Beemer2 wrote:
Deckart,
Two weeks ago I had exactly the same type of malware. It was the kind that places a file called Photo.scr in every MultiMedia folder. There were also numerous instances of "Info.zip".
Because of syncing I had many of these files in my Windows computer.
I spent many hours searching and deleting all these. I also used regedit to seek out any reference to these names. They kept returning but after manually updating the QNAP antivirus and my desktop AVG I was able to stop them returning.
I believe the problem was a type called a zero day virus where it is able to infect before the AV programs are updated, especially as my QNAP runs continuously.
The only port I had opened was 443 to allow SSL.
Perhaps the one thing that saved me from real pain was that I never did open any of the Photo.scr or zip files.
Hope this helps a little,
Ian

Thanks for your advice, but in my case it was not caused by malware but by a hack attack
Recovering system from hack attack procedure??
-
- Starting out
- Posts: 34
- Joined: Thu Dec 20, 2007 1:26 am
Re: Recovering system from hack attack procedure??
Model: HS-210
FW Version 4.2.4
HDD Model: WD RED
HDD Capacity: 6TB in RAID 1 conf.
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: Recovering system from hack attack procedure??
Deckart wrote:
I'll try with other programs, thanks

I would try straight Linux only. If you don't have a Linux computer and don't want to install it you can simply boot on a Live-CD or a bootable USB stick.
Another alternative would be to clear all partitions on one of the disks, reinstall the NAS on that disk only and attach the remaining disk externally with a USB-dock/enclosure.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
- dolbyman
- Guru
- Posts: 35248
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Recovering system from hack attack procedure??
I am perplexed that you identified the NAS to be directly hacked... yet have no clue how to mount the drives on a Linux system... Before I even ask what made you believe the NAS itself is in fact infected/hacked... contact QNAP via ticket so they can ID (and maybe fix) a potential security flaw.
-
- Starting out
- Posts: 34
- Joined: Thu Dec 20, 2007 1:26 am
Re: Recovering system from hack attack procedure??
Well, I finally discovered why I was incapable of mounting the partition. The filesystem type 'linux_raid_member' seems not to be included as standard in several free recovery utilities. It's necessary to have mdadm installed to manage soft_raid partitions:
(From https://ubuntuforums.org/showthread.php?t=2191753)
1. sudo apt-get install mdadm and configure postfix to no configuration if you don't need it
2. sudo mdadm --assemble --scan
mdadm: /dev/md0 has been started with 1 drive.
mdadm: /dev/md/1 has been started with 1 drive.
Now the disk is available to mount!
Tip: It's a good idea to clone the disk with dd and try this procedure on the clone, but since my disks are 6TB...$$$
Model: HS-210
FW Version 4.2.4
HDD Model: WD RED
HDD Capacity: 6TB in RAID 1 conf.
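Added example, not part of the post above or of any QNAP/mdadm tooling: a shell sketch that takes the mdadm output quoted in the post and prints a read-only mount plan, so that a disk from a suspect NAS is neither modified nor able to run anything on the recovery machine. MNT_ROOT and the function names are assumptions of this example; the sample input is constructed from the two lines in the post.

```shell
#!/bin/sh
# Added example: plan a read-only mount of md arrays assembled from a disk
# pulled out of a suspect NAS. It only prints commands; it runs none of them.
# MNT_ROOT and all function names are assumptions of this example.
MNT_ROOT="${MNT_ROOT:-/mnt/nas-recovery}"

# Constructed sample input: the two mdadm lines quoted in the post.
SAMPLE_OUTPUT='mdadm: /dev/md0 has been started with 1 drive.
mdadm: /dev/md/1 has been started with 1 drive.'

# stdin: output of "mdadm --assemble --scan"; stdout: one array device per line.
# Lines that do not report a started array are ignored.
started_arrays() {
    sed -n 's|^mdadm: \(/dev/md[^ ]*\) has been started with [0-9][0-9]* drives*.*$|\1|p'
}

# /dev/md0 -> md0, /dev/md/1 -> md_1 (a flat directory name under MNT_ROOT).
mount_name() {
    printf '%s\n' "${1#/dev/}" | tr '/' '_'
}

# stdin: output of "mdadm --assemble --scan"; stdout: commands to run as root.
#   mdadm --readonly       : mark the array read-only before touching it
#   ro                     : mount the filesystem read-only
#   noexec,nosuid,nodev    : files on the suspect volume cannot be executed,
#                            use setuid bits, or act as device nodes
mount_plan() {
    started_arrays | while IFS= read -r dev; do
        name=$(mount_name "$dev")
        printf 'mdadm --readonly %s\n' "$dev"
        printf 'mkdir -p %s/%s\n' "$MNT_ROOT" "$name"
        printf 'mount -o ro,noexec,nosuid,nodev %s %s/%s\n' "$dev" "$MNT_ROOT" "$name"
    done
}

# Print the plan for the sample output; review it before running any line.
printf '%s\n' "$SAMPLE_OUTPUT" | mount_plan
```

On a live system the real output can be piped in with `sudo mdadm --assemble --scan 2>&1 | mount_plan`, since mdadm writes these messages to stderr.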