Topic: Norton Core Secure Router flagging outbound traffic from Linkstation NAS

Cabledude27

Good morning,

I have an interesting situation. I have a Norton Core secure router and I'm seeing alerts from it saying that my Linkstation NAS is basically being blocked from connecting outbound to "malicious sites", which are always an IP. I've mapped to the NAS and ran Avira and found two files from a Mac Time Machine update which were "cleaned", and I removed them, but I'm still getting the alerts. Based on my work I have a direct connection to discuss the findings with Symantec, and from their side there are no indications the notifications are incorrect or not working.

My questions are these:

  • Anyone else seeing this with a Norton Core?
  • Any way that I can get root on my NAS (Linkstation 200 - LS-WXL705) to get better logs to try and see what's going on from the NAS itself?
  • Any ideas on how to troubleshoot this better?

Texturtle

Re: Norton Core Secure Router flagging outbound traffic from Linkstation NAS
« Reply #1 on: September 14, 2018, 10:58:28 AM »
The NAS is almost certainly attempting to contact the update server to check to see if an updated FW is available.

Cabledude27

Re: Norton Core Secure Router flagging outbound traffic from Linkstation NAS
« Reply #2 on: September 14, 2018, 12:50:40 PM »
These are all varying IPs across multiple notifications. Just got another alert for an IP based in France that's hosted by ovh.com, which is a dedicated host service, and a couple of others from other ISPs. Looking around on the net, the IPs I'm getting alerts on are definitely on the naughty list.

Texturtle

Re: Norton Core Secure Router flagging outbound traffic from Linkstation NAS
« Reply #3 on: September 17, 2018, 09:06:45 AM »
What options are turned on on the NAS?

Cabledude27

Re: Norton Core Secure Router flagging outbound traffic from Linkstation NAS
« Reply #4 on: September 17, 2018, 10:01:12 AM »
I can answer this and provide an update to my pursuits over the last few days as well.

I mounted the NAS drives to my MacBook and ran Avira (I beta test for Avira and used their recent beta update app) to scan the network shares. That found two general items in what appeared to be the Time Machine shares. Unfortunately the descriptions were very general and not specific to what malware, if any, they were. I believe one was classified as a vulnerability and the other a potential malware. Either way Avira quarantined them and I reviewed and deleted both.

I then downloaded BitDefender for Mac Friday night and ran that. Initially it was taking well over 12-14 hours, so Saturday I redid the scan to just scan the shares other than the Time Machine shares and will redo the Time Machine ones one at a time to see if that speeds the scans up. I also had FTP on and had port 2020 forwarding to the internal FTP port. I just turned that on mid last week as I was trying to get into it via FTP to see if I could tool around and check the folders/etc., but that seems locked down. Beyond that I had a port forward set up for 8082 externally to route to internal port 80 on the device to remote login. I have a 15+ character password for admin that uses numbers, letters, caps, and symbols and would be difficult to crack. It's not reused outside of my internal devices. I also tried my hand at ACP Commander (yes, I know it voids the warranty, but the device is many years old) to try and get into an SSH setup to see if I can see more logging or things that look off, but when I ran the original dmg file it said the file was broken and I couldn't get it to run (I have Mojave GM on my MacBook and I think it was blocking the file from running) and ensure Java was installed correctly. When I ran the .jar file it would open but not locate my NAS automatically and I couldn't figure out how to fix that.

I've not seen an alert like the ones that started this in the last two days (but there was one after the Avira scan and findings). 

As for options, I think you mean like web services or network services, right? So right now only webaccess is on and the ports associated with them are open via UPnP (6881 UDP, 34006 TCP, and 6881 TCP). I have the email for alerts turned on and get a Linkstation report emailed to me every morning at 12am EST, but it doesn't provide access logs, outbound logs etc. It simply says that it's running, what the size is for each share, how much use on each, and percentage of use etc. I had tooled around with the other options before, but they were all off when I was going through the device trying to figure this out.

Really would be nice to have some logging option to turn on for stuff like this.  Hopefully someone from Buffalo is reading this and can put a bug in a dev's ear for a firmware update to provide this under "advanced" settings tab or something.

davo

Re: Norton Core Secure Router flagging outbound traffic from Linkstation NAS
« Reply #5 on: September 17, 2018, 10:38:06 AM »
Press CTRL+ALT+SHIFT+B when you're logged onto the admin page to get the full system logs.
PM me for TFTP / Boot Images / Recovery files  LSRecovery.exe file.
Having network issues? Drop me an email: info@interwebnetworks.com and we will get it fixed!

Cabledude27

Re: Norton Core Secure Router flagging outbound traffic from Linkstation NAS
« Reply #6 on: September 17, 2018, 12:02:23 PM »
Awesome it worked!!!

Do you have any recommendations on any particular logs I should review first for these access attempts?
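
One way to narrow down which logs to read first, as an added example that is not part of the original thread: the Python below ranks saved log files by how many non-LAN IPv4 addresses they mention and lists every line naming an IP copied from the router alerts. The log file names, line formats and addresses are constructed assumptions; the thread does not show what the LinkStation logs look like.

```python
import ipaddress
import re
from collections import Counter

# Dotted quad not glued to other digits/dots; a trailing ":port" is allowed.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Ranges that stay on the LAN or host; anything else is treated as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def external_ips(line):
    """Return the valid, non-LAN IPv4 addresses mentioned in one log line."""
    found = []
    for text in IPV4.findall(line):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:          # e.g. 999.1.1.1 is not an address
            continue
        if not any(ip in net for net in LOCAL_NETS):
            found.append(str(ip))
    return found

def triage(logs, flagged):
    """logs: {filename: text}; flagged: IPs copied from the router alerts.
    Returns (files ordered by external-IP mentions, flagged-IP hits)."""
    per_file, hits = Counter(), []
    for name, text in logs.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            ips = external_ips(line)
            per_file[name] += len(ips)
            hits += [(name, lineno, ip) for ip in ips if ip in flagged]
    ranking = [name for name, n in per_file.most_common() if n]
    return ranking, hits

# Constructed sample input: file names, line formats and addresses are made up
# (addresses come from the documentation ranges), not real LinkStation output.
SAMPLE_LOGS = {
    "messages": "Sep 17 09:58:01 nas smbd: connect from 192.168.1.20\n"
                "Sep 17 09:59:12 nas ntpd: synced to 198.51.100.7\n",
    "service.log": "Sep 17 10:00:03 peer 203.0.113.45:6881 connected\n"
                   "Sep 17 10:00:09 peer 203.0.113.99:6881 connected\n"
                   "Sep 17 10:01:40 peer 203.0.113.45:6881 closed\n",
}
SAMPLE_FLAGGED = {"203.0.113.45"}

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS, SAMPLE_FLAGGED))
```

Load the saved log text and the IPs from the router alerts in place of the sample values. Dotted version strings in a log can show up as false matches, so check each hit against the line it came from.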