[SECURITY RISK] Your NAS could be infected. Please read.


Are you infected? / Should QNAP make a Security Advisory Announcement? - SELECT TWO OPTIONS

Yes, my NAS has been with this issue: 70 votes (31%)
No, my NAS is not infected: 77 votes (34%)
Yes, Announcement by QNAP Critical: 75 votes (33%)
No, Just contact QNAP issue: 4 votes (2%)

Total votes: 226

Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Post by Toxic17 »

Following an issue that some users have experienced, I feel it is time to make my own announcement since there appears to be a reluctance to disclose a serious issue that users may be experiencing.

It appears that on the initial findings, some users found the /etc/hosts file has become infected with numerous (700+) entries of hostnames pointing to 0.0.0.0 which stops applications from updating over the internet.

I suggest you submit a ticket if you are experiencing this issue: https://helpdesk.qnap.com/index.php/Tickets/Submit

At time of writing QNAP Helpdesk have said they are "working on it" but no Public announcement/Security Advisory has been raised by QNAP Security.

Malware remover has been updated, however if infected, your malware remover will not automatically update, and users have already noticed not all infected files are removed.

I suspect QNAP will bring out further updates to Malware remover

The initial discussion on this issue was started here: viewtopic.php?f=50&t=146352

Thanks for listening. The thread will be sticky until a security advisory has been made public.

Please feel free to discuss your issues with this here.

If you suspect your NAS is somehow infected, please contact QNAP support via the Helpdesk app (on your NAS) or by submitting a Ticket here:

https://helpdesk.qnap.com/index.php/Tickets/Submit
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
Moogle Stiltzkin
Guru
Posts: 11445
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Moogle Stiltzkin »

It appears that on the initial findings, some users found the /etc/hosts file has become infected with numerous (700+) entries of hostnames pointing to 0.0.0.0 which stops applications from updating over the internet.
I checked mine but I did not see anything off here.

I didn't port forward my NAS or use any remote features. And I keep my NAS, router and desktop PC updated regularly. Maybe that's how I avoided this issue :/

How else are these systems getting compromised?
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
Thisisnotmyname
Easy as a breeze
Posts: 447
Joined: Mon Nov 19, 2018 1:21 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Thisisnotmyname »

no issues for me. Of course I'm not exposing phpmyadmin or such to the open internet either.
howarmat
Know my way around
Posts: 187
Joined: Tue Aug 21, 2012 12:30 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by howarmat »

I'm all good on multiple devices
iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by iam@nas »

I suspect that some personal data leaked. So QNAP has to inform the supervisory authority and the affected customers. And the affected business companies may have to do the same to avoid penalties.

My QNAP runs in LAN and so far it was not infected as far as I can tell.
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman »

Don't think penalties apply, terms and conditions were accepted

https://www.qnap.com/en/before_buy/con_ ... one&cid=15
[...]
Business uses of the Services

If you are using our Services on behalf of a business, that business accepts these terms. It will hold harmless and indemnify QNAP and its affiliates, officers, agents, and employees from any claim, suit or action arising from or related to the use of the Services or violation of these terms, including any liability or expense arising from claims, losses, damages, suits, judgments, litigation costs and attorneys’ fees.
[...]
Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 »

So why does Qnap have a malware remover? The terms and conditions say they accept no responsibility, yet malware remover says something else to the contrary.

dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman »

Windows has the builtin antivirus as well .. yet they will not reimburse you if you got yourself a crypt trojan or virus
iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by iam@nas »

Sorry, I forgot to mention GDPR. EU penalties are quite high.
"Up to €20 million, or 4% of the worldwide annual revenue ... whichever is higher." @ https://www.gdpreu.org/compliance/fines-and-penalties/
"... the controller shall ... not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority ..." @ https://gdpr-info.eu/art-33-gdpr/
Unless no EU data is affected it may be fine to suppress any incident ...
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman »

but they are not losing/exposing customer data hosted on their own premises

back to the windows example, is data privacy on your own personal windows computer, a thing Microsoft is guilty of ? (and I am not talking about data they collect via Cortana or other logs)
iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by iam@nas »

"is data privacy on your own personal windows computer, a thing Microsoft is guilty of " No.
One may read here https://www.qnap.com/en/privacy-notice/qid about all the personal data collected by QNAP, also Microsoft collects personal data. Maybe some of the data leaked allowing this attack.
chokai
Starting out
Posts: 12
Joined: Tue Feb 21, 2017 5:32 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by chokai »

dolbyman wrote: Fri Feb 01, 2019 3:36 am but they are not losing/exposing customer data hosted on their own premises

back to the windows example, is data privacy on your own personal windows computer, a thing Microsoft is guilty of ? (and I am not talking about data they collect via Cortana or other logs)
Well they are supporting their clients who are subject to GDPR. The failure of a vendor to respond in a timely manner to business customers asking questions about the software and services you provide that are related to GDPR is very very bad for future business. If I was a business client of QNAP this incident would be coming up in the QBR/QAR. I would hope the business customers are getting better service than those of us calling about consumer devices. (They are also less likely to get hacked. :-))
TVS-682|i3-6100|48GB|2x1TB Samsung 860 EVO (Raid1 - VMs & Apps)|4x6TB WD Red (Raid 5 - Data, Security Cams, Media)
10 POE IP Cams - 6 ReoLink (RLC-411, RLC-423, RLC-420, E1) - 4 AMCrest (IP2M-814E, IP3M-941)
Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 »

Just to get back on topic - I wanted to inform users of this type of infection, since QNAP have not as yet publicly announced the possible infection that users are now facing.
xavierh
Experience counts
Posts: 1118
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by xavierh »

Toxic17 wrote: Fri Feb 01, 2019 9:34 pm Just to get back on topic - I wanted to inform users of this type of infection, since QNAP have not as yet publicly announced the possible infection that users are now facing.
Thank you for doing this. Regardless of possible privacy interpretation and GDPR implications, it would be good if QNAP could provide us some sort of update for this. I will check both my devices as soon as I get home and like others said I do not expose my NAS to the outside and I keep my network updated (firmware, etc.)

QNAP TVS-951xQTS 5.0.0.1986 build 20220324 OS Storage Pool: Samsung 860 EVO 250GB SSD x 4 (RAID 5), Data Storage Pool: WD WD30EFRX (Red) 3TB x 4 (RAID 5), 16GB RAM WD Easystore 10TB External USB 3.0 Services: SMB, Appletalk, QPKG: Container Station, HBS 3
QNAP TS-453AQTS 5.0.0.1986 build 20220324 Services: SMB, HBS 3
Network: UDM, UDM Beacon, Unifi 8 Port Switch x 3, Flex Mini Switch, In Wall AP
hillaj1
New here
Posts: 6
Joined: Sat Feb 28, 2015 4:13 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by hillaj1 »

After reading the discussions in the forums, I have found my NAS to be affected by the same malware that prevents updates. I have run the curl script several times to install malware remover 3.4.0 and this allowed me to update my firmware and my apps. However, the malware returns and prevents updating or checking for updates. Malware remover 3.4.1 does not seem to remove it, but running the curl script to reinstall 3.4.0 does work.

The 0.0.0.0 hosts entry returns after a few hours. I just submitted a ticket.

My router was set with upnp on and there was a port forwarded to a process called lilpcupnp(?) on port 51136. My known_hosts file had 4 entries similar to those in the other thread and I have since deleted them. I have turned off upnp on both my router and on the NAS under myQNAPcloud.

What else can I do to address this?
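
An added example, not part of any post in this thread: a read-only check for the symptom described in the first post and in the post above (hostnames in /etc/hosts mapped to 0.0.0.0, which are reported to return after cleanup). The function names, the threshold argument and the sample hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of a hosts file for
# the reported symptom, hostnames mapped to 0.0.0.0. Nothing is modified.

# Print each hostname the file maps to 0.0.0.0, lower-cased, one per line.
sinkholed_hosts() {
    tr -d '\r' < "$1" | awk '
        { sub(/#.*/, "") }          # strip comments; awk re-splits the fields
        $1 == "0.0.0.0" { for (i = 2; i <= NF; i++) print tolower($i) }
    ' | sort -u
}

# Number of distinct sinkholed hostnames.
sinkholed_count() {
    sinkholed_hosts "$1" | wc -l | tr -d ' '
}

# "SUSPICIOUS <n>" when more than $2 names (default 0) are sinkholed,
# otherwise "OK <n>". The threshold is an assumption for hosts files that
# carry a few deliberate block entries.
hosts_verdict() {
    n=$(sinkholed_count "$1")
    if [ "$n" -gt "${2:-0}" ]; then echo "SUSPICIOUS $n"; else echo "OK $n"; fi
}

# Constructed sample input; the hostnames are placeholders, not indicators.
write_sample() {
    cat > "$1" <<'EOF'
127.0.0.1   localhost
# 0.0.0.0   commented.example.invalid
0.0.0.0     update.example.invalid
0.0.0.0     Download.Example.invalid mirror.example.invalid   # two names
0.0.0.0     update.example.invalid
10.0.0.5    nas.lan
EOF
}

sample=${TMPDIR:-/tmp}/hosts.sample.$$
write_sample "$sample"
hosts_verdict "$sample"      # verdict line with the distinct-name count
sinkholed_hosts "$sample"    # the blocked names themselves
rm -f "$sample"
```

On a NAS, call `hosts_verdict /etc/hosts` instead of the sample; since the entries are reported to come back after a few hours, rerunning it periodically shows whether a cleanup held.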