[SECURITY RISK] Your NAS could be infected. Please read.

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply

Are you infected? / Should QNAP make a Security Advisory Announcement? - SELECT TWO OPTIONS

Yes I my NAS has been with this issue.
59
30%
No, I my NAS is not infected
71
36%
Yes, Announcement by QNAP Critical.
66
33%
No, Just contact QNAP issue
4
2%
 
Total votes: 200

iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by iam@nas » Sat Feb 02, 2019 6:49 pm

As long as your NAS does need access to the internet and you want to keep it connected in your LAN: Block it on your router. NTP, DNS / Proxy, Live Firmware updates will fail. Anyhow no data can be uploaded. One can still upload a new firmware (2nd tab in the UI).
Did you use the "derek-be-gone.sh" script mentioned in viewtopic.php?f=50&t=146352&start=45#p703735 ?

User avatar
Petep74093
Getting the hang of things
Posts: 51
Joined: Thu Jul 02, 2015 10:20 pm
Location: Sandhurst, UK

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Petep74093 » Sun Feb 03, 2019 1:27 am

I will ask the question as sure there are users like myself, who are not familiar with checking the file mentioned. All of my setup on the NAS is done via the apps etc installed and so I don't go delving into the directories and associated scripts.
So could someone give me a pointer of where to look and see if I have the issue raised up? I don't acess the NAS remotely so hopefully all will be well but would like to check and see to be sure
Thanks
Model: TS-453 Pro -- RAM: 8GB
FW: QTS 4.3.6.0867(20190228)
WDC WD30EFRX-68EUZN0 x4 Red HDDs - RAID 5
UPS: APC BG700G

Backups and maintenance routines are essential and shouldn't be overlooked. If you can't replace the data then any loss is firmly on your shoulders.

NAS is only a storage facility and not a magical place protected by knights and elves.

Back it up and secure it or lose it - your choice ! :mrgreen:

User avatar
Moogle Stiltzkin
Ask me anything
Posts: 7380
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Moogle Stiltzkin » Mon Feb 04, 2019 1:21 am

Petep74093 wrote:
Sun Feb 03, 2019 1:27 am
I will ask the question as sure there are users like myself, who are not familiar with checking the file mentioned. All of my setup on the NAS is done via the apps etc installed and so I don't go delving into the directories and associated scripts.
So could someone give me a pointer of where to look and see if I have the issue raised up? I don't acess the NAS remotely so hopefully all will be well but would like to check and see to be sure
Thanks

use winscp.
https://winscp.net/eng/download.php

in qnap qts enable ssh > sftp.

in winscp login to the qnap, then on the right side directory panel, go to root. then browse until you go to the directory that was mentioned for where these suspect files are.

you can open the file with notepad++ to view the file :)

when done checking, logout, and in qts disable the ssh access.
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS (HDN724040ALE640) & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 + 16gb ddr4 Crucial + QWA-AC2600 wireless adapter.
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[^] QNAP TS-659 Pro II 1x 4TB HGST Deskstar NAS
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-228 w. 1x 1TB WD RE3 (WD1002FBYS)
[^] QNAP TS-128
Mobile NAS TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Asus AC68U Router|100dl/50ul MBPS FTTH Internet | Windows 10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review

https://www.patreon.com/mooglestiltzkin

peb
New here
Posts: 8
Joined: Mon Feb 08, 2010 2:47 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by peb » Mon Feb 04, 2019 1:47 am

The symptoms I observed where:
- Firmware and Antivirus update check failed
- Unable to install Malware Remover (even manually)

Dereck-be-gone script resolved both. Only weird thing that was still there (and known) werr strange known-host entries.

hillaj1
New here
Posts: 5
Joined: Sat Feb 28, 2015 4:13 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by hillaj1 » Mon Feb 04, 2019 2:37 am

iam@nas wrote:
Sat Feb 02, 2019 6:49 pm
As long as your NAS does need access to the internet and you want to keep it connected in your LAN: Block it on your router. NTP, DNS / Proxy, Live Firmware updates will fail. Anyhow no data can be uploaded. One can still upload a new firmware (2nd tab in the UI).
Did you use the "derek-be-gone.sh" script mentioned in viewtopic.php?f=50&t=146352&start=45#p703735 ?
Yes, that's the curl script I said I ran a couple times. It works for a couple hours, but then the 0.0.0.0 entries come back. Malware Remover 3.4.1 does not take care of it, only running the older version installed via derek-be-gone script seems to work.

