How to find dir and file in PuTTY

ozstar
Easy as a breeze
Posts: 271
Joined: Mon Mar 13, 2017 3:33 pm
Location: Sydney Oz

How to find dir and file in PuTTY

Post by ozstar »

Hi,

In my NAS I have the PuTTY panel open with the prompt at [~] #

I want to find the dir where 7z.log file is and then open that file if it is there.

How to do please?

EDIT:

Well I managed to find a kong command which took me to [/usr/local/sbin] and after ls, it shows these files..
I am looking for the pwd that may be there somewhere after Qlocker. They say 7z.log but that file is not here. Could it be somewhere else?

Code:

7z*         app_route_monitor*  clamd@       dcraw*        flv_convertd*       iscsiadm*    JMFwUpdate*  lpmove*     mount.fuse-ext2@  nc_tool@      qpkg_service*   qulog-archive@  restart_copy*     syslog_maild*
7z.bak*     aumix*              cnid_dbd*    debugfs@      ftptop*             iscsid*      jpegtran*    lpoptions*  msgfmt@           notify@       qrencode*       qulogd@         rsyslogd@         _thttpd_*
7z.orig*    blkid@              cnid_metad*  debugfs_64*   gen_2sv_qrcode.sh*  iscsi_logd*  jq*          lpq*        natpmpc-static*   proftpd*      qrm*            qulogdb@        smbtools*         unrar*
7z.so*      blkid_64*           Codecs/      dhcpd*        gifinter*           iscsi_util*  losetup*     lpr*        nc@               qboostd@      qsh*            qulog-session@  sound_ctl*        unzip*
afpd*       brctl*              composite@   djpeg*        gifrsize*           isns_cd*     lp*          lprm*       ncd@              qboost_util@  qsh-static*     radclient@      speaker.sh*       vdd_control*
apcaccess*  cancel*             convert@     dumpe2fs@     identify@           isns_cli*    lpadmin*     lpstat*     ncdb@             qpkg_cli*     qsyncsrv_util*  radiusd@        static_defender*  wfm_thttpd@
apcupsd*    cjpeg*              dbd*         dumpe2fs_64*  ImR_all*            jhead*       lpinfo*      mcelog*     ncloud@           qpkgd*        Qthttpd@        radtest@        stx_ihm*          zip*

EDIT 2
I have finally found where the file is..

Code:

[/share/CACHEDEV1_DATA/.qpkg/MalwareRemover] # ls
7z.log         common.sh*       MalwareRemover_scan.sh*  modules/     www/
backupfolder/  MalwareRemover@  MalwareRemover.sh*       Upgrade.sh*

How can I get the file open to see if a pwd is in there?
QNAP TS-231P 2 x 4TB Group 1 RAID 1
QNAP TS-451A 3 x 2 TB Group 1 RAID 5
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: How to find dir and file in PuTTY

Post by Mousetick »

It's a text file that can be opened in a text editor or viewer.

First you should make a copy of it in case you goof up later:

Code:

# cd /share/CACHEDEV1_DATA/.qpkg/MalwareRemover
# cp 7z.log 7z.copy.log

Then you can do one of 2 things:

a) Look at it directly from your SSH session:

Code:

# cd /share/CACHEDEV1_DATA/.qpkg/MalwareRemover
# more 7z.copy.log

The 'more' command will display the contents of the file in your Putty window one page at a time. To go to the next page, press the Space bar. To exit, press the q key.

b) Move the file to a shared folder that you can access from a PC. For example, the Public shared folder:

Code:

# cd /share/CACHEDEV1_DATA/.qpkg/MalwareRemover
# mv 7z.copy.log /share/CACHEDEV1_DATA/Public

Then open the Public shared folder from a PC, and open the 7z.copy.log file in a text editor that can read Unix files such as Notepad.

Re: How to find dir and file in PuTTY

Post by ozstar »

Many thanks. You're a wonderful help.

I did all commands and here are the results of the more command.

Doesn't look like any pwd here.

Code:

[/share/CACHEDEV1_DATA/.qpkg/MalwareRemover] # more 7z.copy1.log
/usr/local/sbin/7z.orig "aumix" "cnid_dbd" "debugfs@" "ftptop" "iscsid" "jpegtran" "lpoptions" "msgfmt@" "notify@" "qrencode" "qulogd@" "rsyslogd@" "_thttpd_"
/proc/18078:/bin/sh
Uid:    0       0       0       0
/proc/23844:/bin/sh
Uid:    0       0       0       0
/proc/23174:/usr/sbin/sshd
Uid:    0       0       0       0
/proc/17432:/usr/sbin/sshd
Uid:    0       0       0       0
/usr/local/sbin/7z.orig "aumix" "cnid_dbd" "debugfs@" "ftptop" "iscsid" "jpegtran" "lpoptions" "msgfmt@" "notify@" "qrencode" "qulogd@" "rsyslogd@" "_thttpd_"
/proc/18940:/bin/sh
Uid:    0       0       0       0
/proc/23844:/bin/sh
Uid:    0       0       0       0
/proc/23174:/usr/sbin/sshd
Uid:    0       0       0       0
/proc/17432:/usr/sbin/sshd
Uid:    0       0       0       0
[/share/CACHEDEV1_DATA/.qpkg/MalwareRemover] #

Maybe the MalwareRemover removed the pwd thinking it was malware? If so, would it be in some sort of quarantine area?

Re: How to find dir and file in PuTTY

Post by Mousetick »

ozstar wrote: Tue May 18, 2021 11:22 am
> Doesn't look like any pwd here.

No password indeed.

> Maybe the MalwareRemover removed the pwd thinking it was malware? If so, would it be in some sort of quarantine area?

No, it's either in that file or it is not. It's not removed and it's not anywhere else. The purpose of the 7z.log file was to capture the password while the ransomware was still encrypting files. That capture mechanism was installed by Malware Remover.

The problem is that QNAP put out the Malware Remover update too late, and by that time all the damage had already been done and the ransomware had stopped encrypting and infecting devices. The password can only be captured in the log file if the ransomware is (still) running after installing/updating MalwareRemover; it can't be obtained post-mortem once the ransomware has done its job.

I'm not aware of any victim having been successful in retrieving the password this way. In most cases, it was either too late, or they had restarted the NAS.
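
An added example, not part of the thread and not QNAP's code: a shell function that checks a copy of 7z.log for the capture described in the post above instead of reading it by eye. It assumes the log format shown earlier in the thread (the 7z.orig path followed by double-quoted arguments) and that a captured password would appear as the argument to 7z's -p switch; the names find_7z_passwords and write_sample_log and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not QNAP code. Assumptions: every logged 7z invocation is one
# line starting with the real binary path (.../7z or .../7z.orig) followed by
# double-quoted arguments, as in the log above, and a captured password would
# be the argument to the 7z -p switch.

# find_7z_passwords FILE
# Prints "<line number>:<password>" for each logged invocation that carries a
# -p<password> argument. Exit status 0 if any was found, 1 if none.
find_7z_passwords() {
    awk '
        # Only invocation lines; /proc/<pid> and Uid: lines are skipped.
        $1 ~ /\/7z(\.orig)?$/ {
            n = split($0, part, "\"")
            # After splitting on the double quote, even fields are arguments.
            for (i = 2; i <= n; i += 2)
                if (part[i] ~ /^-p./) {
                    print NR ":" substr(part[i], 3)
                    found = 1
                }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample: lines 1-3 mirror the log in this thread (no password);
# line 4 shows what a capture would look like. The value is made up.
write_sample_log() {
    cat > "$1" <<'EOF'
/usr/local/sbin/7z.orig "aumix" "cnid_dbd" "debugfs@" "ftptop"
/proc/18078:/bin/sh
Uid:    0       0       0       0
/usr/local/sbin/7z.orig "a" "-pEXAMPLE-NOT-A-REAL-KEY" "/share/Public/a.7z" "/share/Public/a.txt"
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
if hits=$(find_7z_passwords "$sample"); then
    echo "password switch logged at line:value -> $hits"
else
    echo "no -p switch in any logged 7z invocation"
fi
rm -f "$sample"
```

Run against the copy made earlier (find_7z_passwords 7z.copy.log), a non-zero exit status with no output corresponds to the "no password" case seen in this thread.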

Re: How to find dir and file in PuTTY

Post by ozstar »

Oh what a drag! Well, it was stimulating while the hope lasted, although not the result we wanted. So not actually deleted even? If that was the case we could maybe retrieve the deleted log file.

As soon as I found out about the problem via an email that Malware had Removed something the morning of the attack, Qnap said to immediately update, which I did.
As you say, too late!

I suppose we have to bite the bullet and realise we are up the creek... without a boat!

Many thanks again.

Re: How to find dir and file in PuTTY

Post by Mousetick »

ozstar wrote: Tue May 18, 2021 12:15 pm
> So not actually deleted even? If that was the case we could maybe retrieve the deleted log file.

It's not the ransomware which created the log file, it's Malware Remover. The ransomware was doing its job without leaving any trace behind, beside the .7z and the Readme files.

Before Malware Remover update: ransomware encrypts files silently, no log file created or deleted anywhere.
After Malware Remover update: log file created, ransomware encryption neutralized. If ransomware still running, password captured in log file. If ransomware not running anymore, no password captured in log file.

Makes sense?

Re: How to find dir and file in PuTTY

Post by ozstar »

Ah Haa. Yes, penny dropped!!
Shame there wasn't some way the Malware Remover could have saved a copy of the log file before it stopped the process. If that makes sense.
Anyway all over Rover except for the cleanup and oh what a cleanup!