confidence shaken after QSnatch email

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply
Waypastme
New here
Posts: 5
Joined: Mon Apr 12, 2021 3:54 am

confidence shaken after QSnatch email

Post by Waypastme » Mon Apr 12, 2021 4:35 am

Hi
i received an email from my ISP, saying "The qsnatch malware was detected on a device using your internet connection or home network on 04 April 2021."
Naturally i have tried to fix this, by raising a ticket with QNAP, changing my password to access the NAS drive, downloading the malware remover , which has found nothing.No logs are generated neither. I also tried to run a security scan and found my virus defender is no longer updating, last update on 1/March/2021. I have tried to update this via clamav.net, but i have no idea what i am doing on that site. I cannot find a .cvd file to download and update.
In terms of removing the malware I have read through some of the posts on what to do, and it completely baffles me, not to mention scares me, that changing a port will block my access to the NAS. I cannot see how you can insert lines of code into the control panel, or if its somewhere else you do it. To be honest, apart from using the NAS drive as an external storage drive, I do not open it up from one month to the next. I tried to stop the uPnP and that only meant it blocked my own computer from accessing the NAS drive, i had to use a phone to connect to the NAS to stop that option.
What I've now done, is set up the NAS drive to only accept IP address starting from within my own range AAA.BBB.CC.1 - AAA.BBB.CC.255, after i set up a notification event and then started to failed to log in via user account every few minutes from various different IP addresses. I only use the NAS drive internally, it has no need to be accessed from the internet.
Now i am completely paranoid, that A) the malware is still present, B) the NAS drive is still vulnerable and C) only accepting from the limited range of address, means that i may block access to the NAS drive from my own network, which is all i want it to do.
I can see Web Server and WebDav are both enabled, should these be disabled?
Can anyone advise if i have done the right thing, or is there a better way to prevent access?

i have TS-231 , 2 drive 1TB
Firmware version 4.3.6.1620 Build 20210322

User avatar
OneCD
Ask me anything
Posts: 8975
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: confidence shaken after QSnatch email

Post by OneCD » Mon Apr 12, 2021 4:46 am

Hi and welcome to the forum. :)

First thing to do: login to your router and ensure there are no port-forward rules that point to your NAS IP. Also ensure the UPnP service is disabled in your router. Then reboot the router. This will stop any incoming attacks so you can begin to fix the NAS.

It's OK to ignore QNAP's advice to change ports in the NAS. It's not needed and won't make things any better.
Waypastme wrote:
Mon Apr 12, 2021 4:35 am
I can see Web Server and WebDav are both enabled, should these be disabled?
If you don't use these services (and it sounds like you don't), then disable them. Disabling services you don't use (and the NAS doesn't require) is always a good idea.

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage

Waypastme
New here
Posts: 5
Joined: Mon Apr 12, 2021 3:54 am

Re: confidence shaken after QSnatch email

Post by Waypastme » Mon Apr 12, 2021 5:45 am

Thank you OneCD.
i had no port forwarding rules set up, but i want to be sure if i stop the UPnP , it doesnt affect anything else. my router is saying to turn off Port forwarding and Port trigger. I see no rules under these, but are these used by devices on my network for any reason? Such as games machines?
I have disabled the webserver on the qnap.

User avatar
OneCD
Ask me anything
Posts: 8975
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: confidence shaken after QSnatch email

Post by OneCD » Mon Apr 12, 2021 6:02 am

Waypastme wrote:
Mon Apr 12, 2021 5:45 am
i had no port forwarding rules set up, but i want to be sure if i stop the UPnP , it doesnt affect anything else. my router is saying to turn off Port forwarding and Port trigger. I see no rules under these, but are these used by devices on my network for any reason? Such as games machines?
I can't guarantee that as I've no-idea what else is on your LAN. ;)

If you've disabled the UPnP service in your router, then any LAN devices that run services listening for connections from the Internet (not within your LAN) may require you to manually create port-forwarding rules for them in the router. For now, the important bit is to ensure there are no port-forwards to your NAS.

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage

Waypastme
New here
Posts: 5
Joined: Mon Apr 12, 2021 3:54 am

Re: confidence shaken after QSnatch email

Post by Waypastme » Mon Apr 12, 2021 6:17 am

ok thank you. I will perform that overnight and check it hasnt effected anyone else in the house.

User avatar
OneCD
Ask me anything
Posts: 8975
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: confidence shaken after QSnatch email

Post by OneCD » Mon Apr 12, 2021 6:30 am

Waypastme wrote:
Mon Apr 12, 2021 4:35 am
Now i am completely paranoid, that A) the malware is still present, B) the NAS drive is still vulnerable and C) only accepting from the limited range of address, means that i may block access to the NAS drive from my own network, which is all i want it to do.
OK, you've taken care of B) and C) which just leaves A).

Is the NAS behaving in a way that might suggest it is running malware? Any strange-looking filenames in your shared folders? Any oddly-named QPKGs installed in your QTS App Center? Any high CPU usage (or is the NAS slow to respond to requests?) - although this last one might be quite normal for your old NAS. ;)

If you're still unsure, you can create a support ticket with QNAP and allow their help-desk to remote-access your NAS so they can check.

