[SECURITY RISK] Your NAS could be infected. Please read.

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply

Are you infected? / Should QNAP make a Security Advisory Announcement? - SELECT TWO OPTIONS

Yes I my NAS has been with this issue.
59
30%
No, I my NAS is not infected
71
36%
Yes, Announcement by QNAP Critical.
66
33%
No, Just contact QNAP issue
4
2%
 
Total votes: 200

User avatar
Toxic17
Experience counts
Posts: 4938
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 » Sat Feb 09, 2019 8:45 am

Looks like QNAP seem to be good at infections... old news but 2500 QNAPS infected a few years back.

https://www.bleepingcomputer.com/news/s ... as-botnet/
Regards Simon

QNAP 4.3.x/4.2.x Manuals

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.3.6.0993 • TVS-463-16GB 4.3.6.0993 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.0967 • APC Back-UPS ES 700G •
QPKG's: TwonkyServer 8.51 • Apache73 • QSonarr 3.0.1.503 • QNBZGet 21.0 • phpMyAdmin 4.8.5 • Qmono 5.20.1.19 • McAfee 2.2.0 • Lychee 3.2.15 • HBS 3.0.190802 • LEgo v3.0.0
Network: VM Hub 3.0 <500/35> • UniFi USG Pro 4 • UniFi USW-16-150W • UniFi USW-8-60W • UniFi CloudKey Gen2+• UniFi G3-Flex • UAP AC Pro • UAP AC Lite • SLM2008 • Dell 7050 MFF •

User avatar
OneCD
Ask me anything
Posts: 6117
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by OneCD » Sat Feb 09, 2019 12:03 pm

If anyone's looking to get QNAP a Valentine's Day gift, I've just the thing. :wink:
Neowin wrote:Download the "Mastering Linux Security and Hardening" eBook (worth $23) for free

A comprehensive guide to mastering the art of preventing your Linux system from getting compromised. Claim your complimentary copy (worth $23) for free today, before the offer expires on Feb 19.

Image

What's it about?

This book has extensive coverage of techniques that will help prevent attackers from breaching your system, by building a much more secure Linux environment.

This eBook will help you:
  • Use various techniques to prevent intruders from accessing sensitive data
  • Prevent intruders from planting malware, and detect whether malware has been planted
  • Prevent insiders from accessing data that they aren’t authorized to access
  • Do quick checks to see whether a computer is running network services that it doesn’t need to run
  • Learn security techniques that are common to all Linux distros, and some that are distro-specific
By the end of this book, you will be confident in delivering a system that will be much harder to compromise.

production NAS: TS-569 Pro with Debian 9.9 'Stretch' (power on/off times are < 1 minute)
backup NAS: TS-559 Pro+ with QTS 4.2.6 #20190730

one.cd.only@gmail.com

Image Image Image Image

ldir-EDB0
Starting out
Posts: 16
Joined: Tue Dec 04, 2018 12:22 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by ldir-EDB0 » Sat Feb 09, 2019 10:32 pm

The response I've just received from Qnap via the security contact is that "The vulnerability was patched and related security advisory was released last year: https://www.qnap.com/en/security-advisory/nas-201809-14"

From that advisory:

"Release date: September 14, 2018
Security ID: NAS-201809-14
Severity: Critical
CVE identifier: CVE-2018-0718
Affected products: Music Station 5.1.2 and earlier versions in QTS 4.3.3 and 4.3.4"

It would be good to confirm that those affected were running vulnerable versions of Music Station. If they're not, then another attack vector was/is being used.

