Has anyone else con...
 
Notifications
Clear all

Has anyone else connected to the NAS?

4 Posts
3 Users
0 Likes
1,201 Views
Vesalius
(@vesalius)
Posts: 66
Estimable Member
Topic starter
 

Hello Forensic Humans,

So basically I have a NAS Synology setup in which I have had 2 users as clients with only read/write privileges. Yesterday when I checked the drive, specifically the security tab from the mapped drive in My Computer, there were 2 UNIX users in there. By default there should just be the admin, but I have never seen the UNIX accounts before.

the names were UNIX 1028 and UNIX 1029.

has this been generated by the Synology system by default OR is it some sort of Trojan.

I went back today only to see it gone. I want to further investigate, and my goal is to find out if any other account eg. (PC) of any sort has connected to the local NAS drive.

It is not connected to the internet in any way, just using an Ethernet cable directly to the PC, which runs on Windows 7.

How should I further investigate, where and what should I be looking for?

 
Posted : 04/01/2017 12:50 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Did you enable 'syslog' on the DSM Disk Station Manager's security settings?

 
Posted : 04/01/2017 6:41 pm
(@athulin)
Posts: 1156
Noble Member
 

Yesterday when I checked the drive, specifically the security tab from the mapped drive in My Computer, there were 2 UNIX users in there. By default there should just be the admin, but I have never seen the UNIX accounts before.

the names were UNIX 1028 and UNIX 1029.

So … you have to figure out if you are seeing an artifact of the mounting, or of the Synology file share interface, or of the embedded Linux that's probably in there.

All smaller NASes I've seen have a SSH port – so … login, and look around.

My guess is that the NAS doesn't do user identification properly, but only converts a Unix uid to 'UNIX <uid>', instead of doing a full translation. If that guess is correct, you should have passwd/shadow files with entries for the numbers you saw … and that should tell you what users were involved.

However, take system changes into account. If you install a NAS service (say, backup or bittorrent or FTP or git or whateevr, it might lead to service accounts being created. And if you delete such services, the accounts may be deleted as well. So you need to know what has happened on the system during the relevant period. Log analysis? But for that kind of thing, you need a product expert. So … perhaps you need to say exactly what product is involved? And what firmware has been installed?

Part of that problem is to know just how the mount happens.

How should I further investigate, where and what should I be looking for?

Depends on what you are trying to figure out. ou've asked two question, one of which can only be answered well by someone who knows the product and how you've mounted the NAS volue, and the second needs a lot more information about your security stance when it comes to malware.

In general, though

The first question is easiest you need to understand how the NAS works. So … read the documentation, check the support forums, and do all the things that any decent IT specialist does when faced with a new piece of equipment.

While you're at it, ask product support, or the product support forum about what you have seen. Ask the product specialists.

Then, if you haven't got an answer, figure out how the internal information of the NAS maps to the information you saw.

 
Posted : 05/01/2017 11:28 pm
Vesalius
(@vesalius)
Posts: 66
Estimable Member
Topic starter
 

Outstanding reply athulin, thank you very much!

 
Posted : 06/01/2017 12:02 am
Share: