Intel servers and Chinese hackers

18 months ago, Intel dropped off an SS4000-E NAS box for me to look at. It was a desirable little box on the surface – Linux-based, four drive bays, dual gigabit Ethernet ports – and I lost no time in installing it in the ZDNet UK Laboratory (Holloway). It came configured with four 250 GB drives, which I turned into a single 1TB system: it supports the usual RAID configurations for those who rate reliability over size.

My experiences thereafter were mixed. I run Linux and Windows at home – sorry, ZDNet UK Laboratory (Holloway) – and the SS4000-E supposedly supports both, with CIFS for Windows and NFS for Linux/Mac. Since it's easier to run CIFS on Linux than NFS on Windows (on Vista, for example, you have to buy either the Enterprise or Business Super Premium Four Star editions to get NFS support; MS won't let you have it otherwise), I decided to configure the various users for that.

Didn't work; after much enormo-pain, this proved to be a known bug to do with permissions in the version of CIFS in the SS4000-E – and I had a strong suspicion, backed by various email conversations with Intel support, that I'd probably die of old age or apoplexy before I extracted a fix or managed to get enough information to fix it myself. Intel had bought the SS4000-E from another company and didn't have in-house support who really knew the system, and the source code was available but in a form that promised nothing but misery.

So, I decided to use it for the Linux computers under NFS and use FTP for the Windows boxes. After learning more than I wanted about file ownership and permissions under Linux, I got things how I wanted them. It's been very reliable in those roles, although the gigabit Ethernet ports only ever really aspire to 100 Mbps speeds, the box is a trifle noisy for domestic surroundings, and I've found the web management interface to be rather clumsy and limited (I'd kill for shell access to the root; the things I could fix...).

Nevertheless, it's sat under my computer desk storing all sorts of nice things for me. I also routed incoming FTP requests from the Net to it, so I could get my files when out and about – that, combined with VNC on the main server, has proved really useful. It's also been useful for friends: I have a couple of semi-private FTP accounts on it I give out to those with special needs. There's only so much harm they can do, right?

One evening last week, I was moving some photos around. I logged onto the FTP server – which told me I was “user 4 of 8 allowed”. That was... interesting. So I changed the log-in details of the friend accounts, emailed my pals with the news and assumed that somewhere along the line, the old logins had slipped out. A reset (the management interface gives no control over the FTP server beyond enabling or disabling it), and I was back to being number one on my own system.

Last night, I checked again. And again, I was number 4. This time, I asked my router to show incoming connections – and there were three persistent IP addresses, all on the FTP port. I tracerouted them: they vanished in a constellation of asterisks before I could find their home ISP – but not before it was clear that they'd originated in China.
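The check described above, turning a router's connection listing into a short list of remote addresses that have been sitting on the FTP port for longer than any friend would, can be scripted. The following is an added example and not code from the post, from Intel or from the SS4000-E; the snapshot format, the LAN range 192.168.1.0/24, the NAS address 192.168.1.20 and the "friend" address 198.51.100.50 are all constructed assumptions, and the sample lines are made up to resemble three router snapshots taken ten minutes apart.

```python
"""Summarise persistent FTP clients from periodic router connection snapshots.

Added example, not part of the original post. The line format
(time proto src:port dst:port state) and every address are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: three snapshots of the router's connection table.
SAMPLE_CONNECTIONS = """\
22:01:05 tcp 203.0.113.7:51234 192.168.1.20:21 ESTABLISHED
22:01:05 tcp 198.51.100.9:40021 192.168.1.20:21 ESTABLISHED
22:01:05 tcp 198.51.100.22:40455 192.168.1.20:21 ESTABLISHED
22:01:05 tcp 192.168.1.10:44320 192.168.1.20:21 ESTABLISHED
22:01:05 tcp 192.168.1.10:44321 192.168.1.20:2049 ESTABLISHED
22:11:05 tcp 203.0.113.7:51234 192.168.1.20:21 ESTABLISHED
22:11:05 tcp 198.51.100.9:40021 192.168.1.20:21 ESTABLISHED
22:11:05 tcp 198.51.100.22:40455 192.168.1.20:21 ESTABLISHED
22:11:05 tcp 198.51.100.50:39001 192.168.1.20:21 ESTABLISHED
22:11:05 tcp 192.168.1.10:44320 192.168.1.20:21 ESTABLISHED
22:21:05 tcp 203.0.113.7:51234 192.168.1.20:21 ESTABLISHED
22:21:05 tcp 198.51.100.9:40021 192.168.1.20:21 ESTABLISHED
22:21:05 tcp 192.168.1.10:44320 192.168.1.20:21 ESTABLISHED
"""

# Assumed: the home LAN plus one friend's address are expected FTP clients.
TRUSTED = [ip_network("192.168.1.0/24"), ip_network("198.51.100.50/32")]


def _seconds(hhmmss):
    """Convert HH:MM:SS to seconds since midnight."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_connections(text):
    """Parse snapshot lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, proto, src, dst, state = parts
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        records.append({"t": _seconds(ts), "proto": proto,
                        "src_ip": src_ip, "src_port": int(src_port),
                        "dst_ip": dst_ip, "dst_port": int(dst_port),
                        "state": state})
    return records


def ftp_clients(records, ftp_port=21):
    """Per remote address: first/last time seen on the FTP port, snapshot count."""
    seen = {}
    for r in records:
        if r["dst_port"] != ftp_port or r["state"] != "ESTABLISHED":
            continue
        entry = seen.setdefault(r["src_ip"],
                                {"first": r["t"], "last": r["t"], "snapshots": 0})
        entry["first"] = min(entry["first"], r["t"])
        entry["last"] = max(entry["last"], r["t"])
        entry["snapshots"] += 1
    return seen


def concurrent_ftp_clients(records, at_time, ftp_port=21):
    """Distinct addresses holding an FTP connection in the snapshot at at_time."""
    t = _seconds(at_time)
    return len({r["src_ip"] for r in records
                if r["t"] == t and r["dst_port"] == ftp_port
                and r["state"] == "ESTABLISHED"})


def is_trusted(ip, trusted=TRUSTED):
    addr = ip_address(ip)
    return any(addr in net for net in trusted)


def flag_persistent_untrusted(records, min_seconds=15 * 60, trusted=TRUSTED):
    """Untrusted addresses seen on the FTP port across at least min_seconds."""
    flagged = {}
    for ip, entry in ftp_clients(records).items():
        duration = entry["last"] - entry["first"]
        if not is_trusted(ip, trusted) and duration >= min_seconds:
            flagged[ip] = duration
    return flagged


if __name__ == "__main__":
    recs = parse_connections(SAMPLE_CONNECTIONS)
    print("FTP clients at 22:01:05:", concurrent_ftp_clients(recs, "22:01:05"))
    for ip, secs in sorted(flag_persistent_untrusted(recs).items()):
        print(f"persistent untrusted FTP client {ip}: {secs // 60} min")
```

The output is the list of sessions worth closing and the accounts worth reviewing; it deliberately stops short of contacting the remote addresses. Attributing an address to a country, as the post does by traceroute, would need a GeoIP database and is left out so the script runs offline.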

Fascinating, captain. I'd used the FTP server the last couple of times I'd visited China – had someone been sniffing my connection? But even so, how were they still there, after I'd changed the login details? And what on earth were they doing?

I still can't answer the last question: there's not enough logging in the SS4000-E to watch users by file operation or examine the whole filing system. But I soon found out that I'd mistakenly included the Guest account (which you can't delete – why not?) in a group with access privileges to a shared directory; removing that group link and resetting freed my incoming IP log of any and all FTP connections from China. They haven't been back since. (I did check the share that the Guest account had access to, and there was nothing amiss – nor anything that anyone would particularly want to download, so that mystery remains).

But. What would happen if my drive had been filled with warez – or worse? – and I'd had a knock on the door from the fuzz? Is there any connection between this and the ongoing (and badly underpublicised) online hacking war between the US and us, and China? Would I be breaking the law if I started to take a closer interest in those IP addresses? I was very tempted to nmap them. (Incidentally, recommendations of good tools to investigate suspicious IP addresses are very welcome; I know a few tricks, but sure ain't l33t).

Perhaps, over the weekend, I'll hook up a completely different server – one I can watch with much more detail – and see who comes visiting.