TS-439 Pro - Unknown login
-
- Know my way around
- Posts: 103
- Joined: Tue Jun 09, 2009 10:20 pm
- Location: HK
TS-439 Pro - Unknown login
I have an unknown user login every time I reboot the NAS.
See the snapshot below; can anyone advise how to fix it? I have submitted a helpdesk ticket, but it is still a work in progress without conclusion.
- OneCD
- Guru
- Posts: 12141
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
-
- Know my way around
- Posts: 103
- Joined: Tue Jun 09, 2009 10:20 pm
- Location: HK
Re: TS-439 Pro - Unknown login
Is it cause CPU high-load of the process "vpnfilter"?
Almost consuming 50% of CPU resource
- OneCD
- Guru
- Posts: 12141
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: TS-439 Pro - Unknown login
Uh-oh. Suggest you install and run the QNAP MalwareRemover immediately. It's available in the QNAP App Center.
Seems the 'vpnfilter' process has already been identified as malware.
-
- Know my way around
- Posts: 103
- Joined: Tue Jun 09, 2009 10:20 pm
- Location: HK
Re: TS-439 Pro - Unknown login
I have installed QNAP MalwareRemover 2.1.2, then upgraded to 2.1.3, and I found the problem.
Downgrading to 2.1.2 still has problems.
- OneCD
- Guru
- Posts: 12141
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
-
- Know my way around
- Posts: 103
- Joined: Tue Jun 09, 2009 10:20 pm
- Location: HK
Re: TS-439 Pro - Unknown login
When I uninstalled Malware Remover, the CPU high load disappeared.
-
- Easy as a breeze
- Posts: 389
- Joined: Fri Aug 07, 2015 7:02 pm
- Location: London, England
Re: TS-439 Pro - Unknown login
Managed to remove vpnfilter about a week or so ago only for it to re-appear this morning with malware remover installed and running a daily scan.
Eugh.
TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!
Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!
- schumaku
- Guru
- Posts: 43579
- Joined: Mon Jan 21, 2008 4:41 pm
- Location: Kloten (Zurich), Switzerland -- Skype: schumaku
- Contact:
Re: TS-439 Pro - Unknown login
Find the attached short term fix to remove the crap again.
Double check the code before running it please.
-
- Easy as a breeze
- Posts: 389
- Joined: Fri Aug 07, 2015 7:02 pm
- Location: London, England
Re: TS-439 Pro - Unknown login
Okay, question:
Why kill qsync? Is this a qsync vulnerability?
I have it running but use it sufficiently rarely I should probably disable it.
I'm not an SSH wizard (hell two weeks ago I didn't even know how to log in!) so I would appreciate if you would explain the purpose of this line
Code: Select all
sed -i '/qsync_init/d' /etc/config/crontab
before I run it.
- schumaku
- Guru
- Posts: 43579
- Joined: Mon Jan 21, 2008 4:41 pm
- Location: Kloten (Zurich), Switzerland -- Skype: schumaku
- Contact:
Re: TS-439 Pro - Unknown login
I've never seen the infection live on a NAS - however, obviously it's hiding under a faux qsync.php - this is unrelated to the real Qsync code in place.
The sed will remove a questionable entry from the crontab.
Code: Select all
#!/bin/sh
killall -9 qsync.php
killall -9 vpnfilter
rm -f /etc/config/qsync.php
rm -f /etc/config/qsync_init.sh
rm -rf /mnt/ext/opt/fsget
sed -i '/qsync_init/d' /etc/config/crontab
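An added example, not part of the original thread or of QNAP's tooling: a read-only audit for the files and crontab entry that the script above removes, plus a crontab cleanup that keeps a backup copy first. The function names and the `ROOT` prefix argument are assumptions made here so the check can also be run against a copied filesystem tree.

```shell
#!/bin/sh
# Added example (not from the thread): audit before and after cleanup.
# Paths and the crontab marker are the ones the thread's script removes.
IOC_PATHS="/etc/config/qsync.php /etc/config/qsync_init.sh /mnt/ext/opt/fsget"
CRON_FILE="/etc/config/crontab"
CRON_MARKER="qsync_init"

# audit_qsync_artifacts [ROOT]
# Read-only. ROOT (assumption, default empty = live system) is a prefix so a
# copied tree can be checked. Prints a FOUND line per hit; returns 1 if any.
audit_qsync_artifacts() {
    root="${1:-}"
    hits=0
    for p in $IOC_PATHS; do
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "FOUND path: $root$p"
            hits=$((hits + 1))
        fi
    done
    # Show the matching crontab lines with line numbers so they can be reviewed.
    if [ -f "$root$CRON_FILE" ] && grep -n "$CRON_MARKER" "$root$CRON_FILE"; then
        echo "FOUND crontab entry: '$CRON_MARKER' in $root$CRON_FILE"
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ]
}

# clean_crontab [ROOT]
# Same sed as the thread's script, but keeps a timestamped copy first so the
# removed line stays available for later analysis.
clean_crontab() {
    cron="${1:-}$CRON_FILE"
    [ -f "$cron" ] || return 0
    cp -p "$cron" "$cron.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sed -i "/$CRON_MARKER/d" "$cron"
}

# Run "sh thisfile --live" on the NAS to audit the running system.
if [ "${1:-}" = "--live" ]; then
    audit_qsync_artifacts ""
fi
```

Re-running the audit after the next reboot or scheduled scan shows whether the files or the crontab entry have come back, which is the reappearance reported earlier in this thread.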
-
- Easy as a breeze
- Posts: 389
- Joined: Fri Aug 07, 2015 7:02 pm
- Location: London, England
Re: TS-439 Pro - Unknown login
I killed vpnfilter earlier this week so there's no longer an active vpn process
Code: Select all
[~] # ps - ef | grep vpnfilter
28381 admin 1032 S grep vpnfilter
Should I still run
Code: Select all
killall -9 vpnfilter
or is that now unnecessary.
Edit: I ran the script and got the following output
Code: Select all
[~] # #!/bin/sh
[~] # killall -9 qsync.php
killall: qsync.php: no process killed
[~] # killall -9 vpnfilter
killall: vpnfilter: no process killed
[~] # rm -f /etc/config/qsync.php
[~] # rm -f /etc/config/qsync_init.sh
[~] # rm -rf /mnt/ext/opt/fsget
[~] # sed -i '/qsync_init/d' /etc/config/crontab
What now?
-
- Starting out
- Posts: 21
- Joined: Sat May 21, 2011 10:12 pm
- Location: Hertfordshire, UK
- Contact:
Re: TS-439 Pro - Unknown login
After contacting QNAP I received this reply and it worked: no more vpnfilter hogging my processor. I copied these commands, obviously without the #.
Dear Darren
Thanks for writing us.
Please follow my instructions,
1. Then login to NAS via SSH using putty (Please refer the attached document for how to do it?)
2. Then copy & paste the following commands and execute it one-by-one in the SSH,
# killall -9 qsync.php
# killall -9 vpnfilter
# rm -f /etc/config/qsync.php
# rm -f /etc/config/qsync_init.sh
# rm -rf /mnt/ext/opt/fsget
# sed -i '/qsync_init/d' /etc/config/crontab
Please execute the above commands and make sure the VPNFILTER process removed or not? Kindly confirm.
Thanks!
Best Regards
Arun
QNAP Systems Inc.,
-
- First post
- Posts: 1
- Joined: Fri Jun 23, 2017 1:16 am
Re: TS-439 Pro - Unknown login
Script cleared things right up. Very helpful. Thanks.
-
- First post
- Posts: 1
- Joined: Thu Jan 21, 2016 5:09 am
Re: TS-439 Pro - Unknown login
Great job people.
Just logged in to my qnap ts251 (which had the same issues) using putty and copied/pasted the code.
My CPU usage dropped from 100% to around 5% instantly.
fingers crossed it stays this way.
again, many thanks for the help
Jason