[SECURITY RISK] Your NAS could be infected. Please read.

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply

Are you infected? / Should QNAP make a Security Advisory Announcement? - SELECT TWO OPTIONS

Yes I my NAS has been with this issue.
68
30%
No, I my NAS is not infected
77
34%
Yes, Announcement by QNAP Critical.
75
33%
No, Just contact QNAP issue
4
2%
 
Total votes: 224

dolbyman
Guru
Posts: 19127
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman » Tue Oct 22, 2019 10:18 pm

if the notice comes up every night then you still have an active infection..time to wipe it all

if your nas is your backup..then you still have the original files..so no problem

if you don't have the original files..then your nas is not a backup but your primary storage

ncnmra
Know my way around
Posts: 113
Joined: Sun Oct 10, 2010 8:24 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by ncnmra » Sun Oct 27, 2019 4:35 pm

Just getting back to this. What is the best way to do a full wipe, including DOM?

dolbyman
Guru
Posts: 19127
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman » Sun Oct 27, 2019 10:22 pm

google
"qnap firmware recovery"

zeltpsi
Starting out
Posts: 16
Joined: Fri Nov 13, 2009 1:46 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by zeltpsi » Fri Nov 01, 2019 12:05 pm

One of my NAS is an older TS809(8-bay). It was infected with the QSNATCH. The Malware prevented any firmware updates, but I was able to manually download the latest firmware to a local drive then install it. This appears to have solved part one. Changed passwords and rebooted. Updated all apps.
Worried that the machine was still not fixed, I found the quoted steps below. Using PUTTY I could SSH to the NAS and run the cleanme.sh. This script found several apps that were infected, and claimed to have fixed them. It then cleaned and installed the "Malware Removal" tool. However, the tool would not run and would hang on "Loading...". I re-ran cleanme.sh, and re-installed the Malware Removal Tool (MRT). No malware was discovered but still the MRT would not run. I tried manual download of the MRT, but still no joy. I started a back up of my data so that I could do wipe-clean of the disks and re-install. But while I was waiting for files to copy, I believe I tried the MRT remove-and-re-install about four more times, and finally it worked. I believe what was happening, was the Malware was re-infecting the machine very rapidly after each clean sequence. On my fourth try, I likely just happened to get the MRT installed and it auto-runs itself (on the fourth try) faster than the malware re-infection. This appears to have removed all traces (fingers crossed).
Changed passwords and rebooted.

I hope this helps someone else !
...Brian
1) Refer the link below and access your NAS by SSH.

https://www.qnap.com/en-uk/how-to/knowl ... nas-by-ssh

2) Execute the command lines over SSH.

# curl https://download.qnap.com/Storage/tsd/u ... cleanme.sh | sh

3) Restart the NAS and re-update the latest firmware manually.

https://www.qnap.com/en/how-to/tutorial ... s-firmware

The latest firmware can be downloaded from https://www.qnap.com/en-uk/download

4) After the latest firmware is re-updated, please change the all users password

5) Restart the NAS and check if all the apps can be updated or not.

ncnmra
Know my way around
Posts: 113
Joined: Sun Oct 10, 2010 8:24 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by ncnmra » Fri Nov 08, 2019 9:34 pm

zeltpsi,

Please see the thread below. There is a bunch of us fighting with the QSnatch issue:

viewtopic.php?f=50&t=151402&e=1&view=unread#unread

Despite me following the exact same steps as you, my device is repeatedly reinfected. I have since blocked all its access to the internet in hopes that my ISP will not ban me again.

pilaQ
Starting out
Posts: 14
Joined: Sat Nov 12, 2016 9:41 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by pilaQ » Thu Mar 19, 2020 2:47 am

While this may not help infected, may help them later to never again repeat the problem on any device.

Automatic and constant software updates are the worst security related move you can make. I know most will keep doing it. They may patch one problem, but will introduce 2 new. That is guaranteeed. I understand that most will see this as a heresy.

I have 4 separate networks, 24/7 online, with several QNAPs, well over 60 computers - never had an infection in any devices in decades. Networks are connected 24/7 to each other using OpenVPN. We are very heavy user, lives literary depend on us working. Never had any anti-virus or similar software installed anywhere.

Anyone can do it with some minimal learning.

1) Never update anything unles YOU have a problem and can find in docs that new fw/sw fixes that particular problem. If you can work around the problem, you may forgo the update. I use Word 2000 :) and am happy with it. And write professionally. I could provide many more examples.

2) Every interactively used computer (in the hands of users) must have its own whitelist outgoing firewall! Meaning: only selected apps which are explicitly allowed to go out can go out. All remaining apps are bared from the Internet. Particulary on bad OS's like Android. No updates of anything unless absolutelly needed, as rule 1) states.

3) Never allow any device to be connected to the Internet unless it really needs to be connected. It will still work perffectly within your LAN. Not a single one QNAP on my networks can go to the Internet. Problem solved. Not any of my SmartHome computers can go to the Internet. And many more. They can not be infected and even if they could, they can not do anything wrong (send any data anywhere). Use the router firewall. Make NTP servers available locally within your LAN and route all devices there. If not, allow devices to make only outhoing NTP connections if you must.

