DLNA server security

LeGrandConde
New here
Posts: 3
Joined: Fri Sep 09, 2022 2:55 am

DLNA server security

Post by LeGrandConde »

Hello
I am starting to learn about tech and cybersecurity. I have an issue at hand, with an adversary who had physical access to all devices and network credentials, installing a Cisco Remote Digital/Virtual WLC on a client-user home network. The Remote WLC was hiding in plain sight under a Friendly Name and IP address mimicking the ISP TV services name, 192.168.1... IP address and MAC address. After some research it appears that the Remote WLC is on the AirReceiver app list of Media rendering services, inside the DLNA DMP.
We all know the dangerous capabilities of a Cisco Remote Wireless Controller (open on some dangerous ports such as port 9999 on the abyss server).
In addition, it also appears that one of the client-user devices (if not many) is used as an Internet Gateway. My best guess is one of the MacBook Pro laptops or maybe the TVs. If it's any indication, the AFTKMS services keep going online and offline on their own even when the TVs are not in use.
Cisco is no help without a contract number, and the ISP and Amazon confirm that it's not one of their products (for due diligence purposes).
Tried blocking, erasing, and even disabling UPnP from the router to no avail.
There is no way to uncheck the DLNA DMP on the list.
Unchecked the DMP DMR box present for safety.
The Air Receiver contains a bunch of Media Renderer Services:
AirPlay, Google Cast, DLNA DMR, YouTube TV, DLNA DMP and Samba client.

Looking forward to hearing from you guys!
Please be respectful and nice in your comments. The intrusion in the client systems is proven real and we're trying to find a solution. As I mentioned before, I am a beginner.

Thank You!
dolbyman
Guru
Posts: 35249
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: DLNA server security

Post by dolbyman »

The first reaction you will get is a reminder not to necropost into 7-year-old threads (see the forum rules), so I split the topic into a new one.

What QNAP are we dealing with here? If it is not a QNAP-specific inquiry, it might be best directed to whatever product is in question here.
LeGrandConde
New here
Posts: 3
Joined: Fri Sep 09, 2022 2:55 am

Re: DLNA server security

Post by LeGrandConde »

Yes, I figured. I was really eager to get an answer. I see a Samba client += Samba/NAS Media Streaming. When I click on the icon, it directs me to a page with an SD card picture: Local device and under Add Samba/NAS Server.
When opening local device, it seems linked to the AirPlay&UPnP app and a bunch of files show up: alarms, Android, DCIM, Download, Downloader, Movies, etc.
When opening Add Samba/NAS Server, I am prompted to add a Samba Server, which I have no idea what it's about.

But again, the issue is to figure out how the Cisco Remote WLC was configured into the DLNA DMP cache, how to remove it, and if the presence of Samba/NAS Media Streaming is linked to the deployment of the WLC.

Please advise on which forum I should better ask my question.
Thanks!
dolbyman
Guru
Posts: 35249
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: DLNA server security

Post by dolbyman »

I do not see what you are seeing (SD card picture, etc.).

What NAS are you using?
LeGrandConde
New here
Posts: 3
Joined: Fri Sep 09, 2022 2:55 am

Re: DLNA server security

Post by LeGrandConde »

That's the issue. All of these were installed unknowingly to the client-user. No direct information besides everything mentioned above is available, unfortunately.
dolbyman
Guru
Posts: 35249
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: DLNA server security

Post by dolbyman »

What was installed where? ... What NAS is the client using? There is no mention of any QNAP NAS involvement anywhere.
Poppy
Getting the hang of things
Posts: 73
Joined: Thu Sep 06, 2018 11:49 pm

Re: DLNA server security

Post by Poppy »

This issue appears to have nothing to do with any QNAP hardware or software, unless you are suggesting that the rogue system is a virtual server hosted by a not-mentioned QNAP device.
Presumably you are trying to remove the rogue system.
You appear to have the IP address and MAC address of the rogue system, so you can find out which switch port it is connected to, remove it/block it from DHCP or WLAN, etc.
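
Background for the renderer list and Friendly Name discussed in this thread, as an added example that is not part of any post: a DLNA/UPnP friendly name is free text the device puts in its own description document, so the code below reads the other self-declared fields and the address the device answers from. The SSDP response, description XML, address, product names and UUID are constructed samples.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"u": "urn:schemas-upnp-org:device-1-0"}  # UPnP device description namespace

# Constructed SSDP search response (address, product and UUID are made up).
SSDP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "LOCATION: http://192.168.1.50:49152/description.xml\r\n"
    "SERVER: Linux/4.9 UPnP/1.0 ExampleRenderer/1.0\r\n"
    "ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n"
    "USN: uuid:11111111-2222-3333-4444-555555555555"
    "::urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n"
)

# Constructed description document, as served at the LOCATION URL above.
DESCRIPTION_XML = """<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:MediaRenderer:1</deviceType>
    <friendlyName>ISP TV Service</friendlyName>
    <manufacturer>Example Vendor</manufacturer>
    <modelName>Example Renderer App</modelName>
    <UDN>uuid:11111111-2222-3333-4444-555555555555</UDN>
  </device>
</root>"""

def parse_ssdp(response):
    """Return SSDP headers as a dict with upper-cased names."""
    headers = {}
    for line in response.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def describe(response, xml_text):
    """Combine what the device announces with what its description claims."""
    headers = parse_ssdp(response)
    device = ET.fromstring(xml_text).find("u:device", NS)
    field = lambda tag: device.findtext("u:" + tag, default="", namespaces=NS).strip()
    return {
        "host": urlsplit(headers["LOCATION"]).hostname,  # where it really answers
        "server": headers.get("SERVER", ""),
        "friendly_name": field("friendlyName"),  # free text chosen by the device
        "manufacturer": field("manufacturer"),
        "model": field("modelName"),
        "device_type": field("deviceType"),
        # The announcement and the description should name the same device.
        "udn_matches_usn": headers.get("USN", "").split("::")[0] == field("UDN"),
    }
```

The host, together with the MAC address the router lists for it, identifies the device on the network more reliably than the name shown in a renderer list.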