Am I being hacked!?

drwoodcomb

Explorer
Joined
Sep 15, 2016
Messages
74
I just got this email from my TrueNAS box:

New alerts:
* 307 SSH login failures:
May 15 16:59:39 freenas 1 2022-05-15T16:59:39.117972-04:00 freenas.local sshd 61588 - - Invalid user from 192.168.1.153 port 50624
May 15 16:59:39 freenas 1 2022-05-15T16:59:39.120437-04:00 freenas.local sshd 61588 - - Failed none for invalid user from 192.168.1.153 port 50624 ssh2
... 303 more ...
May 15 16:59:47 freenas 1 2022-05-15T16:59:47.055353-04:00 freenas.local sshd 61824 - - Failed password for invalid user Snowden from 192.168.1.153 port 50845 ssh2
May 15 16:59:47 freenas 1 2022-05-15T16:59:47.059126-04:00 freenas.local sshd 61824 - - Disconnected from invalid user Snowden 192.168.1.153 port 50845 [preauth]

I am worried someone is in my network. I don't know who the Snowden user is.
 

drwoodcomb

Explorer
Joined
Sep 15, 2016
Messages
74
Never mind. I think Avast Network Scan was doing this. Wow, this scared the crap out of me...
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I think Avast Network Scan was doing this.
Well, the "Snowden" username is a bit of an eye-raiser, but I guess there's all kinds of things it could mean. The first thing you should determine, though, is what device owned the IP address of 192.168.1.153, because that's where the login attempts came from.

It does look like Avast tries to log in to local resources, including by SSH:
Sounds like malware to me, but...
 

dbrannon79

Dabbler
Joined
Oct 21, 2022
Messages
32
Hello all, I was looking around for help with some disturbing alerts I received from both of my NAS servers multiple times throughout last night. Wondering if a PC on my network has been compromised.

I received this and many, many more like it from both machines running TrueNAS Core.

New alert:
* 3644 SSH login failures in the last 24 hours:
... first 3640 messages skipped ...
14 Dec 01:47:07: Failed password for invalid user Admin from 192.168.1.24 port 65158 ssh2
14 Dec 01:47:07: Failed password for invalid user user from 192.168.1.24 port 65165 ssh2
14 Dec 01:47:07: Failed password for invalid user user from 192.168.1.24 port 65170 ssh2
14 Dec 01:47:07: Failed password for invalid user admin from 192.168.1.24 port 65175 ssh2

Current alerts:
* 3864 SSH login failures in the last 24 hours:
... first 3860 messages skipped ...
14 Dec 01:51:31: Failed password for invalid user admin from 192.168.1.24 port 53353 ssh2
14 Dec 01:51:31: Failed password for invalid user f~i!b@e#r$h%o^m*esuperadmin from 192.168.1.24 port 53354 ssh2
14 Dec 01:51:32: Failed password for invalid user installer from 192.168.1.24 port 53356 ssh2
14 Dec 01:51:32: Failed password for invalid user admin123 from 192.168.1.24 port 53357 ssh2

The PC "192.168.1.24" is my son's PC running Windows 10 and has Avast installed. As a matter of fact, all of our PCs are using Avast, but I am only seeing this coming from one PC. I don't know where to look to verify whether Avast is causing this or it has been hacked somehow. I have run multiple scans on the PC in question and have found nothing so far.
 

somethingweird

Contributor
Joined
Jan 27, 2022
Messages
183
Best bet is to redo the PC - reinstall a clean OS and reinstall clean applications. Some of these compromised PCs can bypass security software once they get in.
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
Apparently this behaviour is "by design" of Avast and AVG, specifically the "Network Inspector" component.


Under "What issues and vulnerabilities does Network Inspector detect?" it mentions "Weak or default password" which leads to this supplemental article:


Where they discuss, in a roundabout way, that this service will scan devices on your local network and attempt to use a dictionary list of known weak or default passwords to sign into them, over HTTP/S, FTP, Telnet, and SSH.

The "Network Inspector" component can (and IMO, should) be disabled or removed from these AV products.
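A triage script for alerts like the ones quoted in this thread, added here as an example (it is not TrueNAS or Avast code). It parses the sshd message bodies from both alert formats shown above, groups attempts by source address, counts distinct usernames, flags whether the source is an RFC 1918 address (the "which device owns that IP" question), and separates a dictionary sweep of default names, which is what the thread attributes to Network Inspector, from a mistyped login and from the case that actually matters: failures followed by a successful login from the same address. The sample lines are the ones quoted in the thread plus two constructed lines from 203.0.113.7; the DEFAULT_NAMES set and the five-name threshold are assumptions, not anything Avast documents.

```python
"""Triage the sshd failures quoted in a TrueNAS alert e-mail.

Added example for this thread, not TrueNAS or Avast code: group attempts by
source, count distinct usernames, and classify the pattern per source.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# sshd message bodies.  The syslog prefix differs between the two alert formats
# in the thread, so match on the body only.  The username group is lazy so that
# "Failed none for invalid user from <ip>" (empty name) still parses.
FAILED_RE = re.compile(
    r"Failed (?P<method>\w+) for (?:invalid user)?\s*(?P<user>\S*?)\s+from "
    r"(?P<ip>\S+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port"
)
# Timestamp shapes seen in the alerts: RFC 5424 ISO time, and "14 Dec 01:47:07".
TS_PATTERNS = [
    (re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"), "%Y-%m-%dT%H:%M:%S"),
    (re.compile(r"\b(\d{1,2} [A-Z][a-z]{2} \d{2}:\d{2}:\d{2})"), "%d %b %H:%M:%S"),
]
# Assumed list of names default-credential scanners try, and an assumed
# threshold: several distinct names from one address is a sweep, not a typo.
DEFAULT_NAMES = {"admin", "administrator", "root", "user", "guest",
                 "installer", "support", "test", "pi", "ubnt"}
SWEEP_MIN_USERS = 5
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_time(line):
    """Best-effort timestamp extraction; None if neither shape is present."""
    for rx, fmt in TS_PATTERNS:
        m = rx.search(line)
        if m:
            return datetime.strptime(m.group(1), fmt)
    return None


def triage(lines):
    """Return {source_ip: summary} for every address that attempted a login."""
    per_ip = defaultdict(lambda: {"failed": 0, "users": set(),
                                  "accepted": [], "times": []})
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            rec = per_ip[m["ip"]]
            rec["failed"] += 1
            rec["users"].add(m["user"] or "<empty>")
        else:
            m = ACCEPTED_RE.search(line)
            if not m:
                continue  # "Invalid user", "Disconnected" etc. are not attempts
            rec = per_ip[m["ip"]]
            rec["accepted"].append(m["user"])
        t = parse_time(line)
        if t:
            rec["times"].append(t)

    report = {}
    for ip, rec in per_ip.items():
        users = rec["users"]
        tried_defaults = {u.lower() for u in users} & DEFAULT_NAMES
        span = 0.0
        if len(rec["times"]) > 1:
            span = (max(rec["times"]) - min(rec["times"])).total_seconds()
        if rec["accepted"] and rec["failed"]:
            verdict = "CRITICAL: failures followed by a successful login; treat as compromise"
        elif rec["accepted"]:
            verdict = "successful login without failures"
        elif len(users) >= SWEEP_MIN_USERS or len(tried_defaults) >= 3:
            verdict = "dictionary sweep: identify the device at this address"
        else:
            verdict = "few attempts, few names: likely a typo or stale client"
        addr = ip_address(ip)
        report[ip] = {
            "failed": rec["failed"],
            "distinct_users": len(users),
            "default_names_tried": sorted(tried_defaults),
            "accepted_users": rec["accepted"],
            "seconds_spanned": span,
            "rfc1918_source": any(addr in n for n in RFC1918),
            "verdict": verdict,
        }
    return report


# Constructed sample: lines quoted in this thread plus two constructed lines
# from 203.0.113.7 to exercise the success-after-failures case.
SAMPLE = """\
May 15 16:59:39 freenas 1 2022-05-15T16:59:39.117972-04:00 freenas.local sshd 61588 - - Invalid user from 192.168.1.153 port 50624
May 15 16:59:39 freenas 1 2022-05-15T16:59:39.120437-04:00 freenas.local sshd 61588 - - Failed none for invalid user from 192.168.1.153 port 50624 ssh2
May 15 16:59:47 freenas 1 2022-05-15T16:59:47.055353-04:00 freenas.local sshd 61824 - - Failed password for invalid user Snowden from 192.168.1.153 port 50845 ssh2
May 15 16:59:47 freenas 1 2022-05-15T16:59:47.059126-04:00 freenas.local sshd 61824 - - Disconnected from invalid user Snowden 192.168.1.153 port 50845 [preauth]
14 Dec 01:47:07: Failed password for invalid user Admin from 192.168.1.24 port 65158 ssh2
14 Dec 01:47:07: Failed password for invalid user user from 192.168.1.24 port 65165 ssh2
14 Dec 01:51:31: Failed password for invalid user admin from 192.168.1.24 port 53353 ssh2
14 Dec 01:51:31: Failed password for invalid user f~i!b@e#r$h%o^m*esuperadmin from 192.168.1.24 port 53354 ssh2
14 Dec 01:51:32: Failed password for invalid user installer from 192.168.1.24 port 53356 ssh2
14 Dec 01:51:32: Failed password for invalid user admin123 from 192.168.1.24 port 53357 ssh2
14 Dec 01:52:00: Failed password for root from 203.0.113.7 port 41002 ssh2
14 Dec 01:52:03: Accepted password for root from 203.0.113.7 port 41004 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, s in triage(SAMPLE).items():
        print(ip, s["verdict"],
              f'({s["failed"]} failures, {s["distinct_users"]} names, {s["seconds_spanned"]:.0f}s)')
```

Paste the body of a TrueNAS alert mail into a file and feed its lines to triage(). A LAN source hammering many default names in a few minutes is the Network Inspector pattern discussed in this thread, and the next step is to find the machine behind that address (DHCP leases or the ARP table) rather than to assume the NAS is at fault; any address that shows an Accepted line after its failures is the one to act on first.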
 

dbrannon79

Dabbler
Joined
Oct 21, 2022
Messages
32
I went into my son's PC and disabled the Network Inspector and what Avast calls the Wi-Fi analyzer as well. So far I haven't seen any more of these messages. What is odd to me is that this happened to him before, about a year ago, when my server started getting these messages along with someone hacking into his Gmail, Steam, and Facebook accounts. We were able to recover everything, but FB killed his FB account during that escapade. I never figured out what caused the issue then either.
 

dbrannon79

Dabbler
Joined
Oct 21, 2022
Messages
32
It would be nice if Avast or AVG would warn you about what it's about to do, so you can be prepared and not have an "Oh st%&" moment when you get these messages and are away from the network!!
 

dbrannon79

Dabbler
Joined
Oct 21, 2022
Messages
32
On top of that, if it had gained SSH access to the TrueNAS server file system, I assume it would begin scanning for threats. That could possibly wreak havoc on a Linux system, causing fatal errors for it.
 