Hello all,
I have been running FreeNAS-9.10.2-U6 and Transmission 2.92 (14714) in a jail for some time now. Obviously totally disregarding any updates. My bad.
Two nights ago I heard a NAS disk going berserk, I mean it was spinning so much I could hear it. I thought one disk was going, the older ones are something like 3 years old now. I logged in to the system and saw both disks in one volume having a lot of activity. This is the volume the Transmission jail is located on. However, the Transmission admin web page showed no activity.
I took a look at the firewall and it showed a lot of requests to the Transmission port. I took a quick look at the FreeNAS machine's process list and sendmail was on top of it, even though I do not use it for anything on that machine. I shut down the FreeNAS, but hours later the firewall still showed around 35M of traffic hitting that Transmission port. So I guess I was really popular for around 40 minutes before I shut down the machine.
I think it can be easily deduced that someone has found a vulnerability in Transmission and my machine was used to send spam. I have since removed the port forward to Transmission and removed it from FreeNAS. Now the question is how much I can trust that the hackers just got into the jail and not to the other files in the system? I just powered the FreeNAS on for the first time after the incident and it seems I have all my files intact. But should I just wipe those drives and start from scratch? Or is removing the jail and Transmission enough?
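A host-side triage the poster's question calls for, as an added example that is not part of the original post and not anything the poster ran: before deciding between "delete the jail" and "wipe the pool", list what changed on the host datasets outside the jail after the incident started, and look for new setuid/setgid files there. The paths, the incident marker file and the sample tree below are constructed assumptions for illustration (the post only says the jail sits on one of the volumes); on the real system the root would be the pool mount point and the reference time would come from the firewall log. The script is POSIX sh plus find(1), so it runs unchanged on FreeNAS/FreeBSD and on Linux.

```shell
#!/bin/sh
# Post-incident triage helpers (added example, not from the original post).
# Assumed layout (hypothetical): ROOT is the pool mount point, the compromised
# jail lives at ROOT/jails/transmission, and ROOT/.incident_start is a marker
# file whose mtime was set to the time the firewall first showed the flood.

# files_changed_since ROOT REF EXCLUDE
#   Prints regular files under ROOT (paths relative to ROOT) whose mtime is
#   newer than REF, skipping the directory EXCLUDE (the jail, which we already
#   treat as fully attacker-controlled). LC_ALL=C keeps sort order stable.
files_changed_since() {
    root=$1; ref=$2; exclude=$3
    ( cd "$root" && find . -path "./$exclude" -prune -o -type f -newer "$ref" -print ) \
        | LC_ALL=C sort
}

# setuid_files ROOT EXCLUDE
#   Prints setuid or setgid regular files under ROOT outside EXCLUDE. A jail's
#   own base system legitimately contains such binaries (su, passwd, ...), so
#   the jail is excluded; anything outside it that is not part of the base
#   system deserves a close look.
setuid_files() {
    root=$1; exclude=$2
    ( cd "$root" && find . -path "./$exclude" -prune -o -type f \
        \( -perm -4000 -o -perm -2000 \) -print ) | LC_ALL=C sort
}

# build_sample_tree DIR
#   Constructs a small sample pool layout so the helpers can be demonstrated
#   offline. Nothing here is taken from the poster's system.
build_sample_tree() {
    d=$1
    mkdir -p "$d/jails/transmission/var/spool" "$d/media" "$d/home/user"
    # Old user data, last written long before the incident.
    printf 'old\n' > "$d/media/photo.jpg"
    printf 'old\n' > "$d/home/user/notes.txt"
    touch -t 201701010000 "$d/media/photo.jpg" "$d/home/user/notes.txt"
    # Incident marker: mtime = when the firewall first showed the flood.
    touch -t 201801010000 "$d/.incident_start"
    # Activity inside the jail is expected and is excluded from the listing.
    printf 'queued mail\n' > "$d/jails/transmission/var/spool/mqueue"
    # Two constructed findings outside the jail: a dotfile rewritten after the
    # incident started, and a new setuid file in a home directory.
    printf 'x\n' > "$d/home/user/.profile"
    printf 'x\n' > "$d/home/user/helper"
    chmod 4755 "$d/home/user/helper"
}

# Demonstration on the constructed tree; prints the two findings and cleans up.
tmp=$(mktemp -d)
build_sample_tree "$tmp"
echo "changed outside the jail since incident start:"
files_changed_since "$tmp" .incident_start jails/transmission
echo "setuid/setgid outside the jail:"
setuid_files "$tmp" jails/transmission
rm -rf "$tmp"
```

Two caveats worth keeping in mind when reading the output. Any file listed outside the jail means the question is no longer "did they stay in the jail" and the safe answer becomes a rebuild from known-good media plus restore of data only. An empty list is weaker evidence: mtimes are trivially reset by anyone with root, so on FreeNAS a `zfs diff` of the host datasets against a snapshot taken before the incident (if one exists) is the stronger check, together with a look at the host's user list, crontabs and listening sockets.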