PhotoStation shared folder 9cd00ccc-d02f-11ea-87d0-0242ac130010

Schiiba
New here
Posts: 2
Joined: Tue May 11, 2021 3:14 am

PhotoStation shared folder 9cd00ccc-d02f-11ea-87d0-0242ac130010

Post by Schiiba »

On my TS-231P2 I found some logs relating to external IPs with the "wasthere" user and the shared folder "9cd00ccc-d02f-11ea-87d0-0242ac130010".
Within 4 months, there are 6 different IPs in my logs with such system events and 12 sequences of similar system events.

One sample sequence for an external IP is:
Informations 2021-03-10 00:10:37 [appuser] 185.44.76.189 --- --- [Users] New user [wasthere] deleted.
Informations 2021-03-10 00:10:34 System 127.0.0.1 --- --- [Home Folders] The home folder for user wasthere has been deleted.
Informations 2021-03-10 00:10:25 wasthere 185.44.76.189 --- --- [Share Folders] New share folder [9cd00ccc-d02f-11ea-87d0-0242ac130010] created.
Informations 2021-03-10 00:10:23 System 127.0.0.1 --- --- [Home Folders] The home folder for user wasthere has been created.
Informations 2021-03-10 00:10:21 [appuser] 185.44.76.189 --- --- [Users] New user [wasthere] added.

A post (viewtopic.php?t=156695&p=764361) suggested QSnatch malware.
Nevertheless my "Malware Removal" scan found nothing.

So, does anybody have information about:
- the 9cd00ccc-d02f-11ea-87d0-0242ac130010 shared folder?
- the "wasthere" user?

In my investigation, I found that 9cd00ccc-d02f-11ea-87d0-0242ac130010 links to a "./photostation2" subfolder.
After removal and installation of "Photo Station", I saw that this subfolder is truly created by the QNAP standard installation process.
The only googled information I found relating to 9cd00.. is a "WebPack" package for developers that allows keeping JavaScript outside of the webpages.
My Qnapcloud was also activated and I had "public folders" access.

So my main assumption is that PhotoStation uses the "Webpack".
When external "Public guests" like robots check for files with myqnapcloud URLs, the QNAP Photoshare generates a new user and shared link to make web exploration work with the "public folders" and users from the worldwide web!

Since I closed all access (myqnapcloud, server ports ...) and updated QTS and some QPKGs, the "wasthere" did not show up again in the logs.
But the shared link "9cd00ccc-d02f-11ea-87d0-0242ac13001" came back once... without knowing who generated it!


I would like to know if the logs relating to that issue result from malware or belong to the normal behaviour of Photostation running.


Thanks for your feedback.
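
As an added example (not part of the original post and not QNAP code), the sequence quoted in the post above can be searched for in an exported system event log: this Python script flags accounts that are added from a public IP and deleted again within a short window, together with any share folders they created. The column layout is assumed from the lines as pasted; the function names and the 60-second window are choices made for this example.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# The five events quoted in the post above, newest first as pasted.
SAMPLE = """\
Informations 2021-03-10 00:10:37 [appuser] 185.44.76.189 --- --- [Users] New user [wasthere] deleted.
Informations 2021-03-10 00:10:34 System 127.0.0.1 --- --- [Home Folders] The home folder for user wasthere has been deleted.
Informations 2021-03-10 00:10:25 wasthere 185.44.76.189 --- --- [Share Folders] New share folder [9cd00ccc-d02f-11ea-87d0-0242ac130010] created.
Informations 2021-03-10 00:10:23 System 127.0.0.1 --- --- [Home Folders] The home folder for user wasthere has been created.
Informations 2021-03-10 00:10:21 [appuser] 185.44.76.189 --- --- [Users] New user [wasthere] added.
"""

# Assumed columns: level, date, time, acting user, source IP, two unused fields, message.
LINE = re.compile(r"^\S+ (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<actor>\S+) "
                  r"(?P<ip>\S+) --- --- (?P<msg>.*)$")
USER_EVT = re.compile(r"New user \[(?P<user>[^\]]+)\] (?P<what>added|deleted)\.")
SHARE_EVT = re.compile(r"New share folder \[(?P<share>[^\]]+)\] created\.")

def parse(text):
    events = []
    for m in filter(None, (LINE.match(l.strip()) for l in text.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return sorted(events, key=lambda ev: ev["ts"])  # oldest first; bad lines skipped

def is_external(ip):
    try:
        return ip_address(ip).is_global  # False for loopback and private ranges
    except ValueError:
        return False

def short_lived_accounts(text, window_s=60):
    """Accounts added from a public IP and deleted again within window_s seconds."""
    opened, findings = {}, []
    for ev in parse(text):
        user, share = USER_EVT.search(ev["msg"]), SHARE_EVT.search(ev["msg"])
        if user and user["what"] == "added" and is_external(ev["ip"]):
            opened[user["user"]] = {"user": user["user"], "ip": ev["ip"],
                                    "added": ev["ts"], "shares": []}
        elif share and ev["actor"] in opened:  # share created by the new account
            opened[ev["actor"]]["shares"].append(share["share"])
        elif user and user["what"] == "deleted" and user["user"] in opened:
            rec = opened.pop(user["user"])
            rec["lifetime_s"] = int((ev["ts"] - rec["added"]).total_seconds())
            if rec["lifetime_s"] <= window_s:
                findings.append(rec)
    return findings
```

Calling `short_lived_accounts()` on the full exported log text returns one record per matching account, which makes it easy to count distinct source IPs and sequences over several months.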
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: PhotoStation shared folder 9cd00ccc-d02f-11ea-87d0-0242ac130010

Post by dolbyman »

I would kill the NAS... format the hard drives and start from scratch.

After, make sure you never ever expose your NAS to WAN again...
Schiiba
New here
Posts: 2
Joined: Tue May 11, 2021 3:14 am

Re: PhotoStation shared folder 9cd00ccc-d02f-11ea-87d0-0242ac130010

Post by Schiiba »

Thanks for the strong advice.
I am expecting feedback from QNAP support (first time experience)...
ColHut
Know my way around
Posts: 248
Joined: Sat Oct 14, 2017 12:13 am

Re: PhotoStation shared folder 9cd00ccc-d02f-11ea-87d0-0242ac130010

Post by ColHut »

https://www.abuseipdb.com/check/185.44.76.189

Possibly you are not alone

Regards