-
onehans
- Know my way around
- Posts: 176
- Joined: Sun Nov 23, 2014 7:51 am
by onehans » Fri Dec 04, 2020 6:08 am
Hi, I just noticed that I got DOVECAT running out of the tmp folder. After deleting it, it comes back.
Is there anything suspicious in here? (Where else can I look for traces?)
Thanks
Code:
[~] # crontab -l
10 15 * * * /usr/bin/power_clean -c 2>/dev/null
0-59/20 3 * * * /sbin/adjust_time
0 1 * * * /etc/init.d/flush_memory.sh >/dev/null 2>&1
0 3 * * * /sbin/clean_reset_pwd
0-59/15 * * * * /etc/init.d/nss2_dusg.sh
30 7 * * * /sbin/clean_upload_file
0 2 * * * /sbin/qfstrim
0-59/10 * * * * /etc/init.d/storage_usage.sh
30 3 * * * /sbin/notice_log_tool -v -R
*/10 * * * * /sbin/config_cache_util 0
0 3 * * * /bin/rm -rf /mnt/HDA_ROOT/twonkymedia/twonkymedia.db/cache/*
34 9,21 * * * /sbin/notify_update --nc 1>/dev/null 2>&1
00 03 * * * sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh scan;#_QSC_:MalwareRemover:malware_remover_schedule:None:d::
0 4,16 * * * /sbin/hwclock -s
0 3 * * 0 /sbin/hal_event --pd_self_test dev_id=0x00000002,action=2
12 2 * * * /sbin/hal_event --pd_self_test dev_id=0x00000002,action=1
49 4 * * * /share/CACHEDEV1_DATA/.qpkg/HybridBackup/rr2/scripts/insight/insight.sh -runall >/dev/null 2>&1
00 02 * * * sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/Upgrade.sh;#_QSC_:MalwareRemover:malware_remover_upgrade:None:d::
0 0 * * * /share/CACHEDEV1_DATA/.qpkg/Qcenter/qnap-cms/bin/log_retention.sh > /dev/null
0 0 * * * /share/CACHEDEV1_DATA/.qpkg/Qcenter/qnap-cms/bin/nasconfig_retention.sh > /dev/null
* * * * * /var/cache/netmgr/lock_timer.sh
50 7 * * * /sbin/qpkg_cli --check_license 0 > /dev/null 2>/dev/null
0 4 * * * /etc/init.d/wsd.sh restart
0 3 * * * /sbin/vs_refresh
4 3 * * 3 /etc/init.d/backup_conf.sh
0 2 * * 0 /usr/local/medialibrary/bin/mymediadbcmd checkRepairDB >/dev/null 2>&1
0 12 * * * /mnt/ext/opt/LicenseCenter/bin/qlicense_tool local_check
0 0 * * * /usr/local/sbin/qsh nc.archive >/dev/null 2>&1
40 10 * * * /mnt/ext/opt/QcloudSSLCertificate/bin/ssl_agent_cli
35 7 * * * /sbin/qsyncsrv_util -c > /dev/null 2>/dev/null
0 0 * * * /sbin/qsyncsrv_tool --fix > /dev/null 2>/dev/null
* 4 * * * /usr/sbin/logrotate /etc/config/mc_logr.conf
-
jaysona
- Easy as a breeze
- Posts: 452
- Joined: Tue Dec 02, 2008 11:26 am
- Location: Somewhere in the Great White North
by jaysona » Fri Dec 04, 2020 7:18 am
-
pgh1949
- Starting out
- Posts: 12
- Joined: Thu Feb 04, 2016 5:00 pm
by pgh1949 » Thu Jan 14, 2021 7:54 pm
I've had the same problem and reported it to QNAP using the link on the page referred to in the previous post. The reply was basically: turn everything unnecessary off, change passwords and keep firmware up to date. With all due respect, this is very generic advice, which I follow anyway.
After further research it seems this is a Bitcoin miner malware. As well as running the CPU at almost maximum, there was a constant upload of approx 3 MB/s. Using SSH I found a dovecat folder and dovecat.b64 in the /tmp folder and deleted them both. I then rebooted the NAS and it seemed to be running normally. However, it would be good to have some sort of official response that others could refer to.
After a couple of weeks I just discovered dovecat was installed and running again. It's not been picked up by QNAP Malware Remover, Antivirus nor McAfee Antivirus, which I bought. So I'm at a loss as to what more I can do to stop it.
-
dolbyman
- Guru
- Posts: 21172
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
by dolbyman » Thu Jan 14, 2021 10:36 pm
Kill your NAS and start from scratch... After that, do not expose your NAS to WAN (no UPnP or manual port forwards) to avoid getting hacked again.
QNAP does not come here, so no official statement will arise from your post.
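
An added example, not part of the thread and not QNAP's code: a POSIX sh triage script for the two places the posts above point at, the crontab listing in the first post and the files found under /tmp in pgh1949's post. The directory list, the function names and the sample crontab are assumptions of this example.

```shell
#!/bin/sh
# Added triage example, not from the thread. Assumption: a cron entry or a
# running binary under a volatile, world-writable directory deserves a manual
# look. The directory list is this example's choice.
VOLATILE_DIRS='/tmp/ /var/tmp/ /dev/shm/'

# in_volatile TEXT: succeed if TEXT references a path rooted in a volatile dir
# (at the start of TEXT, or right after a character outside [A-Za-z0-9_./-]).
in_volatile() {
    for d in $VOLATILE_DIRS; do
        case "$1" in
            "$d"*|*[!A-Za-z0-9_./-]"$d"*) return 0 ;;
        esac
    done
    return 1
}

# flag_cron_lines: read `crontab -l` output on stdin, print suspicious entries.
flag_cron_lines() {
    while IFS= read -r line; do
        set -f; set -- $line; set +f          # split fields without globbing "*"
        case "${1:-}" in
            ''|'#'*) continue ;;              # blank line or comment
            @*) shift ;;                      # @reboot-style: one schedule field
            *) [ $# -gt 5 ] || continue; shift 5 ;;   # five schedule fields
        esac
        if in_volatile "$*"; then printf '%s\n' "$line"; fi
    done
}

# procs_in_volatile: print "PID EXE" for processes whose executable is in a
# volatile dir; a binary deleted after launch shows as "PATH (deleted)".
procs_in_volatile() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        if in_volatile "$exe"; then printf '%s %s\n' "${p#/proc/}" "$exe"; fi
    done
}

# Constructed sample: two entries from the listing in the thread plus two
# made-up entries that run from volatile directories.
SAMPLE_CRONTAB='0 2 * * * /sbin/qfstrim
* * * * * /var/cache/netmgr/lock_timer.sh
*/5 * * * * /tmp/example_dir/example_bin >/dev/null 2>&1
@reboot sh /dev/shm/example.sh'

printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
# Live system: crontab -l | flag_cron_lines; procs_in_volatile
```

An empty result only means nothing is scheduled or running from those directories; it does not show the system is clean.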