Strange folders and cronjobs
- Don
- Guru
- Posts: 12289
- Joined: Thu Jan 03, 2008 4:56 am
- Location: Long Island, New York
Re: Strange folders and cronjobs
You got infected because you opened one or more ports on your router from the internet to your NAS, either intentionally or via UPnP. The only safe way to access your NAS from the internet is to use a VPN.
Use the forum search feature before posting.
Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.
NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Don wrote:
You got infected because you opened one or more ports on your router from the internet to your NAS, either intentionally or via UPnP. The only safe way to access your NAS from the internet is to use a VPN.
Lesson learned; UPnP is now disabled from day 1, though.
For a commercial home NAS I doubt many users even know how to use a VPN, and it is not mentioned in QNAP's guide on how to make the NAS more secure:
https://www.qnap.com/en/how-to/faq/arti ... re-secure/
Still, the hacker knows the QNAP OS and the vulnerability in QTS apps, and therefore it is better for QNAP to explain what exactly happened on 25/8 - we know at least three users got the malware (either deployed or executed) on the same date.
-
- Starting out
- Posts: 28
- Joined: Wed Nov 18, 2015 4:50 am
Re: Strange folders and cronjobs
somy1982 wrote:
Still, the hacker knows the QNAP OS and the vulnerability in QTS apps
That's for sure, sadly.
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Got some info from QNAP:
1) The next version of Malware Remover will be able to remove it (not sure if it will recover the system files changed by the malware)
2) The malware replaced the default Apache web server with another one - intention is unknown.
3) Seems like the hacker scanned IP addresses for the attack.
4) The current version of Music Station allows command injection - same problem as Photo Station, which was fixed back in May.
Will keep you updated.
-
- Starting out
- Posts: 28
- Joined: Wed Nov 18, 2015 4:50 am
Re: Strange folders and cronjobs
somy1982 wrote:
Got some info from QNAP:
1) The next version of Malware Remover will be able to remove it (not sure if it will recover the system files changed by the malware)
2) The malware replaced the default Apache web server with another one - intention is unknown.
3) Seems like the hacker scanned IP addresses for the attack.
4) The current version of Music Station allows command injection - same problem as Photo Station, which was fixed back in May.
Will keep you updated.
Thank you
- dolbyman
- Guru
- Posts: 35024
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Strange folders and cronjobs
You wonder if the Music Station vulnerability would be something they would want to communicate ASAP to customers... no?
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
dolbyman wrote:
You wonder if the Music Station vulnerability would be something they would want to communicate ASAP to customers... no?
I asked - as many other users might also be hit, possibly some are already without even knowing it.
-
- Getting the hang of things
- Posts: 93
- Joined: Mon Feb 12, 2018 9:26 pm
Re: Strange folders and cronjobs
somy1982 wrote:
Got some info from QNAP:
...
2) The malware replaced the default Apache web server with another one - intention is unknown.
...
Will keep you updated.
This sounds pretty scary... so I (might) have something running on my system, which is a major component of QTS (because of the web admin interface), that was modified and can log my admin password, send it out to any remote system without notice, and open bi-directional channels from the inside into my network...
IMO this is a design-basis security error. And QNAP is not communicating what to do, how to check for infection etc.?
I would prefer to have two Apache instances (with two binaries) running on my QNAP. One for admin access, that is never accessible over the internet at all. And one which can (temporarily) be accessed (for example for file sharing).
TVS-1282T3
CPU: Intel Core i7-7700 CPU @ 3.60GHz
Memory: 64 GB
2 x Samsung SSD 850 EVO M.2 1TB (M.2 SATA)
2 x Samsung SSD 860 EVO 2TB (SATA)
4 x WDC WD6002FFWX-68TZ4N0 (SATA) (6TB)
4 x Seagate ST12000VN0007-2GS116 (SATA) (12TB)
- dolbyman
- Guru
- Posts: 35024
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Strange folders and cronjobs
from what mouestik found out, it is to scoop off your account credentials ... (get the password right from the apache session)
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
What I don't understand is: there was the command injection problem in Photo Station back in May, so why hasn't QNAP checked all QTS apps to ensure the same is not used by the hackers?
Who knows what's next, Download Station?
- dolbyman
- Guru
- Posts: 35024
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Strange folders and cronjobs
Well, that's why it is always ill-advised to expose any part of a NAS to the outside... those units are not hardened enough to be exposed (and even if they were, who is guaranteeing that they are always updated with the latest patches?)
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
dolbyman wrote:
Well, that's why it is always ill-advised to expose any part of a NAS to the outside... those units are not hardened enough to be exposed (and even if they were, who is guaranteeing that they are always updated with the latest patches?)
True, but many consumers buy those devices for convenience reasons, and use them as a private cloud for media files.
All QTS mobile apps require the server to be reachable on the internet.
QNAP should really look into the security of their official apps, which provide the convenience and are therefore used by many.
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Hi guys,
Just to understand where the malware sends data to, I tried the command "netstat -nputw" to see any suspicious outgoing connection (incoming is blocked). I don't see any suspicious external IP addresses, but there are a lot of connections to localhost (127.0.0.1); not sure if there is any problem.
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: Strange folders and cronjobs
somy1982 wrote:
I tried the command "netstat -nputw" to see any suspicious outgoing connection (incoming is blocked). I don't see any suspicious external IP addresses, but there are a lot of connections to localhost (127.0.0.1); not sure if there is any problem.
- That command shows you only the open outgoing connections at the time it is run; it's a snapshot at a certain point in time. You could have a program sending some data one minute before or after, and you didn't see it. It's not a good way to monitor realtime network activity.
- Connections from/to 127.0.0.1 are expected as part of the NAS normal operation, nothing to worry about here.
- You can also use the command "netstat -nputl" which shows all programs listening for incoming connections, and all ports open on the NAS. There you can see whether unknown servers are running or unknown ports are open.
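The two points above (a single netstat run is only a snapshot, and loopback traffic is normal noise) can be turned into a small watcher. The script below is an added example, not code from the thread or from QNAP: it reads the kernel's own socket table (/proc/net/tcp, IPv4 only, the same data netstat prints) repeatedly, keeps every external peer seen across all samples so short-lived connections are not missed, ignores loopback/RFC1918/link-local peers, and diffs the set of listening sockets against a known-good baseline. The two snapshots embedded in it are constructed test data; 203.0.113.7 is an RFC 5737 documentation address standing in for an attacker host.

```python
#!/usr/bin/env python3
"""Poll /proc/net/tcp and report what a one-off netstat snapshot would miss.

Added example (not from the thread). Assumes a Linux /proc/net/tcp layout,
IPv4 only, and that anything outside loopback/RFC1918/link-local is "external".
"""
import ipaddress
import socket
import struct
import time
from collections import namedtuple

Conn = namedtuple("Conn", "local_ip local_port remote_ip remote_port state")

STATE_ESTABLISHED, STATE_SYN_SENT, STATE_LISTEN = "01", "02", "0A"

# Peers that are expected on a NAS (loopback, LAN, link-local) and not worth alerting on.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def _decode(hex_addr):
    """'0100007F:E2E0' -> ('127.0.0.1', 58080); the kernel stores the IPv4 address little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into Conn tuples (header and IPv6-length entries skipped)."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl" or len(fields[1].split(":")[0]) != 8:
            continue
        lip, lport = _decode(fields[1])
        rip, rport = _decode(fields[2])
        conns.append(Conn(lip, lport, rip, rport, fields[3]))
    return conns


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def listeners(conns):
    """Set of (ip, port) sockets in LISTEN state, the 'netstat -nputl' view."""
    return {(c.local_ip, c.local_port) for c in conns if c.state == STATE_LISTEN}


def external_remotes(snapshots):
    """Union of external peers across many snapshots, so short-lived connections are caught."""
    seen = set()
    for snap in snapshots:
        for c in parse_proc_net_tcp(snap):
            if c.state in (STATE_ESTABLISHED, STATE_SYN_SENT) and not is_internal(c.remote_ip):
                seen.add((c.remote_ip, c.remote_port))
    return seen


def new_listeners(baseline_snapshot, current_snapshot):
    """Listening sockets present now but absent from a known-good baseline."""
    return listeners(parse_proc_net_tcp(current_snapshot)) - listeners(parse_proc_net_tcp(baseline_snapshot))


def watch(path="/proc/net/tcp", interval=1.0, rounds=60):
    """Sample the live table repeatedly; returns every external peer seen during the run."""
    snaps = []
    for _ in range(rounds):
        with open(path) as f:
            snaps.append(f.read())
        time.sleep(interval)
    return external_remotes(snaps)


# Constructed sample data: two snapshots taken a moment apart (the trailing fields are padding).
TAIL = "00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0"
SNAPSHOT_1 = "\n".join([
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 0100007F:E2E0 00000000:0000 0A " + TAIL,  # 127.0.0.1:58080 LISTEN (the thttpd from the post)
    "   1: 0100007F:3D9B 0100007F:0CF2 01 " + TAIL,  # loopback chatter, expected
    "   2: 6901A8C0:C000 1401A8C0:01BD 01 " + TAIL,  # 192.168.1.105 -> 192.168.1.20:445, LAN
])
SNAPSHOT_2 = "\n".join([
    SNAPSHOT_1,
    "   3: 6901A8C0:C822 077100CB:01BB 01 " + TAIL,  # 192.168.1.105 -> 203.0.113.7:443, short-lived
    "   4: 00000000:115C 00000000:0000 0A " + TAIL,  # new listener on 0.0.0.0:4444
])

if __name__ == "__main__":
    for peer in sorted(watch(rounds=10)):
        print("external peer seen:", peer)
```

Run it for a few minutes on the NAS and compare `new_listeners()` against a snapshot saved before the suspicious date; a listener on 0.0.0.0 that the baseline lacks, or any external peer that is not your VPN or backup provider, is what to chase down next.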
-
- Getting the hang of things
- Posts: 93
- Joined: Mon Feb 12, 2018 9:26 pm
Re: Strange folders and cronjobs
Here is my list. Interesting things are:
1. bcclient = Bitcoin Network Probing Tool (https://github.com/ivanpustogarov/bcclient), going to kill this one.
2. xl2tpcd = not sure what this is; xl2tpd is known.
And for the different python instances I have no idea what they do. Any chance to query which script is executed?
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:58080 0.0.0.0:* LISTEN 17083/_thttpd_
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:6050 0.0.0.0:* LISTEN 14575/python2.7
tcp 0 0 127.0.0.1:6051 0.0.0.0:* LISTEN 14575/python2.7
tcp 0 0 127.0.0.1:6053 0.0.0.0:* LISTEN 14432/qbusd
tcp 0 0 127.0.0.1:2375 0.0.0.0:* LISTEN 14435/dockerd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1449/smbd
tcp 0 0 127.0.0.1:23310 0.0.0.0:* LISTEN 27028/mysqld
tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 10108/mysqld
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2517/portmap
tcp 0 0 0.0.0.0:30000 0.0.0.0:* LISTEN 2730/rpc.mountd
tcp 0 0 0.0.0.0:30001 0.0.0.0:* LISTEN 3058/rpc.statd
tcp 0 0 0.0.0.0:30002 0.0.0.0:* LISTEN 2648/rpc.rquotad
tcp 0 0 0.0.0.0:46547 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 18550/sshd
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 16363/cupsd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1449/smbd
tcp 0 0 :::2049 :::* LISTEN -
tcp 0 0 :::45575 :::* LISTEN -
tcp 0 0 :::18888 :::* LISTEN 24908/gottymc
tcp 0 0 :::2376 :::* LISTEN 14612/dockerd
tcp 0 0 :::139 :::* LISTEN 1449/smbd
tcp 0 0 :::111 :::* LISTEN 2517/portmap
tcp 0 0 :::30000 :::* LISTEN 2730/rpc.mountd
tcp 0 0 :::80 :::* LISTEN 11413/apache
tcp 0 0 :::8080 :::* LISTEN 17727/apache_proxy
tcp 0 0 :::30001 :::* LISTEN 3058/rpc.statd
tcp 0 0 :::22 :::* LISTEN 18550/sshd
tcp 0 0 :::631 :::* LISTEN 16363/cupsd
tcp 0 0 :::3737 :::* LISTEN 7419/apache_proxys
tcp 0 0 :::443 :::* LISTEN 11413/apache
tcp 0 0 :::445 :::* LISTEN 1449/smbd
udp 0 0 169.254.255.255:8097 0.0.0.0:* 19493/bcclient
udp 214272 0 255.255.255.255:8097 0.0.0.0:* 19493/bcclient
udp 2304 0 255.255.255.255:8097 0.0.0.0:* 19493/bcclient
udp 2304 0 255.255.255.255:8097 0.0.0.0:* 19493/bcclient
udp 214272 0 255.255.255.255:8097 0.0.0.0:* 19493/bcclient
udp 2304 0 255.255.255.255:8097 0.0.0.0:* 19493/bcclient
udp 0 0 169.254.255.255:8097 0.0.0.0:* 19493/bcclient
udp 0 0 169.254.255.255:8097 0.0.0.0:* 19493/bcclient
udp 0 0 169.254.255.255:8097 0.0.0.0:* 19493/bcclient
udp 0 0 169.254.255.255:8097 0.0.0.0:* 19493/bcclient
udp 0 0 169.254.255.255:8097 0.0.0.0:* 19493/bcclient
udp 0 0 169.254.255.255:8097 0.0.0.0:* 19493/bcclient
udp 0 0 169.254.255.255:8097 0.0.0.0:* 19493/bcclient
udp 0 0 169.254.255.255:8097 0.0.0.0:* 19493/bcclient
udp 0 0 169.254.255.255:8097 0.0.0.0:* 19493/bcclient
udp 0 0 169.254.255.255:8097 0.0.0.0:* 19493/bcclient
udp 0 0 255.255.255.255:8097 0.0.0.0:* 19493/bcclient
udp 0 0 0.0.0.0:40887 0.0.0.0:* 11891/dhcpd_lxcbr0
udp 0 0 0.0.0.0:40913 0.0.0.0:* 3201/avahi-daemon:
udp 0 0 0.0.0.0:44506 0.0.0.0:* -
udp 0 0 0.0.0.0:45766 0.0.0.0:* 11877/dhcpd_docker0
udp 0 0 0.0.0.0:48667 0.0.0.0:* 11559/python2
udp 0 0 0.0.0.0:57077 0.0.0.0:* 11559/python2
udp 0 0 0.0.0.0:59113 0.0.0.0:* 11559/python2
udp 0 0 0.0.0.0:30000 0.0.0.0:* 2730/rpc.mountd
udp 0 0 0.0.0.0:30001 0.0.0.0:* 3058/rpc.statd
udp 0 0 0.0.0.0:30002 0.0.0.0:* 2648/rpc.rquotad
udp 0 0 0.0.0.0:67 0.0.0.0:* 11891/dhcpd_lxcbr0
udp 0 0 0.0.0.0:67 0.0.0.0:* 11877/dhcpd_docker0
udp 0 0 0.0.0.0:68 0.0.0.0:* 12305/dhcpcd
udp 0 0 0.0.0.0:111 0.0.0.0:* 2517/portmap
udp 0 0 169.254.255.255:137 0.0.0.0:* 1514/nmbd
udp 0 0 169.254.4.231:137 0.0.0.0:* 1514/nmbd
udp 0 0 192.168.1.255:137 0.0.0.0:* 1514/nmbd
udp 0 0 192.168.1.105:137 0.0.0.0:* 1514/nmbd
udp 0 0 10.0.3.255:137 0.0.0.0:* 1514/nmbd
udp 0 0 10.0.3.1:137 0.0.0.0:* 1514/nmbd
udp 0 0 10.0.5.255:137 0.0.0.0:* 1514/nmbd
udp 0 0 10.0.5.1:137 0.0.0.0:* 1514/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 1514/nmbd
udp 0 0 169.254.255.255:138 0.0.0.0:* 1514/nmbd
udp 0 0 169.254.4.231:138 0.0.0.0:* 1514/nmbd
udp 0 0 192.168.1.255:138 0.0.0.0:* 1514/nmbd
udp 0 0 192.168.1.105:138 0.0.0.0:* 1514/nmbd
udp 0 0 10.0.3.255:138 0.0.0.0:* 1514/nmbd
udp 0 0 10.0.3.1:138 0.0.0.0:* 1514/nmbd
udp 0 0 10.0.5.255:138 0.0.0.0:* 1514/nmbd
udp 0 0 10.0.5.1:138 0.0.0.0:* 1514/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 1514/nmbd
udp 0 0 0.0.0.0:500 0.0.0.0:* 22481/charon
udp 0 0 127.0.0.1:690 0.0.0.0:* 3058/rpc.statd
udp 0 0 0.0.0.0:993 0.0.0.0:* 2517/portmap
udp 0 0 0.0.0.0:1702 0.0.0.0:* 22506/xl2tpcd
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:3702 0.0.0.0:* 11559/python2
udp 0 0 0.0.0.0:36536 0.0.0.0:* 11559/python2
udp 0 0 0.0.0.0:4500 0.0.0.0:* 22481/charon
udp 0 0 0.0.0.0:38009 0.0.0.0:* 11559/python2
udp 0 0 0.0.0.0:5353 0.0.0.0:* 3201/avahi-daemon:
udp 0 0 :::46207 :::* -
udp 0 0 :::56399 :::* 11877/dhcpd_docker0
udp 0 0 :::58042 :::* 11891/dhcpd_lxcbr0
udp 0 0 :::30000 :::* 2730/rpc.mountd
udp 0 0 :::30001 :::* 3058/rpc.statd
udp 0 0 :::111 :::* 2517/portmap
udp 0 0 :::500 :::* 22481/charon
udp 0 0 :::993 :::* 2517/portmap
udp 0 0 :::2049 :::* -
udp 0 0 :::4500 :::* 22481/charon
TVS-1282T3
CPU: Intel Core i7-7700 CPU @ 3.60GHz
Memory: 64 GB
2 x Samsung SSD 850 EVO M.2 1TB (M.2 SATA)
2 x Samsung SSD 860 EVO 2TB (SATA)
4 x WDC WD6002FFWX-68TZ4N0 (SATA) (6TB)
4 x Seagate ST12000VN0007-2GS116 (SATA) (12TB)
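The question in the post above (which script is a given python2.7 PID running?) is answered by procfs rather than netstat: /proc/PID/cmdline holds the full argument vector, /proc/PID/exe is a symlink to the binary on disk, and /proc/PID/cwd to its working directory. The script below is an added example, not from the thread or from QNAP. It also checks the one tell that matters for the replaced-Apache report earlier in the thread: if a running binary was overwritten or unlinked after it started, the kernel appends " (deleted)" to the exe link. It builds a fake /proc tree in a temp directory so it runs offline; the PIDs and paths in that tree are illustrative, not real QNAP paths.

```python
#!/usr/bin/env python3
"""Identify what a process really is from /proc: argv, executable, working directory.

Added example (not from the thread). Assumes a Linux procfs layout; build_fake_proc()
constructs a throwaway tree with illustrative paths so the functions can be exercised offline.
"""
import os
import sys
import tempfile


def describe_pid(pid, proc_root="/proc"):
    """Return argv/exe/cwd for one PID, or None if it does not exist."""
    base = os.path.join(proc_root, str(pid))
    if not os.path.isdir(base):
        return None
    with open(os.path.join(base, "cmdline"), "rb") as f:
        argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    info = {"pid": int(pid), "argv": argv}
    for link in ("exe", "cwd"):
        try:
            info[link] = os.readlink(os.path.join(base, link))
        except OSError:
            info[link] = None  # kernel thread, or no permission to read the link
    # For an interpreter, the script is the first argument that is not an option flag.
    name = os.path.basename(argv[0]) if argv else ""
    info["script"] = None
    if name.startswith(("python", "perl")):
        info["script"] = next((a for a in argv[1:] if not a.startswith("-")), None)
    # A binary replaced or unlinked after start shows as '<path> (deleted)' in the exe link.
    info["exe_deleted"] = bool(info["exe"] and info["exe"].endswith(" (deleted)"))
    return info


def find_by_name(name, proc_root="/proc"):
    """All processes whose argv[0] basename matches name, e.g. 'python2.7' or 'apache'."""
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if entry.isdigit():
            info = describe_pid(entry, proc_root)
            if info and info["argv"] and os.path.basename(info["argv"][0]) == name:
                hits.append(info)
    return hits


def build_fake_proc():
    """Constructed procfs tree: a python2.7 service and an apache whose on-disk binary was replaced."""
    root = tempfile.mkdtemp()
    entries = {
        14575: ([b"python2.7", b"-u", b"/share/example/.qpkg/demo/daemon.py", b"--port", b"6050"],
                "/usr/bin/python2.7", "/share/example/.qpkg/demo"),
        11413: ([b"/usr/local/apache/bin/apache", b"-k", b"start"],
                "/usr/local/apache/bin/apache (deleted)", "/"),
    }
    for pid, (argv, exe, cwd) in entries.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(b"\0".join(argv) + b"\0")  # NUL-separated, NUL-terminated, as the kernel writes it
        os.symlink(exe, os.path.join(d, "exe"))
        os.symlink(cwd, os.path.join(d, "cwd"))
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "python2.7"
    for info in find_by_name(target):
        print(info["pid"], info["exe"], "DELETED" if info["exe_deleted"] else "", info["script"] or " ".join(info["argv"]))
```

On the NAS itself the same information is one line per PID: `tr '\0' ' ' < /proc/<pid>/cmdline; echo; ls -l /proc/<pid>/exe /proc/<pid>/cwd`. An exe link that ends in "(deleted)", or that points somewhere other than the package's own directory, is the process to investigate before killing it.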