Hi,
@RESolver
My Dlink NAS is a DNS-320LW (the white version of the more widespread DNS-320L, with full firmware compatibility), and I must confess that I had not updated the firmware, so it should be a basic 1.01.
(Ironically, I identified the need to update just a few days before the attack and downloaded the latest firmware, but too late. I found more FW versions here: https://support.dlink.com/ProductInfo.aspx?m=DNS-320L )
My NAS was exposed to WAN only through ports 8080 http, and ftp port 21 + range, with port forwarding.
I feel like the firmware has been modified because, in addition to the .txt files that we all found in the root directory, I have a new "Application" with a bright red icon that appeared in the user interface. Or was the malware in the firmware from the beginning, designed to start on Feb 16th, 2019?
(It seems strange that the malware opened up simultaneously, as we are now a few victims but there was no previous reference on the whole internet before my creation of this topic.)
Hope this info helps; if you need more, ask for more details!
Thank you for the info, your information makes the RCE hypothesis stronger.
If you have a way, try to dump the entire system, by ssh? telnet? whatever, or try with serial interface (some info https://groups.google.com/forum/#!topic/alt-f/FmpgPNfIwNs )
It has been a while since I played with embedded devices, but I guess, and I'm pretty sure, that such a device's bootloader is based on U-Boot, so that means there is a way to dump the partitions from there (typically by tftp).
If you have the right skills, a full dump would be very appreciated! Alternatively, as I said before, a file-by-file dump by ssh or telnet can be enough.
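For anyone attempting the partition dump RESolver asks for, here is an added example (not code from the thread or from D-Link) of how to turn the NAS's own /proc/mtd table into a read-only acquisition plan from a shell obtained over ssh or telnet. It assumes a Linux/busybox shell on the device exposing /proc/mtd and /dev/mtdblockN; the partition table below is constructed for illustration and will differ from the real DNS-320L layout.

```sh
#!/bin/sh
# Added example: build a forensic dump plan from a /proc/mtd table.
# Assumptions: busybox-style shell on the NAS, /proc/mtd present, /dev/mtdblockN
# block devices for each partition, and a USB disk mounted at the output directory.

# Constructed sample of /proc/mtd output (NOT the real DNS-320L layout).
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00100000 00020000 "u-boot"
mtd1: 00500000 00020000 "kernel"
mtd2: 02000000 00020000 "rootfs"
'

# mtd_dump_plan OUTDIR: read /proc/mtd-style text on stdin and print, per partition,
# a dd command that copies /dev/mtdblockN into OUTDIR/<name>.bin using the erase
# block as the transfer size, followed by a sha256sum command to record the hash.
# On a live device you would run:  mtd_dump_plan /mnt/usb < /proc/mtd | sh
mtd_dump_plan() {
    outdir="$1"
    read -r _header                      # skip the column header line
    while read -r dev size erasesize name || [ -n "$dev" ]; do
        [ -n "$dev" ] || continue
        dev=${dev%:}                      # "mtd0:" -> "mtd0"
        name=${name#\"}; name=${name%\"}  # strip the quotes around the name
        bytes=$((0x$size))                # sizes in /proc/mtd are hex
        blk=$((0x$erasesize))
        printf 'dd if=/dev/mtdblock%s of=%s/%s.bin bs=%s count=%s conv=notrunc\n' \
            "${dev#mtd}" "$outdir" "$name" "$blk" "$((bytes / blk))"
        # busybox may only ship md5sum; swap the tool if sha256sum is missing
        printf 'sha256sum %s/%s.bin >> %s/dump.sha256\n' "$outdir" "$name" "$outdir"
    done
}

# mtd_total_bytes: sum the partition sizes so you can check the USB disk has room.
mtd_total_bytes() {
    read -r _header
    total=0
    while read -r dev size erasesize name || [ -n "$dev" ]; do
        [ -n "$dev" ] || continue
        total=$((total + 0x$size))
    done
    echo "$total"
}

# Stand-alone demonstration on the constructed table.
printf '%s' "$SAMPLE_MTD" | mtd_dump_plan /mnt/usb
printf 'total flash to copy: %s bytes\n' "$(printf '%s' "$SAMPLE_MTD" | mtd_total_bytes)"
```

Reading the partition table and the dd commands on the device itself, rather than guessing offsets, keeps the copy read-only and complete, and the recorded hashes let whoever analyses the image later prove it was not altered in transit.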
@Desdra
Here is what the user interface looks like. The red dot with README is the new thing.
ShareCenter <1.06 can be vulnerable, check it out here: https://www.exploit-db.com/exploits/43434
Edited by RESolver, 21 February 2019 - 03:23 PM.