Virus on my QNAP?
-
- New here
- Posts: 4
- Joined: Wed Sep 27, 2017 11:00 pm
Virus on my QNAP?
Hi there! I'm a new user to QNAP, and recently I noticed that after updating to the latest QTS 4.3.3, my MalwareRemover has begun to remove some settings files which I do not seem to be able to see under the normal File Manager.
Does anyone know if I should be concerned about this and how do I go about resolving this if it is an issue?
Thank you!!
Type Date Time Users Source IP Computer name Content
Information 2017/09/27 03:00:09 System 127.0.0.1 localhost [MalwareRemover] Scan completed and malware deleted.
Information 2017/09/27 03:00:09 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//iscsi_lun_settings.cgi
Information 2017/09/27 03:00:08 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//net/extdriverequest.cgi
Information 2017/09/27 03:00:08 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//iscsitargetsetting.cgi
Information 2017/09/27 00:49:17 System 127.0.0.1 localhost [Antivirus] Virus definitions updated.
Information 2017/09/26 03:00:08 System 127.0.0.1 localhost [MalwareRemover] Scan completed and malware deleted.
Information 2017/09/26 03:00:08 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//iscsi_lun_settings.cgi
Information 2017/09/26 03:00:08 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//net/extdriverequest.cgi
Information 2017/09/26 03:00:07 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//iscsitargetsetting.cgi
Information 2017/09/26 00:49:21 System 127.0.0.1 localhost [Antivirus] Virus definitions updated.
Information 2017/09/25 03:00:10 System 127.0.0.1 localhost [MalwareRemover] Scan completed and malware deleted.
Information 2017/09/25 03:00:09 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//iscsitargetsetting.cgi
Information 2017/09/25 03:00:09 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//net/extdriverequest.cgi
Information 2017/09/25 03:00:09 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//iscsi_lun_settings.cgi
Information 2017/09/25 00:49:19 System 127.0.0.1 localhost [Antivirus] Virus definitions updated.
-
- Starting out
- Posts: 13
- Joined: Tue Apr 20, 2010 12:16 am
Re: Virus on my QNAP?
In my opinion you should be concerned.
I hope this helps all people having the same issue. If someone knows how to decipher the shell script in the cgi files, I would appreciate if they reply what the malware wants to achieve.
- I suggest you close all ports to the outside world.
- Change all passwords (especially admin)
- Remove any additional users which you don't know (on my system an admin user was added)
- The cgi files contain a shell script (I still have to investigate, but I assume it calls home .. to my knowledge to someone in Russia, looking at the IP address)
- Remove an additional entry from your crontab (it will probably start a script/executable every hour at 10 minutes past). It can be recognised by a directory in the MD0_Data starting with a dot and having a 'random' name.
- Remove the directory which was referred to in the added entry in crontab (it will probably contain two executables, one disguised as shell script)
-
- New here
- Posts: 4
- Joined: Mon Aug 14, 2017 8:51 am
Re: Virus on my QNAP?
I have this on my TS-451+ now. Were you able to successfully remove it?
Has anyone figured out what it is up to?
- dolbyman
- Guru
- Posts: 35253
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Virus on my QNAP?
all this seems to be in the webserver realm of the NAS
are you running an outdated wordpress, drupal, or other cms on it?
maybe it's attacking the web components of your NAS (apache, etc), ever thought about moving to a VM or container for webhosting?
-
- New here
- Posts: 4
- Joined: Mon Aug 14, 2017 8:51 am
Re: Virus on my QNAP?
I had redis running on a VM at some point.
I have Plex running but I usually keep that up to date.
I did have some plugins on Plex and HD Station that were old and seemingly not functional.
At this point though I have removed or disabled a lot of things.
Including removing and installing Plex. (had more to do with https://forums.plex.tv/discussion/28790 ... s-with-pms )
I have found and removed some entries from crontab.
Malware Remover removes files from cgi-bin.
When I restart there are:
unix 2 [ ACC ] STREAM LISTENING 45869 9930/alice /tmp/.@alice.xxx
unix 2 [ ACC ] STREAM LISTENING 55021 12908/qDmcd /tmp/.@qdmc.ipc.xxx
unix 2 [ ACC ] STREAM LISTENING 53711 12909/qRPlayerCente /tmp/.@qRPlayerCenter.xxx
udp 0 0 0.0.0.0:1900 0.0.0.0:* 12908/qDmcd
udp 0 0 localhost:60705 0.0.0.0:* 12908/qDmcd
udp 0 0 0.0.0.0:37208 0.0.0.0:* 12908/qDmcd
tcp 0 0 beecloud:49152 0.0.0.0:* LISTEN 12908/qDmcd
tcp 0 0 0.0.0.0:9813 0.0.0.0:* LISTEN 9930/alice
Stuck as to how to track this down.
- Trexx
- Ask me anything
- Posts: 5393
- Joined: Sat Oct 01, 2011 7:50 am
- Location: Minnesota
Re: Virus on my QNAP?
Easiest answer: Open a helpdesk ticket with QNAP. If it is a NEW malware version that Malware Remover isn't getting, they will update the tool for it.
Paul
Model: TS-877-1600 FW: 4.5.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x 1TB SK Hynix Gold
Ext. (HDD): TR-004 [RAID-5] 4 x 4TB HGST Ultrastar
RAM: Kingston HyperX Fury 64GB DDR4-2666
UPS: CP AVR1350
Model: TVS-673 32GB & TS-228a Offline
-----------------------------------------------------------------------------------------------------------------------------------------
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq
- dolbyman
- Guru
- Posts: 35253
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Virus on my QNAP?
check your autostart.sh, there might be some infection in there too
I think you had some part of your NAS exposed to the web (photostation, web login, etc) and that got you hacked, happened (and apparently still happens) a lot
-
- New here
- Posts: 4
- Joined: Mon Aug 14, 2017 8:51 am
Re: Virus on my QNAP?