A QNAP tech replied to my ticket and we are going to work on it tomorrow.

hillaj1
New here
Posts: 5
Joined: Sat Feb 28, 2015 4:13 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by hillaj1 » Mon Feb 04, 2019 2:39 am

peb wrote:
Mon Feb 04, 2019 1:47 am
The symptoms I observed where:
- Firmware and Antivirus update check failed
- Unable to install Malware Remover (even manually)

Dereck-be-gone script resolved both. Only weird thing that was still there (and known) werr strange known-host entries.
Same, but check your hosts file a few hours later and the 0.0.0.0 entries will probably be back. So, it fixes the problem, but the malware unfixes it.

User avatar
Petep74093
Getting the hang of things
Posts: 51
Joined: Thu Jul 02, 2015 10:20 pm
Location: Sandhurst, UK

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Petep74093 » Mon Feb 04, 2019 3:45 am

Moogle Stiltzkin wrote:
Mon Feb 04, 2019 1:21 am

use winscp.
https://winscp.net/eng/download.php

in qnap qts enable ssh > sftp.

in winscp login to the qnap, then on the right side directory panel, go to root. then browse until you go to the directory that was mentioned for where these suspect files are.

you can open the file with notepad++ to view the file :)

when done checking, logout, and in qts disable the ssh access.
Thank you for that, I'll check that out - much obliged for you taking the time to post up that 'how to' :DD
Model: TS-453 Pro -- RAM: 8GB
FW: QTS 4.3.6.0867(20190228)
WDC WD30EFRX-68EUZN0 x4 Red HDDs - RAID 5
UPS: APC BG700G

Backups and maintenance routines are essential and shouldn't be overlooked. If you can't replace the data then any loss is firmly on your shoulders.

NAS is only a storage facility and not a magical place protected by knights and elves.

Back it up and secure it or lose it - your choice ! :mrgreen:

User avatar
Moogle Stiltzkin
Ask me anything
Posts: 7380
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Moogle Stiltzkin » Mon Feb 04, 2019 3:48 am

Petep74093 wrote:
Mon Feb 04, 2019 3:45 am
Thank you for that, I'll check that out - much obliged for you taking the time to post up that 'how to' :DD
np, just a hobby of mine to help :)

i find that a lot of the help on the forum ASSUMES a certain level of understanding about technical matters. But some users may require more specifics and guidance than others. So i'll get into those nitty gritty details if and when required 8)

but most of the time it's just basic help to generally point in the right direction :)
Last edited by Moogle Stiltzkin on Tue Feb 05, 2019 7:48 pm, edited 1 time in total.
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS (HDN724040ALE640) & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 + 16gb ddr4 Crucial + QWA-AC2600 wireless adapter.
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[^] QNAP TS-659 Pro II 1x 4TB HGST Deskstar NAS
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-228 w. 1x 1TB WD RE3 (WD1002FBYS)
[^] QNAP TS-128
Mobile NAS TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Asus AC68U Router|100dl/50ul MBPS FTTH Internet | Windows 10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review

https://www.patreon.com/mooglestiltzkin

User avatar
Petep74093
Getting the hang of things
Posts: 51
Joined: Thu Jul 02, 2015 10:20 pm
Location: Sandhurst, UK

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Petep74093 » Mon Feb 04, 2019 10:26 pm

Moogle Stiltzkin wrote:
Mon Feb 04, 2019 3:48 am
Petep74093 wrote:
Mon Feb 04, 2019 3:45 am
Thank you for that, I'll check that out - much obliged for you taking the time to post up that 'how to' :DD
np, just a hobby of mine to help :)
Anyone not sure how to check then use the pointers given by Moogle- spot on and easy to do. Glad to say mine all looks clear and long may it stay that way :DD
Model: TS-453 Pro -- RAM: 8GB
FW: QTS 4.3.6.0867(20190228)
WDC WD30EFRX-68EUZN0 x4 Red HDDs - RAID 5
UPS: APC BG700G

Backups and maintenance routines are essential and shouldn't be overlooked. If you can't replace the data then any loss is firmly on your shoulders.

NAS is only a storage facility and not a magical place protected by knights and elves.

Back it up and secure it or lose it - your choice ! :mrgreen:

benny.evangelisat
New here
Posts: 4
Joined: Tue Mar 20, 2018 1:47 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by benny.evangelisat » Tue Feb 05, 2019 6:59 pm

I personally got into this malware affaire with my QNAP TS-253A and QNAP support sent me the derek-be-gone.sh script telling me to change all user passwords. They didn't mention about possibile DOM corruption.

Before launching the script I found something strange in my crontab (a couple of unknown scripts, one with the typical random unreadable name, the other was backup_config.sh, but not the legitimate one usually found in etc/init.d/), now it seems clean.

Anyway I reinitialized system and disk (actually I switched to a brand new disk), and hosts file is clean. Truth is I'm not sure everything is REALLY clean.

