Can't edit autorun.sh

[JakiChan]

Last night I found out about this whole malware thing, and was today trying to clean up. My autorun.sh did have a bunch of garbage in it. While I have disabled autorun.sh via the control panel I did want to get rid of that infected file, so I tried following the instructions here:

https://wiki.qnap.com/wiki/Running_Your ... at_Startup

And so I mounted /tmp/config and tried to edit the file to remove the encrypted lines, but it won't let me save the file. (vi says "Can't open file for writing.") I can create and edit new files just fine, but it won't let me touch existing files. Checking/unchecking "Run user defined processes during startup" doesn't seem to do anything to autorun.sh - when it's unchecked the file is still executable. I tried manually removing the privileges and got:

Code: Select all

[/tmp/config] # chmod -x autorun.sh 
chmod: autorun.sh: Operation not permitted
[/tmp/config] # sudo chmod -x autorun.sh 
chmod: autorun.sh: Operation not permitted

Am I missing something? Why can't I edit this file?

Edit: This is on a TS-251.

[Briain]

Hi

On a Qnap, the admin login is as a su, so you don't have to use sudo (in fact, sudo does not exist in the Qnap builds).

When you have it mounted and navigate to /tmp/config, try running ls -l to show the existing permissions (as well as the owner and group) as that will likely show why you cannot change anything.

Then try chmod 664 autorun.sh and it should change to being as is shown below:

-rw-rw-r-- 1 admin administrators 22 2019-06-09 19:16 autorun.sh

That has set it to be a non-executable, and it should now be editable and savable. Also note that in my above example, the owner and the group are admin and administrators, respectively (anything unexpected can be changed via the chown command).

Bri

NB I just used ssh to 'touch' that file into existence (just on a standard share), then I used vi to add a few words, just to enable me to copy the output of ls - l to let you see the results. In a short while, I will mount the flash in my own Qnap and see how I set the permissions for my own autorun.sh, then post back.

[Briain]

Relating to my footnote in the above post, I have just mounted the flash and looked at own autorun.sh file (to remind me how it was set) and I see it was as is indicated below (which I would have achieved by running chmod 750 autorun.sh):

-rwxr-x--- 1 admin administrators 338 2018-02-27 10:15 autorun.sh*

Of course, you could instead use chmod 110 to make it ---x--x--- and it would still work, but malware with admin privileges could still replace it.

Handy tip

Incidentally, below is a tip that you might find useful (assuming that you are not already doing something similar):

I have the below lines in my autorun.sh file (the one that resides in flash):

Code: Select all

#!/bin/sh
if [ ! -f /share/CACHEDEV1_DATA/Scripts/autorun.sh ]; then
/sbin/log_tool -t 1 -a "[Autorun] For information only: custom autorun.sh wasn't found in the Scripts share."
else
/sbin/log_tool -t 0 -a "[Autorun] Custom autorun.sh file was successfully found in the Scripts share."
/share/CACHEDEV1_DATA/Scripts/autorun.sh
fi
exit 0

I first created a new share called 'Scripts' and in that I have a file (also called autorun.sh) which contains all the actions that I actually wish to run, so the above line '/share/CACHEDEV1_DATA/Scripts/autorun.sh' simply runs the 'autorun.sh' script in my Scripts share. It's quite handy as it means I don't have to mount the flash partition whenever I want to change anything (I just edit the autorun.sh in my 'Scripts' share and reboot). As you can see, for the one that resides in the flash, I've also added a couple of lines which populate the log file. That was done as I have also used this trick on other peoples' Qnaps, so if something doesn't autorun, I can ask them to look at their log file (and thus see if it's likely not working simply because they have accidentally deleted the autorun file in their Scripts share).

Obviously though, the path to the shares can be different with different Qnap models, for example, my older Qnap (and its RAID array), it was instead something like /share/MD0_DATA, and for my single disk Qnap, it was something like /share/HDA_DATA (I can't check as they are not powered up at the moment). Sorry, I do not know where the share directories reside on your model (though its easy enough to check via ssh and navigating about).