4) Never port forward anything or allow any external access. The only excpetion is an e-mail server. Use only OpenVPN server, preferably on your router. Than you have access to all your computers from anywhere using OpenVPN client. I repeat: all devices in any of my networks are perfectly accesible from any location in the world uisng OpenVPN and from any of my LANs.

5) In Web browsers, always use Java Script blocking.

And no worries for you are likely :) Ever.

This is not limiting users in any way. Just to be clear: I have several VPNservers, on my QNAPs there are several Virtual Machines running 24/7, including crucial business apps. They are all accesible 24/7 but only from the corresponding VPN. My business VPN is not allowed to access anything but its dedicated VM and apps, and apps from QNAP print the data through the same VPN back in the office printer. But, my QNAPs can never access the Internet.

User avatar
Moogle Stiltzkin
Ask me anything
Posts: 9026
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Moogle Stiltzkin » Thu Mar 19, 2020 5:12 am

pilaQ wrote:
Thu Mar 19, 2020 2:47 am
While this may not help infected, may help them later to never again repeat the problem on any device.

Automatic and constant software updates are the worst security related move you can make. I know most will keep doing it. They may patch one problem, but will introduce 2 new. That is guaranteeed. I understand that most will see this as a heresy.

I have 4 separate networks, 24/7 online, with several QNAPs, well over 60 computers - never had an infection in any devices in decades. Networks are connected 24/7 to each other using OpenVPN. We are very heavy user, lives literary depend on us working. Never had any anti-virus or similar software installed anywhere.

Anyone can do it with some minimal learning.

1) Never update anything unles YOU have a problem and can find in docs that new fw/sw fixes that particular problem. If you can work around the problem, you may forgo the update. I use Word 2000 :) and am happy with it. And write professionally. I could provide many more examples.

2) Every interactively used computer (in the hands of users) must have its own whitelist outgoing firewall! Meaning: only selected apps which are explicitly allowed to go out can go out. All remaining apps are bared from the Internet. Particulary on bad OS's like Android. No updates of anything unless absolutelly needed, as rule 1) states.

3) Never allow any device to be connected to the Internet unless it really needs to be connected. It will still work perfectly within your LAN. Not a single one QNAP on my networks can go to the Internet. Problem solved. Not any of my SmartHome computers can go to the Internet. And many more. They can not be infected and even if they could, they can not do anything wrong (send any data anywhere). Use the router firewall. Make NTP servers available locally within your LAN and route all devices there. If not, allow devices to make only outhoing NTP connections if you must.

4) Never port forward anything or allow any external access. The only excpetion is an e-mail server. Use only OpenVPN server, preferably on your router. Than you have access to all your computers from anywhere using OpenVPN client. I repeat: all devices in any of my networks are perfectly accesible from any location in the world uisng OpenVPN and from any of my LANs.

5) In Web browsers, always use Java Script blocking.

And no worries for you are likely :) Ever.

This is not limiting users in any way. Just to be clear: I have several VPNservers, on my QNAPs there are several Virtual Machines running 24/7, including crucial business apps. They are all accesible 24/7 but only from the corresponding VPN. My business VPN is not allowed to access anything but its dedicated VM and apps, and apps from QNAP print the data through the same VPN back in the office printer. But, my QNAPs can never access the Internet.
i see that you do some things right.

while i do agree that updating day zero may not necessarily be the best thing. i don't agree that going cold turkey is a good solution either. a lot of nasty things got found and patched eventually.

Just take winxp for example. This is why updating is important
https://www.wired.com/story/microsoft-w ... -bad-sign/


i take a middle approach as in deferring updates to give sufficient time to know whether a qts update is fine or not, usually a week or a couple even. always check the forum for other user comments in regards to the latest qts builds.


in regards to reinfection, i'm not sure that most users get this. okay so if they do manage to remove the infection, were lessons learned to improve on their security practises so they don't get hit again? or are they going to continue to live dangerously until their ISP notify them that their ip got blocked due to botnet activity from their NAS device on their network. I hope they realize that a compromised NAS could mean hackers have access to their data and possibly their network, and potentially do all sorts of nasty :S

it's not a simple matter of oo my ISP is mad so i can't use my internet kinda deal only (it's amazing how only the symptoms get some concern but not the whole house burning down so to speak.....). No, it's a far more extensive issue than just that :roll:

well it's their data, but i hope they understand the stakes at play here.
Last edited by Moogle Stiltzkin on Thu Mar 19, 2020 7:55 am, edited 2 times in total.
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS (HDN724040ALE640) & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) single disks.
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-228
[^] QNAP TS-128
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Asus AC68U Router|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

P3R
Guru
Posts: 12204
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by P3R » Thu Mar 19, 2020 6:22 am

pilaQ wrote:
Thu Mar 19, 2020 2:47 am
While this may not help infected, may help them later to never again repeat the problem on any device.
In these malware threads probably 90-95% are relatively inexperienced home users that are unable/unwilling to do your advice 2-5 and without that, not keeping firmware updated and not using antivirus will only worsen their situation.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

Post Reply

Return to “Users' Corner”