be that someone logged on her account? I have deactivated all other users. Is it possible that I can check somehow this? Ie if it is some bug or someone from outside is trying to hack me?
User avatar
Gremlin
Gold Member
Posts: 1627
Joined: 02 Dec 2022, 22:31
Great Britain

Re: Found someone logged into your system via SSH connection

Post by Gremlin »

When you upgraded to Tos 5.1 did you upgrade the os partition to 8GB at same time? If you did, you seem to be well behind on the updates for your model. (Just a thought.)
F5-221 TOS7.0.0777 - 4x4TB (Ironwolf) Traid
F2-424 TOS7.0.0777 - 2x500GB nvme (P3) Traid, 2x6TB HDD (HGST) Traid
F2-221 TOS7.0.0777 - 1x3TB Ext4, 1x4TB Btrfs
F2-425+ TOS7.0.0777 - 2x500GB nvme (P3) Traid, 2x6TB HDD (EXOS) Traid
User avatar
dkaratasos
Posts: 10
Joined: 04 Aug 2023, 20:15
Greece

Re: Found someone logged into your system via SSH connection

Post by dkaratasos »

my system doesn't give me any new update. I had updated once in the past and just followed the prompts on what was proposed then. I think it was a year ago?
Image
If someone has hacked my other user... wouldn't I see the login attempt etc on system log? I know she hasn't logged in for months and I indeed don't see any login attempts on system log. So, I exclude this possibility or go ahead to change that user's password?
User avatar
dkaratasos
Posts: 10
Joined: 04 Aug 2023, 20:15
Greece

Re: Found someone logged into your system via SSH connection

Post by dkaratasos »

I forcefully changed my users password. I will try to enable SFTP again to see if i'll get another notification.
Is there some log that I check check for the reasons behind this notification? eg which process tried to do the ssh etc?
User avatar
dkaratasos
Posts: 10
Joined: 04 Aug 2023, 20:15
Greece

Re: Found someone logged into your system via SSH connection

Post by dkaratasos »

I sshed to check messages and users logs.
At the mentioned times of the email I can only see (besides transmission daemon) only some falied DDNS attempts
Image

Image
these failed DDNS are throught the logs anyway though, before and after the notifications.. not only at that points of time. They come every few minutes so not sure if they are related.
Besides these, though nothing else is logged in the system.
A puzzle
User avatar
dkaratasos
Posts: 10
Joined: 04 Aug 2023, 20:15
Greece

Re: Found someone logged into your system via SSH connection

Post by dkaratasos »

TMRyan wrote: 24 Dec 2024, 22:36
@TMRyan how can we verify it please?
Post Reply

Return to “Security”