DNS-325 Cr1ptT0r victime


Goydo

Jan 5, 2020, 2:56:33 PM1/5/20
to Alt-F
Hi all,

just to say hi and send a big thank you to you, João. You are my hero!

Happy New Year and best wishes! To everyone in this group also!

I got one of these ugly old boxes a few weeks ago and I wasn't aware at all of these backdoor exploits and the total abandonment by the manufacturer D-Link, so I was visited by Cr1ptT0r 2 days ago.
This is one of the biggest data losses I've ever had and for sure my last gear from D-Link. (Only one 2TB disk.)
You are really not a trustworthy hardware supplier; you know there is a great risk and you let your customers go to the dark side without a warning. You know these backdoors and you have done nothing to protect your fellow folks, what a shame. I even registered my NAS for a D-Link DDNS and you still did nothing, not even an email to warn about it; the only open port was 80, but it is now removed.

So I have stopped and deleted the D-Link firmware and replaced it with Alt-F. I even got the SMB shares to work and I am happy for now; perhaps one day I get my data back and learn how to use Alt-F and other packages.
The last accessed and modified timestamps have not changed, so you don't even know which files are encrypted or not, and there is no log file. I tried with some tools to restore older versions but had no luck on this volume, and I'm not the penguin man either; I had Synologys running and I've been working on Windows since 3.1.

Best Regards
Guido

Joao Cardoso

Jan 5, 2020, 8:46:22 PM1/5/20
to Alt-F


On Sunday, January 5, 2020 at 7:56:33 PM UTC, Goydo wrote:
Hi all,

just to say hi and send a big thank you to you, João. You are my hero!

Happy New Year and best wishes! To everyone in this group also!

I got one of these ugly old boxes a few weeks ago and I wasn't aware at all of these backdoor exploits and the total abandonment by the manufacturer D-Link, so I was visited by Cr1ptT0r 2 days ago.
This is one of the biggest data losses I've ever had and for sure my last gear from D-Link. (Only one 2TB disk.)
You are really not a trustworthy hardware supplier; you know there is a great risk and you let your customers go to the dark side without a warning. You know these backdoors and you have done nothing to protect your fellow folks, what a shame. I even registered my NAS for a D-Link DDNS and you still did nothing, not even an email to warn about it; the only open port was 80, but it is now removed.

Guido, thanks for sharing

The Alt-F webUI should not be exposed to the internet neither at port 80 nor at the alternative port 8080, as it was written without any security concerns at all.
The webUI is also available through secure https at port 443 or the alternative port 8443, but the same consideration applies.

If you have to expose some service to the internet, such as ssh or https, put it running in "server mode", not "inetd mode", and the service will use its own security countermeasures. See Services->Network, inetd, Configure, and then use each service's Configure button.

I will soon make an update to all those security related packages, but it's a prey/predator race, some will always be eaten. Stay tuned to the News section on the webUI Status page.

Thanks

Goydo

Jan 5, 2020, 10:07:35 PM1/5/20
to Alt-F
Ok thanks João,

I removed all port forwards from the router except 2 for the Synology UI and 1 for the Plex server and disabled all unnecessary services (I hope so). The D-Link is sleeping; only the 2 HDD LEDs are blinking orange at a low heartbeat.

I bought this cheap old DNS-325 just as a better external HDD case with some more possibilities; the hardware is not bad at all.
Although it was reachable from outside, the unit was in hibernation mode and only woke up if it was directly accessed. (So it did 3 days ago, before I realized it was hijacked.)
Hopefully it contained nothing really important, only outdated software from the last century :)

The Synology DS wakes up periodically 36 times a day and nobody really knows why; I hope they fix this with their new OS coming soon. Removing all the packages can't be the solution either, since it is worse than before, but support told me to do so :)
I use the DS415+ mostly as a video server. DS Video, Plex and FFmpeg are running because of the well-known DTS no-sound problem on DS Video; they removed DTS and EAC3 support, and recent TVs don't even pass the sound to your surround receiver if it is anything other than AC3. This is really annoying bullshit.

So I'm looking forward to learning and understanding how Alt-F works; it was easier with the GUI from D-Link or Synology's DSM.

Many thanks and keep up the good work

geek

Apr 18, 2020, 6:26:02 AM4/18/20
to Alt-F
Hi, I have a DNS-325 with the original D-Link firmware v. 1.05 (11/07/2016).
Even if I install Alt-F, can I still be vulnerable to Cr1ptT0r?
I have no active port forwarding.
I use the nas only within the local network.

Best Regards

Goydo

Apr 18, 2020, 8:53:28 AM4/18/20
to al...@googlegroups.com
Hi Geek,

You should be safe if the D-Link isn't accessible from outside, but you can still get a virus or ransomware attack from your mainframe if you run an infected file or if a new exploit comes up.
I did so at work twenty years ago and spread a worm into our manufactory network with about 80 PCs.
My boss wasn't very happy about this, but we could disinfect the threat quickly.

There's no vaccine and no 100% security.

So here, for everyone who may be concerned, is an excerpt of my log file, created with a little piece of software from Michael Gillespie called CryptoSearch. It scans your entire discs or arrays for encrypted files and moves them to another location, preserving the entire path.
This is very useful; you would never sort them out by hand. Perhaps one day we are able to decrypt, but not today.

Cr1ptT0r was active only a few hours on my disk, the second time I woke up in the middle of the night I cut the power from the NAS.


Complete, found 11286 encrypted folders with 201840 encrypted files (63GB)
Also found 0 clean folders with 18692 clean files (1,7TB)

Retrieving data from ID Ransomware...
Retrieving data from local filesystem...
Loaded data on 702 ransomwares
Retrieving data from ID Ransomware...
Retrieving data from local filesystem...
Loaded data on 702 ransomwares
Directory selected: Z:\software

Searching for files encrypted by Cr1ptT0r Ransomware...

[-] Encrypted folder: Z:\software
...........

Complete, found 11286 encrypted folders with 201840 encrypted files (63GB)
Also found 0 clean folders with 18692 clean files (1,7TB)

Moving encrypted files (63GB) to: Z:\Encrypted

Complete, archived 201840 encrypted files


PS: it encrypted mainly the small files, like .txt, .pdf, .wav, .mp3, .jpg and so on, so I'm very happy that this 2TB disk was not really important to me and all my photos and documents are safe in another location.
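Since the access and modified timestamps were untouched, encrypted files cannot be found by date, which is why a content scan like the one in the log above is needed. The Python below is an added example, not CryptoSearch and not code from anyone in this thread: it walks a share, flags files whose bytes look like ciphertext using a byte-entropy heuristic (an assumption on my part, not how CryptoSearch decides), and moves hits to a quarantine folder preserving the relative path; demo() builds a constructed sample tree in a temp directory.

```python
import math, os, shutil, tempfile
from pathlib import Path

# Heuristic (assumption): ciphertext scores close to 8 bits/byte, plain text far
# lower. Already-compressed media (.jpg, .mp3) also score high, so review hits.
ENTROPY_THRESHOLD = 7.9

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_encrypted(path: Path, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """Sample the first 64 KiB; files under 256 bytes are too noisy to judge."""
    with open(path, "rb") as fh:
        head = fh.read(65536)
    return len(head) >= 256 and shannon_entropy(head) >= threshold

def quarantine_encrypted(root: str, dest: str) -> dict:
    """Walk root, move suspect files under dest (must lie outside root) keeping
    their relative path, and return CryptoSearch-style counts."""
    root_p, dest_p = Path(root), Path(dest)
    stats = {"encrypted": 0, "clean": 0, "encrypted_bytes": 0}
    for dirpath, _dirs, files in os.walk(root_p):
        for name in files:
            src = Path(dirpath) / name
            if not looks_encrypted(src):
                stats["clean"] += 1
                continue
            stats["encrypted"] += 1
            stats["encrypted_bytes"] += src.stat().st_size
            target = dest_p / src.relative_to(root_p)
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(target))
    return stats

def demo() -> dict:
    """Constructed sample tree: a text file plus random bytes posing as ciphertext."""
    base = Path(tempfile.mkdtemp())
    share = base / "share" / "docs"
    share.mkdir(parents=True)
    (share / "notes.txt").write_bytes(b"meeting notes, plain ascii text\n" * 40)
    (share / "scan.pdf").write_bytes(os.urandom(8192))  # stands in for ciphertext
    return quarantine_encrypted(str(base / "share"), str(base / "Encrypted"))
```

Run it against a copy or a read-only mounted snapshot first and inspect the hits, since legitimately compressed files will also land in the quarantine folder.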
