
TrueNAS Bittorrent compromised - how to improve security

Hi everyone,

 

I'm running TrueNAS Core 13.0-U4. I had the qBittorrent plugin running and when looking at my torrent list I noticed a torrent I definitely did not add. It was for some Wi-Fi hacking ebook.

I purged the files downloaded, and went ahead and deleted the whole plugin install because I reviewed the plugin settings and saw that "run program on torrent finish" was enabled, and it looks like it was set to run a bash command that seems to connect to a remote server.

I restarted my router, computer and NAS for good measure.

But what more can I do? I don't want this happening again. As far as I know my NAS isn't set up for remote access at all. My Plex plugin is set so that remote access is disabled.

I saved that run-after command as well, so I have the remote server IP; is there anything I can do with this information? NOT in terms of revenge, I know better than to piss off a hacker.


Have security on your web interfaces. NEVER EVER PORT FORWARD WEB CONSOLES, HAVING A PASSWORD DOESN'T SAVE YOU! If you need remote access, use an encrypted VPN/tunnel such as Tailscale or ZeroTier (AFAIK both are based on WireGuard) instead of forwarding ports. IMO you should never port forward anything if you can avoid it. If you want to run a website or something, use a dedicated, isolated server you own at minimum if you are into self-hosting. Also update your software, whether it be on a NAS, a desktop, a phone, what have you; if you have an old Windows 7 machine, update to Windows 10/11 or Linux. If you are on a public Wi-Fi network or even at a questionable family member's house, use a VPN (usually paid) or Tor (free; can route all applications on Windows through it using OnionFruit or Tallow). OpenMediaVault also has an antivirus plugin that scans shared drives for viruses and removes them if any are found; I don't know if something similar is available for TrueNAS, but if there is, use it.


30 minutes ago, BrownZeus said:

Hi everyone,

I'm running TrueNAS Core 13.0-U4. I had the qBittorrent plugin running and when looking at my torrent list I noticed a torrent I definitely did not add. It was for some Wi-Fi hacking ebook.

I purged the files downloaded, and went ahead and deleted the whole plugin install because I reviewed the plugin settings and saw that "run program on torrent finish" was enabled, and it looks like it was set to run a bash command that seems to connect to a remote server.

I restarted my router, computer and NAS for good measure.

But what more can I do? I don't want this happening again. As far as I know my NAS isn't set up for remote access at all. My Plex plugin is set so that remote access is disabled.

I saved that run-after command as well, so I have the remote server IP; is there anything I can do with this information? NOT in terms of revenge, I know better than to piss off a hacker.

Was anything exposed externally? Did you have ports open in your router? Figuring out how you were compromised is equally important as trying to purge bad data, hell, probably more important.

Rig: i7 13700k - - Asus Z790-P Wifi - - RTX 4080 - - 4x16GB 6000MHz - - Samsung 990 Pro 2TB NVMe Boot + Main Programs - - Assorted SATA SSD's for Photo Work - - Corsair RM850x - - Sound BlasterX EA-5 - - Corsair XC8 JTC Edition - - Corsair GPU Full Cover GPU Block - - XT45 X-Flow 420 + UT60 280 rads - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad

 

Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx

 

Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 RAID Z1 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TreuNAS + many other VM’s

 

iPhone 14 Pro - 2018 MacBook Air


11 minutes ago, LIGISTX said:

Was anything exposed externally? Did you have ports open in your router? Figuring out how you were compromised is equally important as trying to purge bad data, hell, probably more important.

14 minutes ago, Rysters Tech said:

Have security on your web interfaces. NEVER EVER PORT FORWARD WEB CONSOLES, HAVING A PASSWORD DOESN'T SAVE YOU! If you need remote access, use an encrypted VPN/tunnel such as Tailscale or ZeroTier (AFAIK both are based on WireGuard) instead of forwarding ports. IMO you should never port forward anything if you can avoid it. If you want to run a website or something, use a dedicated, isolated server you own at minimum if you are into self-hosting. Also update your software, whether it be on a NAS, a desktop, a phone, what have you; if you have an old Windows 7 machine, update to Windows 10/11 or Linux. If you are on a public Wi-Fi network or even at a questionable family member's house, use a VPN (usually paid) or Tor (free; can route all applications on Windows through it using OnionFruit or Tallow). OpenMediaVault also has an antivirus plugin that scans shared drives for viruses and removes them if any are found; I don't know if something similar is available for TrueNAS, but if there is, use it.

As far as I know, no ports were opened specifically by me prior to this incident. I'm currently in full defensive mode and wiping out my TrueNAS install and reinstalling.

Currently looking into checking if the plugin by default opens ports.


56 minutes ago, BrownZeus said:

As far as I know, no ports were opened specifically by me prior to this incident. I'm currently in full defensive mode and wiping out my TrueNAS install and reinstalling.

Currently looking into checking if the plugin by default opens ports.

If no ports in your router are open, then something internally was able to access it… and I doubt it attempts to open ports via UPnP. Are you certain it was not a torrent you maybe accidentally added as a test, or somehow changed the name of?

That's an interesting one for sure…

Wiping out TrueNAS may not be the best; I would probably try and figure out what info could be found via logs before nuking it all. Or just turn it off until you have a plan to dump the logs. If you don't know how something got in, reformatting won't help, especially if whatever got in came from another local source; it would probably just happen again.



11 minutes ago, LIGISTX said:

If no ports in your router are open, then something internally was able to access it… and I doubt it attempts to open ports via UPnP. Are you certain it was not a torrent you maybe accidentally added as a test, or somehow changed the name of?

That's an interesting one for sure…

Wiping out TrueNAS may not be the best; I would probably try and figure out what info could be found via logs before nuking it all. Or just turn it off until you have a plan to dump the logs. If you don't know how something got in, reformatting won't help, especially if whatever got in came from another local source; it would probably just happen again.

So I decided to go to TrueNAS SCALE on an SSD I had lying around. The original TrueNAS Core drive I have is currently locked away.

I definitely didn't add this torrent, and the post-completion script was something I had no idea was a function of the qBittorrent plugin. I googled the issue, actually, and just a few days ago someone on Reddit posted about the same thing, and they had the exact same post-completion script.

So given that post and their experience, I think what's happened here is that somehow qBittorrent was enabled for remote access, and the payload downloaded wasn't necessarily the malware; the end goal was to get that post-completion script to run, and that was the malware. I'm going to review my router and make sure no ports are open or forwarded, but I think crisis averted. None of my data appears to be compromised. I randomly opened a bunch of my files off my NAS and everything seems intact.
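The thread's diagnosis is that a reachable qBittorrent WebUI let someone turn on "run external program on torrent completion", so the torrent itself was only a trigger and the configured command was the payload. The audit below is an added example written for this thread; it is not code from any poster, from TrueNAS, or from the qBittorrent project. It parses a qBittorrent.conf and flags the four settings that matter here (autorun enabled, WebUI bound to every interface, localhost authentication bypass, UPnP port mapping), then writes a corrected copy. The section and key names ([AutoRun] enabled/program, and WebUI\Enabled, WebUI\Address, WebUI\Port, WebUI\LocalHostAuth, Connection\UPnP under [Preferences]) follow qBittorrent's INI layout as the author understands it and are assumptions to check against your own file; the sample config and its autorun command are constructed placeholders, not the command found in the plugin.

```python
r"""Audit a qBittorrent.conf for the settings that turned an exposed WebUI into
code execution in this thread, and emit a hardened copy.

Added example, not code from any poster, TrueNAS or the qBittorrent project.
Key names are assumptions based on qBittorrent's INI layout; verify them
against your own qBittorrent.conf (in the jail/container, not the host).
"""
import configparser
import io

# Constructed sample: a config in the state described in the thread. The
# autorun command is a placeholder, not the command found in the plugin.
SAMPLE_CONF = r"""
[AutoRun]
enabled=true
program=/bin/sh -c "PLACEHOLDER-COMMAND-THAT-CONTACTS-A-REMOTE-HOST"

[Preferences]
Connection\UPnP=true
WebUI\Enabled=true
WebUI\Port=8080
WebUI\Address=*
WebUI\LocalHostAuth=false
"""

# Bind addresses that expose the WebUI beyond the NAS itself.
WILDCARD_BINDS = {"*", "0.0.0.0", "::"}


def parse_conf(text):
    """Parse qBittorrent's INI-style config, keeping key case and backslashes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "WebUI\Enabled" as written instead of lowercasing it
    cp.read_string(text)
    return cp


def is_true(cp, section, key, default="false"):
    """Read a boolean key; a missing section or key yields the given default."""
    return cp.get(section, key, fallback=default).strip().lower() == "true"


def audit(text):
    """Return a list of (severity, message) findings; an empty list means nothing flagged."""
    cp = parse_conf(text)
    findings = []
    if is_true(cp, "AutoRun", "enabled"):
        program = cp.get("AutoRun", "program", fallback="").strip()
        findings.append(("HIGH", f"run-on-completion is enabled, command: {program!r}"))
    if is_true(cp, "Preferences", r"WebUI\Enabled"):
        address = cp.get("Preferences", r"WebUI\Address", fallback="*").strip()
        port = cp.get("Preferences", r"WebUI\Port", fallback="8080").strip()
        if address in WILDCARD_BINDS:
            findings.append(("MEDIUM", f"WebUI listens on all interfaces ({address}:{port})"))
        if not is_true(cp, "Preferences", r"WebUI\LocalHostAuth", default="true"):
            findings.append(("MEDIUM", "WebUI skips authentication for localhost clients"))
    if is_true(cp, "Preferences", r"Connection\UPnP"):
        findings.append(("MEDIUM", "UPnP/NAT-PMP enabled: the router may be asked to open ports automatically"))
    return findings


def harden(text):
    """Return the config text with the flagged settings corrected.

    The WebUI is pinned to loopback so it is only reachable through a VPN or
    SSH tunnel into the NAS, matching the advice earlier in the thread.
    """
    cp = parse_conf(text)
    for section in ("AutoRun", "Preferences"):
        if not cp.has_section(section):
            cp.add_section(section)
    cp.set("AutoRun", "enabled", "false")
    cp.set("AutoRun", "program", "")
    cp.set("Preferences", r"WebUI\Address", "127.0.0.1")
    cp.set("Preferences", r"WebUI\LocalHostAuth", "true")
    cp.set("Preferences", r"Connection\UPnP", "false")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def audit_file(path):
    """Audit a real qBittorrent.conf on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read())


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONF):
        print(f"[{severity}] {message}")
    print("after hardening:", audit(harden(SAMPLE_CONF)) or "no findings")
```

Run `audit_file()` against the plugin's qBittorrent.conf before wiping anything, and keep the original file with the rest of the evidence: the autorun command it records is the one artefact that tells you what actually ran. Clearing the settings only removes the foothold; the WebUI also needs to be unreachable from outside the NAS, which this script can check but not enforce on the router.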


3 minutes ago, BrownZeus said:

So I decided to go to TrueNAS SCALE on an SSD I had lying around. The original TrueNAS Core drive I have is currently locked away.

I definitely didn't add this torrent, and the post-completion script was something I had no idea was a function of the qBittorrent plugin. I googled the issue, actually, and just a few days ago someone on Reddit posted about the same thing, and they had the exact same post-completion script.

So given that post and their experience, I think what's happened here is that somehow qBittorrent was enabled for remote access, and the payload downloaded wasn't necessarily the malware; the end goal was to get that post-completion script to run, and that was the malware. I'm going to review my router and make sure no ports are open or forwarded, but I think crisis averted. None of my data appears to be compromised. I randomly opened a bunch of my files off my NAS and everything seems intact.

I'd potentially post in the TrueNAS forum as well.

If it's an official plugin, TrueNAS shouldn't be shipping it in a default state that attempts to open a port via UPnP, if that is even what happened… but they may know better as to what happened.



20 minutes ago, LIGISTX said:

I'd potentially post in the TrueNAS forum as well.

If it's an official plugin, TrueNAS shouldn't be shipping it in a default state that attempts to open a port via UPnP, if that is even what happened… but they may know better as to what happened.

On TrueNAS Core it was a community plugin, not official, unfortunately.
