[SECURITY RISK] Your NAS could be infected. Please read.
-
- Starting out
- Posts: 39
- Joined: Thu Nov 19, 2009 1:33 pm
Re: [SECURITY RISK] Your NAS could be infected. Please read.
I should have saved the bash script that was installed in cron, but tbh I was too paranoid and wanted to nuke everything. Has anyone posted it? Surely QNAP has seen it...
It was running every 10 mins and had a lot of control over apps, stopping them. Almost every app had been messed with, and there was an <app_name>.sh file removed by the malware remover, and references in the script. The rest of the bash script was obfuscated. I'm not sure of the technical term, but it was all encoded/encrypted, so you couldn't tell what it was doing.
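An added example, not part of the post above and not QNAP's or any poster's code: a triage sketch for the pattern described there, a cron job on a short interval whose script is mostly encoded text. The paths, sample crontab, filler blob and thresholds are all constructed assumptions, and the heuristics are generic rather than signatures of this particular infection.

```python
import re

# Constructed sample input: a crontab and the scripts it references.
CRONTAB = """\
# m h dom mon dow command
0 4 * * * /sbin/hwclock -s
*/10 * * * * /share/example/.cache/job.sh >/dev/null 2>&1
30 3 * * 0 /etc/init.d/backup_example.sh
"""
BLOB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo" * 4   # meaningless filler
SCRIPTS = {
    "/share/example/.cache/job.sh":
        "#!/bin/sh\n/etc/init.d/app_example.sh stop\n"
        + "".join(f'p="$p{BLOB}"\n' for _ in range(6))
        + 'echo "$p" | base64 -d | sh\n',
    "/etc/init.d/backup_example.sh":
        "#!/bin/sh\nrsync -a /share/data /share/backup\n",
}

ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{80,}")        # long base64-like run
DECODE_EXEC = re.compile(r"\b(base64\s+-d|openssl\s+enc|eval)\b")

def cron_entries(text):
    """Yield (minute_field, script_path) for each non-comment crontab line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and not line.lstrip().startswith("#"):
            yield fields[0], fields[5]

def encoded_ratio(script):
    """Fraction of non-blank, non-comment lines holding a long encoded run."""
    lines = [l for l in script.splitlines() if l.strip() and not l.startswith("#")]
    return sum(bool(ENCODED_RUN.search(l)) for l in lines) / max(len(lines), 1)

def triage(crontab, scripts, max_interval=15, ratio_limit=0.5):
    """Return paths of frequent cron jobs whose script is mostly encoded."""
    flagged = []
    for minute, path in cron_entries(crontab):
        m = re.fullmatch(r"\*/(\d+)", minute)
        frequent = bool(m) and int(m.group(1)) <= max_interval
        body = scripts.get(path, "")
        if frequent and encoded_ratio(body) >= ratio_limit and DECODE_EXEC.search(body):
            flagged.append(path)
    return flagged

if __name__ == "__main__":
    print(triage(CRONTAB, SCRIPTS))
```

Run it against copies of the crontab and scripts taken off the device, and preserve any flagged script as evidence before wiping.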
- spikemixture
- Been there, done that
- Posts: 890
- Joined: Wed Mar 07, 2018 11:04 pm
- Location: 3rd World
Re: [SECURITY RISK] Your NAS could be infected. Please read.
I have just finished a 7 day rebuild.
A few strange network related things.
Installed malware remover this morning and it runs for like 15 secs!
I suspect that is not right.
Help desk ticket has been opened
Last edited by spikemixture on Tue Feb 19, 2019 12:03 pm, edited 1 time in total.
Qnap TS-1277 1700 (48gb RAM) 8x10TB WD White,- Raid5, 2x M.2 Crucial 1TB (Raid 1 VM),
2x SSD 860 EVO 500gb (Raid1 QTS), 2x SSD 860 EVO 250GB (Cache), 2x M.2 PCIe 970 500gb NVME (Raid1 Plex and Emby server)
GTX 1050 TI
Qnap TVS-1282 i7 (32GB RAM) 6x8TB WD White - JBOD, 2x M.2 Crucial 500gb (Raid1 VM),
2x SSD EVO 500gb (Raid1 QTS), 2x SSD EVO 250gb (Raid1 Cache), 2x M.2 PCIe Intel 512GB NVME (Raid1-Servers)
Synology -1817+ - DOA
Drobo 5n - 5x4TB Seagate, - Drobo Raid = 15TB
ProBox 8 Bay USB3 - 49TB mixed drives - JBOD
All software is updated asap.
I give my opinion from my experience i.e. I have (or had) that piece of equipment/software and used it!
-
- Starting out
- Posts: 39
- Joined: Thu Nov 19, 2009 1:33 pm
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Do you mean the malware remover scan only takes 15 seconds or that it begins to fail to run properly?
This infection is persistent as far as I'm aware. Personally, I wouldn't be putting anything near it without a DOM recovery.
2 Options -- if you've not already, engage QNAP via the helpdesk and have them take a look, OR.....
Perform a DOM recovery ASAP. It's also a good opportunity to make sure anything else on your network is not behaving strangely, router firmware wipes etc making sure they are fully hardened. I stupidly had UPnP enabled on one router, so I nuked every network device I had.
-
- New here
- Posts: 2
- Joined: Wed Feb 20, 2019 3:08 am
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Hi!
Had also quite a strange experience with my TS-119P+.
Malware Remover (3.4.1) found and removed something, but after a restart, it found and removed the same files. It was also getting stuck during the scan at 21%, even after >48h. Always with 100% CPU load.
So I did a full recovery, according to: https://wiki.qnap.com/wiki/Firmware_Recovery and deleted the partitions of the harddisk in between.
I think it was successful, because the version was set back to 4.0.1.
After an update to 4.3.3.0789, without copying any files back on the NAS (so I thought I had a factory fresh system), I got the following after the first scan: Great!
Is Malware Remover the malware??
Kind regards,
MK
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Firmware recovery was done with empty/new disks?
-
- New here
- Posts: 2
- Joined: Wed Feb 20, 2019 3:08 am
Re: [SECURITY RISK] Your NAS could be infected. Please read.
As I wrote, I've deleted the partitions.
Did as well a reformatting. Did not override with zeros though.
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Hm... did you close the infection vectors (UPnP/port forwards)?
-
- First post
- Posts: 1
- Joined: Mon Feb 16, 2015 4:40 pm
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Sounds like the DOM/Flash is infected. I think you have to make a Recovery.
-
- Experience counts
- Posts: 2043
- Joined: Thu Mar 03, 2016 1:11 am
Re: [SECURITY RISK] Your NAS could be infected. Please read.
As far as I understood a clean fw recovery was already done.
Just to still curiosity:
Why are you pointing to Malware Remover?
Maybe the firmware itself is infected?
This is just a question, not a statement.
But you did two changes:
1. FW update
2. Installation of Malware Remover
So I guess it is logical to ask which of these tasks (if any) brings back the malware.
Regards
A raid is never a substitute for backup! Never!
Deadbolt - READ 1st post!!!
Deadbolt - information
Deadbolt - find your OP_RETURN!
VPN=VPN? No!
How to clean up your NAS after malware attack
www.raidisnotabackup.com
-
- Easy as a breeze
- Posts: 389
- Joined: Fri Aug 07, 2015 7:02 pm
- Location: London, England
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Okay so I'm not really sure how to tell if my NAS has been infected.
Malware remover runs nightly without any issues, I manually replaced the current 3.4.1 install following the instructions written here: https://www.qnap.com/en/security-advisory/nas-201902-13 and it returns a clean system with no issues.
All the apps on the system are up to date, and I'm running the most recent firmware (4.3.6.0805) and I haven't noticed any strange behaviour, but I'd like to be absolutely sure my system is clean - what does this forum recommend?
TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!
Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Did you ever expose your system to the web? If not, chances are very low that you are infected.
-
- Easy as a breeze
- Posts: 389
- Joined: Fri Aug 07, 2015 7:02 pm
- Location: London, England
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Yeah, Plex, 1194 for OpenVPN and 443 for secure web are all public facing.
I tried to put everything behind a VPN years ago but my router was never fully happy with it.
I've never had any security issues in the past, with the exception of that photo station issue nearly everyone had a few years ago that led to the creation of malware remover. As a result, I now turn off applications if I'm not using them.
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [SECURITY RISK] Your NAS could be infected. Please read.
a router with VPN server should be your solution
not sure if anyone can guarantee your NAS is not infected
-
- Easy as a breeze
- Posts: 389
- Joined: Fri Aug 07, 2015 7:02 pm
- Location: London, England
Re: [SECURITY RISK] Your NAS could be infected. Please read.
There's nothing confidential on there, and everything is backed up offline twice so I'm not worried about data loss.
Just would be nice to have some confirmation/a tool from QNAP.
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: [SECURITY RISK] Your NAS could be infected. Please read.
don't think they have a tool, that's the problem that all their scripts and apps seem to be one step behind currently
open a ticket if you want QNAP's take on it