FastCG1 - Virus?

deakgyuri
Starting out
Posts: 10
Joined: Sun Feb 18, 2018 5:03 pm

FastCG1 - Virus?

Post by deakgyuri »

Hi,

I have noticed my Qnap TS-453A NAS getting really slow.

I found a process named FastCG1 which had 100% processor and memory usage. I killed it via SSH, but it always came back.

I decided to upgrade the firmware, but I had to kill this process because the NAS would not restart because of the high processor usage. During this I noticed a wget request, see attached.
putty.png
Checked this site and I am not sure this is a system file.

The downloaded file is attached as a zip, but the ".zip" was just added by me because it would not let me upload it otherwise. The original file is xmrig.x86_64.

What do you think?
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: FastCG1 - Virus?

Post by AlastairStevenson »

Checked this site and I am not sure this is a system file.
The file appears to be a crypto-currency miner.

https://www.google.co.uk/search?q=xmrig.x86_64
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
deakgyuri
Starting out
Posts: 10
Joined: Sun Feb 18, 2018 5:03 pm

Re: FastCG1 - Virus?

Post by deakgyuri »

Ahh yes, you are right.

How can I kill this? If I kill the process, it comes back in a few seconds.
dolbyman
Guru
Posts: 35244
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: FastCG1 - Virus?

Post by dolbyman »

Kill your NAS (you have no idea where and what has been compromised)
Start it from scratch
Never ever expose it again to WAN

You could also open a ticket with QNAP, so they can update Malware Remover based on your case.
Last edited by dolbyman on Mon Oct 18, 2021 8:53 pm, edited 1 time in total.
deakgyuri
Starting out
Posts: 10
Joined: Sun Feb 18, 2018 5:03 pm

Re: FastCG1 - Virus?

Post by deakgyuri »

Thanks for info,

I killed the processes continuously; it appeared in Browser Station, then App Center, then Container Station.
I killed all cron processes and now it looks OK; I updated the malware scan and since then nothing has happened.
Unfortunately Malware Remover has no logs...

I have used this as a VPN server and web server for years. Sometimes I had a few issues, but those were solved more easily than this.

Ticket opened.
deakgyuri
Starting out
Posts: 10
Joined: Sun Feb 18, 2018 5:03 pm

Re: FastCG1 - Virus?

Post by deakgyuri »

It looks like the issue is solved for now:
- WAN disabled
- /usr/bin/FastCG1 -> Deleted
- /user/bin/config.json -> Deleted
- /tmp -> Deleted all files

The opened port is limited to specific IPs in the firewall.
cfullmer
New here
Posts: 5
Joined: Tue Nov 09, 2021 4:19 am

Re: FastCG1 - Virus?

Post by cfullmer »

Hello,

I am having this same issue; I was wondering if it came back for you. I did what you tried. It did remove it and stop it, but after a server restart it comes back.

Thanks for any info.
dolbyman
Guru
Posts: 35244
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: FastCG1 - Virus?

Post by dolbyman »

Did you read my posting about killing the NAS?
cfullmer
New here
Posts: 5
Joined: Tue Nov 09, 2021 4:19 am

Re: FastCG1 - Virus?

Post by cfullmer »

That's not really an option at this stage, as we try to gather some of the important data and other functions of our system. I was more curious whether deakgyuri saw it return after a restart. I want to work with QNAP more on this to update the malware tool with some of my info. I am curious how this forum topic is the only info on this threat; it looks really new from what I can find.

Thanks again.
dolbyman
Guru
Posts: 35244
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: FastCG1 - Virus?

Post by dolbyman »

Probably limited to a specific kind of vulnerability (outdated WordPress or phpMyAdmin running on the NAS).

So did you contact QNAP already (if you want to work with them)?

On top of that, you have no idea what this malware does next; it could sideload ransomware and then all your (apparently business) data is gone.
cfullmer
New here
Posts: 5
Joined: Tue Nov 09, 2021 4:19 am

Re: FastCG1 - Virus?

Post by cfullmer »

I have contacted them but no response as of yet. It does use phpMyAdmin for an internal website.

I am not too worried about the ransomware due to our backup strategy. I'm more trying to keep it going until an out-of-business day so I can do more to remedy the issue.

Do you think just a factory reset on the system but leaving the data intact would be enough? Or recover the data from an older backup and lose about 3-4 days of work?
dolbyman
Guru
Posts: 35244
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: FastCG1 - Virus?

Post by dolbyman »

I would kill each drive with diskpart (the OS is on the drives) and then restore the files from your most recent backups. Also take a peek at your autorun.sh (malware likes to add encrypted stuff in there to bootstrap itself even after a reset).

https://wiki.qnap.com/wiki/Running_Your ... at_Startup
cfullmer
New here
Posts: 5
Joined: Tue Nov 09, 2021 4:19 am

Re: FastCG1 - Virus?

Post by cfullmer »

From what I can see, autorun.sh is not enabled and the file is empty. As soon as I started updating three of my apps in the App Center, the process FastCG1 started running again under the process of whatever app was updating. So it looks like it waits until something installs, updates or checks for updates, then runs.
cfullmer
New here
Posts: 5
Joined: Tue Nov 09, 2021 4:19 am

Re: FastCG1 - Virus?

Post by cfullmer »

This is what I get looking at the conf folder. I don't see anything unless I am missing something.
deakgyuri
Starting out
Posts: 10
Joined: Sun Feb 18, 2018 5:03 pm

Re: FastCG1 - Virus?

Post by deakgyuri »

Sorry, I did not read the post because I did not see that process, and QNAP finally contacted me, but they did nothing except delete FastCG1.
Today I noticed the XMRig again. I have no idea where it came from.

I did start the program; now I can see they are coming from 8.214.124.124:17777.

Actually I am making another backup, then I will delete the whole OS.
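As an added example (not code from the thread, from QNAP, or from any poster), here is a read-only triage script for the indicators named across this thread: the FastCG1 and xmrig process names, the files deakgyuri deleted, the autorun.sh check dolbyman suggests, and the 8.214.124.124:17777 connection deakgyuri observed. The path /usr/bin/config.json, the /tmp/xmrig.x86_64 location and all sample listings are assumptions constructed so the script runs stand-alone; on a NAS, feed it live `ps`, `netstat -an` and autorun.sh output instead.

```shell
#!/bin/sh
# Added triage example, not from the thread or QNAP. Each function takes a listing
# as its argument so it works on a saved snapshot as well as on live command output.

# Process names reported in the thread (FastCG1, xmrig), matched case-insensitively.
find_miner_procs() {
    printf '%s\n' "$1" | grep -Ei 'FastCG1|xmrig' || true
}

# Connections to the pool/C2 port deakgyuri saw (17777), from `netstat -an` output.
find_pool_connections() {
    printf '%s\n' "$1" | grep -E ':17777[[:space:]]' || true
}

# autorun.sh is suspicious if it contains anything besides comments and blank lines.
autorun_suspicious() {
    if printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' | grep -q .; then
        echo yes
    else
        echo no
    fi
}

# File artifacts from the thread; the config.json path and /tmp location are assumptions.
check_artifacts() {
    for f in /usr/bin/FastCG1 /usr/bin/config.json /tmp/xmrig.x86_64; do
        [ -e "$f" ] && echo "present: $f"
    done
    return 0
}

# Constructed sample inputs so the script runs offline.
SAMPLE_PS='  PID USER  %CPU COMMAND
    1 admin  0.0 init
 4321 admin 99.0 /usr/bin/FastCG1 -c /usr/bin/config.json
  999 admin  0.1 /usr/sbin/sshd'
SAMPLE_NET='tcp 0 0 192.168.1.10:45210 8.214.124.124:17777 ESTABLISHED
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN'
SAMPLE_AUTORUN='#!/bin/sh
# nothing enabled here'

# Live run: pass "$(ps)", "$(netstat -an)" and "$(cat /path/to/autorun.sh)" instead.
find_miner_procs "$SAMPLE_PS"
find_pool_connections "$SAMPLE_NET"
echo "autorun.sh suspicious: $(autorun_suspicious "$SAMPLE_AUTORUN")"
check_artifacts
```

Run it before deleting anything so the output can go into the QNAP ticket; the process and connection lines are what a support engineer or a Malware Remover signature update would need.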