Kevin

User avatar
Toxic17
Experience counts
Posts: 4938
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 » Sun Feb 10, 2019 12:56 am

ldir-EDB0 wrote:
Sat Feb 09, 2019 10:32 pm
The response I've just received from Qnap via the security contact is that "The vulnerability was patched and related security advisory was released last year: https://www.qnap.com/en/security-advisory/nas-201809-14"

From that advisory:

"Release date: September 14, 2018
Security ID: NAS-201809-14
Severity: Critical
CVE identifier: CVE-2018-0718
Affected products: Music Station 5.1.2 and earlier versions in QTS 4.3.3 and 4.3.4"

It would be good to confirm that those affected were running vulnerable versions of Music Station. If they're not, then another attack vector was/is being used.

Kevin
most are running 4.3.5 or 4.3.6 sounds like HelpDesk is just fobbing people off with blaming this issue on MS. Since the hackers are now probably following all QNAP threads regarding this they can now look at QNAPs so called fix, see what it does and then adjust their code accordingly thus making QNAP play catch-up forever.

QNAP need to fix this once and for all without a script but with a firmware patch or update, and make an announcement ASAP.
Regards Simon

QNAP 4.3.x/4.2.x Manuals

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.3.6.0993 • TVS-463-16GB 4.3.6.0993 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.0967 • APC Back-UPS ES 700G •
QPKG's: TwonkyServer 8.51 • Apache73 • QSonarr 3.0.1.503 • QNBZGet 21.0 • phpMyAdmin 4.8.5 • Qmono 5.20.1.19 • McAfee 2.2.0 • Lychee 3.2.15 • HBS 3.0.190802 • LEgo v3.0.0
Network: VM Hub 3.0 <500/35> • UniFi USG Pro 4 • UniFi USW-16-150W • UniFi USW-8-60W • UniFi CloudKey Gen2+• UniFi G3-Flex • UAP AC Pro • UAP AC Lite • SLM2008 • Dell 7050 MFF •

ldir-EDB0
Starting out
Posts: 16
Joined: Tue Dec 04, 2018 12:22 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by ldir-EDB0 » Mon Feb 11, 2019 5:29 pm

Toxic17 wrote:
Sun Feb 10, 2019 12:56 am

most are running 4.3.5 or 4.3.6 sounds like HelpDesk is just fobbing people off with blaming this issue on MS. Since the hackers are now probably following all QNAP threads regarding this they can now look at QNAPs so called fix, see what it does and then adjust their code accordingly thus making QNAP play catch-up forever.

QNAP need to fix this once and for all without a script but with a firmware patch or update, and make an announcement ASAP.
Certainly if systems on 4.3.5/4.3.6 have been infected then it suggests a different & new attack vector.

User avatar
Toxic17
Experience counts
Posts: 4938
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 » Mon Feb 11, 2019 8:59 pm

I see TheRegister are running with this news too. I wonder how long QNAP can maintain its silence.

https://www.theregister.co.uk/2019/02/1 ... le_issues/
Regards Simon

QNAP 4.3.x/4.2.x Manuals

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.3.6.0993 • TVS-463-16GB 4.3.6.0993 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.0967 • APC Back-UPS ES 700G •
QPKG's: TwonkyServer 8.51 • Apache73 • QSonarr 3.0.1.503 • QNBZGet 21.0 • phpMyAdmin 4.8.5 • Qmono 5.20.1.19 • McAfee 2.2.0 • Lychee 3.2.15 • HBS 3.0.190802 • LEgo v3.0.0
Network: VM Hub 3.0 <500/35> • UniFi USG Pro 4 • UniFi USW-16-150W • UniFi USW-8-60W • UniFi CloudKey Gen2+• UniFi G3-Flex • UAP AC Pro • UAP AC Lite • SLM2008 • Dell 7050 MFF •

iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by iam@nas » Mon Feb 11, 2019 10:34 pm

I wonder whether current QTS versions got infected or a well-know bug of an older firmware was exploited. It seems that there are quite a few admins who do not update their NAS often enough. QNAP may want to update existing advisories with the information that working exploits are available in the wild.
Thinking about it an automated firmware download and installation like Microsoft it does may be great for those who do not really care about their NAS.

merlo
New here
Posts: 7
Joined: Tue Jan 29, 2013 10:02 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by merlo » Tue Feb 12, 2019 12:39 am

4.3.4 0486, and i don't think i'm affected, /etc/hosts is clean and malware remover, clam av and other apps can be used and updated normally.
music station is not installed and i'm not using cloudlink / myqnapcloud, accessible via https and openvpn.

regarding lazyness with firmware update, i can't update because BUV-748-71998 to a more recent version.