All the best
Briain

[JakiChan]

On a Qnap, the admin login is as a su, so you don't have to use sudo (in fact, sudo does not exist in the Qnap builds).

1. I know. I was logged in as admin, but just to be sure I tried it as sudo just in case.
2. You sure about that?

Code: Select all

[~] # whoami
admin
[~] # which sudo
/usr/bin/sudo

Then try chmod 664 autorun.sh and it should change to being as is shown below:

That is the exact same thing as I did, and it wouldn't let me chmod it. (chmod -x removes the executable bit.) It didn't work.

What DID work however, was this advice from Reddit.

Try this script:

curl https://download.qnap.com/Storage/tsd/u ... cleanme.sh | sh

It is from QNAP support, check also here for reference:

viewtopic.php?t=146605&start=120

[Briain]

Hi

Interesting observation about the which sudo response, but unless something has recently changed (that I am unaware of) Qnap don't actually use sudo, so perhaps that was added when they added when they introduced bash (just for compatibility reasons)? It will be interesting to see if anyone can chime in with a comment to explain that suco related response as it is a totally new one on me (and I've been using Qnaps since the olden days).

Yes, I'm aware of the +x/-x trick (I run Debian on my laptop) but I suggested running ls -l such we could see more details, including both the rwx permissions and also memberships (and thus see what had been changed by the malware, perhaps indicating exactly why you couldn't use the +/- x trick nor save the vi changes) but the main thing is that you have now fixed it, so very happy days!

All the best,
Bri

[Qumbalero]

My QNAP is a TS-251+ and I had the same problem not being able to edit the autorun.sh

On the TS-251+ I mount with

Code: Select all

mount -t ext2 /dev/sdc6 /tmp/config

I.e mounts as an ext2 file system.

On https://wiki.archlinux.org/index.php/Fi ... attributes I found information about Acces Control Lists.

For ext2 and ext3 file systems, the e2fsprogs package contains the programs lsattr and chattr that list and change a file's attributes, respectively.

Examined the ACL on autorun.sh

Code: Select all

lsattr /tmp/config/autorun.sh
------a------ /tmp/config/autorun.sh

a = append only

Removed the attribute

Code: Select all

chattr -a /tmp/config/autorun.sh

I could now edit/update /tmp/config/autorun.sh

When done I added the "append only" attribute again

Code: Select all

chattr +a /tmp/config/autorun.sh

[romu92]

hi all,

I have the same problem, I cannot edit autorun.sh on my TS-251. I tried chattr -a /tmp/config/autorun.sh solution described above without success.
Any idea to fix the issue or is there another way to run application at startup (I want to launch my grafana-server at startup) ?

thanks for your help,
Romu

[dolbyman]

If you have the same issue (hijacked nas due to malware)

Fix your NAS first before worrying about grafana..

[romu92]

How do I know that my nas has been hijacked ? I just know that I cannot edit autorun.sh

[dolbyman]

what is the content of it ?

you can view your autorun.sh via gui

[romu92]

Just the standard content:
#!/bin/sh
/share/CACHEDEV1_DATA/Web/v3

I had a ransomware a year ago. I cleaned it with Malwarare remover but maybe be there are sill some troubles. It is possible to restore the initial setup without deleting my data ?

thanks for your help !

[dolbyman]

after a ransomware attack, your backup game should be solid now..so just kill the nas and restore from backups after

[romu92]

I don't have any backup of my NAS (personal use). I've found the below page which describes the different options:
https://www.qnap.com/en/how-to/knowledg ... -explained
Is it enough to use option 2 or 4 or should I use option 5 ?

[romu92]

hi,

I've tried to reinitialize my NAS using the option 5 described in the page below but I still have the same problem.
https://www.qnap.com/en/how-to/knowledg ... -explained

I cannot edit the autorun.sh script
Any idea ?

[OneCD]

How are you trying to edit it? At the CLI with a text editor? Or via the QTS webUI?