Recovering system from hack attack procedure??

Discussion on setting up QNAP NAS products.
Deckart
Starting out
Posts: 34
Joined: Thu Dec 20, 2007 1:26 am

Re: Recovering system from hack attack procedure??

Post by Deckart »

Beemer2 wrote:
Deckart,

Two weeks ago I had exactly the same type of malware. It was the kind that places a file called Photo.scr in every MultiMedia folder. There were also numerous instances of "Info.zip".

Because of syncing I had many of these files on my Windows computer.

I spent many hours searching and deleting all these. I also used regedit to seek out any reference to these names. They kept returning, but after manually updating the QNAP antivirus and my desktop AVG I was able to stop them returning.

I believe the problem was a type called a zero day virus where it is able to infect before the AV programs are updated especially as my QNAP runs continuously.

The only port I had opened was 443 to allow SSL.

Perhaps the one thing that saved me from real pain was that I never did open any of the Photo.scr or zip files.

Hope this helps a little,

Ian

Thanks for your advice, but in my case it was not caused by malware but by a hack attack.
Model: HS-210
FW Version 4.2.4
HDD Model: WD RED
HDD Capacity: 6TB in RAID 1 conf.
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Recovering system from hack attack procedure??

Post by P3R »

Deckart wrote:
I'll try with other programs, thanks

I would try straight Linux only. If you don't have a Linux computer and don't want to install it, you can simply boot from a Live-CD or a bootable USB stick.

Another alternative would be to clear all partitions on one of the disks, reinstall the NAS on that disk only and attach the remaining disk externally with a USB-dock/enclosure.

RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
dolbyman
Guru
Posts: 35248
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Recovering system from hack attack procedure??

Post by dolbyman »

I am perplexed that you identified the NAS to be directly hacked... yet have no clue how to mount the drives on a Linux system... Before I even ask what made you believe the NAS itself is in fact infected/hacked... contact QNAP via ticket so they can ID (and maybe fix) a potential security flaw.
Deckart
Starting out
Posts: 34
Joined: Thu Dec 20, 2007 1:26 am

Re: Recovering system from hack attack procedure??

Post by Deckart »

Well, I finally discovered why I was incapable of mounting the partition. The filesystem type 'linux_raid_member' seems not to be included as standard in several free recovery utilities. It's necessary to have mdadm installed to manage soft RAID partitions:

(From https://ubuntuforums.org/showthread.php?t=2191753)

1. sudo apt-get install mdadm (and set postfix to "No configuration" if you don't need it)
2. sudo mdadm --assemble --scan
mdadm: /dev/md0 has been started with 1 drive.
mdadm: /dev/md/1 has been started with 1 drive.

Now the disk is available to mount!

Tip: It's a good idea to clone the disk with dd and try this procedure on the clone, but since my disks are 6TB...$$$
Model: HS-210
FW Version 4.2.4
HDD Model: WD RED
HDD Capacity: 6TB in RAID 1 conf.
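
Added example, not part of Deckart's post or the linked Ubuntu thread: since the disk comes from a NAS believed to be compromised, this sketch finds the linux_raid_member partitions, assembles each one read-only and mounts it with ro,noexec,nosuid,nodev so nothing on the volume is modified or executed. The device names, md numbers and /mnt paths are assumptions, and the lsblk sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): plan a read-only mount of NAS RAID members.

# Constructed sample of `lsblk -rno NAME,FSTYPE /dev/sdb` output (device names assumed).
SAMPLE_LSBLK='sdb
sdb1 linux_raid_member
sdb2 swap
sdb3 linux_raid_member'

# Filter lsblk output (stdin) down to the partitions mdadm has to assemble.
raid_members() {
    awk '$2 == "linux_raid_member" { print "/dev/" $1 }'
}

# Emit the commands for one member: block writes to the partition, start the
# degraded array read-only, then mount so nothing on the volume can execute.
plan_readonly_mount() {
    part=$1; md=$2; mnt=$3
    echo "blockdev --setro $part"
    echo "mdadm --assemble --run --readonly $md $part"
    echo "mount -o ro,noexec,nosuid,nodev $md $mnt"
}

# Build the full plan from lsblk output on stdin. md numbers start at 100
# (an assumption) to stay clear of arrays the rescue system may already use.
build_plan() {
    n=100
    raid_members | while read -r part; do
        plan_readonly_mount "$part" "/dev/md$n" "/mnt/nas$n"
        n=$((n + 1))
    done
}

# Usage: script.sh                    print the plan for the sample above
#        script.sh /dev/sdX           print the plan for a real disk
#        script.sh /dev/sdX --apply   run it (needs root, mdadm, util-linux)
if [ -n "${1:-}" ]; then
    plan=$(lsblk -rno NAME,FSTYPE "$1" | build_plan)
else
    plan=$(printf '%s\n' "$SAMPLE_LSBLK" | build_plan)
fi
if [ "${2:-}" = "--apply" ]; then
    printf '%s\n' "$plan" | while read -r cmd; do
        case $cmd in mount*) mkdir -p "${cmd##* }" ;; esac
        $cmd   # an array without a filesystem simply fails to mount
    done
else
    printf '%s\n' "$plan"
fi
```

If an ext3/ext4 journal is dirty, the read-only mount can fail; adding noload to the mount options skips journal replay.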