URGENT - been hacked, they've been MITM'ing my NAS units on my local LAN.

VirtualLarry

No Lifer
Aug 25, 2001
56,326
10,034
126
Interesting technology. I've got some NAS units, "TS-431" and "TS-451". AFAIK, they register in local (router) DNS when booted, with their names, which, to my knowledge, should be accessible via "http://ts-451./", etc.

Well, it seems that somehow my router has been compromised (likely a targeted attack), and when I went to those URLs by name, rather than by local IP directly, they redirected out to a "Fake NAS" site, that redirected back into my local NAS, but stole my NAS admin passwords and whatnot. Looks like my NAS, but some settings didn't stick properly, and I didn't know why, and responsiveness of the UI was laggy.

The fact that either: 1) they were able to auto-generate, on the fly, additions to the internet's TLD category, using my custom NAS names, or 2) inject those names into my local router's DNS, possibly using ARP or DNS poisoning, such that logins, etc., that would normally happen completely locally to my LAN, went out over the internet to some server.

I have proof.

Attachments: MITM 2.png, MITM 3.png, MITM 4.png, MITM asustor6104t.png

VirtualLarry

After posting this, it seems that they've de-activated their trojan horse, presumably to prevent being traced. Note this NSLOOKUP.

Attachment: MITM 5.png

VirtualLarry

It seems even curiouser. That Verizon's DNS service is somehow complicit in the sponging of personal data off of NAS units, in conjunction with this "barefruit.co.uk" / "barefruit.com".

That Verizon's DNS resolver EVEN ALLOWS them to create FAKE/DECOY/SPOOF NAS domain names (that should be strictly maintained as on the local private-IP-space LAN), that instead resolve to actual public IPs, and then you connect in File Explorer using \\servername\share, and no one's the wiser, and you've shuttled/copied your NAS contents to another NAS unit, only THEY'VE HOOVERED UP ALL YOUR NAS PERSONAL DATA IN THE PROCESS.

This didn't resolve to the spoof sites, when on my Comcast connection. Their DNS implementation correctly returns "No such domain" errors.

I shut down my NAS units, using their physical power buttons, and then unplugged my Asus AC68R router, and connected a laptop I reserve for flashing firmware, to my Comcast router wirelessly, and then I downloaded the newest firmware for the router, and then I shut down the router, booted it into Recovery Mode, and set up a firmware recovery on the laptop, using the newly-downloaded firmware.

I still had the G1100 upstream, and it was still resolving my NAS domain names to barefruit, so I powered down my router with the fresh firmware, and disconnected the G1100 router, and connected my FIOS connection straight into the Asus router's WAN port. I then powered up the router, connected wirelessly with my diag router (I had previously re-configured the router, with new Wifi SSIDs, new Wifi passwords, and new admin passwords, using an ethernet cable.) Still resolving the barefruit IPs for my NAS's domain names.

So I powered-down my router, and connected my Comcast router/gateway to my Asus router's WAN port, and powered it up.
"No such domain" errors, doing nslookup on the Comcast connection to my NAS units' domain names (while they were powered down).

This is, in my mind, criminal access to my private NAS contents, via Verizon's DNS server, and barefruit's infrastructure.

And it's widespread. I imagine a similar sort of thing could happen to Ring video doorbells, or any number of IoT items, that could be MITM'ed via a simple DNS hijack, that would allow stealing credentials and data streams, by routing what should be constricted to private LAN IPs over the public internet.

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
Is RT-AC68R-F138-AC68U.Home (IP 192.168.6.1) the name of your NAS that's running your own private DNS?

Which DNS does QNAP use/provide ? The link to their DNS setup?

Some info.


If you want to avoid this, try to set up DNS or forward DNS to

Google DNS 8.8.8.8, 8.8.4.4
Cloudflare DNS 1.1.1.1, 1.0.0.1

or reference

==

C:\Windows\System32>PING 92.242.140.21

Pinging 92.242.140.21 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 92.242.140.21:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\System32>nslookup
Default Server: UnKnown
Address: 192.168.0.1

> server 4.2.2.1
Default Server: a.resolvers.level3.net
Address: 4.2.2.1

> ts-451
Server: a.resolvers.level3.net
Address: 4.2.2.1

*** a.resolvers.level3.net can't find ts-451: Non-existent domain
> ts-451.
Server: a.resolvers.level3.net
Address: 4.2.2.1

Non-authoritative answer:
Name: ts-451
Addresses: 23.202.231.167
           23.217.138.108

> server 8.8.8.8
Default Server: dns.google
Address: 8.8.8.8

> ts-451.
Server: dns.google
Address: 8.8.8.8

*** dns.google can't find ts-451.: Non-existent domain
> ts-451
Server: dns.google
Address: 8.8.8.8

*** dns.google can't find ts-451: Non-existent domain

========

ping -a 23.217.138.108

Pinging a23-217-138-108.deploy.static.akamaitechnologies.com [23.217.138.108] with 32 bytes of data:
Reply from 23.217.138.108: bytes=32 time=137ms TTL=53
Reply from 23.217.138.108: bytes=32 time=140ms TTL=53
Reply from 23.217.138.108: bytes=32 time=141ms TTL=53
Reply from 23.217.138.108: bytes=32 time=138ms TTL=53

Ping statistics for 23.217.138.108:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 137ms, Maximum = 141ms, Average = 139ms

====> ts-451 probably just happens to be a subdomain of some domains?

VirtualLarry

That doesn't even scratch the surface of what they appear to be doing. They appear to be a "rogue DNS provider", that provides "overlay DNS", and creates entries for what would otherwise be failed DNS lookups. INCLUDING TOP-LEVEL AND LOCAL DOMAIN NAMES!

My understanding is, a local device creates a local domain name, "TS-451", domain "ts-451". To prevent your browser from interpreting that as a search term, or doing a .com / .net / .org search for a matching primary domain, you have to specify the link as "http://ts-451./" - with the trailing period, indicating a TOP-LEVEL (local) domain name.

What Barefruit appears to be doing, is populating their "domain-name system overlay space" - INCLUDING top-level / local domains. So they created an entry for "ts-451.", that points to a PUBLIC IP, rather than my 192.168.x.x LAN IP range.

What happens when you then use "\\ts-451\Public" to access a share on your NAS? It goes out over the public internet, instead of staying on your LAN! And Verizon is complicit in this!

These people are not just "advertising based on DNS lookup failures" - they are full-on hijacking DNS - including local DNS entries like servers and NAS units! And apparently, MITM'ing the CIFS connections!

This IS CRIMINAL. That guy that started Reddit, that was accused of unlawful access, they were going to give him 50 years. What should these corporate DNS hijackers get? LIFE IN PRISON, IMHO.

Edit: I also believe this to be true, because I used the domain name (with the period) in my browser, to access the login screen for my (local) NAS units, and the first login fails, when I could have sworn I typed the password in correctly. Then it succeeded the second time. A classic password-stealing MITM attack. Something that a rogue DNS provider overlay hijack system would be designed to do.

Also, when I use the domain name in my browser, and login to my NAS, it's laggy, and settings don't always stick. When I use a local LAN NAS browser app from the mfg, and double-click and login using the IP address, things are nice and speedy.

This also explains why my file transfers (writes) going to my NAS unit(s) were inexplicably going at only 30MB/sec, instead of 100MB/sec like they used to do.
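
Editor's note: the following is an added, self-contained Python check, not code from the thread, from QNAP/Asus firmware, or from any of the resolvers named. It covers two points made in the last two posts: how a stub resolver qualifies a typed name such as "ts-451" versus "ts-451." (the trailing-dot point above), and the nslookup comparison mxnerd ran, repeated at the wire level: build an A query for the single-label name, parse the reply, and report NXDOMAIN, a private address, or a public address. The search suffix "home" is an assumed DHCP-supplied value; the replies used for the offline checks are constructed with make_response(), not captured traffic; the resolver addresses in the main block are the ones that appear in the thread.

```python
"""Added example (not from the thread): qualify a typed hostname the way a
stub resolver does, then send a raw DNS query and classify the reply so the
nslookup comparison above can be repeated against any resolver. Replies used
offline are constructed, not captured traffic."""
import ipaddress
import random
import socket
import struct

NXDOMAIN = 3  # RCODE for "no such name"


def candidate_names(typed, search_list=("home",)):
    """Absolute names a stub resolver sends, in order, for what was typed
    (ndots=1 search rule; glibc and Windows differ in detail). 'home' is an
    assumed DHCP search suffix. A trailing dot means: send exactly as typed."""
    if typed.endswith("."):
        return [typed]
    suffixed = [f"{typed}.{s}." for s in search_list]
    # bare hostname: suffix first, then the single-label name at the root
    return suffixed + [typed + "."] if "." not in typed else [typed + "."] + suffixed


def build_query(name, txid=0x1234, qtype=1):
    """RFC 1035 wire-format query (RD=1, class IN) for `name`."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], 0, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: 14-bit offset
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        if ln == 0:
            return ".".join(labels) + ".", (end if jumped else off + 1)
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse_response(msg):
    """Return {'txid', 'rcode', 'a_records': [(name, ipv4), ...]}."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            records.append((name, str(ipaddress.IPv4Address(msg[off:off + 4]))))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "a_records": records}


def classify(resp):
    """NXDOMAIN is the honest answer for a LAN-only name at a public resolver;
    a private address means the resolver knows the LAN; a public address is
    the symptom described in the thread."""
    if resp["rcode"] == NXDOMAIN:
        return "NXDOMAIN"
    ips = [ip for _, ip in resp["a_records"]]
    public = [ip for ip in ips if ipaddress.ip_address(ip).is_global]
    if public:
        return "HIJACKED:" + ",".join(public)
    return "LOCAL:" + ",".join(ips) if ips else "EMPTY"


def make_response(query, rcode, a_records=()):
    """Constructed reply to `query` (offline testing only, not real traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + ipaddress.IPv4Address(ip).packed for ip in a_records)
    return header + query[12:] + rrs


def query_resolver(resolver_ip, name, timeout=2.0):
    """Ask a real resolver over UDP/53 and classify its reply (needs network)."""
    q = build_query(name, txid=random.randrange(1 << 16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["txid"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch, reply discarded")
    return classify(resp)


if __name__ == "__main__":
    # Same check as in the thread: the LAN name with a trailing dot, asked of
    # the router and of public resolvers; anything but NXDOMAIN upstream is odd.
    for resolver in ("192.168.0.1", "4.2.2.1", "8.8.8.8", "1.1.1.1"):
        print(resolver, query_resolver(resolver, "ts-451."))
```

Two things the script makes concrete: candidate_names("ts-451") still ends with the bare "ts-451." being sent upstream after the search suffix fails, so the trailing dot is not what exposes the name, it only skips the suffix step; and a resolver that answers a single-label name with a public address is the one condition classify() reports as a hijack, matching what the nslookup transcript above shows for 4.2.2.1 versus 8.8.8.8.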

VirtualLarry

Emergency personnel just showed up. I hope that they're not trying to get me locked up somehow for exposing them. This is NO JOKE.

mxnerd

What's your Verizon FIOS DNS IP addresses?

I forgot the difference between domain names with or without a dot. But I never use the one with a dot.

mxnerd

More info.

It's been like this since 2014

VirtualLarry

This is still an issue months after Verizon was made aware that their DNS was redirecting customers incorrectly. Now when this happens, FiOS routers are creating port forwarding rules for this IP address and company Barefruit without the knowledge of their customers. How is an everyday user to know that this is going on, as they have no idea how to log into the web interface of a router?! First level tech support at Verizon act like they have never heard of this issue when you call; it was only after they put me on the phone with Actiontech that it was immediately addressed.

Maybe that's how they're pulling off the SMB/CIFS hijacks.

ch33zw1z

Lifer
Nov 4, 2004
37,759
18,039
146

WelshBloke

Lifer
Jan 12, 2005
30,427
8,093
136
How to keep your ISP’s nose out of your browser history with encrypted DNS

Long article, have to find some time to read myself.

I don't use my ISP's DNS, but not for privacy issues (mainly the redirection of mistyped web addresses really annoys me!).
Wouldn't your ISP know where you are going with or without using their DNS? They can see (well, they have to see) what IP addresses you are going to, as they are routing you?

ch33zw1z

> I don't use my ISP's DNS, but not for privacy issues (mainly the redirection of mistyped web addresses really annoys me!).
> Wouldn't your ISP know where you are going with or without using their DNS? They can see (well, they have to see) what IP addresses you are going to, as they are routing you?

Sure, your ISP can see all the connections from your IP through their network. DNS just makes this much easier for an ISP to keep track of, and potentially sell to advertisers. Without DNS, they would have to use some other software to effectively compile a list.

Red Squirrel

No Lifer
May 24, 2003
67,335
12,099
126
www.anyf.ca
Is UPnP enabled? You could have landed on a bad site that then loaded something into your machine, which then used UPnP to forward a port to the trojan. Just a wild guess. Or worse, is remote admin turned on? I would disable both of those if they aren't, as a start.

[DHT]Osiris

Lifer
Dec 15, 2015
14,074
12,168
146
> That doesn't even scratch the surface of what they appear to be doing. They appear to be a "rogue DNS provider", that provides "overlay DNS", and creates entries for what would otherwise be failed DNS lookups. INCLUDING TOP-LEVEL AND LOCAL DOMAIN NAMES!
> [...]
Reading through and trying to digest what you're talking about here... but I'm 99.9% sure you just have/had a good old-fashioned virus that's intercepting DNS requests. Odds are if you wiresharked your local LAN you wouldn't see any TCP/53 leaving your workstation. Instead of your router (192.168.6.1) returning DNS traffic, whatever interceptor/doodad on your local machine was. These are used extensively to get further crapware/viruses on workstations that try to hit the internet post-infection.

VZ doesn't publish records for your internal network; when you do an nslookup for local resources on a network that doesn't have a true DNS configured (you likely don't), it just broadcasts the request and sees who responds. If you are using a true local DNS (with A records, etc.) and your system was clean, this kind of thing would require manipulation of the A records on that DNS system, which is highly unlikely. Far more likely the box you browse from got pegged.

killster1

Banned
Mar 15, 2007
6,208
475
126
I remember you wanted to put a Merlin firmware on your router. Wonder what fw you are using. They had a November update for your router.

VirtualLarry

> VZ doesn't publish records for your internal network; when you do an nslookup for local resources on a network that doesn't have a true DNS configured (you likely don't), it just broadcasts the request and sees who responds. If you are using a true local DNS (with A records, etc.) and your system was clean, this kind of thing would require manipulation of the A records on that DNS system, which is highly unlikely. Far more likely the box you browse from got pegged.
I believe, in conjunction with this "barefruit" entity, that's EXACTLY what they're doing.

I'm not saying that it's not a router bug, that DNS requests for local domain names wouldn't escape my router, but what WAS interesting, was that the "unassigned.barefruit.co.uk" IP address did NOT show up during nslookups for random TLDs (just hitting a string of keys). That means that their (Verizon's) DNS resolver is actually listening to, and filtering DNS requests, to determine WHAT is making that DNS request (DNS lookups for SMB/CIFS lookups of servers probably have a certain characteristic or signature to them), and THOSE are the ones that Verizon / barefruit are spoofing, to exfiltrate SMB/CIFS connections by Windows.

I won't mince words; this has TLA written all over it, as far as the capability goes.

Edit: It's all interesting too, and kind of shoots a hole in your theory, that when I swapped my main LAN router over to my backup ISP, the problem went away (when I stopped using my VZ connection). No malware removal on the local PC. I feel that if it were local PC malware, the problem would have followed the PC, and not the connection.

[DHT]Osiris

> I believe, in conjunction with this "barefruit" entity, that's EXACTLY what they're doing.
> [...]
So, wait, what is the router's DNS pointed to? Like what does it use for DNS records it doesn't know? The 'broken' one, as well as the 'backup' one.

Note that there's nothing unique about DNS lookups for hostnames wrt the source or destination request; there's no such thing as a 'signature' on DNS records related to SMB/CIFS stuff.

[DHT]Osiris

> I just had it using DHCP, on the WAN, so I assume, the ISP's DNS servers.

If that's the case, it's likely your ISP is just doing general DNS interception for unknown addresses, which is a little asinine if you're querying the local network for responses. At any rate, I'd let the router/modem doodad pull IP from DHCP, but set the DNS to something else like Google (8.8.8.8, 8.8.4.4) or my current preferred, AdGuard DNS (176.103.130.130 and 176.103.130.131).