[SECURITY RISK] Your NAS could be infected. Please read.


Are you infected? / Should QNAP make a Security Advisory Announcement? - SELECT TWO OPTIONS

Yes I my NAS has been with this issue. (70 votes, 31%)
No, I my NAS is not infected (77 votes, 34%)
Yes, Announcement by QNAP Critical. (75 votes, 33%)
No, Just contact QNAP issue (4 votes, 2%)
Total votes: 226

autolux
Starting out
Posts: 39
Joined: Thu Nov 19, 2009 1:33 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by autolux »

I should have saved the bash script that was installed in cron but tbh was too paranoid and wanted to nuke everything. Has anyone posted it? Surely QNAP has seen it...

It was running every 10 mins and had a lot of control over apps, stopping them. Almost every app had been messed with and there was an <app_name>.sh file removed by the malware remover, and references in the script. The rest of the bash script was obfuscated. I'm not sure of the technical term, but it was all encoded/encrypted, so you couldn't tell what it was doing.
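
An added example, not part of the original thread and not QNAP's own tooling: a Python triage for a crontab and script files copied off the NAS, flagging jobs that run every few minutes and whose script is encoded or no longer present, the pattern described in the post above. The paths, sample contents and the 15-minute and 120-character thresholds are assumptions made for this illustration.

```python
import re

# Long unbroken base64-alphabet runs or chains of \xNN escapes suggest an encoded body.
ENCODED = re.compile(r"[A-Za-z0-9+/=]{120,}|(?:\\x[0-9A-Fa-f]{2}){20,}")

def run_interval(minute_field):
    """Minutes between runs for a cron minute field, or None if it runs at most hourly."""
    if minute_field == "*":
        return 1
    step = re.fullmatch(r"\*/(\d+)", minute_field)
    if step:
        return int(step.group(1))
    if re.fullmatch(r"\d+(,\d+)+", minute_field):
        marks = sorted(int(m) for m in minute_field.split(","))
        return min(b - a for a, b in zip(marks, marks[1:]))
    return None

def triage(crontab_text, scripts, max_interval=15):
    """Return (script_path, interval, status) for every job that runs often."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # blank line, comment, or not a five-field schedule entry
        interval = run_interval(fields[0])
        if interval is None or interval > max_interval:
            continue
        path = fields[5].split()[0]
        body = scripts.get(path)
        # "missing": cron still points at a script that is gone from disk.
        # "obfuscated": the body cannot be reviewed by reading it.
        status = ("missing" if body is None
                  else "obfuscated" if ENCODED.search(body) else "readable")
        findings.append((path, interval, status))
    return findings

# Constructed sample data: paths and contents are invented for this example.
SAMPLE_CRONTAB = """\
0 3 * * * /opt/example/backup.sh
*/10 * * * * /tmp/example_job.sh
0,10,20,30,40,50 * * * * /opt/example/refresh.sh
*/5 * * * * /opt/example/removed_app.sh
"""
SAMPLE_SCRIPTS = {
    "/tmp/example_job.sh": "#!/bin/sh\nblob='" + "QUJD" * 40 + "'\n",
    "/opt/example/refresh.sh": "#!/bin/sh\ntouch /tmp/example.stamp\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_CRONTAB, SAMPLE_SCRIPTS):
        print(finding)
```

A "readable" result only means the script can be reviewed by eye; it is not a verdict that the job is benign.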
spikemixture
Been there, done that
Posts: 890
Joined: Wed Mar 07, 2018 11:04 pm
Location: 3rd World

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by spikemixture »

I have just finished a 7 day rebuild.
A few strange network related things.
Installed malware remover this morning and it runs for like 15 secs!
I suspect that is not right.

Help desk ticket has been opened
Last edited by spikemixture on Tue Feb 19, 2019 12:03 pm, edited 1 time in total.
Qnap TS-1277 1700 (48gb RAM) 8x10TB WD White,- Raid5, 2x M.2 Crucial 1TB (Raid 1 VM),
2x SSD 860 EVO 500gb (Raid1 QTS), 2x SSD 860 EVO 250GB (Cache), 2x M.2 PCIe 970 500gb NVME (Raid1 Plex and Emby server)
GTX 1050 TI
Qnap TVS-1282 i7 (32GB RAM) 6x8TB WD White - JBOD, 2x M.2 Crucial 500gb (Raid1 VM),
2x SSD EVO 500gb (Raid1 QTS), 2x SSD EVO 250gb (Raid1 Cache), 2x M.2 PCIe Intel 512GB NVME (Raid1-Servers)
Synology -1817+ - DOA
Drobo 5n - 5x4TB Seagate, - Drobo Raid = 15TB
ProBox 8 Bay USB3 - 49TB mixed drives - JBOD
All software is updated asap.
I give my opinion from my experience i.e. I have (or had) that piece of equipment/software and used it! :roll:
autolux
Starting out
Posts: 39
Joined: Thu Nov 19, 2009 1:33 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by autolux »

Do you mean the malware remover scan only takes 15 seconds or that it begins to fail to run properly?

This infection is persistent as far as I'm aware. Personally, I wouldn't be putting anything near it without a DOM recovery.

2 Options -- if you've not already, engage QNAP via the helpdesk and have them take a look, OR.....

Perform a DOM recovery ASAP. It's also a good opportunity to make sure anything else on your network is not behaving strangely, router firmware wipes etc making sure they are fully hardened. I stupidly had UPnP enabled on one router, so I nuked every network device I had.
aehm_key
New here
Posts: 2
Joined: Wed Feb 20, 2019 3:08 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by aehm_key »

Hi!

Had also quite a strange experience with my TS-119P+.

Malware Remover (3.4.1) found and removed something, but after a restart, it found and removed the same files.
QNAP2.PNG
It was also getting stuck during the scan at 21%, even after >48h. Always with 100% CPU load.


So I did a full recovery, according to: https://wiki.qnap.com/wiki/Firmware_Recovery and deleted the partitions of the harddisk in between.
I think it was successful, because the version was set back to 4.0.1.

After an update to 4.3.3.0789, without copying any files back on the NAS (so I thought I had a factory fresh system), I got the following after the first scan:
QNAP4.png
Great! :evil:

Is Malware Remover the malware??

Kind regards,
MK
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman »

Firmware recovery was done with empty/new disks?
aehm_key
New here
Posts: 2
Joined: Wed Feb 20, 2019 3:08 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by aehm_key »

As I wrote, I've deleted the partitions.
Did as well a reformatting. Did not override with zeros though.
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman »

Hm... did you close the infection vectors (UPnP/port forwards)?
Mavalok
First post
Posts: 1
Joined: Mon Feb 16, 2015 4:40 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Mavalok »

Sounds like the DOM/Flash is infected. I think you have to do a recovery. :(
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by FSC830 »

aehm_key wrote: Wed Feb 20, 2019 3:31 am ...
After an update to 4.3.3.0789, without copying any files back on the NAS (so I thought I had a factory fresh system), I got the following after the first scan:
QNAP4.png

Is Malware Remover the malware??
...
As far as I understood a clean fw recovery was already done.

Just to still curiosity:

Why are you pointing to Malware Remover?
Maybe the firmware itself is infected?

This is just a question, not a statement.
But you did two changes:

1. FW update
2. Installation of Malware Remover

So I guess it is logical to ask which of these tasks (if any) brings back the malware.

Regards
jacobite1
Easy as a breeze
Posts: 389
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by jacobite1 »

Okay so I'm not really sure how to tell if my NAS has been infected.

Malware remover runs nightly without any issues, I manually replaced the current 3.4.1 install following the instructions written here: https://www.qnap.com/en/security-advisory/nas-201902-13 and it returns a clean system with no issues.

All the apps on the system are up to date, and I'm running the most recent firmware (4.3.6.0805) and I haven't noticed any strange behaviour, but I'd like to be absolutely sure my system is clean - what does this forum recommend?
TVS-872XT-i5-16GB with 6*ST12000VNZ008 in RAID 6.
Backed up to a stack of a half dozen 'cold' external 12TB and 8TB HDDs - please back up your data, RAID is not the same as a backup!

Formerly TVS-463 with 4*WD60EFRX in RAID5, planning to reuse as an additional backup destination in the new year.
All protected by an APC SMT750VA UPS - protect your NAS from bad power!
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman »

Did you ever expose your system to the web? If not, chances are very low that you are infected.
jacobite1
Easy as a breeze
Posts: 389
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by jacobite1 »

Yeah, Plex, 1194 for OpenVPN and 443 for secure web are all public facing.

I tried to put everything behind a VPN years ago but my router was never fully happy with it.

I've never had any security issues in the past, with the exception of that photo station issue nearly everyone had a few years ago that led to the creation of malware remover. As a result, I now turn off applications if I'm not using them.
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman »

a router with VPN server should be your solution

not sure if anyone can guarantee your NAS is not infected
jacobite1
Easy as a breeze
Posts: 389
Joined: Fri Aug 07, 2015 7:02 pm
Location: London, England

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by jacobite1 »

There's nothing confidential on there, and everything is backed up offline twice so I'm not worried about data loss.

Just would be nice to have some confirmation/a tool from QNAP.
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman »

don't think they have a tool, that's the problem that all their scripts and apps seem to be one step behind currently

open a ticket if you want QNAP's take on it