Page 1 of 1

CommandInjection.Gen.3 and CommandInjection.Gen.112 exploit attacks today

Posted: 12 Aug 2021, 05:43
by titanrx8
I have 2 x f2-221 on my network. Neither has been enabled for access outside of the LAN. The second server is used only for an rsync destination of the first server. It has no apps installed beyond the TOS basics that were loaded along with the installation of 4.2.14

This afternoon, my router firewall detected several attempts to use an exploit attack (CommandInjection.Gen.3 and
CommandInjection.Gen.112) on the rsync server. The firewall rejected the attempts and there are no TOS log entries showing that would indicate that any attempts had succeeded.

I have 2 questions:

1. How would the IP address of my TOS server be known anywhere while it has never accessed the internet except for the initial installation of TOS?

2. What firewall settings should be set in TOS to prevent any external access in the event that something got past the router firewall?

Thank you.

Re: CommandInjection.Gen.3 and CommandInjection.Gen.112 exploit attacks today

Posted: 12 Aug 2021, 12:15
by TMSupport
1. You can use TNAS PC to search IP address, and then access.
2. You can create a firewall rule that rejects some unused ports.

Re: CommandInjection.Gen.3 and CommandInjection.Gen.112 exploit attacks today

Posted: 13 Aug 2021, 03:13
by deejc
Upnp enabled and mapping ports ?

Re: CommandInjection.Gen.3 and CommandInjection.Gen.112 exploit attacks today

Posted: 13 Aug 2021, 04:58
by titanrx8
deejc wrote: 13 Aug 2021, 03:13 Upnp enabled and mapping ports ?
Upnp was enabled but it was also enabled on my other TOS system on the same subnet which was not targeted.They're disabled now (upnp really wasn't working anyway. Anything that needs to get to the servers over the lan has the access required already).

I suspect that the remote ssh app that I used on my tablet might have leaked the ip. It was the only app that had the TOS server address.

It's just a bit worrisome because the same day that the exploits were happening the Qnap and Synology hacks were in the news.