Strange folders and cronjobs

Questions about SNMP, Power, System, Logs, disk, & RAID.
Post Reply
benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 »

somy1982 wrote:
Mousetick wrote:Also, go to Control Panel > System > Hardware, and on the "General" tab, make sure the box "Run user defined processes during startup" is unchecked. Restart the NAS afterwards.
AutorunDisable.png
This doesn't "clean" or remove anything, this just prevents a malicious autorun.sh from being executed at startup. If the NAS is already infected by malware with a malicious autorun.sh, it's already too late, it remains in place along with the malware payload and all the other stuff that the malware has already installed in various places. But at least this should prevent the malware from re-installing itself while the NAS is being cleaned.
Thanks, have done that and removed the autorun.sh. Delete everything I could find and also removed all suspicious cron jobs. The NAS is restarted and the jobs are removed permanently seems.
Today I go into .qpkg folder and found many files being hacked, now I reinstalled all apps. Hopefully that's it. Otherwise I have to start from scratch :-(
Anybody know if QNAP provide a way to completely reset QTS OS and leave data unchanged?
Where are located autorun.sh and crontab files?
User avatar
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Strange folders and cronjobs

Post by dolbyman »

benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 »

i've already found crontab, but i I didn't imagine to mount a ramblock for the autorun script.
Thank you
somy1982
Easy as a breeze
Posts: 372
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 »

Anybody knows the 10 second reset function, would that erase all system files?
robert_m_muench
Getting the hang of things
Posts: 93
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench »

A bit OT: How to reinstall the operating system completely while keeping the data? Would it recognize my disks again? Since this seems to only affect the qnap system, but no data-volumes with user data, I would like to only reinstall the operating system.

There is a "restore factory defaults" but this sounds more like resetting a couple of config files and that's it. Which would leave malware files around... or does this re-install the operating system?
TVS-1282T3
CPU: Intel Core i7-7700 CPU @ 3.60GHz
Memory: 64 GB
2 x Samsung SSD 850 EVO M.2 1TB (M.2 SATA)
2 x Samsung SSD 860 EVO 2TB (SATA)
4 x WDC WD6002FFWX-68TZ4N0 (SATA) (6TB)
4 x Seagate ST12000VN0007-2GS116 (SATA) (12TB)
somy1982
Easy as a breeze
Posts: 372
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 »

robert_m_muench wrote:A bit OT: How to reinstall the operating system completely while keeping the data? Would it recognize my disks again? Since this seems to only affect the qnap system, but no data-volumes with user data, I would like to only reinstall the operating system.

There is a "restore factory defaults" but this sounds more like resetting a couple of config files and that's it. Which would leave malware files around... or does this re-install the operating system?
Same question but nobody seems to know. Better to contact QNAP, I have created a case now.
BTW, do you have the same symptom? did you check when the suspicious files are created?
robert_m_muench
Getting the hang of things
Posts: 93
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench »

Yes, same symptoms. My problematic files were created 25-Aug too. But I found some infected files with an earlier date. Not sure if this was done by not changing the date of the files (which would be much smarter to avoid detection). I^m currently transferring my shared folders (where I have my data) to a dedicated volume to free the pool where my system is installed on. Idea is to be ready to wipe the pool and system completely. For this I will remove the other pool and take out the disks.

With all this hassle it seems to be wise to not store any data with your system. So: pool-1 = system & apps, pool-2 ff. for data.

I still don't understand exactly how the QNAP system works. There is a firmware that seems to reside on something as it's possible to get installed without any disks in the system. And a piece (the Linux system) which gets installed on the 1st volume.
TVS-1282T3
CPU: Intel Core i7-7700 CPU @ 3.60GHz
Memory: 64 GB
2 x Samsung SSD 850 EVO M.2 1TB (M.2 SATA)
2 x Samsung SSD 860 EVO 2TB (SATA)
4 x WDC WD6002FFWX-68TZ4N0 (SATA) (6TB)
4 x Seagate ST12000VN0007-2GS116 (SATA) (12TB)
somy1982
Easy as a breeze
Posts: 372
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 »

Strange this must be a known security vunderbility - given in all three cases the attacks started on 25/8, I start to wonder if some app or content distributed by QNAP caused this, as otherwise the hacker needs to know the IP of the system to hack in and that's not normally done on the same date.
somy1982
Easy as a breeze
Posts: 372
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 »

robert_m_muench wrote:Yes, same symptoms. My problematic files were created 25-Aug too. But I found some infected files with an earlier date. Not sure if this was done by not changing the date of the files (which would be much smarter to avoid detection). I^m currently transferring my shared folders (where I have my data) to a dedicated volume to free the pool where my system is installed on. Idea is to be ready to wipe the pool and system completely. For this I will remove the other pool and take out the disks.

