Is this the place to report a break-in to FreeNAS?

Status: Not open for further replies.

Graham (Joined Aug 3, 2013; Messages: 4)
I am new to the FreeNAS forum, which I have joined to share my story of a break-in to my main and backup FreeNAS servers which seems to have existed for some time and took quite some tracking down. I can find no threads or forum sections on Security as such, and so the question of where to post the details so that others can be forewarned and vigilant.

Thanks Graham

cyberjock (Inactive Account; Joined Mar 25, 2012; Messages: 19,525)
You can report a break-in here. I'm not sure how they got in since you provided no information at all. But FreeNAS is based on FreeBSD, so there's a chance it's not a limitation of FreeNAS but of FreeBSD.

So how about you discuss the information you have on how your system was compromised....

jgreco (Resident Grinch; Joined May 29, 2011; Messages: 18,680)
And also an explanation of how and why it was exposed to the Internet (or whatever other threat vector was used).

Graham (Joined Aug 3, 2013; Messages: 4)
Thanks for the replies cyberjock and jgreco. Hopefully my report below will cover the issue.
Incidentally, I have a copy of the offending file if anybody would like to disassemble it.
Regards Graham


Firstly let me say I am in no way whining about BSD or FreeNAS security or anything of the sort. I simply believe this attack on my NAS servers is likely an identity or credit card theft attack and I am simply reporting it so that others can be more vigilant in detecting it and/or avoiding it. After all, we all think that what's on our LAN stays on our LAN – but it simply ain't true.

I have 2 installations of FreeNAS-8.0.4-p1-x64 running as a main and backup server on my LAN.
FreeNAS is running as a Hardware Virtual Machine under Xen Hypervisor 4.1 on Linux 12.04.
FreeNAS is provided with 8GB RAM and 2 CPU cores by the hypervisor, which also provides bridged Ethernet connectivity to the LAN via a 1Gb NIC.
Both main and standby hardware are Dell 2950 servers with a 200GB SCSI RAID mirror segmented for each OS and 4 x 1TB SATA drives for the NAS data pool.

Around June 2013 Internet service on our LAN became intermittent and getting steadily worse.
Investigation led to the discovery that massive amounts of data were blocking the ADSL modem and further that disconnection of both NAS servers from the LAN stopped the blocking.
By monitoring the main NAS server Ethernet port with Wireshark it was found that data packets were being streamed to more than 10 IP addresses (listed below). I was blocked from the web GUI and SSH access. Fortunately, being virtualized, I could access the FreeNAS console via a VNC connection facility built into Xen Hypervisor, but this did not reveal much of any value initially.
When the NAS server was prohibited from Inet access and rebooted it was noted that it was requesting DNS resolution for 2 specific domain names (also listed below) at regular intervals.
Restoring a Xen runtime image of FreeNAS made in early January 2013, when the server configuration was completed, had the same problem. The question was: what process was responsible for this?
It turned out to be /usr/sbin/crond, which had the same date code as all other modules but a different time and attributes. After doing a complete fresh install of FreeNAS from the original ISO file, I discovered crond was not part of the standard install module set and hence I assume it is completely malicious.

Note that the NAS servers were allowed outbound access to the Inet to allow NTP. No inbound access is allowed to the LAN from the Inet. Now clearly I did not have a narrow enough limit on the NAS servers' access to the Internet to foil this worm's mechanisms, silly me. However, just how this file got installed I have no idea, but for sure it happened during the configuration phase of the servers.
I can find no suspicious files or directories in the FreeNAS data space and so I assume that the object of the attack is identity fraud rather than use as a relay.

I cannot find any mention of this hack on Google, but neither can I believe I am unlucky enough to be the only one affected. So hopefully this may help others to either find and repair a similar hack or at least firewall well enough to stop it doing any major damage.

DNS resolution requests were initiated by the crond executable to the following domains:
f??k.jorgee.nu (I will leave the reader to fill in the ?? so as not to offend)
burrito.wut.re, both minuscule island domains in the Pacific.
Nslookup of the former resolves to 61.100.3.153 and 176.31.123.56
and the latter to 176.31.123.56

Now 176.31.123.56 is shown to be hosted by OVH systems in France and the specific address is shown to be the home of one loldump.org with a contact of Json, which if you dare visit the site has comic strips of a character named Jason and a pile of very funny cat videos which presumably keep you occupied while Jason gets into your head somehow. I seem to recollect a cat lover friend sending me an email with a pile of similar funny cat videos some time back so maybe that is how it is spread.

176.31.123.56 also gets many Google hits on blacklists and honeypot forums.

During monitoring of data streaming, IP connections (many on blacklists) were noted to:
176.31.123.56
67.220.83.90
192.157.62.66
37.59.41.117
87.106.131.89
94.23.42.81
37.59.60.133
206.214.88.57
67.220.83.90
188.126.73.62
65.23.157.127
etc
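Two of the checks Graham's investigation leaned on, written up here as an added example (this is not code from the post, from FreeNAS or from FreeBSD): comparing the files on a suspect host against a known-good install manifest to surface a binary the distribution never shipped (the post found /usr/sbin/crond this way, with the same date but a different time from its neighbours), and scanning DNS query logs for a client that resolves the same name at regular intervals. The manifest, the host listing and the DNS log lines below are constructed sample data; the log format is an assumed `timestamp client <ip> query: <name> <type>` layout, not any particular resolver's output. FreeBSD's own cron daemon is installed as /usr/sbin/cron, which is why the baseline lists that path rather than crond.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# --- Check 1: files on the host that a fresh install does not ship -----------

# Constructed baseline: a few /usr/sbin entries from a known-good install,
# each with the mtime the install gave them (they normally all share it).
BASELINE = {
    "/usr/sbin/cron":    "2012-03-15T04:10:00",
    "/usr/sbin/syslogd": "2012-03-15T04:10:00",
    "/usr/sbin/ntpd":    "2012-03-15T04:10:00",
}

# Constructed listing from the suspect host (what a find(1)/stat walk of the
# same directory would give you): path -> mtime. The rogue entry carries the
# same date as the rest but a different time, as described in the post.
SUSPECT_LISTING = {
    "/usr/sbin/cron":    "2012-03-15T04:10:00",
    "/usr/sbin/syslogd": "2012-03-15T04:10:00",
    "/usr/sbin/ntpd":    "2012-03-15T04:10:00",
    "/usr/sbin/crond":   "2012-03-15T17:42:11",   # not in the manifest
}


def find_unexpected_files(baseline, listing):
    """Return (unexpected, modified): paths on the host that the baseline
    never shipped, and shipped paths whose mtime no longer matches."""
    unexpected = sorted(p for p in listing if p not in baseline)
    modified = sorted(p for p in listing
                      if p in baseline and listing[p] != baseline[p])
    return unexpected, modified


# --- Check 2: a client resolving one name at a fixed interval ---------------

LOG_RE = re.compile(r"^(\S+) client (\S+) query: (\S+) (\S+)$")

# Constructed DNS query log. 192.168.1.20 asks for burrito.wut.re (one of the
# domains named in the post) every five minutes; 192.168.1.30 looks normal.
DNS_LOG = """\
2013-06-12T10:00:03 client 192.168.1.20 query: burrito.wut.re A
2013-06-12T10:00:07 client 192.168.1.30 query: www.freenas.org A
2013-06-12T10:05:03 client 192.168.1.20 query: burrito.wut.re A
2013-06-12T10:10:04 client 192.168.1.20 query: burrito.wut.re A
2013-06-12T10:11:40 client 192.168.1.30 query: pool.ntp.org A
2013-06-12T10:15:02 client 192.168.1.20 query: burrito.wut.re A
2013-06-12T10:20:03 client 192.168.1.20 query: burrito.wut.re A
2013-06-12T10:25:03 client 192.168.1.20 query: burrito.wut.re A
2013-06-12T10:31:17 client 192.168.1.30 query: www.freenas.org A
"""


def find_beacons(log_text, min_queries=5, max_jitter=0.1):
    """Group queries by (client, name). Flag a pair when it has at least
    min_queries lookups and the gaps between them are nearly constant
    (standard deviation / mean below max_jitter). Returns a dict mapping
    (client, name) -> mean gap in whole seconds."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip lines that are not queries
        ts, client, name, _qtype = m.groups()
        times[(client, name)].append(datetime.fromisoformat(ts))

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[key] = round(avg)
    return beacons


if __name__ == "__main__":
    unexpected, modified = find_unexpected_files(BASELINE, SUSPECT_LISTING)
    print("not in install manifest:", unexpected)
    print("mtime differs from manifest:", modified)
    for (client, name), gap in find_beacons(DNS_LOG).items():
        print(f"{client} resolves {name} every ~{gap}s")
```

In practice the baseline comes from the same release's install media (a listing made from the ISO or a freshly installed VM, as Graham did), and the DNS side works best from the resolver's query log or a capture on the LAN side of the modem, since a host that has been tampered with cannot be trusted to report on itself. The jitter threshold is loose on purpose: NTP and update checks also run on timers, so anything this flags still needs a human to decide whether the name is one the host has any business asking for.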

cyberjock (Inactive Account; Joined Mar 25, 2012; Messages: 19,525)
Well, can you be particularly surprised? If you had followed the FreeNAS updates, you would have known that 8.0.4-p1 has known security vulnerabilities as of more than a year ago!

Other than that, none of the information you have gives any clue as to how they gained access to the server. They could have used a vulnerability to gain access to another machine in the network and brute forced your password, guessed your password was something simple like "password", etc.

In essence you really provide no information as to how they got in only that they did. It really doesn't validate that there is any attack vector within FreeBSD or FreeNAS that should be investigated further.

Not to sound rude, but your post is nothing more than "I got hacked". Well, that's obvious. But what's important is how they did it. If they guessed an easy password, poor permission setup on your part, etc., then there isn't a problem with FreeBSD or FreeNAS but an administration issue/error. But if you had specific information on how in particular they gained access that may include an unknown vulnerability, that would be worth looking into.

Other people have been hacked too. Many of them stupidly opened one or more ports on their firewall to FreeNAS so they could remotely connect to their server. In those cases, those individuals got exactly what they deserved. Everyone that has an inkling of security knows not to forward ports like that. That's just stupid.

Graham (Joined Aug 3, 2013; Messages: 4)
Thanks cyberjock.
To be honest, I really haven't got time to update software every other day.
Please feel free to blow the thread away.
regards to all in the forum
Graham

cyberjock (Inactive Account; Joined Mar 25, 2012; Messages: 19,525)
What I recommend you do is add yourself to the FreeNAS mailing list. I hound them to put out a message via the mailing list when they do an update if they forget. :)

In the meantime, I'd highly recommend you update to either 8.3.1-p2 or 9.1 and put yourself on the mailing list.