User avatar
Toxic17
Experience counts
Posts: 4938
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 » Wed Feb 06, 2019 6:01 pm

the derek-be-gone.sh script is now at v1.2.

Code: Select all

curl https://download.qnap.com/Storage/tsd/utility/derek-be-gone.sh | sh
Regards Simon

QNAP 4.3.x/4.2.x Manuals

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.3.6.0993 • TVS-463-16GB 4.3.6.0993 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.0967 • APC Back-UPS ES 700G •
QPKG's: TwonkyServer 8.51 • Apache73 • QSonarr 3.0.1.503 • QNBZGet 21.0 • phpMyAdmin 4.8.5 • Qmono 5.20.1.19 • McAfee 2.2.0 • Lychee 3.2.15 • HBS 3.0.190802 • LEgo v3.0.0
Network: VM Hub 3.0 <500/35> • UniFi USG Pro 4 • UniFi USW-16-150W • UniFi USW-8-60W • UniFi CloudKey Gen2+• UniFi G3-Flex • UAP AC Pro • UAP AC Lite • SLM2008 • Dell 7050 MFF •

Ron1963
Easy as a breeze
Posts: 352
Joined: Wed Apr 28, 2010 9:22 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Ron1963 » Thu Feb 07, 2019 5:12 pm

The revised script keeps reporting the 3.4.1 Remover version is fake and replaces it by 3.4.0. And then the App Center informs you there is an update for it. Pfff
1x TS431, 1x TS251, 1x TS253

User avatar
Toxic17
Experience counts
Posts: 4938
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 » Fri Feb 08, 2019 5:27 am

Ron1963 wrote:
Thu Feb 07, 2019 5:12 pm
The revised script keeps reporting the 3.4.1 Remover version is fake and replaces it by 3.4.0. And then the App Center informs you there is an update for it. Pfff
I take it you have reported this to QNAP?
Regards Simon

QNAP 4.3.x/4.2.x Manuals

QNAP Club Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-473-32GB QM2-2P QXG-10G1T 4.3.6.0993 • TVS-463-16GB 4.3.6.0993 QM2-2S10G1TB • TS-459 Pro 2GB 4.2.6 • TS-121 4.3.3.0967 • APC Back-UPS ES 700G •
QPKG's: TwonkyServer 8.51 • Apache73 • QSonarr 3.0.1.503 • QNBZGet 21.0 • phpMyAdmin 4.8.5 • Qmono 5.20.1.19 • McAfee 2.2.0 • Lychee 3.2.15 • HBS 3.0.190802 • LEgo v3.0.0
Network: VM Hub 3.0 <500/35> • UniFi USG Pro 4 • UniFi USW-16-150W • UniFi USW-8-60W • UniFi CloudKey Gen2+• UniFi G3-Flex • UAP AC Pro • UAP AC Lite • SLM2008 • Dell 7050 MFF •

Ron1963
Easy as a breeze
Posts: 352
Joined: Wed Apr 28, 2010 9:22 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Ron1963 » Fri Feb 08, 2019 4:32 pm

Toxic17 wrote:
Fri Feb 08, 2019 5:27 am
Ron1963 wrote:
Thu Feb 07, 2019 5:12 pm
The revised script keeps reporting the 3.4.1 Remover version is fake and replaces it by 3.4.0. And then the App Center informs you there is an update for it. Pfff
I take it you have reported this to QNAP?
I haven't and I won't. This is not a bug, but lazy QNAP if that script is revised and the Malware Remover as well to take care of this infection but still not downloading that revised Malware remover from their own server.
1x TS431, 1x TS251, 1x TS253

P3R
Guru
Posts: 10755
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by P3R » Fri Feb 08, 2019 5:51 pm

There will always be new and slightly different infections in the future and it will always take a while for Qnap to understand the infection and properly implement the antidote for it. Putting out an official warning for every new infection separately before they've properly fixed the issue will only make users even more numb to future warnings.

Before Qnap have implemented the fix in malware remover these infections are in my opinion best dealt with like in this thread, the user community share their experiences and the really motivated users can read about it.

Exposing your NAS on the internet (allowing remote access) is always a high risk thing to do (at least without a properly deployed remote access VPN and/or 2FA on all existing user accounts)!

The real problems that I see with Qnap are:
  • The marketing is pushing the private cloud message and tell users that the Qnap solution is a secure way to deploy it. Unfortunately the first part is very attractive to users that doesn't understand the risks and the last part is a lie.
  • Qnap have many dangerous things enabled by default and/or without sufficient warnings about the risks.
Those are the two things that I would rather like to see change with how Qnap deal with that the ship is slowly sinking.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

Post Reply

Return to “Users' Corner”