[SECURITY RISK] Your NAS could be infected. Please read.


Poll: Are you infected? / Should QNAP make a Security Advisory Announcement? (select two options)

Yes, my NAS has been affected by this issue: 70 votes (31%)
No, my NAS is not infected: 77 votes (34%)
Yes, an announcement by QNAP is critical: 75 votes (33%)
No, just contact QNAP about the issue: 4 votes (2%)

Total votes: 226

Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 »

I see the QNAP "Derek" script is now at version 1.4; obviously older versions of this did not clear out all remnants of the malware.

```sh
curl https://download.qnap.com/Storage/tsd/utility/derek-be-gone.sh | sh
```

```sh
#!/bin/sh

######################
# Derek Be Gone v1.4 #
# Author: qnapd      #
######################

# Clear the immutable attribute (FS_IMMUTABLE_FL, bit 0x10) on a path so it can
# be edited or deleted. The ioctl request numbers (FS_IOC_GETFLAGS/SETFLAGS)
# differ between 64-bit and 32-bit kernels, hence the two branches.
set_mutable() {
    if [ ! -e "$1" ]; then
        return 0
    fi
    if [ -e /etc/IS_64BITS ]; then
        # 64bit set mutable
        SET_M_64="$1"
        #echo " [*] Setting mutable 64bit on $SET_M_64"
        python -c "import os,fcntl,sys,struct;fd = os.open('${SET_M_64}', os.O_RDONLY); rec = struct.pack('L', 0); x = fcntl.ioctl(fd, 0x80086601, rec); flags = struct.unpack('L',x)[0]; was_immutable = flags & 0x00000010; flags = flags & ~0x00000010; f = struct.pack('i', flags); fcntl.ioctl(fd, 0x40086602, f); os.close(fd)"
    else
        # 32bit set mutable
        SET_M_32="$1"
        #echo " [*] Setting mutable 32bit on $SET_M_32"
        python -c "import os,fcntl,sys,struct;fd = os.open('${SET_M_32}', os.O_RDONLY); rec = struct.pack('L', 0); x = fcntl.ioctl(fd, 0x80046601, rec); flags = struct.unpack('L',x)[0]; was_immutable = flags & 0x00000010; flags = flags & ~0x00000010; f = struct.pack('i', flags); fcntl.ioctl(fd, 0x40046602, f); os.close(fd)"
    fi
}

# Delete a file or directory if it exists and report the result.
remove_bad_thing() {
    badpath="$1"
    if [ -e "$badpath" ]; then
        echo " [*] Removing $badpath"
        rm -rf "$badpath"
        if [ $? -eq 0 ]; then
            echo "  [+] Success!"
        else
            echo "  [-] Failed"
        fi
    fi
}

# Neutralise an infected QPKG start script: if it contains the marker string
# KEY, make the file writable and replace every occurrence of KEY with NOPE.
sterilise() {
    FILE="$1"
    KEY='7C0vK4SzMO15zBxLD7XCi5hbjgP1ZjkJ'
    if grep -q -- "$KEY" "$FILE"; then
        set_mutable "$FILE"
        echo " [*] Sterilise $FILE"
        sed -i 's/'"$KEY"'/NOPE/g' "$FILE"
        if grep -q -- "$KEY" "$FILE"; then
            echo "  [-] Failed"
        else
            echo "  [+] Success!"
        fi
    fi
}

echo ">>> derek-be-gone v1.4"

# clear fake qpkg
# First locate the data volume (bdir): try the share paths in smb.conf, the
# /share/* symlinks, def_share.info, the mount table and the usual volume
# names, falling back to /mnt/HDA_ROOT.
bdir=
test -f "${confdir}/smb.conf" && for i in homes Public Download Multimedia Web Recordings; do bdir=`getcfg "$i" path -f "${confdir}/smb.conf"` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && test -d "$bdir" && testwriteable=$(mktemp "${bdir}/.tmp.XXXXXX") && rm "${testwriteable}" && break; bdir=''; done
test -z "${bdir}" || test ! -d "${bdir}" && { command -v readlink >/dev/null 2>&1 || ln -sf /bin/busybox /usr/bin/readlink; for i in Public Download Multimedia Web Recordings homes; do bdir=`readlink "/share/${i}" 2>/dev/null` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && bdir=/share/${bdir##*/} && test -d "$bdir" && break; done;
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`getcfg SHARE_DEF defVolMP -f "${confdir}/def_share.info"`
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`mount | sed -n "s/.*\(\/share\/[^ /]\+\) .*/\1/gp" | head -n 1`
test -z "${bdir}" || test ! -d "${bdir}"; } && { for i in CACHEDEV3_DATA CACHEDEV2_DATA CACHEDEV1_DATA MD0_DATA; do test -d "/share/${i}" && bdir="/share/${i}" && break; done;
test -z "${bdir}" || test ! -d "${bdir}" && bdir=/mnt/HDA_ROOT; }

echo "[o] System path: ${bdir}"
echo "[o] Removing fake qpkg"

# The fake packages live in hidden .qpkg subdirectories; after removal the
# directory names are symlinked to /dev/null so they cannot be recreated.
set_mutable "${bdir}/.qpkg/.liveupdate/liveupdate.sh"
set_mutable "${bdir}/.qpkg/.liveupdate/"
remove_bad_thing "${bdir}/.qpkg/.liveupdate/liveupdate.sh"
remove_bad_thing "${bdir}/.qpkg/.liveupdate/"
ln -sf /dev/null "${bdir}/.qpkg/.liveupdate"

set_mutable "${bdir}/.qpkg/.config/backup_conf.sh"
set_mutable "${bdir}/.qpkg/.config/"
remove_bad_thing "${bdir}/.qpkg/.config/backup_conf.sh"
remove_bad_thing "${bdir}/.qpkg/.config/"
ln -sf /dev/null "${bdir}/.qpkg/.config"

# Shutdown hooks used for persistence.
for i in /etc/rcK_init.d/K0*.sh; do
    remove_bad_thing "$i"
done
echo "---"

# infected qpkg: every start script registered as "Shell = ..." in qpkg.conf
echo "[o] Sterilising infected QPKG"
for i in $(grep -i shell /etc/config/qpkg.conf | cut -d'=' -f2 | grep -v null); do
    sterilise "$i"
done

# clear dom: mount the DOM config partition at /tmp/config, trying the
# platform-specific device nodes in turn.
mdir=/tmp/config
__BOOT_DEV=
__model=`getcfg System "Internal Model"`
CONFIG_DEV_NODE=`getcfg "CONFIG STORAGE" DEVICE_NODE -f /etc/platform.conf`
CONFIG_DEV_PART=`getcfg "CONFIG STORAGE" FS_ACTIVE_PARTITION -f /etc/platform.conf`
CONFIG_DEV_FS=`getcfg "CONFIG STORAGE" FS_TYPE -f /etc/platform.conf`
__BOOT_CONF=`test -f /etc/default_config/BOOT.conf && cat /etc/default_config/BOOT.conf 2>/dev/null || cat "${confdir}/BOOT.conf"` || { test "$arch_o" = arm && __BOOT_CONF=TS-NASARM; }
command -v hal_app > /dev/null 2>&1 && { __BOOT_DEV=$(hal_app --get_boot_pd port_id=0); }
test "${__BOOT_CONF}" = TS-NASARM || test "$arch_o" = arm && { test -f /etc/IS_TAS && __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}7" || __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}5"; } || __BOOT_DEV="${__BOOT_DEV:-/dev/sdx}6"
test "x${CONFIG_DEV_NODE}" != "x" && { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}" > /dev/null 2>&1 || { test -f /etc/IS_TAS && mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } } || mount ${__BOOT_DEV} -t ext2 ${mdir} || { test "${__model}" = "TS-201" && mount -t ext2 /dev/mtdblock4 ${mdir}; } || { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}"; mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } || { test "${__model}" = "TS-269L" && mount -t ext2 /dev/sdc6 ${mdir}; } || { test "${__model}" = "TS-869" && mount -t ext2 /dev/sdi6 ${mdir}; } || { test "$arch_o" = arm || ${__BOOT_CONF} = "TS-NASARM" && { for i in 5 7 4 6 3 8; do mount -t ext2 "/dev/mtdblock${i}" ${mdir} && break; done; }; } || { test "$arch_o" = x86 && for n in /dev/sdc /dev/sdx /dev/sdi $__BOOT_DEV; do for i in 6 $CONFIG_DEV_PART; do mount -t ext2 ${n}${i} ${mdir} && break 2; done; done; } || { mount -t ext2 $(/sbin/hal_app --get_boot_pd port_id=0)6 ${mdir}; }

echo "[o] Cleaning DOM"
set_mutable "$mdir/autorun.sh"
remove_bad_thing "$mdir/autorun.sh"
for i in $mdir/K0*.sh; do
    set_mutable "$i"
    remove_bad_thing "$i"
done
umount "$mdir"
echo "---"

# naughty xml: cached App Center feeds, rebuilt by App Center afterwards
echo "[o] Remove bad XML"
for i in /etc/config/rssdoc/qpkgcenter_*.xml; do
    set_mutable "$i"
    remove_bad_thing "$i"
done
echo "---"

# reinstall MR: drop the (possibly tampered) Malware Remover and its config entry
echo "[o] Remove old MR"
mrpath="${bdir}/.qpkg/MalwareRemover/"
set_mutable "$mrpath"
set_mutable "$mrpath/modules/10_derek_3.pyc"
set_mutable "$mrpath/modules/12_derek_3.pyc"
remove_bad_thing "$mrpath"
set_mutable /etc/config/qpkg.conf
rmcfg MalwareRemover -f /etc/config/qpkg.conf
echo "---"

echo "[o] Install new MR"
mrpkg=MalwareRemover_3.4.1_20190125_182348
# Blank /etc/hosts so tampered entries cannot block the download below.
echo "" > /etc/hosts
wget -nv "https://download.qnap.com/QPKG/${mrpkg}.zip"
unzip "${mrpkg}.zip"
sh "${mrpkg}.qpkg" > /dev/null 2>&1
getcfg MalwareRemover Enable -f /etc/config/qpkg.conf > /dev/null
if [ $? -eq 0 ]; then
    echo " [+] Success!"
else
    echo " [-] Failed"
fi
rm -f "${mrpkg}.zip" "${mrpkg}.qpkg"
echo "---"
echo "Finished!"
# Remove the script itself when it was run from a file.
rm -f "$0"
```
Regards, Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
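The script above deletes things; before running it, a defender usually wants a read-only view of which of its targets are actually present. The triage function below is an added example (not QNAP's code): it checks the same indicators derek-be-gone v1.4 acts on, and takes a root prefix so it can be exercised against a constructed copy of the filesystem layout. It assumes the data volume is BDIR (e.g. /share/CACHEDEV1_DATA) and that the DOM config partition is already mounted at /tmp/config, as the script mounts it.

```sh
#!/bin/sh
# Read-only triage for the indicators removed by derek-be-gone v1.4.
# Added example, not QNAP's script. ROOT is prepended to every path; use
# ROOT=/ on a NAS or a temporary directory holding a copy of the layout.

# The marker string that the script's sterilise() greps for in QPKG shells.
DEREK_KEY='7C0vK4SzMO15zBxLD7XCi5hbjgP1ZjkJ'

# scan_derek ROOT BDIR: prints one line per indicator found and returns the
# number of indicators as its exit status (0 means none were found).
scan_derek() {
    root="${1%/}"; bdir="$2"; hits=0

    # 1. Fake QPKG payloads and the DOM autorun.sh that the script deletes.
    for p in "$bdir/.qpkg/.liveupdate/liveupdate.sh" \
             "$bdir/.qpkg/.config/backup_conf.sh" \
             /tmp/config/autorun.sh; do
        if [ -e "$root$p" ]; then
            echo "[!] fake qpkg/autorun present: $p"; hits=$((hits + 1))
        fi
    done

    # 2. Shutdown hooks K0*.sh in rcK_init.d and on the mounted DOM.
    for f in "$root"/etc/rcK_init.d/K0*.sh "$root"/tmp/config/K0*.sh; do
        [ -e "$f" ] || continue
        echo "[!] persistence hook: ${f#"$root"}"; hits=$((hits + 1))
    done

    # 3. Registered QPKG start scripts ("Shell = ..." in qpkg.conf) that
    #    carry the marker string, i.e. what sterilise() would rewrite.
    conf="$root/etc/config/qpkg.conf"
    if [ -f "$conf" ]; then
        for s in $(sed -n 's/^[Ss]hell *= *//p' "$conf" | grep -v '^null$'); do
            if [ -f "$root$s" ] && grep -q -- "$DEREK_KEY" "$root$s"; then
                echo "[!] infected qpkg shell: $s"; hits=$((hits + 1))
            fi
        done
    fi

    # 4. /etc/hosts entries naming a QNAP host: the script blanks hosts before
    #    downloading Malware Remover, so a pinned qnap.com entry is suspect.
    if [ -f "$root/etc/hosts" ] && grep -qi 'qnap' "$root/etc/hosts"; then
        echo "[!] /etc/hosts pins a qnap host: $(grep -i qnap "$root/etc/hosts" | head -n 1)"
        hits=$((hits + 1))
    fi

    return "$hits"
}

# Usage on a NAS: DEREK_ROOT=/ DEREK_BDIR=/share/CACHEDEV1_DATA sh triage.sh
if [ -n "${DEREK_ROOT:-}" ]; then
    scan_derek "$DEREK_ROOT" "${DEREK_BDIR:-/share/CACHEDEV1_DATA}"
    echo "indicators found: $?"
fi
```

Run it before and after the cleanup script: a non-zero count afterwards means something survived (for example an immutable file the ioctl could not clear) and warrants the DOM recovery discussed later in the thread.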
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by FSC830 »

robincm wrote: Wed Feb 13, 2019 8:03 am
In /mnt/HDA_ROOT/.config there are some files all created on the same date as the dodgy ones from crontab:
-rw-r--r-- 1 admin administ 388 Aug 26 08:56 xVdlgrz.B.txdl
-rw-r--r-- 1 admin administ 203 Aug 26 08:56 vnhtXkhv
-rw-r--r-- 1 admin administ 1679 Aug 26 08:56 SOMtbGclrShqqZvCzwi
-rw-r--r-- 1 admin administ 203 Aug 26 08:56 .qsync.conf

...
As mentioned above, I can install packages if I download the .qpkg file (for x86 where there's a choice). Most of them then say there's an update available but the update fails with the same "wrong architecture" message, and then the app vanishes from app center.
I am afraid that you need to set up the NAS from scratch, starting with a DOM recovery.
If this NAS were mine, I would do that.
But take care: a DOM recovery is an action for which you need to know exactly what you are doing! If not, you can brick your NAS!
If you are not familiar with such stuff, ask an IT expert.

You should have a clean and recent backup of your data!

regards
Ron1963
Been there, done that
Posts: 530
Joined: Wed Apr 28, 2010 9:22 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Ron1963 »

Toxic17 wrote: Wed Feb 13, 2019 3:40 pm
I see the QNAP "Derek" script is now at version 1.4; obviously older versions of this did not clear out all remnants of the malware.
And it is now, if needed, installing Malware Remover 3.4.1 instead of 3.4.0 :)
1x TS251, 1x TS251D, 1x TS253
ldir-EDB0
Getting the hang of things
Posts: 71
Joined: Tue Dec 04, 2018 12:22 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by ldir-EDB0 »

Some sort of announcement https://www.qnap.com/en/security-advisory/nas-201902-13

I assume it's related to this 'Derek' thing. Not a lot of detail.
Ron1963
Been there, done that
Posts: 530
Joined: Wed Apr 28, 2010 9:22 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Ron1963 »

Well, step one for problem solving is admitting you have a problem ;-)
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by FSC830 »

Does someone know (or suspect) what is behind this warning message when installing Malware Remover:

"[Malware Remover] Repaired official app list in App Center." ???

I have seen this when installing version 3.4.0; when updating to v3.4.1 the message was not created.
Actually, I only saw this at FW version 4.3.3 with an OEM NAS (Fujitsu Celvin); on an original QNAP with FW 4.2.6 the message was not created when installing v3.4.0.

All scans are negative, no dodgy entries in hosts, autorun.sh or crontab, no strange .sh scripts, MR reports all is fine, but this message makes me feel unhappy in some way... :cry:

Regards
Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 »

Looks like The Register is now taking more of an interest in QNAP's findings with a second blog.

https://www.theregister.co.uk/2019/02/1 ... _thickens/

I've reposted the Security Advisory on these forums too: viewtopic.php?f=45&t=146899
Regards, Simon
robincm
New here
Posts: 6
Joined: Fri Feb 24, 2012 5:00 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by robincm »

Just to update: QNAP support guy says he's deleted the malware and told me to reboot and change the admin password (again - I changed it the other day anyway).
The apps seem to be up to date in the App Center now, and I can install new ones without getting the "wrong architecture" message - only tried one so far, mind you!
I'm still not convinced that my problem is the same as the one originally mentioned in this thread though.
autolux
Starting out
Posts: 39
Joined: Thu Nov 19, 2009 1:33 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by autolux »

Was hit by this. Other QNAP users' .myqnapcloud addresses in known hosts, random bash script in crontab with a whole bunch of hidden stuff.

Interestingly, couldn't update apps or firmware but didn't have any sabotage to /etc/hosts. I worked out kinda by accident when failing to update... upgrading firmware still caused all these weird version requirement issues with apps. Malware Remover was completely removed from the App Center. I had to download it and manually etc. and it cleaned a bunch of things up and then I changed passes and added 2FA.

My suspicion is also a qnapcloud breach or vulnerability. My activity log does show some oddness. IPs I don't recognise from Singapore and Japan, IPv6 addresses that have no real info, but I'm unsure if this is just a weird thing to do with VPNs I may have been connected to. As I investigated I noticed some weird behaviour with how my VPN connection's IP would be logged.

Anyway, confidence immediately compromised, opened tickets but didn't bother waiting for QNAP support, 24hour+ response times, and opening things up SSH-wise when it was clear something to do with SSH was being compromised. Decided to wipe and perform the firmware recovery steps here: https://wiki.qnap.com/wiki/Firmware_Recovery and completely wipe my disks and start again. Definitely won't be opening anything on a NAS to QNAP cloud or any services ever again really.

Very surprised by this, would love to know the actual attack vector/vulnerability because I didn't have it completely open. Certainly some stupid stuff tho, was mainly enjoying Music Station on my Android phone, and I had been playing around with Container Station and a phlexTV docker build for custom Google Home voice commands to control Plex and CouchPotato, which required IFTTT and had a high 30000 port open, but requiring a token.. hard to say. Either way, I hadn't fully gotten around to actually setting the thing up security-wise, so some valuable lessons learned.
robincm
New here
Posts: 6
Joined: Fri Feb 24, 2012 5:00 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by robincm »

In my case, I've had the two factor authentication enabled for years.

If you've not wiped yet, what are the timestamps (dates) on any dodgy looking .sh files?
Jaginix
Starting out
Posts: 42
Joined: Fri Dec 29, 2017 1:08 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Jaginix »

What's going on QNAP? You have known the problem long enough.
Where is the patch?
xavierh
Experience counts
Posts: 1118
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by xavierh »

Jaginix wrote: Sat Feb 16, 2019 12:04 am
What's going on QNAP? You have known the problem long enough.
Where is the patch?
A patch? Based on how the vulnerability behaves, a patch may not solve this. Proper setup of your NAS would have avoided this issue, since it is not affecting all users. Having said that, support has already provided several steps to solve the issue.

QNAP TVS-951x, QTS 5.0.0.1986 build 20220324. OS Storage Pool: Samsung 860 EVO 250GB SSD x 4 (RAID 5), Data Storage Pool: WD WD30EFRX (Red) 3TB x 4 (RAID 5), 16GB RAM, WD Easystore 10TB External USB 3.0. Services: SMB, Appletalk. QPKG: Container Station, HBS 3
QNAP TS-453A, QTS 5.0.0.1986 build 20220324. Services: SMB, HBS 3
Network: UDM, UDM Beacon, Unifi 8 Port Switch x 3, Flex Mini Switch, In Wall AP
xavierh
Experience counts
Posts: 1118
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by xavierh »

autolux wrote: Fri Feb 15, 2019 5:36 pm
Was hit by this. Other QNAP users' .myqnapcloud addresses in known hosts, random bash script in crontab with a whole bunch of hidden stuff.

Interestingly, couldn't update apps or firmware but didn't have any sabotage to /etc/hosts. I worked out kinda by accident when failing to update... upgrading firmware still caused all these weird version requirement issues with apps. Malware Remover was completely removed from the App Center. I had to download it and manually etc. and it cleaned a bunch of things up and then I changed passes and added 2FA.

My suspicion is also a qnapcloud breach or vulnerability. My activity log does show some oddness. IPs I don't recognise from Singapore and Japan, IPv6 addresses that have no real info, but I'm unsure if this is just a weird thing to do with VPNs I may have been connected to. As I investigated I noticed some weird behaviour with how my VPN connection's IP would be logged.

Anyway, confidence immediately compromised, opened tickets but didn't bother waiting for QNAP support, 24hour+ response times, and opening things up SSH-wise when it was clear something to do with SSH was being compromised. Decided to wipe and perform the firmware recovery steps here: https://wiki.qnap.com/wiki/Firmware_Recovery and completely wipe my disks and start again. Definitely won't be opening anything on a NAS to QNAP cloud or any services ever again really.

Very surprised by this, would love to know the actual attack vector/vulnerability because I didn't have it completely open. Certainly some stupid stuff tho, was mainly enjoying Music Station on my Android phone, and I had been playing around with Container Station and a phlexTV docker build for custom Google Home voice commands to control Plex and CouchPotato, which required IFTTT and had a high 30000 port open, but requiring a token.. hard to say. Either way, I hadn't fully gotten around to actually setting the thing up security-wise, so some valuable lessons learned.
I am also waiting for the postmortem on this. This issue was mentioned today in the Internet Storm Center podcast, so if anybody has samples of the scripts please send them to https://isc.sans.edu/

It would also be good to know, from the ones that have been affected by this issue, what services / apps you had exposed to the internet and how they were exposed (and country locations). In my case (touching wood while reviewing logs), my NAS has not been affected (neither of them). I use myqnapcloud together with 2 factor authentication to reach the management console, and the other service that is exposed to the internet is Plex on a non-standard port.

It would also be good to know if the network infrastructure (router) of the ones that have been affected has not been compromised too. Like I said, the more I read the more I see that this is not a "cookie cutter" security breach.

Jaginix
Starting out
Posts: 42
Joined: Fri Dec 29, 2017 1:08 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Jaginix »

xavierh wrote: Sat Feb 16, 2019 12:59 am
A patch?
My NAS is not affected by the malware because it is not accessible from the internet. With "patch" I mean QNAP finally closing this vulnerability.
xavierh
Experience counts
Posts: 1118
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by xavierh »

Jaginix wrote: Sat Feb 16, 2019 1:36 am
xavierh wrote: Sat Feb 16, 2019 12:59 am
A patch?
My NAS is not affected by the malware because it is not accessible from the internet. With "patch" I mean QNAP finally closing this vulnerability.
Again, a patch for what? Firmware, apps, myqnapcloud? Without understanding the vector of the infection it is impossible to determine what needs to be patched, which is what we are seeing here. So far the only common denominator has been that the NAS is accessible directly from the internet. But without knowing what apps were installed at the time of infection, this is a needle-in-a-haystack situation. The important thing here moving forward is the lesson that these devices are network devices and as such, they require that the setup is done properly and that only the necessary services are enabled, and if some are exposed, proper monitoring or countermeasures need to be put in place to reduce the risk. That is also the responsibility of the user.
