Persistent backdoor discovered on 2 of my NAS's

NAS: DS412+, DS418, DS214Play
Operating system: macOS
Mobile operating system: iOS
[Attached image: Screen Shot 2021-08-23 at 4.16.09 pm.png]


I have discovered a persistent backdoor in 2 of my NAS's. DSM updates do not affect it and Security Advisor does not detect it. They allow my hacker full control of the NAS and of course various attacks on my network including ARP spoofing, DNS spoofing, SYN floods and DDoS attacks. I have just discovered them and blocked them successfully with the NAS firewall. It seems it's based on a trojan called Backdoor.Smother [Symantec-2003-092310-2135-991] but I am just guessing because it uses the same port. I really have no idea.

As you can see there is no PID or service name so yeah. I also have IPv6 disabled on the NIC but that doesn't matter.

Any help would be appreciated.
 
Did you read DSM ports? These ports are listed in there. Also, the fact that there is no service linked to them doesn't mean they are used by malware; the NFS port also has no service connected.
 
Yes, I have. It seems 3264 is the culprit but I blocked the other 2 jic. I got my info from here: Port 3264 (tcp/udp), but have read it may be called linux/backdoor or something similar.
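The reply's point, that a listening port with no PID or service name can belong to the kernel (as the NFS port does) rather than to malware, can be checked from `/proc` over SSH. This is an added example, not part of the original thread: the sample table, inode numbers, PID and documented-port set are constructed, and the set should be filled in from the DSM ports list the reply refers to.

```python
import os, re

LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not taken from the thread).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20101 1 0000000000000000 100 0 0 10 0
   1: 00000000:0801 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20202 1 0000000000000000 100 0 0 10 0
   2: 00000000:0CC0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20303 1 0000000000000000 100 0 0 10 0
   3: 00000000:9C40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20404 1 0000000000000000 100 0 0 10 0
   4: 0100007F:1388 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 20505 1 0000000000000000 100 0 0 10 0
"""

def listeners(proc_net_tcp):
    """Return (port, inode) for every socket in LISTEN state."""
    rows = (line.split() for line in proc_net_tcp.splitlines()[1:])
    return [(int(f[1].rsplit(":", 1)[1], 16), int(f[9]))
            for f in rows if len(f) > 9 and f[3] == LISTEN]

def inode_owners(proc="/proc"):
    """Live systems only: map socket inode -> pid via /proc/<pid>/fd (needs root)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{proc}/{pid}/fd/{fd}"))
                if m:
                    owners.setdefault(int(m.group(1)), int(pid))
        except OSError:
            continue  # process exited or access denied
    return owners

def triage(proc_net_tcp, owners, documented):
    """Label each listening port by owning process and documented-port list."""
    report = {}
    for port, inode in listeners(proc_net_tcp):
        if inode in owners:
            report[port] = f"pid {owners[inode]}"
        else:
            known = "documented" if port in documented else "undocumented, investigate"
            report[port] = f"no owning process, {known}"
    return report

if __name__ == "__main__":
    # Constructed owner map and documented set; on a NAS pass the contents of
    # /proc/net/tcp, inode_owners(), and the ports confirmed in the vendor list.
    print(triage(SAMPLE, {20101: 1234}, {2049, 3264}))
```

`/proc/net/tcp` covers IPv4 TCP only; run the same parse over `/proc/net/tcp6` to include IPv6 listeners.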
 