Recovering system from hack attack procedure??

Discussion on setting up QNAP NAS products.
Deckart
Starting out
Posts: 34
Joined: Thu Dec 20, 2007 1:26 am

Post by Deckart »

Hi,

My RAID1 2-HDD NAS was attacked, and a kind of software was installed which deleted/encrypted my data inside. Fortunately I realized very soon and unplugged the power. What I need is a procedure to start up the NAS avoiding the autoload of the several startup programs or daemons, one or many of which are the hacking programs, and install fresh firmware from the Finder, obviously maintaining my data.

I've searched for this subject in the forum but without success on how to proceed.

Regards
Model: HS-210
FW Version 4.2.4
HDD Model: WD RED
HDD Capacity: 6TB in RAID 1 conf.
CylonCenturion

Re: Recovering system from hack attack procedure??

Post by CylonCenturion »

Deckart wrote:Hi,

My RAID1 2-HDD NAS was attacked, and a kind of software was installed which deleted/encrypted my data inside. Fortunately I realized very soon and unplugged the power. What I need is a procedure to start up the NAS avoiding the autoload of the several startup programs or daemons, one or many of which are the hacking programs, and install fresh firmware from the Finder, obviously maintaining my data.

I've searched for this subject in the forum but without success on how to proceed.

Regards
I recommend starting from scratch.
Meaning remove everything. Are you willing to do that?

You should have a backup of all your sensitive data.

Re: Recovering system from hack attack procedure??

Post by Deckart »

Obviously I try to avoid it
CylonCenturion

Re: Recovering system from hack attack procedure??

Post by CylonCenturion »

What do you want to accomplish?

Your NAS is hacked, and therefore no longer reliable to use or to expose on the internet.

Re: Recovering system from hack attack procedure??

Post by Deckart »

Well, as I described, I want to preserve my data (encrypted or not) in /Share/MD0_DATA, and start with a fresh installation of firmware
CylonCenturion

Re: Recovering system from hack attack procedure??

Post by CylonCenturion »

Deckart wrote:Well, as I described, I want to preserve my data (encrypted or not) in /Share/MD0_DATA, and start with a fresh installation of firmware
All right, I understand.
However, do you trust your NAS after the hack?

So I recommend making a backup of your important data, starting all over from scratch, and installing FW 4.3.2B20170203.
I also recommend using a strong password for user admin.

You may install FW 4.3.3B0095

The goal is to retain the trustworthiness of the NAS.

Re: Recovering system from hack attack procedure??

Post by Deckart »

Yes, this is what I want to do, but how?

Since the disks are part of RAID1, I cannot mount them individually like any other HDD on another host with the typical recovery/backup utilities, can I?

If I could recover all my /share/md0_data onto another HDD, I would format both disks of the RAID1 and start a fresh installation
CylonCenturion

Re: Recovering system from hack attack procedure??

Post by CylonCenturion »

Deckart wrote:Yes, this is what I want to do, but how?

Since the disks are part of RAID1, I cannot mount them individually like any other HDD on another host with the typical recovery/backup utilities, can I?

If I could recover all my /share/md0_data onto another HDD, I would format both disks of the RAID1 and start a fresh installation
Can you mount a USB disk to the NAS, and move your data to that disk?
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: Recovering system from hack attack procedure??

Post by P3R »

Deckart wrote:Since the disks are part of RAID1, I cannot mount them individually like any other HDD on another host with the typical recovery/backup utilities, can I?
Since HS-210 is a cat1 model I think you can mount the disk in just about any Linux machine. Your data should be in the largest partition.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
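
What P3R describes above (mounting a single RAID 1 member on a separate Linux machine and looking in the largest partition), as an added example that is not part of the original thread. The device name /dev/sdb, the md node /dev/md127, the mount point /mnt/nas_ro and an ext3/ext4 data volume (needed for `noload`) are assumptions, and the lsblk sample is constructed; the script only prints the commands, which would then be run as root on a clean host.

```shell
#!/bin/sh
# Added example (not from the thread): plan a read-only mount of ONE RAID 1
# member disk on a separate, clean Linux host. Nothing here touches a disk;
# recovery_plan only prints the commands to review and run as root.
# Assumptions: disk shows up as /dev/sdb, /dev/md127 is unused,
# /mnt/nas_ro is the mount point, and the data volume is ext3/ext4.

# Constructed sample of: lsblk -b -n -l -o NAME,SIZE,TYPE /dev/sdb
SAMPLE_LSBLK='sdb 6001175126016 disk
sdb1 542867456 part
sdb2 542900224 part
sdb3 5990178508800 part
sdb4 510656512 part'

# Read lsblk list output on stdin, print the name of the largest partition.
# Fails (exit 1) if no partition is listed.
largest_partition() {
  awk '$3 == "part" && $2 + 0 > max { max = $2 + 0; name = $1 }
       END { if (name == "") exit 1; print name }'
}

# Print the command sequence for partition $1 (md node $2, mount point $3).
#   blockdev --setro : block writes to the partition at the kernel level
#   mdadm --examine  : show the md superblock (RAID level, array UUID)
#   --run --readonly : start the array with one member, read-only
#   ro,noload        : no writes and no ext3/ext4 journal replay
#   noexec,nosuid,nodev : nothing on the infected volume can execute
recovery_plan() (
  part="/dev/$1"; md="${2:-/dev/md127}"; mnt="${3:-/mnt/nas_ro}"
  cat <<EOF
blockdev --setro $part
mdadm --examine $part
mdadm --assemble --run --readonly $md $part
mkdir -p $mnt
mount -o ro,noload,noexec,nosuid,nodev $md $mnt
EOF
)

# Demo on the constructed sample.
recovery_plan "$(printf '%s\n' "$SAMPLE_LSBLK" | largest_partition)"
```

Once the volume is mounted read-only, the data can be copied to another disk before both members are wiped and the NAS is reinstalled.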

Re: Recovering system from hack attack procedure??

Post by P3R »

CylonCenturion wrote:You may install FW 4.3.3B0095
QTS 4.3 is still in beta testing and therefore not recommended for general use.
CylonCenturion

Re: Recovering system from hack attack procedure??

Post by CylonCenturion »

P3R wrote:
CylonCenturion wrote:You may install FW 4.3.3B0095
QTS 4.3 is still in beta testing and therefore not recommended for general use.
Clear, Thanks

Re: Recovering system from hack attack procedure??

Post by Deckart »

I already tried to mount it on another host, but since each RAID1 disk is part of the RAID, it is not possible to mount it individually, at least with RedoBackup, which properly informs me that the disk is part of a RAID1, and therefore it is not possible to mount it like any classic spare disk.

Re: Recovering system from hack attack procedure??

Post by P3R »

Deckart wrote:...at least with RedoBackup...
I know nothing of that program.
...which properly informs me that the disk is part of a RAID1, and therefore it is not possible to mount it like any classic spare disk.
It's been a very long time since I did it and I may remember wrong, but I'm pretty sure I did it with a single RAID 1 disk on Linux.
Beemer2
Easy as a breeze
Posts: 331
Joined: Sat Oct 17, 2015 12:22 am
Location: Scotland

Re: Recovering system from hack attack procedure??

Post by Beemer2 »

Deckart,

Two weeks ago I had exactly the same type of malware. It was the kind that places a file called Photo.scr in every MultiMedia folder. There were also numerous instances of "Info.zip".

Because of syncing I had many of these files on my Windows computer.

I spent many hours searching for and deleting all these. I also used regedit to seek out any reference to these names. They kept returning, but after manually updating the QNAP antivirus and my desktop AVG I was able to stop them returning.

I believe the problem was a type called a zero day virus where it is able to infect before the AV programs are updated especially as my QNAP runs continuously.

The only port I had opened was 443 to allow SSL.

Perhaps the one thing that saved me from real pain was that I never did open any of the Photo.scr or zip files.

Hope this helps a little,

Ian
TS-473A, 32GB, 4x4TB, Raid5, 12GB Red Plus backup

Re: Recovering system from hack attack procedure??

Post by Deckart »

P3R wrote:
Deckart wrote:...at least with RedoBackup...
I know nothing of that program.
...which properly informs me that the disk is part of a RAID1, and therefore it is not possible to mount it like any classic spare disk.
It's been a very long time since I did it and I may remember wrong, but I'm pretty sure I did it with a single RAID 1 disk on Linux.
I'll try with other programs, thanks