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage

User avatar
Moogle Stiltzkin
Ask me anything
Posts: 9877
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: confidence shaken after QSnatch email

Post by Moogle Stiltzkin » Mon Apr 12, 2021 8:25 am

Waypastme wrote:
Mon Apr 12, 2021 4:35 am
Now i am completely paranoid, that A) the malware is still present, B) the NAS drive is still vulnerable and C) only accepting from the limited range of address, means that i may block access to the NAS drive from my own network, which is all i want it to do.
I can see Web Server and WebDav are both enabled, should these be disabled?
Can anyone advise if i have done the right thing, or is there a better way to prevent access?

i have TS-231 , 2 drive 1TB
Firmware version 4.3.6.1620 Build 20210322
A few things here

1. Qsnatch is known as a zero day vulnerability. it went undetected for many months for which is infected devices.

2. the devices that got infected were IMPROPERLY EXPOSED TO THE INTERNET (you shouldn't do this to begin with). Use a VPN instead. Usually updating frequently especially if you are using for remote access is recommended, but like i said, qsnatch at the time was a zero day malware so even when you updated regularly, you may have still been susceptible at the time for a few months when it was undetected. BUT EVEN THEN, you would still have exposed your nas online e.g. by port forwarding 8080 which is your qts page, to the internet.

3. it was adviced to use malware remover. but there were instances where using malware remover didn't quite remove it because they malware authored changed it up a bit. but that is fine because there is the nuclear option.

to remove the malware for good

- update qts
- install and use malware remover
- remove the hdds and format them (this deletes everything, make sure you have backups of your data. ideally you should be having backups PRIOR to being infected, not after the fact. This is why it's good practise to maintain backups in case of these events)
- reinitialize QTS
- re run malware remover
- DO NOT EXPOSE YOUR NAS ONLINE again, or lessons were not learned :S . Use a vpn, update regularly (your qnap qts, your router, all client devices on that network), and accept that even this has some risk (so have a backup plan just in case)


afaik no other brands guarantee protection against zero day malware or vulnerabilities :' that is the way it is.

NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D
[^] QNAP TS-228
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

Waypastme
New here
Posts: 5
Joined: Mon Apr 12, 2021 3:54 am

Re: confidence shaken after QSnatch email

Post by Waypastme » Thu Apr 15, 2021 4:14 am

Thank you for your kind words and advice OneCD and Moogle. QNAP remoted onto my NAS drive, ran the logs and confirmed no malware present. I am not going down the nuclear option Moogle, I don't have the technical capability nor the required bravery to pull that one off. I've blocked all access to the NAS drive, except from IP addresses on my own network. If that interferes with the updates and so forth, then i will lift the list for a little while.
When i use the webpage to log into the QTS from my home PC it comes up with the 8080 number, which i assume is the port forwarding. is it okay to change that to another number and the NAS still be visible on my network? Or is this a waste of time , or overkill?
Thank you again.

syncthing
Know my way around
Posts: 119
Joined: Mon Aug 13, 2018 4:58 pm

Re: confidence shaken after QSnatch email

Post by syncthing » Thu Apr 15, 2021 4:40 am

Waypastme wrote:
Mon Apr 12, 2021 4:35 am
Hi
i received an email from my ISP, saying "The qsnatch malware was detected on a device using your internet connection or home network on 04 April 2021."
just out of curiosity, the email was really from your ISP?

Waypastme
New here
Posts: 5
Joined: Mon Apr 12, 2021 3:54 am

Re: confidence shaken after QSnatch email

Post by Waypastme » Thu Apr 15, 2021 4:53 am

it was. the places it told me to check were bonafide and the mail contained no hyperlinks. i was also able to cross reference it to another website and also QNAP's website

QNAPDanielFL
Easy as a breeze
Posts: 344
Joined: Fri Mar 31, 2017 7:09 am

Re: confidence shaken after QSnatch email

Post by QNAPDanielFL » Thu Apr 15, 2021 5:17 am

If you don't forward ports that should prevent you from getting Qsnatch the first time. But if you have it already, and then disable port forwarding, Qsnatch can update itself by calling out to a C2 server.
"There are lots of variants. Since it remotely connects to C2 server, it can be modified to resist new updates from malware remover."
https://www.reddit.com/r/qnap/comments/ ... 020_march/

If you have trouble getting rid of Qsnatch, tech support can help. If you get rid of it, then you can change your username and password.

User avatar
OneCD
Ask me anything
Posts: 8975
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: confidence shaken after QSnatch email

Post by OneCD » Thu Apr 15, 2021 5:20 am

Waypastme wrote:
Thu Apr 15, 2021 4:14 am
QNAP remoted onto my NAS drive, ran the logs and confirmed no malware present.
Great! :D
Waypastme wrote:
Thu Apr 15, 2021 4:14 am
When i use the webpage to log into the QTS from my home PC it comes up with the 8080 number, which i assume is the port forwarding. is it okay to change that to another number and the NAS still be visible on my network? Or is this a waste of time , or overkill?
Yup, a waste-of-time. As long as port 8080 isn't exposed in your router (via port-forwarding to your NAS), you're fine. Image

ImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImageImage

User avatar
Moogle Stiltzkin
Ask me anything
Posts: 9877
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....
Contact:

Re: confidence shaken after QSnatch email

Post by Moogle Stiltzkin » Thu Apr 15, 2021 7:51 am

Waypastme wrote:
Thu Apr 15, 2021 4:14 am
Thank you for your kind words and advice OneCD and Moogle. QNAP remoted onto my NAS drive, ran the logs and confirmed no malware present. I am not going down the nuclear option Moogle, I don't have the technical capability nor the required bravery to pull that one off. I've blocked all access to the NAS drive, except from IP addresses on my own network. If that interferes with the updates and so forth, then i will lift the list for a little while.
When i use the webpage to log into the QTS from my home PC it comes up with the 8080 number, which i assume is the port forwarding. is it okay to change that to another number and the NAS still be visible on my network? Or is this a waste of time , or overkill?
Thank you again.
if you're not comfortable doing it urself, send it to a tech repair shop and ask them to do it for you. thats what i do when i have something difficult i can't do myself :)
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D
[^] QNAP TS-228
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

Post Reply

Return to “Users' Corner”