Potential Malware Infection
Posted: 28 Dec 2021, 07:46
I believe my Terra Master NAS has been hacked. After setting up rules on my new firewall to exclude traffic to/from China, Russia, and North Korea, I noticed almost 12,000 blocked packets per day coming from my NAS to auto.skypool.com:6666 (China). This appears to be a cryptomining site and possibly associated with the DarkConnections trojan.
I also noted several sites being contacted by the NAS that specifically request current external IP address, like icanhazip.com, myexternalip.com, api.ipify.org and several others. This would be typical behaviour for a bot attempting to report back to a botnet.
I am blocking all these site on my firewall as I see them, but that doesn't resolve the issue that I may have a compromised NAS. Apart from running Clam AV (scanning now, but I'm not going to hold my breath), I would appreciate some guidance on eliminating unrecognized programs from the system startup. I am a sysadmin with network security experience so you shouldn't have to dumb it down for me much.
My Linux is a little rusty but I'm still familiar with it as well, though I do not know how to drop into the CLI on my NAS.
-Dave
I also noted several sites being contacted by the NAS that specifically request current external IP address, like icanhazip.com, myexternalip.com, api.ipify.org and several others. This would be typical behaviour for a bot attempting to report back to a botnet.
I am blocking all these site on my firewall as I see them, but that doesn't resolve the issue that I may have a compromised NAS. Apart from running Clam AV (scanning now, but I'm not going to hold my breath), I would appreciate some guidance on eliminating unrecognized programs from the system startup. I am a sysadmin with network security experience so you shouldn't have to dumb it down for me much.
-Dave