user@argobox:~/journal/2025-08-18-the-intruder-that-wasnt
$ cat entry.md

The Intruder That Wasn't


00:48 - ruTorrent containers on the Synology NAS won’t start. Missing passwd files. The containers had been running fine for months.

/volume2/docker/rutorrent-commander/passwd does not exist

First thought: Did someone delete them?

00:49 - Checked the Docker logs. Found something concerning. On August 13th, an admin user stopped the containers. But I use commander for everything.

Wait. Who is admin?

00:50 - The containers are exposed to the internet. ruTorrent with a web interface. The paranoia kicked in.

Could someone have broken in? Stopped the containers? Deleted config files to cover their tracks?

00:52 - Started the investigation. Checked auth logs:

sudo grep -i "sshd\|login" /var/log/auth.log

Found failed login attempts from an external IP on August 6th:

Failed login from 107.2.157.67
Failed login from 107.2.157.67
Failed login from 107.2.157.67

Someone was trying to brute-force the Synology web interface. A week before my containers died.

00:53 - Wait. Let me check that IP.

That’s my IP. My external IP. Those “attacks” were me fat-fingering my own password while trying to log in from work.
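The check above, turned into a small triage script as an added example (not from the original entry): it counts failed logins per source address and buckets each source as "self" (a known own external address), "lan" (RFC 1918 or loopback) or "unknown" (the only bucket worth a closer look). The log lines and the second and third addresses are constructed; the own-address set is an assumption taken from the entry.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape quoted in the entry; not a real capture.
SAMPLE_LOG = """\
Failed login from 107.2.157.67
Failed login from 107.2.157.67
Failed login from 107.2.157.67
Failed login from 192.168.1.20
Failed login from 203.0.113.9
"""

# Assumed: the owner's own external address(es), as identified in the entry.
OWN_ADDRESSES = {"107.2.157.67"}

# Explicit LAN ranges rather than ipaddress.is_private, which also treats
# the RFC 5737 documentation blocks (e.g. 203.0.113.0/24) as private.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FAILED_RE = re.compile(r"Failed login from (\S+)")


def classify(ip_str, own_addresses=OWN_ADDRESSES):
    """Label a source: 'self', 'lan' or 'unknown' (unparseable counts as unknown)."""
    if ip_str in own_addresses:
        return "self"
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "unknown"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "unknown"


def triage(log_text, own_addresses=OWN_ADDRESSES):
    """Return {label: {ip: failed_login_count}} for every source in the log."""
    counts = Counter(m.group(1) for m in FAILED_RE.finditer(log_text))
    buckets = {"self": {}, "lan": {}, "unknown": {}}
    for ip, n in counts.items():
        buckets[classify(ip, own_addresses)][ip] = n
    return buckets


if __name__ == "__main__":
    for label, ips in triage(SAMPLE_LOG).items():
        for ip, n in sorted(ips.items(), key=lambda kv: -kv[1]):
            print(f"{label:8} {ip:16} {n} failed login(s)")
```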

00:54 - Checked who admin actually is:

grep admin /etc/passwd
admin:x:1024:100:System default user:/var/services/homes/admin:/bin/sh

The admin account is the default Synology system account. It comes with every Synology NAS. It’s not a hacker. It’s the default admin user that I never disabled.

The Real Problem: Something - probably a system update or scheduled task - stopped my containers using the default admin account. The passwd files were most likely deleted during a volume migration I’d forgotten about.

01:00 - Recreated the passwd files:

echo "username:password" > /volume2/docker/rutorrent-commander/passwd
chmod 644 /volume2/docker/rutorrent-commander/passwd

Containers started.

The Lessons:

  1. Failed login attempts from your own external IP are not attacks. They’re you forgetting your password.

  2. Check who default accounts are before panicking. Synology creates an admin user by default.

  3. Containers exposed to the internet still deserve paranoia. The investigation was worth doing even if the answer was boring.

  4. Missing files are usually migration artifacts, not evidence of intrusion.

The security incident that wasn’t. An hour of forensics for a missing config file and a default user account.


The best security investigations are the ones where you don’t find anything. But you have to look.