User avatar
Toxic17
Experience counts
Posts: 4938
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 » Tue Feb 12, 2019 1:20 am


merlo wrote:regarding lazyness with firmware update, i can't BUV-748-71998update because BUV-748-71998 to a more recent version.
Sorry but my crystal ball is broken. Would you care to enlighten us on what ticket #BUV-748-71998 actually is, rather than posting a code I cannot look up?

Sent from my ONEPLUS A6003 using Tapatalk


Regards Simon

QNAP 4.3.x/4.2.x Manuals

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.3.6.0993 • TVS-463-16GB 4.3.6.0993 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.0967 • APC Back-UPS ES 700G •
QPKG's: TwonkyServer 8.51 • Apache73 • QSonarr 3.0.1.503 • QNBZGet 21.0 • phpMyAdmin 4.8.5 • Qmono 5.20.1.19 • McAfee 2.2.0 • Lychee 3.2.15 • HBS 3.0.190802 • LEgo v3.0.0
Network: VM Hub 3.0 <500/35> • UniFi USG Pro 4 • UniFi USW-16-150W • UniFi USW-8-60W • UniFi CloudKey Gen2+• UniFi G3-Flex • UAP AC Pro • UAP AC Lite • SLM2008 • Dell 7050 MFF •

merlo
New here
Posts: 7
Joined: Tue Jan 29, 2013 10:02 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by merlo » Tue Feb 12, 2019 1:28 am

memoryleak and nas gets unresponsive when transferring larger amount of data via iscsi, on newer firmware than 486..
not relevant here but, i just want to point out that, i'm not on this version because i'm lazy. :p

Jaginix
Starting out
Posts: 41
Joined: Fri Dec 29, 2017 1:08 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Jaginix » Tue Feb 12, 2019 2:40 am

iam@nas wrote:
Mon Feb 11, 2019 10:34 pm
Thinking about it an automated firmware download and installation like Microsoft it does may be great for those who do not really care about their NAS.
Hrhr. Good joke. After all the firmware chaos of the last time? No way.

FSC830
Starting out
Posts: 14
Joined: Thu Mar 03, 2016 1:11 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by FSC830 » Tue Feb 12, 2019 7:24 pm

howarmat wrote:
Thu Jan 31, 2019 11:57 pm
Im all good on multiple devices
Me too :D .

But I am also not using any stuff connected to Internet, except a Clouddrive Sync at one box. But this one is also clean.
No Webserver, no Plex, no access from external.
If needed, I setup a temporary VPN connection to my router to access some files.

In addition: I do not run the NAS at latest FW versions. Due to the fact that there have been some major bugs in the newer releases I still continue using a working one :wink: .
regards

robincm
New here
Posts: 6
Joined: Fri Feb 24, 2012 5:00 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by robincm » Wed Feb 13, 2019 4:25 am

My TS239 Pro II+ is misbehaving. It had some issues getting ClamAV updates but that seemed to be sorted out.

DNS resolutions seem to be working fine and the hosts file is clear. resolv.conf looks ok too

I mounted the config via: mount -t ext4 /dev/sdx6 /tmp/config
(but see https://wiki.qnap.com/wiki/Running_Your ... at_Startup because it's different for different models, that article seems to be old so I used trial and error until I found a mount command that worked).
There's a load of obfuscated stuff in auturun.sh that looks very similar to what's reported here https://isc.sans.edu/diary/Obfuscated+b ... oxes/24348
There's also a dodgy looking .sh file that's about the same size as the autorun.sh (11334b & 11880b respectively) both dated 26th Aug.


