Transmission hacked

Status
Not open for further replies.

mek

Cadet
Joined
Jun 16, 2018
Messages
7
Hello all,

I have been running FreeNAS-9.10.2-U6 and Transmission 2.92 (14714) in a jail for some time now. Obviously totally disregarding any updates. My bad.

Two nights ago I heard a NAS disk going berserk, I mean it was spinning so much I could hear it. I thought one disk was going, the older ones are something like 3 years old now. I logged in to the system and saw both disks in one volume having a lot of activity. This is the volume the Transmission jail is located on. However, the Transmission admin web page showed no activity.

I took a look at the firewall and it showed a lot of requests to the Transmission port. I took a quick look at the FreeNAS machine process list and sendmail was on top of it, despite that I do not use it for anything on that machine. I shut down the FreeNAS but still hours later the firewall showed around 35M of traffic hitting that Transmission port. So I guess I was really popular for around 40 minutes before I shut down the machine.

I think it can be easily deduced that someone has found a vulnerability in Transmission and my machine was used to send spam. I have since removed the port forward to Transmission and removed it from FreeNAS. Now the question is how much I can trust that the hackers just got into the jail and not to the other files in the system? I just powered the FreeNAS on for the first time after the incident and it seems I have all my files intact. But should I just wipe those drives and start from scratch? Or is removing the jail and Transmission enough?
 

m0nkey_

MVP
Joined
Oct 27, 2015
Messages
2,739
A perfect example as to why you don't want to expose your FreeNAS box to the Internet in any way. If you want to access your box and its services, configure a VPN such as OpenVPN. Most SOHO routers now support OpenVPN out of the box, so there shouldn't be any excuse.

You probably got hit by this remote code execution vulnerability: https://www.cvedetails.com/cve/CVE-2018-5702/

mek

Cadet
Joined
Jun 16, 2018
Messages
7
Thank you very much! I was trying but didn't find the vulnerability description myself. If my reading of this is correct, it seems my files were safe but I need to offer the internet an apology for all that spam originating from my machine.
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,556
Well, I would assume they left code behind. The Ukraine power grid hack is my baseline for this stuff. I would treat the system as a threat until you are able to clean it up.

But, since we are talking about FreeNAS and are blessed with ZFS, it is possible to roll back the entire machine to before the exploit was used (if you know that).

The basic procedure is that you burn anything they could get their hands on and restore from backup. In the case of ZFS it means that you could roll back to a snapshot before the attack, given that you know when that is. You can also examine snapshots for changes to them and that way identify and nuke any nasty stuff.

But whatever you do, be very thorough.
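As an added example (not posted in the thread), one way to do what garm describes: a small sh script that screens `zfs diff` output between a pre-incident snapshot and the live jail dataset for the places a post-compromise review cares about, and prints the rollback commands for review before running them. The dataset name, snapshot name and the sample diff lines are constructed assumptions.

```shell
#!/bin/sh
# Review the changes between a known-good ZFS snapshot and the current state
# of the dataset that backed the Transmission jail, flagging the locations a
# post-compromise review cares about, then print the rollback commands.
# Dataset and snapshot names are assumptions for this example.

DATASET="tank/jails/transmission_1"        # assumed jail dataset
GOOD_SNAP="auto-2018-06-10_00-00"          # assumed pre-incident snapshot
J="/mnt/$DATASET"                          # mountpoint of that dataset

# sample_diff: constructed stand-in for `zfs diff` output. Real output is
# tab-separated: change type (+ added, - removed, M modified, R renamed), path.
sample_diff() {
    printf 'M\t%s\n' "$J/var/db/transmission/settings.json"
    printf '+\t%s\n' "$J/tmp/.x/mailer"
    printf 'M\t%s\n' "$J/etc/crontab"
    printf '+\t%s\n' "$J/var/spool/mqueue/qfw5H1Zk000123"
    printf 'M\t%s\n' "$J/root/.ssh/authorized_keys"
    printf -- '-\t%s\n' "$J/var/log/messages.0.bz2"
    printf 'R\t%s -> %s\n' "$J/etc/rc.local" "$J/etc/rc.local.bak"
}

# flag_changes: reads zfs diff lines on stdin and keeps those touching
# persistence points (cron, rc scripts, ssh keys), scratch dirs and the
# sendmail queue, which is where a spam run would have left traces.
flag_changes() {
    awk -F'\t' '
        $2 ~ /\/etc\/(crontab|rc\.local|rc\.d\/|cron\.d\/)/ ||
        $2 ~ /\/(tmp|var\/tmp)\//                            ||
        $2 ~ /\/\.ssh\//                                     ||
        $2 ~ /\/var\/spool\/mqueue\//                        { print }'
}

# count_flagged: number of flagged lines in a diff fed on stdin.
count_flagged() { flag_changes | wc -l | tr -d ' '; }

# rollback_plan: prints (does not run) the review-then-rollback commands.
# `zfs rollback -r` also destroys every snapshot newer than GOOD_SNAP.
rollback_plan() {
    printf 'zfs diff %s@%s %s\n' "$DATASET" "$GOOD_SNAP" "$DATASET"
    printf 'zfs rollback -r %s@%s\n' "$DATASET" "$GOOD_SNAP"
}

# Stand-alone run over the constructed sample. On the live system replace
# sample_diff with:  zfs diff "$DATASET@$GOOD_SNAP" "$DATASET"
sample_diff | flag_changes
rollback_plan
```

Datasets shared into the jail from outside it need the same review against their own snapshots, since the jail dataset's diff does not cover them.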

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Blow the transmission jail away and rebuild it.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
port forward to Transmission
This was painful to read. This is also why FreeNAS NEEDS a basic firewall implementation! With that you could have at least blocked sendmail from spamming other people.

mek

Cadet
Joined
Jun 16, 2018
Messages
7
In the case of ZFS it means that you could roll back to a snapshot before the attack, given that you know when that is.

Thank you! I know when the attack started in earnest, easy to see from the firewall log and also on the disk activity on the FreeNAS. I noticed it 40 minutes from the start, but of course I cannot be sure when the first attack was. Just gonna nuke the Transmission jail and never put it back anymore.
 

mek

Cadet
Joined
Jun 16, 2018
Messages
7
Blow the transmission jail away and rebuild it.

I already nuked the Transmission install but won't be putting it back to the FreeNAS machine. It was very convenient but this scare was enough for me. Seems old dogs can learn too ;).
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,556
But be wary about any datasets you shared with that jail as well.

mek

Cadet
Joined
Jun 16, 2018
Messages
7
This was painful to read. This is also why FreeNAS NEEDS a basic firewall implementation! With that you could have at least blocked sendmail from spamming other people.

Thanks. If I was a smart man then I could have done that also from the firewall side. There was no need for the FreeNAS machine to get out except for the torrent files.

But a smart man would not run old software versions connected to the net to begin with so I guess that part is clear to all ;).
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
This was painful to read. This is also why FreeNAS NEEDS a basic firewall implementation! With that you could have at least blocked sendmail from spamming other people.

Or a good firewall in front of it.

garm

Wizard
Joined
Aug 19, 2017
Messages
1,556
Or a good firewall in front of it.

Hear, hear. Never expose a FreeNAS box to the internet in any manner with a consumer grade firewall/NAT/router. There are open source options for commercial grade firewalls available.

mek

Cadet
Joined
Jun 16, 2018
Messages
7
Hear, hear. Never expose a FreeNAS box to the internet in any manner with a consumer grade firewall/NAT/router. There are open source options for commercial grade firewalls available.

I am running a pfSense setup but even a good fw won't protect you when the admin (that's me) pokes holes in it... Though, as said, I could and should have blocked all access to the outside from the FreeNAS machine in the first place.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
pfSense with something like Snort, Suricata or pfBlockerNG can be set up to block known nefarious actors and would go a long way towards stopping something like this from happening. It won't stop known vulnerabilities from being exploited, obviously. I've had upwards of 60k blocks per day on busy days when I'm sharing something with qBittorrent.

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
Or a good firewall in front of it.

Perimeter security is not the end-all that so many people think it is. One internal compromised box can negate the best firewall solution out there. Granted, most home users can't justify setting up security zones or validating code.