With all this hassle it seems to be wise to not store any data with your system. So: pool-1 = system & apps, pool-2 ff. for data.

I still don't understand exactly how the QNAP system works. There is a firmware that seems to reside on something as it's possible to get installed without any disks in the system. And a piece (the Linux system) which gets installed on the 1st volume.
Before you do the hassle, suggest you create a helpdesk ticket and see what QNAP suggests.
I was informed on Thursday that they're working on a new version of malware remover which should solve the problem.
I have important documents in a encrypted volume so I just keep them locked for now and hope there is a short cut.
robert_m_muench
Getting the hang of things
Posts: 93
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench »

Is there a public reference to your ticket I could jump on?
TVS-1282T3
CPU: Intel Core i7-7700 CPU @ 3.60GHz
Memory: 64 GB
2 x Samsung SSD 850 EVO M.2 1TB (M.2 SATA)
2 x Samsung SSD 860 EVO 2TB (SATA)
4 x WDC WD6002FFWX-68TZ4N0 (SATA) (6TB)
4 x Seagate ST12000VN0007-2GS116 (SATA) (12TB)
somy1982
Easy as a breeze
Posts: 372
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 »

robert_m_muench wrote:Is there a public reference to your ticket I could jump on?
I have a ref number but it's not public. You can create one from HelpDesk app or their website.
robert_m_muench
Getting the hang of things
Posts: 93
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench »

I think I'm going to install osquery.io and regularly run specific security queries like this set https://github.com/palantir/osquery-con ... otkit.conf

@qnap (if they are listening): IMO such a feature should go directly into the firmware.
TVS-1282T3
CPU: Intel Core i7-7700 CPU @ 3.60GHz
Memory: 64 GB
2 x Samsung SSD 850 EVO M.2 1TB (M.2 SATA)
2 x Samsung SSD 860 EVO 2TB (SATA)
4 x WDC WD6002FFWX-68TZ4N0 (SATA) (6TB)
4 x Seagate ST12000VN0007-2GS116 (SATA) (12TB)
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: Strange folders and cronjobs

Post by Mousetick »

robert_m_muench wrote:My problematic files were created 25-Aug too. But I found some infected files with an earlier date. Not sure if this was done by not changing the date of the files (which would be much smarter to avoid detection).
Indeed. The autorun.sh script that I decrypted contains some commands that modify some QNAP configuration and program files, and then change the modification date back in time to make it look that they are not modified.

Also, the August 25 date may not necessarily be the date the malware was installed. It could be the date the malware was created/built. This is just speculation, I have no means to verify.
robert_m_muench
Getting the hang of things
Posts: 93
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench »

Here is a Reddit link about the same topic and how QNAP handles such situations:

https://www.reddit.com/r/qnap/comments/ ... formation/
TVS-1282T3
CPU: Intel Core i7-7700 CPU @ 3.60GHz
Memory: 64 GB
2 x Samsung SSD 850 EVO M.2 1TB (M.2 SATA)
2 x Samsung SSD 860 EVO 2TB (SATA)
4 x WDC WD6002FFWX-68TZ4N0 (SATA) (6TB)
4 x Seagate ST12000VN0007-2GS116 (SATA) (12TB)
somy1982
Easy as a breeze
Posts: 372
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 »

robert_m_muench wrote:Here is a Reddit link about the same topic and how QNAP handles such situations:

https://www.reddit.com/r/qnap/comments/ ... formation/
Thanks for the link!
I'm afraid this one we have now is not something fully recognised by malware remover.
The malware remover did found some threats on 26/8 when it was first run after the files were created on 25/8, so I believe 25/8 is the time when it started.
However I checked the files being recovered (I can see the timestamp they were changed when malware remover was scheduled to run on 26/8), however when I check the content of the files I still found the strange encrypted segments, so I delete the apps and install them again. This is all I can fix, I don't know how many system files/conf have been compromised, and I have no way to verify that.
Clearly the malware was produced to attach QNAP devices by using some security vulnerability of QTS (or its apps). QNAP owes us an explanation, and they should help us to solve the problem. I suggest everybody who is impacted create a help desk ticket, and update here in this thread.
Post Reply

Return to “System & Disk Volume Management”