Strange folders and cronjobs

Questions about SNMP, Power, System, Logs, disk, & RAID.
Don
Guru
Posts: 12004
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Strange folders and cronjobs

Post by Don » Sun Sep 09, 2018 10:45 pm

You got infected because you opened one or more ports on your router from the internet to your NAS, either intentionally or via UPnP. The only safe way to access your NAS from the internet is to use a VPN.
Read the Online Manuals and use the forum search feature before posting.

It is a recommended to use RAID and have external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

Submit bugs and feature requests to QNAP via their Helpdesk app.

NAS: TVS-882BR | F/W: 4.3.6.0895 | 40GB | 2 x M.2 SATA RAID 1 (System/VMs) | 4 x M.2 NMVe QM2-4P-384A RAID 5 (Cache) | 5 x 4TB HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-663 | F/W: 4.4.2.1320 | 16GB | 2 x M.2 NMVe QM2-2P RAID 1 (Cache) | 4 x 4TB RAID 5
Apps: Boinc, Squid, DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS, Entware, DLstation, +others

somy1982
Easy as a breeze
Posts: 356
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 » Sun Sep 09, 2018 11:12 pm

Don wrote: You got infected because you opened one or more ports on your router from the internet to your NAS, either intentionally or via UPnP. The only safe way to access your NAS from the internet is to use a VPN.

Lesson learned now :-( UPnP has been disabled from day 1 though.
For a commercial home NAS I doubt many users even know how to use a VPN, and it is not mentioned in QNAP's guide on how to make the NAS more secure:
https://www.qnap.com/en/how-to/faq/arti ... re-secure/
Still, the hacker knows the QNAP OS and the vulnerability in the QTS apps, and therefore it would be better for QNAP to explain what exactly happened on 25/8 - we know at least three users got the malware (either deployed or executed) on the same date.

benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 » Mon Sep 10, 2018 12:28 am

somy1982 wrote:
Don wrote:Still the hacker knows QNAP OS and the vulnerability in QTS apps

That's for sure, sadly.

somy1982
Easy as a breeze
Posts: 356
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 » Mon Sep 10, 2018 3:57 pm

Got some info from QNAP:
1) The next version of Malware Remover will be able to remove it (not sure if it will recover the system files changed by the malware).
2) The malware replaced the default Apache web server with another one - the intention is unknown.
3) Seems like the hacker scanned IP addresses for the attack.
4) The current version of Music Station allows command injection - the same problem as Photo Station, which was fixed back in May.
Will keep you updated.

benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 » Mon Sep 10, 2018 7:01 pm

somy1982 wrote: Got some info from QNAP:
1) The next version of Malware Remover will be able to remove it (not sure if it will recover the system files changed by the malware).
2) The malware replaced the default Apache web server with another one - the intention is unknown.
3) Seems like the hacker scanned IP addresses for the attack.
4) The current version of Music Station allows command injection - the same problem as Photo Station, which was fixed back in May.
Will keep you updated.

Thank you

dolbyman
Guru
Posts: 19672
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Strange folders and cronjobs

Post by dolbyman » Mon Sep 10, 2018 9:32 pm

You wonder if the Music Station vulnerability would be something they would want to communicate ASAP to customers... no?

somy1982
Easy as a breeze
Posts: 356
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 » Mon Sep 10, 2018 9:37 pm

dolbyman wrote: You wonder if the Music Station vulnerability would be something they would want to communicate ASAP to customers... no?

I asked - as many other users might also be hit, possibly some are already without even knowing it.

robert_m_muench
Getting the hang of things
Posts: 88
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench » Tue Sep 11, 2018 12:10 am

somy1982 wrote: Got some info from QNAP:
...
2) The malware replaced the default Apache web server with another one - the intention is unknown.
...
Will keep you updated.


This sounds pretty scary... so I (might) have something running on my system, which is a major component of QTS (because of the web admin interface), that was modified and can log my admin password, send it out to any remote system without notice, open bi-directional channels from the inside into my network...

IMO this is a design-basis security error. And QNAP is not communicating what to do, how to check for infection, etc.?

I would prefer to have two Apache instances (with two binaries) running on my QNAP. One for admin access, that's never accessible over the internet at all. And one which can (temporarily) be accessed (for example for file sharing).
TVS-1282T3
CPU: Intel Core i7-7700 CPU @ 3.60GHz
Memory: 64 GB
2 x Samsung SSD 850 EVO M.2 1TB (M.2 SATA)
2 x Samsung SSD 860 EVO 2TB (SATA)
4 x WDC WD6002FFWX-68TZ4N0 (SATA) (6TB)
4 x Seagate ST12000VN0007-2GS116 (SATA) (12TB)

dolbyman
Guru
Posts: 19672
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Strange folders and cronjobs

Post by dolbyman » Tue Sep 11, 2018 12:24 am

From what Mousetick found out, it is to scoop up your account credentials ... (get the password right from the Apache session)

somy1982
Easy as a breeze
Posts: 356
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 » Tue Sep 11, 2018 1:10 am

What I don't understand is, there was the command injection problem in Photo Station back in May, so why hasn't QNAP checked all QTS apps to ensure the same thing is not used by the hackers?
Who knows what's next, Download Station?

dolbyman
Guru
Posts: 19672
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Strange folders and cronjobs

Post by dolbyman » Tue Sep 11, 2018 1:19 am

Well, that's why it is always ill-advised to expose any NAS part to the outside ... those units are not hardened enough to be exposed (and even if they were... who is guaranteeing that they are always updated with the latest patches?)

somy1982
Easy as a breeze
Posts: 356
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 » Tue Sep 11, 2018 1:26 am

dolbyman wrote: Well, that's why it is always ill-advised to expose any NAS part to the outside ... those units are not hardened enough to be exposed (and even if they were... who is guaranteeing that they are always updated with the latest patches?)

True, but many consumers buy those devices for convenience reasons, and use them as a private cloud for media files.
All QTS mobile apps require the server to be reachable on the internet.
QNAP should really look into the security of their official apps, which provide the convenience and are therefore used by many.

somy1982
Easy as a breeze
Posts: 356
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 » Tue Sep 11, 2018 2:20 am

Hi guys,
Just to understand where the malware sends data to, I tried the command "netstat -nputw" to see any suspicious outgoing connections (incoming is blocked). I don't see any suspicious external IP addresses, but there are a lot of connections to localhost (127.0.0.1); not sure if there is any problem.

Mousetick
Easy as a breeze
Posts: 352
Joined: Thu Aug 24, 2017 10:28 pm

Re: Strange folders and cronjobs

Post by Mousetick » Tue Sep 11, 2018 3:02 am

somy1982 wrote: I tried the command "netstat -nputw" to see any suspicious outgoing connections (incoming is blocked). I don't see any suspicious external IP addresses, but there are a lot of connections to localhost (127.0.0.1); not sure if there is any problem.

- That command shows you only the open outgoing connections at the time it is run; it's a snapshot at a certain point in time. You could have a program sending some data one minute before or after, and you wouldn't see it. It's not a good way to monitor real-time network activity.
- Connections from/to 127.0.0.1 are expected as part of the NAS's normal operation, nothing to worry about here.
- You can also use the command "netstat -nputl", which shows all programs listening for incoming connections and all ports open on the NAS. There you can see whether unknown servers are running or unknown ports are open.

robert_m_muench
Getting the hang of things
Posts: 88
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench » Tue Sep 11, 2018 3:32 am

Here is my list. Interesting things are:

1. bcclient = Bitcoin Network Probing Tool (https://github.com/ivanpustogarov/bcclient), going to kill this one.
2. xl2tpcd = not sure what this is; xl2tpd is known.

And the different Python instances, I don't have an idea what they do. Any chance to query what script is executed?



Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:58080         0.0.0.0:*               LISTEN      17083/_thttpd_
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6050          0.0.0.0:*               LISTEN      14575/python2.7
tcp        0      0 127.0.0.1:6051          0.0.0.0:*               LISTEN      14575/python2.7
tcp        0      0 127.0.0.1:6053          0.0.0.0:*               LISTEN      14432/qbusd
tcp        0      0 127.0.0.1:2375          0.0.0.0:*               LISTEN      14435/dockerd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      1449/smbd
tcp        0      0 127.0.0.1:23310         0.0.0.0:*               LISTEN      27028/mysqld
tcp        0      0 127.0.0.1:3310          0.0.0.0:*               LISTEN      10108/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2517/portmap
tcp        0      0 0.0.0.0:30000           0.0.0.0:*               LISTEN      2730/rpc.mountd
tcp        0      0 0.0.0.0:30001           0.0.0.0:*               LISTEN      3058/rpc.statd
tcp        0      0 0.0.0.0:30002           0.0.0.0:*               LISTEN      2648/rpc.rquotad
tcp        0      0 0.0.0.0:46547           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      18550/sshd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      16363/cupsd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      1449/smbd
tcp        0      0 :::2049                 :::*                    LISTEN      -
tcp        0      0 :::45575                :::*                    LISTEN      -
tcp        0      0 :::18888                :::*                    LISTEN      24908/gottymc
tcp        0      0 :::2376                 :::*                    LISTEN      14612/dockerd
tcp        0      0 :::139                  :::*                    LISTEN      1449/smbd
tcp        0      0 :::111                  :::*                    LISTEN      2517/portmap
tcp        0      0 :::30000                :::*                    LISTEN      2730/rpc.mountd
tcp        0      0 :::80                   :::*                    LISTEN      11413/apache
tcp        0      0 :::8080                 :::*                    LISTEN      17727/apache_proxy
tcp        0      0 :::30001                :::*                    LISTEN      3058/rpc.statd
tcp        0      0 :::22                   :::*                    LISTEN      18550/sshd
tcp        0      0 :::631                  :::*                    LISTEN      16363/cupsd
tcp        0      0 :::3737                 :::*                    LISTEN      7419/apache_proxys
tcp        0      0 :::443                  :::*                    LISTEN      11413/apache
tcp        0      0 :::445                  :::*                    LISTEN      1449/smbd
udp        0      0 169.254.255.255:8097    0.0.0.0:*                           19493/bcclient
udp   214272      0 255.255.255.255:8097    0.0.0.0:*                           19493/bcclient
udp     2304      0 255.255.255.255:8097    0.0.0.0:*                           19493/bcclient
udp     2304      0 255.255.255.255:8097    0.0.0.0:*                           19493/bcclient
udp   214272      0 255.255.255.255:8097    0.0.0.0:*                           19493/bcclient
udp     2304      0 255.255.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 169.254.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 169.254.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 169.254.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 169.254.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 169.254.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 169.254.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 169.254.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 169.254.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 169.254.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 169.254.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 255.255.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 0.0.0.0:40887           0.0.0.0:*                           11891/dhcpd_lxcbr0
udp        0      0 0.0.0.0:40913           0.0.0.0:*                           3201/avahi-daemon:
udp        0      0 0.0.0.0:44506           0.0.0.0:*                           -
udp        0      0 0.0.0.0:45766           0.0.0.0:*                           11877/dhcpd_docker0
udp        0      0 0.0.0.0:48667           0.0.0.0:*                           11559/python2
udp        0      0 0.0.0.0:57077           0.0.0.0:*                           11559/python2
udp        0      0 0.0.0.0:59113           0.0.0.0:*                           11559/python2
udp        0      0 0.0.0.0:30000           0.0.0.0:*                           2730/rpc.mountd
udp        0      0 0.0.0.0:30001           0.0.0.0:*                           3058/rpc.statd
udp        0      0 0.0.0.0:30002           0.0.0.0:*                           2648/rpc.rquotad
udp        0      0 0.0.0.0:67              0.0.0.0:*                           11891/dhcpd_lxcbr0
udp        0      0 0.0.0.0:67              0.0.0.0:*                           11877/dhcpd_docker0
udp        0      0 0.0.0.0:68              0.0.0.0:*                           12305/dhcpcd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2517/portmap
udp        0      0 169.254.255.255:137     0.0.0.0:*                           1514/nmbd
udp        0      0 169.254.4.231:137       0.0.0.0:*                           1514/nmbd
udp        0      0 192.168.1.255:137       0.0.0.0:*                           1514/nmbd
udp        0      0 192.168.1.105:137       0.0.0.0:*                           1514/nmbd
udp        0      0 10.0.3.255:137          0.0.0.0:*                           1514/nmbd
udp        0      0 10.0.3.1:137            0.0.0.0:*                           1514/nmbd
udp        0      0 10.0.5.255:137          0.0.0.0:*                           1514/nmbd
udp        0      0 10.0.5.1:137            0.0.0.0:*                           1514/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           1514/nmbd
udp        0      0 169.254.255.255:138     0.0.0.0:*                           1514/nmbd
udp        0      0 169.254.4.231:138       0.0.0.0:*                           1514/nmbd
udp        0      0 192.168.1.255:138       0.0.0.0:*                           1514/nmbd
udp        0      0 192.168.1.105:138       0.0.0.0:*                           1514/nmbd
udp        0      0 10.0.3.255:138          0.0.0.0:*                           1514/nmbd
udp        0      0 10.0.3.1:138            0.0.0.0:*                           1514/nmbd
udp        0      0 10.0.5.255:138          0.0.0.0:*                           1514/nmbd
udp        0      0 10.0.5.1:138            0.0.0.0:*                           1514/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           1514/nmbd
udp        0      0 0.0.0.0:500             0.0.0.0:*                           22481/charon
udp        0      0 127.0.0.1:690           0.0.0.0:*                           3058/rpc.statd
udp        0      0 0.0.0.0:993             0.0.0.0:*                           2517/portmap
udp        0      0 0.0.0.0:1702            0.0.0.0:*                           22506/xl2tpcd
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 0.0.0.0:3702            0.0.0.0:*                           11559/python2
udp        0      0 0.0.0.0:36536           0.0.0.0:*                           11559/python2
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           22481/charon
udp        0      0 0.0.0.0:38009           0.0.0.0:*                           11559/python2
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           3201/avahi-daemon:
udp        0      0 :::46207                :::*                                -
udp        0      0 :::56399                :::*                                11877/dhcpd_docker0
udp        0      0 :::58042                :::*                                11891/dhcpd_lxcbr0
udp        0      0 :::30000                :::*                                2730/rpc.mountd
udp        0      0 :::30001                :::*                                3058/rpc.statd
udp        0      0 :::111                  :::*                                2517/portmap
udp        0      0 :::500                  :::*                                22481/charon
udp        0      0 :::993                  :::*                                2517/portmap
udp        0      0 :::2049                 :::*                                -
udp        0      0 :::4500                 :::*                                22481/charon
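An added example, not code from the thread, from QNAP or from any poster: a small Python script that does what Mousetick suggests with "netstat -nputl" and answers robert_m_muench's question about the python2 processes. It parses the listing (the sample lines are copied from the listing above), separates loopback-only listeners from sockets bound to every interface, flags owners that are not in a baseline allowlist, and resolves a PID to its argv and binary path through /proc. The baseline set, the PID directory and the script path used in the demo are constructed for the example; a real baseline is a "netstat -nputl" snapshot taken from the same NAS while it was known to be clean, and the comparison is only as good as that snapshot since, as Mousetick notes, netstat shows one point in time.

```python
"""Triage a `netstat -nputl` listing from a Linux NAS (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Lines copied from the listing posted in the thread (header lines included
# so the parser has to skip them).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:58080         0.0.0.0:*               LISTEN      17083/_thttpd_
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      18550/sshd
tcp        0      0 :::80                   :::*                    LISTEN      11413/apache
tcp        0      0 :::18888                :::*                    LISTEN      24908/gottymc
tcp        0      0 0.0.0.0:46547           0.0.0.0:*               LISTEN      -
udp        0      0 255.255.255.255:8097    0.0.0.0:*                           19493/bcclient
udp        0      0 0.0.0.0:48667           0.0.0.0:*                           11559/python2
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           3201/avahi-daemon:
"""

# Constructed baseline of program names expected on this NAS (assumption made
# for the example; build yours from a known-clean snapshot of the same box).
BASELINE = {"sshd", "apache", "apache_proxy", "apache_proxys", "smbd", "nmbd",
            "portmap", "rpc.mountd", "rpc.statd", "rpc.rquotad", "cupsd",
            "mysqld", "avahi-daemon:", "_thttpd_", "dockerd", "qbusd", "charon"}

LOOPBACK = {"127.0.0.1", "::1"}

# proto  recv-q  send-q  local  foreign  [LISTEN]  pid/program
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:LISTEN\s+)?(?P<pidprog>\S+)\s*$")


def parse_listing(text):
    """Return one dict per socket line; non-matching header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)   # ':::80' -> ('::', '80')
        pidprog = m.group("pidprog")
        if pidprog == "-":            # kernel socket (e.g. NFS) or no permission
            pid, prog = None, None
        else:
            pid_s, prog = pidprog.split("/", 1)
            pid = int(pid_s)
        sockets.append({"proto": m.group("proto"), "addr": addr,
                        "port": int(port), "pid": pid, "prog": prog})
    return sockets


def exposed_listeners(sockets):
    """Sockets not bound to loopback: reachable from the LAN, and from the
    internet if the router forwards (or UPnP opened) that port."""
    return [s for s in sockets if s["addr"] not in LOOPBACK]


def unexpected_programs(sockets, baseline=BASELINE):
    """Exposed sockets whose owner is unnamed or absent from the baseline."""
    return [s for s in exposed_listeners(sockets)
            if s["prog"] is None or s["prog"] not in baseline]


def cmdline_for_pid(pid, proc_root="/proc"):
    """argv of a live process from /proc/<pid>/cmdline (NUL separated), or None.
    For a generic 'python2' entry this reveals which script it is running."""
    try:
        raw = Path(proc_root, str(pid), "cmdline").read_bytes()
    except OSError:
        return None
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]


def exe_for_pid(pid, proc_root="/proc"):
    """Target of /proc/<pid>/exe: the binary actually running, regardless of the
    program name column. A ' (deleted)' suffix means the file was removed while
    the process kept running, which is worth a closer look."""
    try:
        return os.readlink(Path(proc_root, str(pid), "exe"))
    except OSError:
        return None


def run_demo():
    """Triage the sample listing and resolve a PID against a constructed /proc."""
    flagged = unexpected_programs(parse_listing(SAMPLE_NETSTAT))
    with tempfile.TemporaryDirectory() as proc_root:
        piddir = Path(proc_root, "11559")          # constructed stand-in entry
        piddir.mkdir()
        (piddir / "cmdline").write_bytes(b"python2\0/tmp/example_script.py\0")
        argv = cmdline_for_pid(11559, proc_root)
    return {"flagged": flagged, "python2_argv": argv}


if __name__ == "__main__":
    result = run_demo()
    for s in result["flagged"]:
        print(f"{s['proto']:4} {s['addr']}:{s['port']:<6} pid={s['pid']} prog={s['prog']}")
    print("python2 argv:", result["python2_argv"])
```

On the NAS itself, feed the real output of "netstat -nputl" to parse_listing and call cmdline_for_pid and exe_for_pid with the default /proc root; the loopback-only entries are the 127.0.0.1 traffic somy1982 saw and are left out of the flagged list, while the sample run flags bcclient, gottymc, the python2 UDP listener and the unnamed socket on 46547 for review.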
