TS-439 Pro - Unknown login

stanley_chung
Know my way around
Posts: 103
Joined: Tue Jun 09, 2009 10:20 pm
Location: HK

TS-439 Pro - Unknown login

Post by stanley_chung »

I have an unknown user login every time I reboot the NAS.
See the snapshot below; can anyone advise how to fix it? I have submitted a helpdesk ticket, but it is still a work in progress without a conclusion.
OneCD
Guru
Posts: 12141
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: TS-439 Pro - Unknown login

Post by OneCD »

Well, if this helps - it's coming from the NAS itself. ;)

stanley_chung
Know my way around
Posts: 103
Joined: Tue Jun 09, 2009 10:20 pm
Location: HK

Re: TS-439 Pro - Unknown login

Post by stanley_chung »

Is it causing the high CPU load of the process "vpnfilter"?
It is consuming almost 50% of the CPU resources.
OneCD
Guru
Posts: 12141
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: TS-439 Pro - Unknown login

Post by OneCD »

Uh-oh. Suggest you install and run the QNAP MalwareRemover immediately. It's available in the QNAP App Center.

Seems the 'vpnfilter' process has already been identified as malware.

stanley_chung
Know my way around
Posts: 103
Joined: Tue Jun 09, 2009 10:20 pm
Location: HK

Re: TS-439 Pro - Unknown login

Post by stanley_chung »

I installed QNAP MalwareRemover 2.1.2, then upgraded to 2.1.3, and I found the problem.
After downgrading to 2.1.2, I still have problems.
OneCD
Guru
Posts: 12141
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: TS-439 Pro - Unknown login

Post by OneCD »

Suggest you create a support ticket with QNAP.

stanley_chung
Know my way around
Posts: 103
Joined: Tue Jun 09, 2009 10:20 pm
Location: HK

Re: TS-439 Pro - Unknown login

Post by stanley_chung »

When I uninstalled Malware Remover, the high CPU load disappeared.
jacobite1
Easy as a breeze
Posts: 389
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: TS-439 Pro - Unknown login

Post by jacobite1 »

Managed to remove vpnfilter about a week or so ago only for it to re-appear this morning with malware remover installed and running a daily scan.

Eugh.
TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!

Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: TS-439 Pro - Unknown login

Post by schumaku »

Find the attached short term fix to remove the crap again.

Double check the code before running it please.
jacobite1
Easy as a breeze
Posts: 389
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: TS-439 Pro - Unknown login

Post by jacobite1 »

Okay, question:

Why kill qsync? Is this a qsync vulnerability?
I have it running but use it sufficiently rarely I should probably disable it. :S

I'm not an SSH wizard (hell two weeks ago I didn't even know how to log in!) so I would appreciate if you would explain the purpose of this line

sed -i '/qsync_init/d' /etc/config/crontab
before I run it.
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Contact:

Re: TS-439 Pro - Unknown login

Post by schumaku »

I've never seen the infection live on a NAS - however, obviously it's hiding under a faux qsync.php - this is unrelated to the real Qsync code in place.

The sed will remove a questionable entry from the crontab.

#!/bin/sh
killall -9 qsync.php
killall -9 vpnfilter
rm -f /etc/config/qsync.php
rm -f /etc/config/qsync_init.sh
rm -rf /mnt/ext/opt/fsget
sed -i '/qsync_init/d' /etc/config/crontab
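
A read-only check for the leftovers that the script above removes, added here as an example; it is not part of any forum post or of QNAP's tooling. The function name, the root-directory argument and the LEFTOVERS variable are assumptions of this example. It kills and deletes nothing, so it can be rerun after a reboot to see whether the files or the crontab entry have come back.

```shell
#!/bin/sh
# Added example: read-only audit for the leftovers named in this thread.
# Usage: sh audit.sh /        (or the path of a mounted copy of the system)

audit_qsync_leftovers() {
    # The root prefix is an assumption of this example; "/" is the live system.
    root="${1:-/}"
    root="${root%/}"
    LEFTOVERS=0

    # Paths that the thread's cleanup script removes.
    for p in /etc/config/qsync.php /etc/config/qsync_init.sh /mnt/ext/opt/fsget
    do
        if [ -e "$root$p" ]; then
            echo "PRESENT: $p"
            ls -ld "$root$p"          # owner and mtime help date the change
            LEFTOVERS=$((LEFTOVERS + 1))
        fi
    done

    # Lines that sed -i '/qsync_init/d' would delete, shown with line numbers.
    cron="$root/etc/config/crontab"
    if [ -f "$cron" ] && grep -n 'qsync_init' "$cron"; then
        echo "CRONTAB: the lines above reference qsync_init"
        LEFTOVERS=$((LEFTOVERS + 1))
    fi

    # Process check applies to the live system only. The [q] and [v] brackets
    # keep grep from matching its own command line in the process list.
    if [ -z "$root" ]; then
        if { ps -ef 2>/dev/null || ps; } | grep -E '[q]sync\.php|[v]pnfilter'
        then
            echo "PROCESS: listed above"
            LEFTOVERS=$((LEFTOVERS + 1))
        fi
    fi

    echo "indicators found: $LEFTOVERS"
    [ "$LEFTOVERS" -eq 0 ]            # exit status 0 only when clean
}

# Run only when a root is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_qsync_leftovers "$1"
fi
```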
jacobite1
Easy as a breeze
Posts: 389
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: TS-439 Pro - Unknown login

Post by jacobite1 »

I killed vpnfilter earlier this week so there's no longer an active vpn process:

[~] # ps -ef | grep vpnfilter
28381 admin      1032 S   grep vpnfilter
Should I still run

killall -9 vpnfilter
or is that now unnecessary?

Edit: I ran the script and got the following output

[~] # #!/bin/sh
[~] # killall -9 qsync.php
killall: qsync.php: no process killed
[~] # killall -9 vpnfilter
killall: vpnfilter: no process killed
[~] # rm -f /etc/config/qsync.php
[~] # rm -f /etc/config/qsync_init.sh
[~] # rm -rf /mnt/ext/opt/fsget
[~] # sed -i '/qsync_init/d' /etc/config/crontab
What now?
coolmacdude
Starting out
Posts: 21
Joined: Sat May 21, 2011 10:12 pm
Location: Hertfordshire, UK
Contact:

Re: TS-439 Pro - Unknown login

Post by coolmacdude »

After contacting QNAP I received this reply and it worked: no more vpnfilter hogging my processor. I copied these commands, obviously without the #.

Dear Darren

Thanks for writing us.

Please follow my instructions,

1. Then log in to the NAS via SSH using PuTTY (please refer to the attached document for how to do it).

2. Then copy & paste the following commands and execute them one by one in SSH:

# killall -9 qsync.php

# killall -9 vpnfilter

# rm -f /etc/config/qsync.php

# rm -f /etc/config/qsync_init.sh

# rm -rf /mnt/ext/opt/fsget

# sed -i '/qsync_init/d' /etc/config/crontab


Please execute the above commands and check whether the VPNFILTER process is removed or not. Kindly confirm.

Thanks!

Best Regards
Arun
QNAP Systems Inc.,
javajam
First post
Posts: 1
Joined: Fri Jun 23, 2017 1:16 am

Re: TS-439 Pro - Unknown login

Post by javajam »

Script cleared things right up. Very helpful. Thanks.
jase128
First post
Posts: 1
Joined: Thu Jan 21, 2016 5:09 am

Re: TS-439 Pro - Unknown login

Post by jase128 »

Great job people.
Just logged in to my qnap ts251 (which had the same issues) using putty and copied/pasted the code.
My CPU usage dropped from 100% to around 5% instantly.
Fingers crossed it stays this way.

Again, many thanks for the help.

Jason