How to check linux integrity
Options
bezbota
Posts: 7 
Freshman Member
Freshman Member
My NAS326 was hacked. I did a factory settings and then one more again. Is it enough? Is possible that something left in linux file system? How can I know that nothing harmful is still running as a process?
I used factory settings and I haven't downloaded any extra applications. I have just changed user settings a bit and changed folder sharing (I mean sharing via SMB protocol vith local computers only).
#NAS_Oct_2019
I used factory settings and I haven't downloaded any extra applications. I have just changed user settings a bit and changed folder sharing (I mean sharing via SMB protocol vith local computers only).
#NAS_Oct_2019
0
Accepted Solution
-
Hm. That's not clear to me.To get back to your original question, if a sufficiently skilled person hacked your NAS, then in theory there is no way to remove the infection, as you depend on the firmware to update/overwrite it, and the firmware cannot be trusted.In practice it's not that hard. Most hackers are script kiddies, which are searching for some general vulnerabilities, and maybe find a 326, which gets some easy script to do some work for the hacker. But it's not deeply embedded in the firmware. So in most cases a factory reset is enough to remove the scripts.My actions would be:Remove all packages, if any.Enable the ssh server, login over ssh, and execute
<div>cd /i-data/sysvol/.system/zy-pkgs/</div><div><br></div><div>pwd<br></div><div></div>
The output of pwd should read '/i-data/sysvol/.system/zy-pkgs'. If so, execute<div>rm -rf *<br></div><div></div>
Remove the disk(s)Perform a factory reset.Downgrade the firmware and upgrade again.Start the ssh server on the NAS.Login over ssh and execute 'ps', to see a list of running processes. Store that list somewhere.Put back the disks, and run ps again. Compare it to the old list. Find out what the unique processes in the second list are. If they are a normal part of the firmware, you're done.Rationale:The easiest way for a script to get started on boot is to hide in an installable package, so these have to be removed all.The directory /i-data/sysvol/.system/zy-pkgs/ contains a package cache, plus possibly a list of scripts which have to be started on boot, so that directory has to be cleared up.By down- and upgrading without harddisk inserted, there is nowhere the hostile script can hide. So I assume the box to be clear after that. By comparing the list of running processes without a with disks, the hostile script should show up, if it somehow survived on the disk.
0
Guru Member
All Replies
-
Why do you think your nas was hacked?
0 -
It seems that all firmware directories are deleted first and then new firmware is uploaded there from backup location. Integrity check of backup location is done before starting reset to factory settings. So any malicious changes should disapper.0
-
Hm. That's not clear to me.To get back to your original question, if a sufficiently skilled person hacked your NAS, then in theory there is no way to remove the infection, as you depend on the firmware to update/overwrite it, and the firmware cannot be trusted.In practice it's not that hard. Most hackers are script kiddies, which are searching for some general vulnerabilities, and maybe find a 326, which gets some easy script to do some work for the hacker. But it's not deeply embedded in the firmware. So in most cases a factory reset is enough to remove the scripts.My actions would be:Remove all packages, if any.Enable the ssh server, login over ssh, and execute
<div>cd /i-data/sysvol/.system/zy-pkgs/</div><div><br></div><div>pwd<br></div><div></div>
The output of pwd should read '/i-data/sysvol/.system/zy-pkgs'. If so, execute<div>rm -rf *<br></div><div></div>
Remove the disk(s)Perform a factory reset.Downgrade the firmware and upgrade again.Start the ssh server on the NAS.Login over ssh and execute 'ps', to see a list of running processes. Store that list somewhere.Put back the disks, and run ps again. Compare it to the old list. Find out what the unique processes in the second list are. If they are a normal part of the firmware, you're done.Rationale:The easiest way for a script to get started on boot is to hide in an installable package, so these have to be removed all.The directory /i-data/sysvol/.system/zy-pkgs/ contains a package cache, plus possibly a list of scripts which have to be started on boot, so that directory has to be cleared up.By down- and upgrading without harddisk inserted, there is nowhere the hostile script can hide. So I assume the box to be clear after that. By comparing the list of running processes without a with disks, the hostile script should show up, if it somehow survived on the disk.
0
Categories
- All Categories
- 393 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 78 Nebula Status and Incidents
- 5.1K Security
- 51 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 70 Switch Ideas
- 906 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 332 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 880 Nebula FAQ
- 415 Security FAQ
- 221 Switch FAQ
- 195 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 63 Security Highlight
