Buffalo Forums


: What is Accessing My LS-CHL From the Web?
: jsamps0n February 19, 2010, 09:17:25 AM

I'm trying to figure out who/what is accessing my storage device.


This is a 1GB device with multiple shares that are accessible on my LAN without a password.  


Additionally, I have enabled the FTP Server so that I can back up a remote database each night.  The remote machine connects to the LS-CHL via FTP using the appropriate userid and password, uploads the database to the backup folder, then disconnects.  This takes less than 2 hours each night and works flawlessly.


Each morning I log into the remote machine using GOTOMYPC, check out the FTP log file, and make sure that all is well.


From time to time I will observe that something is accessing the LS outside the FTP window and I'm puzzled as to what this activity is.  The LAN light is flashing non-stop and I know that the traffic is coming from the web because the light stops dead when I disconnect the WAN from my router.  If I reconnect the WAN, the non-stop flashing resumes.  Eventually, it will stop and the machine sits idle as it should.


I thought that maybe the antivirus setup of a locally connected LAN machine had a scan running against a mapped drive on the LS, but the traffic is not coming from the LAN.


Any ideas on what might be accessing my device and how to stop it?


Thanks in advance for any guidance.



: Re: What is Accessing My LS-CHL From the Web?
: DumbTechDude February 19, 2010, 10:13:40 AM

Once your LS is connected to the WWW and when you opened up port 21 (FTP port), you are basically announcing to the world that my shares are open to hack in!  What you are experiencing is people from anywhere in the world, either from China or Russia, who are trying to hack into your LS to get to the content.  FTP is by the way the most common way to get in because people usually are unaware that stock FTP setups come with an anonymous guest setup which allows hackers free access to your LS since you did not secure all your other shares with any password whatsoever.  First and foremost, secure all your shares with a strong password, i.e. words and numbers combined together.  I know it is inconvenient, but if you want to make it more convenient for you to access all your shares upon bootup, have your computer account sync with the same password as your admin FTP.  Secondly, remove any guest access to your FTP.  If you want to provide guest access, restrict access only to read.  Do not store any financial or private information on your LS as this can be easily seen with the current setup you have now.  I would not be surprised if hackers had already gained access to all your shares and are just having a blast sifting through all your data.

: Re: What is Accessing My LS-CHL From the Web?
: jsamps0n February 19, 2010, 11:07:32 AM

Completely understood.  Thanks for the info and advice.


I took a closer look at the share configuration on the LS and see that the only folder with FTP support configured is the folder for the remote FTP backups, access restrictions are enabled, and the guest account has no access.


The generally accessible LAN folder does not have FTP support configured.


As a test, I used FTP from the remote machine and connected using anonymous login.  While I was able to connect without a problem, there was a limited view into the device.  You can see disk1, but not any of the folders.  The only folder that was wide open was the default 'info' folder which contains the LinkStation documentation.  I could not see the LAN share or the remote FTP share.


Question: If you can connect using anonymous login, are you then able to use net commands to map accessible folders for Windows support rather than FTP access?  That seems like the only opening not yet closed.  True?


Thanks again for any info and advice.



: Re: What is Accessing My LS-CHL From the Web?
: DumbTechDude February 19, 2010, 03:17:48 PM

When you open the ports on your LinkStation to allow remote access to the file serving functions, you also need to open the port on your router as well.  As long as you have an open port on your router, the hacker gets in through that.  The hacker does not have to exploit the FTP function if he or she can't get further access.  Since the hacker gets through WAN and onto your LAN, the hacker can have access to your local LAN through WAN like you would with your own computer.  To an IT professional or a competent hacker, this is easy to do -- I can do this even with an iPhone or iPod Touch.  Which is why a good NAS or a good router also has a built-in auto IP blocker which records and blocks offending external IPs from the net.  So my advice to you is still the same, secure all your shares with a strong password.


Anonymous access is guest access.  The reason for anon service is to provide easy access to public information, which is what Buffalo provided.  Sadly though, that information can work against you since the hacker now knows exactly the type of NAS unit he or she is working to hack, as opposed to having no information at all, which can delay progress.
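
The question the thread starts from (what connects to the FTP service outside the nightly backup window, and whether anonymous logins succeed) can be checked against the FTP server's log. The following is an added example, not code from any poster or from Buffalo: the log format, the addresses, the `backupuser` account and the 01:00-03:00 window are all assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample in an assumed format: "<date> <time> <client-ip> <event> <user>"
SAMPLE_LOG = """\
2010-02-18 01:05:12 203.0.113.10 LOGIN_OK backupuser
2010-02-18 02:40:03 203.0.113.10 LOGOUT backupuser
2010-02-18 14:22:51 198.51.100.7 LOGIN_FAIL admin
2010-02-18 14:22:53 198.51.100.7 LOGIN_FAIL root
2010-02-18 14:22:55 198.51.100.7 LOGIN_OK anonymous
2010-02-18 14:23:40 198.51.100.7 LOGIN_FAIL admin
2010-02-18 16:00:00 203.0.113.10 LOGIN_OK backupuser
2010-02-19 01:04:58 203.0.113.10 LOGIN_OK backupuser
"""

# Assumed values for the one legitimate client: the remote backup machine.
EXPECTED_SOURCE = "203.0.113.10"
EXPECTED_USER = "backupuser"
WINDOW_START, WINDOW_END = time(1, 0), time(3, 0)  # nightly backup window

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (LOGIN_OK|LOGIN_FAIL|LOGOUT) (\S+)$")

def triage(log_text, fail_threshold=3):
    """Return (ip, reason) findings, in log order, for events that are not the backup."""
    findings = []
    fails = defaultdict(int)  # failed logins per source address
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip, event, user = m.group(2), m.group(3), m.group(4)
        if event == "LOGIN_FAIL":
            fails[ip] += 1
            if fails[ip] == fail_threshold:  # report once per address
                findings.append((ip, "repeated-login-failures"))
        elif event == "LOGIN_OK":
            if user in ("anonymous", "ftp"):
                findings.append((ip, "anonymous-login"))
            elif ip != EXPECTED_SOURCE or user != EXPECTED_USER:
                findings.append((ip, "unexpected-source-or-user"))
            elif not WINDOW_START <= ts.time() <= WINDOW_END:
                findings.append((ip, "login-outside-backup-window"))
    return findings

if __name__ == "__main__":
    for ip, reason in triage(SAMPLE_LOG):
        print(ip, reason)
```

The addresses reported under `repeated-login-failures` are the ones an IP blocker of the kind mentioned in the last reply would act on; the regular expression has to be adapted to whatever log format the device or router really writes.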