Unknown product - I found it from a customer

Hello to all.

We acquired a new customer following the crack of the previous IT manager.
I found a folder on a QNAP, shared over FTP, with files called “duplicati …” inside. By searching, I became aware of this product. I tried to open the web console but I can’t find any configuration, yet I know for sure that it’s working because every night I find new files. I tried logging in as Administrator and as a new user, but in the web GUI I can’t find any configured jobs. I only know that there is a service that runs as “DOMAIN \ Administrator”.
I tried to search in command line management without success. Would anyone know how to help me find the info on how to view and possibly manage the existing job?
Have archive protection passwords been implemented? If so, is there a way to recover them? Reset them?

Thank you all for the support (IT and moral).
filloweb

On the machine where you see the Duplicati service running, open a web browser and go to http://localhost:8200

Hopefully that will bring up the Duplicati web interface.

Hi.

On the web interface “No scheduled Task”… Sigh… sigh… sigh…

Can you tell for sure which machine is saving Duplicati files to the QNAP?

Hello.

“Duplicati” is installed on my infrastructure on a single server.
Is it possible that there is a “standalone” version planned on “Scheduled activity” on another server?

Thanks a lot.
filloweb

Lots of possibilities. Maybe it’s installed on a workstation… maybe it’s set up in Task Scheduler on the server and it’s running Duplicati.CommandLine.exe instead of using the web UI…

You mention QNAP, but the reference to “DOMAIN \ Administrator” leads me to believe that Duplicati is running on a Windows machine? If the Windows system went through a major Windows update, the config files might be located in

C:\Windows.old\Windows\System32\config\systemprofile\AppData\Local\Duplicati

and the web GUI would exhibit the behavior you are describing because the config files were not included as part of the update and Duplicati can’t see them. I don’t know if that’s been addressed in the latest beta, but earlier versions had this problem.

If that’s the case, copy the contents of that directory to

C:\Windows\System32\config\systemprofile\AppData\Local\Duplicati

(You’ll need an account with administrator privileges to do this). Then stop and restart the Duplicati service in Service Manager. That will reload the config files (including the existing backup jobs) and (hopefully) start you on your path to recovery.

seems inconsistent with loss of config files (although the idea is great for safeguarding future ones).

AFAIK default location in the SYSTEM profile is still a risk. I don’t know where domain admin profile resides, however if that’s a domain administrator, I wonder why such a powerful account was used?

It sounds like FTP was the access method of Duplicati, though perhaps it’s actually done over SMB.

Regardless, a look in a QNAP manual shows that at least the one I looked at has system connection logs that can show logging on and off of many protocols such as FTP and SMB including source IPs.

That might be one way to figure out what system is doing it. Or if server can be slept at usual time of files showing up on QNAP, that would rule out that server, although it wouldn’t show which one did it.

For the network-savvy, tools like netstat and tcpdump might also be used to suggest what wrote files.

EDIT:

Another clue might come from starting down a Direct restore from backup files (don’t need to restore). Possibly seeing source file names would mean something to the right person, and find the origination.

He would need the encryption key for that… which is stored in the config he can’t find…

Scratch another idea… I still like the IP based ones though. A variation on the sleep-the-server would be to see if server has disk activity (and ideally a Duplicati process in Task Manager run as Administrator) at times when QNAP is receiving files. Another is to look at the service that’s known there and see what it’s starting (redacting any sensitive information). There might be some options showing why it’s hard to find.

But is the service running right now? If so, something should be visible. If not, then maybe it’s not related.

DOH! Missed that important tidbit of information! :flushed:

Other options:

If http://localhost:8200 says “No scheduled tasks”, you can try 8300 and on up, especially if you allow user logins on the server and there are multiple user profiles. Duplicati processes can appear in pairs due to the autoupdater (see “[SOLVED] Is it ok that I see 5 processes of Duplicati in Windows Task manager?”). Bottom three would be a typical Windows service install as SYSTEM. Top two would be if a Duplicati.GUI.TrayIcon.exe is used by someone to keep an eye on the server (icon color change, etc.).

People can also start a TrayIcon to do personal Duplicati backups using the server inside the TrayIcon.

If there is actually a Duplicati running on the system when QNAP gets files, it can also be tracked down using Sysinternals Process Monitor (Run as Administrator) to see what’s using files ending in .sqlite
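
The checks suggested across this thread, collected into one read-only PowerShell pass to run elevated on each candidate Windows machine (an added example, not part of any post above and not Duplicati's own tooling). The port range 8200 to 8399 and the per-user `AppData\Local\Duplicati` folder are assumptions; the two `systemprofile` paths are the ones quoted in the thread.

```powershell
# 1. Services that start a Duplicati binary: account used and any start-up options.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'Duplicati' } |
    Select-Object Name, State, StartName, PathName | Format-List

# 2. Scheduled tasks that launch Duplicati (e.g. Duplicati.CommandLine.exe).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions |
        Where-Object { "$($_.Execute) $($_.Arguments)" -match 'Duplicati' } |
        ForEach-Object {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                RunAs     = $task.Principal.UserId
                Execute   = $_.Execute
                Arguments = $_.Arguments
            }
        }
} | Format-List

# 3. Running Duplicati processes with their owner and full command line.
Get-CimInstance Win32_Process | Where-Object { $_.Name -like 'Duplicati*' } |
    ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Owner       = "$($owner.Domain)\$($owner.User)"
            CommandLine = $_.CommandLine
        }
    } | Format-List

# 4. Listeners on 8200 and up (upper bound 8399 is an assumption) and their owning process.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -ge 8200 -and $_.LocalPort -lt 8400 } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }

# 5. Config databases (*.sqlite): SYSTEM profile, its Windows.old copy, and
#    each user profile (per-user location is an assumption).
$dirs = @(
    'C:\Windows\System32\config\systemprofile\AppData\Local\Duplicati'
    'C:\Windows.old\Windows\System32\config\systemprofile\AppData\Local\Duplicati'
) + (Get-ChildItem 'C:\Users' -Directory |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local\Duplicati' })
$dirs | Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ChildItem $_ -Filter *.sqlite -File } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, LastWriteTime
```

A `.sqlite` file whose LastWriteTime matches the nightly arrival of files on the QNAP points at the profile holding the live job configuration.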