Is my NAS hacked? tunnel_agent/bin/cloudinstallagent

Sugarcube21
New here
Posts: 6
Joined: Mon Feb 06, 2023 3:03 am

Is my NAS hacked? tunnel_agent/bin/cloudinstallagent

Post by Sugarcube21 »

Hi,
So my NAS has become sluggish/slow to boot.

In the top command, I see a reference to cloudinstallagent. Is this a rogue process?

Code:

Mem: 7721984K used, 560704K free, 717760K shrd, 3598016K buff, 2695936K cached
CPU:  0.4% usr  0.6% sys  0.0% nic 98.9% idle  0.0% io  0.0% irq  0.0% sirq
Load average: 0.00 0.11 0.75 2/261 32385
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
 2514     1 admin    S    2031m 25.1   0  0.6 /sbin/hal_daemon -f
 7505     1 admin    S    30016  0.3   2  0.0 /sbin/lcdmond
 9008  8908 admin    S    22208  0.2   0  0.0 sshd: admin@pts/0
32103  9044 admin    R     4096  0.0   1  0.0 top
   10     2 admin    SW       0  0.0   1  0.0 [migration/1]
22319     1 admin    S     294m  3.6   1  0.0 /sbin/cs_qdaemon
 7404     1 admin    S     252m  3.1   0  0.0 /tunnel_agent/python/bin/python /tunnel_agent/bin/cloudinstallagent
21139     1 admin    S     219m  2.7   0  0.0 /usr/sbin/rsyslogd -f /etc/rsyslog_only_klog.conf -c4 -M /usr/local/lib/rsyslog/
 6747     1 admin    S     172m  2.1   2  0.0 /sbin/qShield
 3179     1 admin    S     110m  1.3   2  0.0 /sbin/bcclient
 2859     1 admin    S    85824  1.0   0  0.0 /sbin/lvmetad
 6725     1 admin    S    37056  0.4   2  0.0 qLogEngined: Write log is disabled...
 6735     1 admin    S    36864  0.4   2  0.0 qNoticeEngined: Write notice is enabled...
 8178     1 admin    S    23104  0.2   0  0.0 /sbin/upnpcd -i 300
 8197     1 admin    S    22656  0.2   3  0.0 /sbin/daemon_mgr
24708  8908 admin    S    22208  0.2   0  0.0 sshd: admin@notty
 8908     1 admin    S    22208  0.2   2  0.0 /usr/sbin/sshd -f /etc/config/ssh/sshd_config -p 22
 6585     1 admin    S    22144  0.2   2  0.0 /usr/local/sbin/_thttpd_ -p 8080 -nor -nos -u admin -d /home/httpd -c **.* -i /var/lock/._thttpd_.pid
 6710     1 admin    S    20544  0.2   2  0.0 /usr/sbin/ntpdated
 5830     1 admin    S    19840  0.2   3  0.0 /usr/local/bin/ifd
 5955     1 admin    S    11648  0.1   1  0.0 /usr/sbin/dhclient -6 -nw -S -cf /etc/dhcp/dh6dns.conf -lf /dev/null -e FPATH=/var/lib/dh6dns -sf /sbin/dh6dns-script -pf /var/lib/dh6dns/eth2.pid eth2
 5858     1 admin    S    11648  0.1   2  0.0 /usr/sbin/dhclient -4 -nw -D CLID -cf /etc/dhcp/dhclient.conf -lf /etc/config/dhclient/eth2.leases -pf /var/lib/dhclient/eth2.pid eth2
 6813     1 admin    S     7040  0.0   2  0.0 /usr/sbin/stunnel /etc/stunnel/stunnel.conf
20812     1 admin    S     6912  0.0   1  0.0 /sbin/cs_daemon
 9044  9008 admin    S     6208  0.0   1  0.0 -sh
 7079     1 guest    S     4736  0.0   0  0.0 avahi-daemon: running [NAS2BE447.local]
24713 24708 admin    S     4416  0.0   1  0.0 -sh
 7922     1 admin    S     3776  0.0   3  0.0 {cloudinstall_ag} /bin/sh /tunnel_agent/bin/cloudinstall_agent_daemon.sh
 7921     1 admin    S     3776  0.0   3  0.0 {cloudinstall_ag} /bin/sh /tunnel_agent/bin/cloudinstall_agent_disconnect_daemon.sh start
 2113     1 admin    S     3712  0.0   1  0.0 udevd --daemon
 6948     1 guest    S     3712  0.0   3  0.0 /usr/sbin/dbus-daemon --system
23892  2113 admin    S     3712  0.0   0  0.0 udevd --daemon
23899  2113 admin    S     3712  0.0   1  0.0 udevd --daemon
    1     0 admin    S     3520  0.0   1  0.0 init
 4047     1 admin    S     3520  0.0   2  0.0 tail -f /var/log/network/err_log
 4050     1 admin    S     3520  0.0   1  0.0 tail -f /var/log/network/events_log
 8240     1 admin    S     3520  0.0   0  0.0 /sbin/getty 115200 ttyS0
 8241     1 admin    S     3520  0.0   2  0.0 /sbin/getty 115200 tty2
32380  7922 admin    S     3328  0.0   2  0.0 sleep 5
32384  7921 admin    S     3328  0.0   2  0.0 sleep 5
 5971     1 admin    S     3200  0.0   1  0.0 /sbin/dnsmasq
 5818  5817 admin    S     3136  0.0   3  0.0 /sbin/rdnssd -r /var/lib/rdnssd/ -p /var/run/network/rdnssd.pid -u admin
 5817     1 admin    S     2560  0.0   1  0.0 /sbin/rdnssd -r /var/lib/rdnssd/ -p /var/run/network/rdnssd.pid -u admin
 3075     1 admin    S <   2432  0.0   3  0.0 {qwatchdogd} qWatchdogd: keeping alive every 1 seconds...
 4048     1 admin    S     2240  0.0   3  0.0 /usr/local/network/bin/logrotate /var/log/network/err.log 102400
 4051     1 admin    S     2048  0.0   3  0.0 /usr/local/network/bin/logrotate /var/log/network/events.log 102400
 1764     2 admin    SW       0  0.0   1  0.0 [irq/233-mv14xx-]
 1765     2 admin    SW       0  0.0   2  0.0 [irq/234-mv14xx-]
   15     2 admin    SW       0  0.0   2  0.0 [ksoftirqd/2]
   11     2 admin    SW       0  0.0   1  0.0 [ksoftirqd/1]
23832     2 admin    SW       0  0.0   1  0.0 [md1_raid5]
    7     2 admin    SW       0  0.0   0  0.0 [rcu_sched]
  645     2 admin    SW       0  0.0   2  0.0 [kswapd0]
    3     2 admin    SW       0  0.0   0  0.0 [ksoftirqd/0]
30536     2 admin    SW       0  0.0   0  0.0 [kworker/u8:2]
24224     2 admin    SW       0  0.0   1  0.0 [jbd2/dm-16-8]
16930     2 admin    SW       0  0.0   3  0.0 [md2_raid5]
   19     2 admin    SW       0  0.0   3  0.0 [ksoftirqd/3]
 1766     2 admin    SW       0  0.0   0  0.0 [irq/235-mv14xx-]
   18     2 admin    SW       0  0.0   3  0.0 [migration/3]
  459     2 admin    SW<      0  0.0   0  0.0 [kworker/0:1H]
  457     2 admin    SW       0  0.0   2  0.0 [kworker/2:1]
   14     2 admin    SW       0  0.0   2  0.0 [migration/2]
 1767     2 admin    SW       0  0.0   3  0.0 [irq/236-mv14xx-]
    9     2 admin    SW       0  0.0   0  0.0 [migration/0]
20001     2 admin    SW       0  0.0   3  0.0 [dmcrypt_write]
 1662     2 admin    SW       0  0.0   1  0.0 [mmcqd/0]
22265     2 admin    SW       0  0.0   3  0.0 [kworker/3:2]
26975     2 admin    SW       0  0.0   1  0.0 [kworker/u8:1]
 9508     2 admin    SW       0  0.0   0  0.0 [kworker/0:2]
30523     2 admin    SW       0  0.0   1  0.0 [kworker/1:2]
 2018     2 admin    SW<      0  0.0   2  0.0 [kworker/2:1H]
 2022     2 admin    SW<      0  0.0   1  0.0 [kworker/1:1H]
21513     2 admin    SW       0  0.0   2  0.0 [jbd2/dm-8-8]
 2024     2 admin    SW<      0  0.0   3  0.0 [kworker/3:1H]
 7321     2 admin    SW<      0  0.0   2  0.0 [loop0]
30952     2 admin    SW       0  0.0   1  0.0 [kworker/u8:0]
 3068     2 admin    SW       0  0.0   1  0.0 [notify thread]
    2     0 admin    SW       0  0.0   0  0.0 [kthreadd]
    5     2 admin    SW<      0  0.0   0  0.0 [kworker/0:0H]
    8     2 admin    SW       0  0.0   0  0.0 [rcu_bh]
   13     2 admin    SW<      0  0.0   1  0.0 [kworker/1:0H]
Mem: 7717824K used, 564864K free, 717760K shrd, 3598016K buff, 2695936K cached
CPU:  0.2% usr  0.5% sys  0.0% nic 99.1% idle  0.0% io  0.0% irq  0.0% sirq
Load average: 0.00 0.11 0.75 2/261 32399

dolbyman
Guru
Posts: 35275
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Is my NAS hacked? tunnel_agent/bin/cloudinstallagent

Post by dolbyman »

Was your NAS web exposed? If not, a compromised NAS is unlikely.

The only reference I find is some malware report on (what looks like) a qsync install script:

https://www.hybrid-analysis.com/sample/ ... 5b200ff4f3
Sugarcube21
New here
Posts: 6
Joined: Mon Feb 06, 2023 3:03 am

Re: Is my NAS hacked? tunnel_agent/bin/cloudinstallagent

Post by Sugarcube21 »

Only recently I locked it down to be Plex only.

That malware site seems to match the 64 MB RAMDISK I'm seeing:

Malware extract:

Code:

# create ramdisk and create a 64mb file
/bin/dd if=/dev/zero of=$CLOUD_INSTALL_RAMDISK_PATH/image bs=1M count=64
/bin/mkdir -p $CLOUD_INSTALL_RAMDISK_PATH
/bin/mount -t tmpfs -o size=64m tmpfs $CLOUD_INSTALL_RAMDISK_PATH
/bin/rm -rf $CLOUD_INSTALL_RAMDISK_PATH
/sbin/mke2fs -b 1024 $CLOUD_INSTALL_RAMDISK_PATH/image
CLOUD_INSTALL_RAMDISK_PATH=/tunnel_agent_ramdisk
export USED_LOOP_DEVICE=`/usr/local/sbin/losetup -f $CLOUD_INSTALL_RAMDISK_PATH/image`

Code:

[~] # df -h
Filesystem                Size      Used Available Use% Mounted on
none                    650.0M    632.1M     17.9M  97% /
devtmpfs                  3.9G         0      3.9G   0% /dev
tmpfs                    64.0M      4.2M     59.8M   7% /tmp
tmpfs                     3.9G         0      3.9G   0% /dev/shm
tmpfs                    16.0M         0     16.0M   0% /share
tmpfs                    16.0M         0     16.0M   0% /mnt/snapshot/export
cgroup_root               3.9G         0      3.9G   0% /sys/fs/cgroup
tmpfs                    24.0M    512.0K     23.5M   2% /smb_tmp
tmpfs                    64.0M     64.0M         0 100% /tunnel_agent_ramdisk
/dev/loop0               62.0M     51.9M      6.9M  88% /tunnel_agent
Last edited by Sugarcube21 on Tue Feb 07, 2023 1:01 pm, edited 1 time in total.
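The check the two posts above are doing by hand, correlating the `top` listing with `df -h` to see which processes run from the loop-mounted /tunnel_agent and the tmpfs ramdisk, written up as a small triage script. This is an added example, not code from the thread or from QNAP; it assumes BusyBox `top` and `df -h` column layouts as posted above, and the samples are constructed from those posts.

```python
"""Correlate a BusyBox `top` listing with `df -h` and flag processes whose command
line references files on tmpfs or a loop device: the pattern seen in the thread."""
import re
# Constructed sample, cut down from the top and df output posted above.
TOP_SAMPLE = """\
  PID  PPID USER     STAT   VSZ %VSZ CPU %CPU COMMAND
 7404     1 admin    S     252m  3.1   0  0.0 /tunnel_agent/python/bin/python /tunnel_agent/bin/cloudinstallagent
 7922     1 admin    S     3776  0.0   3  0.0 {cloudinstall_ag} /bin/sh /tunnel_agent/bin/cloudinstall_agent_daemon.sh
32380  7922 admin    S     3328  0.0   2  0.0 sleep 5
 8908     1 admin    S    22208  0.2   2  0.0 /usr/sbin/sshd -f /etc/config/ssh/sshd_config -p 22
 3075     1 admin    S <   2432  0.0   3  0.0 {qwatchdogd} qWatchdogd: keeping alive every 1 seconds...
"""
DF_SAMPLE = """\
Filesystem                Size      Used Available Use% Mounted on
none                    650.0M    632.1M     17.9M  97% /
tmpfs                    64.0M     64.0M         0 100% /tunnel_agent_ramdisk
/dev/loop0               62.0M     51.9M      6.9M  88% /tunnel_agent
"""
# Columns: PID PPID USER STAT VSZ %VSZ CPU %CPU COMMAND; STAT can be "S <" (two tokens).
TOP_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+\S+(?:\s<)?\s+\S+\s+[\d.]+\s+\d+\s+[\d.]+\s+(.*)$")
PATH_RE = re.compile(r"(?<![\w.@-])(/[\w./-]+)")  # absolute paths anywhere in the command line

def parse_df(text):
    """Map each mount point to its filesystem/device column, skipping the header."""
    rows = [line.split() for line in text.splitlines()[1:]]
    return {r[5]: r[0] for r in rows if len(r) >= 6}

def parse_top(text):
    """Yield (pid, ppid, user, command); the header row does not match the regex."""
    for m in filter(None, map(TOP_RE.match, text.splitlines())):
        yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)

def mount_for(path, mounts):
    """Longest-prefix match of an absolute path against the known mount points."""
    hits = [mp for mp in mounts if mp != "/" and (path == mp or path.startswith(mp + "/"))]
    return max(hits, key=len) if hits else "/"

def find_processes_on_volatile_fs(top_text, df_text):
    """Return (pid, ppid, user, path, mount, filesystem) for each flagged path.
    Interpreter arguments count too: /bin/sh itself is on /, the script it runs is not."""
    mounts = parse_df(df_text)
    findings = []
    for pid, ppid, user, cmd in parse_top(top_text):
        for path in PATH_RE.findall(cmd):
            mp = mount_for(path, mounts)
            fs = mounts.get(mp, "?")
            if fs == "tmpfs" or fs.startswith("/dev/loop"):
                findings.append((pid, ppid, user, path, mp, fs))
    return findings
```

Run it on a workstation against the captured `top` and `df -h` text; a hit only means the process is worth a closer look (where the image came from, which package owns it), not that it is malicious.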
dolbyman
Guru
Posts: 35275
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Is my NAS hacked? tunnel_agent/bin/cloudinstallagent

Post by dolbyman »

Best to contact QNAP support for checking into it.