Help with unknow user logged in via ssh?

Orrby
Orrby Posts: 5  Freshman Member
First Anniversary
I have a Nas540 and i have a problem with someone logged in via ssh i think, and i dont know if any files are compromised but i have seen about 15-20 torrents added in transmission?

A year ago i had the ransomware in my nas, textfiles in every folder that told me to pay... I moved all my files and did a factory reset.

Now i have done a reset (3 beeps) and after i have set a new admin password and config the network i se already after 10 min i have another user logged in?!
Ssh is disabled, but someone is logged in?!

I´m not a very good computer guy but i tried the ssh with putty and listed the users, what user should be there? I only have the "admin" and created one "Olle" the rest is stock after a reset?

What should i do?


All Replies

  • Mijzelf
    Mijzelf Posts: 2,598  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Do you have portforwards to your NAS? I see two external IP addresses in the 'Current Connections' list (one Swiss, one Danish), in normal conditions that shouldn't be possible.
    BTW, you can list all connections from the command line using
    netstat -tn
    Other shell logged in users can be seen with
    who
    although that is not watertight.

    Your passwd doesn't look alarming to me. As the intruder seems to be logged in as admin, it doesn't matter either. You have a strong password on admin, I hope?

    Can you post the list of running programs, the output of 'ps'? (In PuTTY you can copy text by just selecting it with your mouse. Everything selected is on the clipboard)

  • Dexter
    Dexter Posts: 108  Ally Member
    First Anniversary Friend Collector First Comment
    edited February 2022
    Are you using transmission when check the login status?
    Maybe you can try to stop the task on the transmission and check if there is still other users.
     
  • Orrby
    Orrby Posts: 5  Freshman Member
    First Anniversary
    Thanks for helping, yes i have ports open for transmission, closed it and no other are now connected.

    Must have been years ago i opend those ports, i use it for adding torrents from transdroid in my phone. Any ideas for port or is it my bad password who is the faulty one?
  • Dexter
    Dexter Posts: 108  Ally Member
    First Anniversary Friend Collector First Comment
    Maybe you can try to capture packet when doing transmission and see if there is any ssh packet.

Consumer Product Help Center