confidence shaken after QSnatch email

Waypastme
New here
Posts: 5
Joined: Mon Apr 12, 2021 3:54 am

confidence shaken after QSnatch email

Post by Waypastme »

Hi
I received an email from my ISP, saying "The qsnatch malware was detected on a device using your internet connection or home network on 04 April 2021."
Naturally I have tried to fix this, by raising a ticket with QNAP, changing my password to access the NAS drive, and downloading the malware remover, which has found nothing. No logs are generated either. I also tried to run a security scan and found my virus defender is no longer updating, last update on 1/March/2021. I have tried to update this via clamav.net, but I have no idea what I am doing on that site. I cannot find a .cvd file to download and update.
In terms of removing the malware I have read through some of the posts on what to do, and it completely baffles me, not to mention scares me, that changing a port will block my access to the NAS. I cannot see how you can insert lines of code into the control panel, or if it's somewhere else you do it. To be honest, apart from using the NAS drive as an external storage drive, I do not open it up from one month to the next. I tried to stop UPnP and that only meant it blocked my own computer from accessing the NAS drive; I had to use a phone to connect to the NAS to stop that option.
What I've now done is set up the NAS drive to only accept IP addresses from within my own range AAA.BBB.CC.1 - AAA.BBB.CC.255, after I set up a notification event and then started seeing failed logins via user account every few minutes from various different IP addresses. I only use the NAS drive internally; it has no need to be accessed from the internet.
Now I am completely paranoid that A) the malware is still present, B) the NAS drive is still vulnerable and C) only accepting from the limited range of addresses means that I may block access to the NAS drive from my own network, which is all I want it to do.
I can see Web Server and WebDAV are both enabled, should these be disabled?
Can anyone advise if I have done the right thing, or is there a better way to prevent access?

I have a TS-231, 2 drive 1TB
Firmware version 4.3.6.1620 Build 20210322
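The post above describes two things worth checking with a small script: whether the failed-login sources seen in the notifications come from outside the LAN allow-list, and whether a given local machine would still be admitted by that allow-list (concern C). The following is an added example, not code from the thread or from QNAP; the log line format, the IP addresses and the `192.168.1.0/24` range are constructed placeholders standing in for the poster's real AAA.BBB.CC.1 - .255 range.

```python
# Added example (not from the thread): classify failed-login sources against
# the LAN allow-list, and check whether a LAN host would still be admitted.
# The log format and all addresses below are constructed for illustration.
import ipaddress
import re
from collections import Counter

# Constructed sample events; not real QTS log output.
SAMPLE_LOG = """\
2021-04-11 22:03:10 src=192.168.1.23 user=admin result=FAIL
2021-04-11 22:03:41 src=203.0.113.45 user=admin result=FAIL
2021-04-11 22:04:02 src=203.0.113.45 user=admin result=FAIL
2021-04-11 22:05:17 src=198.51.100.9 user=root result=FAIL
2021-04-11 22:06:00 src=192.168.1.50 user=waypastme result=OK
2021-04-11 22:06:30 src=not-an-ip user=admin result=FAIL
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_events(text):
    """Return (src, user, result) tuples for every line that matches LINE_RE."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("user"), m.group("result")))
    return events


def summarise_failures(text, allowed_cidr):
    """Count FAIL events per source IP, split into inside/outside allowed_cidr.
    allowed_cidr is a placeholder for the LAN range the NAS allow-list admits.
    Malformed source fields are skipped rather than aborting the summary."""
    allowed = ipaddress.ip_network(allowed_cidr, strict=False)
    inside, outside = Counter(), Counter()
    for src, _user, result in parse_events(text):
        if result != "FAIL":
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        (inside if ip in allowed else outside)[src] += 1
    return dict(inside), dict(outside)


def lan_host_admitted(host_ip, allowed_cidr):
    """True if host_ip falls inside the allow-list range (concern C above)."""
    return ipaddress.ip_address(host_ip) in ipaddress.ip_network(allowed_cidr, strict=False)
```

Failures counted under "outside" are the ones the allow-list now blocks; any LAN host for which `lan_host_admitted` returns False would be locked out along with them.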
OneCD
Guru
Posts: 12143
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: confidence shaken after QSnatch email

Post by OneCD »

Hi and welcome to the forum. :)

First thing to do: login to your router and ensure there are no port-forward rules that point to your NAS IP. Also ensure the UPnP service is disabled in your router. Then reboot the router. This will stop any incoming attacks so you can begin to fix the NAS.

It's OK to ignore QNAP's advice to change ports in the NAS. It's not needed and won't make things any better.
Waypastme wrote: Mon Apr 12, 2021 4:35 am I can see Web Server and WebDAV are both enabled, should these be disabled?
If you don't use these services (and it sounds like you don't), then disable them. Disabling services you don't use (and the NAS doesn't require) is always a good idea.

Waypastme
New here
Posts: 5
Joined: Mon Apr 12, 2021 3:54 am

Re: confidence shaken after QSnatch email

Post by Waypastme »

Thank you OneCD.
I had no port forwarding rules set up, but I want to be sure that if I stop UPnP, it doesn't affect anything else. My router is saying to turn off Port forwarding and Port trigger. I see no rules under these, but are these used by devices on my network for any reason? Such as games machines?
I have disabled the web server on the QNAP.
OneCD
Guru
Posts: 12143
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: confidence shaken after QSnatch email

Post by OneCD »

Waypastme wrote: Mon Apr 12, 2021 5:45 am I had no port forwarding rules set up, but I want to be sure that if I stop UPnP, it doesn't affect anything else. My router is saying to turn off Port forwarding and Port trigger. I see no rules under these, but are these used by devices on my network for any reason? Such as games machines?
I can't guarantee that as I've no idea what else is on your LAN. ;)

If you've disabled the UPnP service in your router, then any LAN devices that run services listening for connections from the Internet (not within your LAN) may require you to manually create port-forwarding rules for them in the router. For now, the important bit is to ensure there are no port-forwards to your NAS.

Waypastme
New here
Posts: 5
Joined: Mon Apr 12, 2021 3:54 am

Re: confidence shaken after QSnatch email

Post by Waypastme »

OK, thank you. I will perform that overnight and check it hasn't affected anyone else in the house.
OneCD
Guru
Posts: 12143
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: confidence shaken after QSnatch email

Post by OneCD »

Waypastme wrote: Mon Apr 12, 2021 4:35 am Now I am completely paranoid that A) the malware is still present, B) the NAS drive is still vulnerable and C) only accepting from the limited range of addresses means that I may block access to the NAS drive from my own network, which is all I want it to do.
OK, you've taken care of B) and C) which just leaves A).

Is the NAS behaving in a way that might suggest it is running malware? Any strange-looking filenames in your shared folders? Any oddly-named QPKGs installed in your QTS App Center? Any high CPU usage (or is the NAS slow to respond to requests?) - although this last one might be quite normal for your old NAS. ;)

If you're still unsure, you can create a support ticket with QNAP and allow their help-desk to remote-access your NAS so they can check.

Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: confidence shaken after QSnatch email

Post by Moogle Stiltzkin »

Waypastme wrote: Mon Apr 12, 2021 4:35 am Now I am completely paranoid that A) the malware is still present, B) the NAS drive is still vulnerable and C) only accepting from the limited range of addresses means that I may block access to the NAS drive from my own network, which is all I want it to do.
I can see Web Server and WebDAV are both enabled, should these be disabled?
Can anyone advise if I have done the right thing, or is there a better way to prevent access?

I have a TS-231, 2 drive 1TB
Firmware version 4.3.6.1620 Build 20210322
A few things here:

1. QSnatch is known as a zero-day vulnerability. It went undetected for many months, during which it infected devices.

2. The devices that got infected were IMPROPERLY EXPOSED TO THE INTERNET (you shouldn't do this to begin with). Use a VPN instead. Updating frequently is usually recommended, especially if you are using the NAS for remote access, but like I said, QSnatch at the time was zero-day malware, so even when you updated regularly you may still have been susceptible for the few months when it was undetected. BUT EVEN THEN, you would still have had to expose your NAS online, e.g. by port forwarding 8080 (which is your QTS page) to the internet.

3. It was advised to use Malware Remover, but there were instances where using Malware Remover didn't quite remove it because the malware authors changed it up a bit. That is fine, though, because there is the nuclear option.

To remove the malware for good:

- update QTS
- install and use Malware Remover
- remove the HDDs and format them (this deletes everything, so make sure you have backups of your data. Ideally you should have backups PRIOR to being infected, not after the fact. This is why it's good practice to maintain backups in case of these events)
- reinitialize QTS
- re-run Malware Remover
- DO NOT EXPOSE YOUR NAS ONLINE again, or lessons were not learned :S . Use a VPN, update regularly (your QNAP QTS, your router, all client devices on that network), and accept that even this has some risk (so have a backup plan just in case)

AFAIK no other brands guarantee protection against zero-day malware or vulnerabilities :' that is the way it is.

NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
Waypastme
New here
Posts: 5
Joined: Mon Apr 12, 2021 3:54 am

Re: confidence shaken after QSnatch email

Post by Waypastme »

Thank you for your kind words and advice OneCD and Moogle. QNAP remoted onto my NAS drive, ran the logs and confirmed no malware present. I am not going down the nuclear option Moogle, I don't have the technical capability nor the required bravery to pull that one off. I've blocked all access to the NAS drive, except from IP addresses on my own network. If that interferes with the updates and so forth, then I will lift the list for a little while.
When I use the webpage to log into QTS from my home PC it comes up with the 8080 number, which I assume is the port forwarding. Is it okay to change that to another number and have the NAS still be visible on my network? Or is this a waste of time, or overkill?
Thank you again.
syncthing
Know my way around
Posts: 136
Joined: Mon Aug 13, 2018 4:58 pm

Re: confidence shaken after QSnatch email

Post by syncthing »

Waypastme wrote: Mon Apr 12, 2021 4:35 am Hi
I received an email from my ISP, saying "The qsnatch malware was detected on a device using your internet connection or home network on 04 April 2021."
Just out of curiosity, was the email really from your ISP?
Waypastme
New here
Posts: 5
Joined: Mon Apr 12, 2021 3:54 am

Re: confidence shaken after QSnatch email

Post by Waypastme »

It was. The places it told me to check were bona fide and the mail contained no hyperlinks. I was also able to cross-reference it to another website and also QNAP's website.
QNAPDanielFL
Easy as a breeze
Posts: 488
Joined: Fri Mar 31, 2017 7:09 am

Re: confidence shaken after QSnatch email

Post by QNAPDanielFL »

If you don't forward ports that should prevent you from getting Qsnatch the first time. But if you have it already, and then disable port forwarding, Qsnatch can update itself by calling out to a C2 server.
"There are lots of variants. Since it remotely connects to C2 server, it can be modified to resist new updates from malware remover."
https://www.reddit.com/r/qnap/comments/ ... 020_march/

If you have trouble getting rid of Qsnatch, tech support can help. If you get rid of it, then you can change your username and password.
OneCD
Guru
Posts: 12143
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: confidence shaken after QSnatch email

Post by OneCD »

Waypastme wrote: Thu Apr 15, 2021 4:14 am QNAP remoted onto my NAS drive, ran the logs and confirmed no malware present.
Great! :D
Waypastme wrote: Thu Apr 15, 2021 4:14 am When I use the webpage to log into QTS from my home PC it comes up with the 8080 number, which I assume is the port forwarding. Is it okay to change that to another number and have the NAS still be visible on my network? Or is this a waste of time, or overkill?
Yup, a waste of time. As long as port 8080 isn't exposed in your router (via port-forwarding to your NAS), you're fine.

Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: confidence shaken after QSnatch email

Post by Moogle Stiltzkin »

Waypastme wrote: Thu Apr 15, 2021 4:14 am Thank you for your kind words and advice OneCD and Moogle. QNAP remoted onto my NAS drive, ran the logs and confirmed no malware present. I am not going down the nuclear option Moogle, I don't have the technical capability nor the required bravery to pull that one off. I've blocked all access to the NAS drive, except from IP addresses on my own network. If that interferes with the updates and so forth, then I will lift the list for a little while.
When I use the webpage to log into QTS from my home PC it comes up with the 8080 number, which I assume is the port forwarding. Is it okay to change that to another number and have the NAS still be visible on my network? Or is this a waste of time, or overkill?
Thank you again.
If you're not comfortable doing it yourself, send it to a tech repair shop and ask them to do it for you. That's what I do when I have something difficult I can't do myself :)