I've also got a load of dodgy looking stuff in my crontab.

I can't install or update most packages including Python 2, with errors telling me that the architecture is wrong. MalwareRemover won't run because apparently the Python QPKG is somehow missing. Python is present and I get a python prompt from ssh running /usr/bin/python

This NAS is available via MyQNAPCloud but there are not ports forwarded to it for several months on my firewall since changing ISP. Of course, it might have been like this for a while, but I did a firmware update some time towards the end of last year and updated packages no problem a month or so ago.

Ugh. I've logged a support ticket with QNAP.

On the plus side, the NAS is still doing it's main job of being an SMB server within my home network. I'm just not sure what else it's now also doing!!

And I'd like to know how this malware (and all previous malware) gets onto the QNAP boxes in the first place.

robincm
New here
Posts: 6
Joined: Fri Feb 24, 2012 5:00 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by robincm » Wed Feb 13, 2019 5:21 am

Update:
I downloaded via a web browser then manually installed Python_2.7.3_x86.qpkg via App Center.
Likewise downloaded the qpkg and installed MalwareRemover_3.4.1_20190125_182348.qpkg via App Center.
Malware Remover ran and logged three warnings:
[Malware Remover] Repaired official app list in App Center.
[Malware Remover] Detected high-risk malware. To maintain system security, change all user account passwords immediately.
[Malware Remover] Malware was detected and removed. You must restart the NAS.
Prior to the reboot there are still dodgy looking obfuscated .sh files (referenced in crontab) sitting on the disk.
After the reboot those files are still there.
However the autorun.sh (and the oddly named, similar sized other .sh in the same folder) are now only 11B and 10B big each, only containing #!/bin/sh
Some apps are still missing.
I only have: Photo Station, Music Station, Python 2.7.3, Helpdesk 1.2.2, QNAP Diagnostic Tool, Malware Remover.
Other apps seem to be missing. e.g. CloudLink - if I try and download/install that through App Center it fails with the "wrong architecture" message.
So something is still broken.
I'm just manually updating to 4.2.6 build 20181227 because the GUI wouldn't find that update - told me it was up to date.

robincm
New here
Posts: 6
Joined: Fri Feb 24, 2012 5:00 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by robincm » Wed Feb 13, 2019 8:03 am

In /mnt/HDA_ROOT/.config there are some files all created on the same date as the dodgy ones from crontab:
-rw-r--r-- 1 admin administ 388 Aug 26 08:56 xVdlgrz.B.txdl
-rw-r--r-- 1 admin administ 203 Aug 26 08:56 vnhtXkhv
-rw-r--r-- 1 admin administ 1679 Aug 26 08:56 SOMtbGclrShqqZvCzwi
-rw-r--r-- 1 admin administ 203 Aug 26 08:56 .qsync.conf

I also noticed that most of the dodgy entries from crontab seem to be commented out (prefixed with # - that is what that does, right?). I've removed them all anyway.

The contents of .qsync.conf looks worrying: (bearing in mind I am just going by what seem to be odd filenames!)
Port 51163
StrictModes no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePrivilegeSeparation no
HostKey "/etc/config/SOMtbGclrShqqZvCzwi"
AuthorizedKeysFile "/etc/config/xVdlgrz.B.txdl"

Has something been trying to sync data off my NAS?

I've now renamed all the suspicious looking files and/or folders above and mentioned in crontab. Hopefully none of them are legitimate and I haven't just broken something!

I still get the "wrong architecture" error trying to install or update apps directly in app center, even after the firmware update.
For info: uname -m gives me: i686
As mentioned above, I can install packages if I download the .qpkg file (for x86 where there's a choice). Most of them then say there's an update available but the update fails with the same "wrong architecture" message, and then the app vanishes from app center.

Post Reply

Return to “Users' Corner”