Hulli wrote: Wed Jan 26, 2022 6:37 pm
Hi, I have done the following:
1. Changed the index.html in /mnt/HDA_ROOT/ via SSH back to the original one (index.html.bak, which was still there). Now access to the NAS is available again.
2. Found a file 27139 which was loaded in the task list. I killed the process (in SSH use the following command: kill PID#).
3. Found the file in /mnt/HDA_ROOT/ and deleted it (attention: it has the attribute i, which means immutable; you first have to SSH in and run the following command: chattr -i /path/filename). The filename was 27139 in my case.
4. Checked how many files are encrypted and luckily did not find a single file so far. So I was quick to find the ransomware before it started decrypting.
5. Shut down the NAS.
6. Firewall is set up to block all traffic to the NAS.
7. Opened this as a ticket with QNAP support and am waiting for their advice.
brgds
Hulli
Good to know; it was perfect, a big THANK YOU!
Usage: lsattr [-Radlv] [FILE]...
List file attributes on an ext2 fs
Usage: chattr [-R] [-+=AacDdijsStTu] [-v VERSION] [FILE]...
Change file attributes on an ext2 fs
For those interested in finding (via SSH) which files are encrypted with .deadbolt:
find / -type f -name "*.deadbolt"
or, scanning a specific folder:
find /folder_we_want_to_scan/ -type f -name "*.deadbolt"
Saving the result in a file:
find / -type f -name "*.deadbolt" > file_result.txt
or:
find / -type f -name "*.deadbolt" | tee file_result.txt
To add more info on how the system was compromised:
QTS 4.5.4.1800
UPnP disabled
Open port on the internet: 80 (not 8080)
with forced redirection to 443, that's all.
Jan 27 00:00: without asking, QTS was automatically upgraded from version 4.5.4.1800 -> 5.0.0.1891 (not 1900).
After that, an update was available for Malware Remover (4.6.1.1 -> 5.6.1.2), but nothing was detected, and the same thing later with the automatic scan at 03:00.
Tonight, Jan 27 20:34, another manual scan, and finally the DEADBOLT portal was found and the files deleted (index.html, SDDPD.bin and 27139).
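The triage steps described in the two posts above (find the encrypted files and save a list, find the running process that was dropped into /mnt/HDA_ROOT, clear the immutable attribute before deleting a file), collected into small POSIX sh functions. This is an added example, not code from either poster or from QNAP. It assumes a BusyBox-style shell with find, readlink, lsattr and chattr (the usage text quoted above), root privileges for chattr, and the paths /mnt/HDA_ROOT and /share as illustrative defaults; the directory and file names in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original posts). Assumes POSIX sh, find,
# readlink, and e2fsprogs/BusyBox lsattr+chattr; chattr needs root.

# List every file ending in .deadbolt under $1, sorted, and save the list
# to $2 while also printing it (the "tee" variant from the post).
find_deadbolt() {
    root="$1"
    out="$2"
    find "$root" -type f -name '*.deadbolt' 2>/dev/null | sort | tee "$out"
}

# Count .deadbolt files under $1 (prints a bare number).
count_deadbolt() {
    find "$1" -type f -name '*.deadbolt' 2>/dev/null | wc -l | tr -d ' '
}

# Print "PID PATH" for every running process whose executable lives under $1,
# e.g. procs_under /mnt/HDA_ROOT to spot a dropped binary such as the
# "27139" file mentioned above, before killing it with: kill PID
procs_under() {
    dir="$1"
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$dir"/*) echo "${p#/proc/} $exe" ;;
        esac
    done
}

# Delete a file that may carry the immutable (i) attribute: if lsattr shows
# an 'i' in the attribute field, clear it with chattr -i first, then rm.
# On filesystems without attribute support lsattr fails and we just rm.
remove_immutable() {
    f="$1"
    if command -v lsattr >/dev/null 2>&1 \
       && lsattr -d "$f" 2>/dev/null | cut -d' ' -f1 | grep -q 'i'; then
        chattr -i "$f" || return 1
    fi
    rm -f "$f"
}

# Usage on a NAS (hypothetical paths):
#   count_deadbolt /share
#   find_deadbolt /share /root/deadbolt_files.txt
#   procs_under /mnt/HDA_ROOT
#   remove_immutable /mnt/HDA_ROOT/27139
```

Scanning the data shares (for example /share) rather than / keeps the scan off /proc, /sys and the system partitions and makes the count meaningful; if you do scan from /, add -xdev to stay on one filesystem.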