I have a help desk ticket open.
I don't know where autostart.sh is. I have seen https://wiki.qnap.com/wiki/Running_Your ... at_Startup
but I have never set one up, is there a system default one?
Services I do access from outside: Plex, Download Station, File Station, which I guess includes the main web interface (8080).
- dolbyman
- Guru
- Posts: 35253
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Virus on my QNAP?
there is always an autostart.sh .. no need to create it
consider setting up a VPN ... presenting all those stations to the world is asking for trouble
- makreuro
- First post
- Posts: 1
- Joined: Wed Oct 25, 2017 10:15 pm
Re: Virus on my QNAP?
This month I got the well-known message from Malware Remover: "Scan completed - malware removed". After the upgrade of MalwareRemover, when we could finally see what the reason is, I found out that the problem could be in the:
[MalwareRemover] Malware removed: /home/httpd//cgi-bin/QPKG_RSS.cgi
[MalwareRemover] Malware removed: /home/httpd//cgi-bin/iscsi_lun_settings.cgi
I tried changing the password every day and received the same notification all the time (the log file never lists any login to the system).
Frustrated, I did a backup of my data to an external disk, reset the QNAP, and reformatted the disk. After this procedure, which took most of the weekend, MalwareRemover did not find anything wrong. Setting a new admin password and allowing access from only my IP addresses .. and .. around 10 hours of copying files back to the NAS. Checking again with MalwareRemover (clean). Recreating users with different account privileges and disabling all services except the minimum I need. MalwareRemover (still clean)
[/share/CACHEDEV1_DATA/.qpkg/MalwareRemover] # grep '\[\|Shell' /etc/config/qpkg.conf
[helpdesk]
Shell = /mnt/HDA_ROOT/update_pkg/helpdesk/helpdesk.sh
[ResourceMonitor]
Alt_Shell = /mnt/ext/opt/ResourceMonitor/qpkg_res.sh
[QcloudSSLCertificate]
Alt_Shell = /mnt/ext/opt/QcloudSSLCertificate/QcloudSSLCertificate.sh
[Python3]
Shell = /share/CACHEDEV1_DATA/.qpkg/Python3/Python3.sh
[MalwareRemover]
Shell = /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh
[QsyncServer]
Shell = /share/CACHEDEV1_DATA/.qpkg/QsyncServer/qsyncsrv.sh
[/share/CACHEDEV1_DATA/.qpkg/MalwareRemover] #
---------------
The life seems bright again ... for a week.
---------------
but ...
Today the electricity failed and the UPS safely shut down the NAS. After the restart the system log lists
...
[Malware Remover] Scan failed, error = 1
[MalwareRemover] Malware removed: /home/httpd//cgi-bin/QPKG_RSS.cgi
[MalwareRemover] Malware removed: /home/httpd//cgi-bin/iscsi_lun_settings.cgi
HOW!!!!
I took the drastic measure of deleting all corrupted .cgi files and later found out that ...
[Malware Remover] Scan completed and malware deleted.
[MalwareRemover] Malware removed: /share/CACHEDEV1_DATA/.BmuVyk/IOcBij
[MalwareRemover] Malware process killed: /share/CACHEDEV1_DATA/.BmuVyk/IOcBij(12956)
[MalwareRemover] Malware removed: /home/httpd//cgi-bin/iscsi_lun_settings.cgi
[Malware Remover] Start scanning.
I removed the .BmuVyk folder and files and MalwareRemover notified me with the satisfying message
[Malware Remover] Scan completed.
[Malware Remover] Start scanning.
But I still think that I'm not entirely clear
[/share/CACHEDEV1_DATA/.qpkg/MalwareRemover] # ./MalwareRemover.sh status
/share/CACHEDEV1_DATA/.qpkg/MalwareRemover/modules/02_autoupgrade.pyc is running
[/share/CACHEDEV1_DATA/.qpkg/MalwareRemover] # 2017-10-25 16:38:12,721 gagdet.py:32 [qgagdet] CRITICAL Except Start
2017-10-25 16:38:12,722 gagdet.py:36 [qgagdet] CRITICAL <class 'FileNotFoundError'>
2017-10-25 16:38:12,723 gagdet.py:37 [qgagdet] CRITICAL [Errno 2] No such file or directory: 'docker'
2017-10-25 16:38:12,724 gagdet.py:38 [qgagdet] CRITICAL <traceback object at 0x2b34e6e8>
2017-10-25 16:38:12,725 gagdet.py:42 [qgagdet] CRITICAL <class 'FileNotFoundError'>
2017-10-25 16:38:12,726 gagdet.py:43 [qgagdet] CRITICAL [Errno 2] No such file or directory: 'docker'
2017-10-25 16:38:12,726 gagdet.py:44 [qgagdet] CRITICAL <traceback object at 0x2b34e6e8>
2017-10-25 16:38:12,727 gagdet.py:45 [qgagdet] CRITICAL function or module: __call__
2017-10-25 16:38:12,728 gagdet.py:46 [qgagdet] CRITICAL file: modules/gagdet.py
2017-10-25 16:38:12,729 gagdet.py:42 [qgagdet] CRITICAL <class 'FileNotFoundError'>
2017-10-25 16:38:12,730 gagdet.py:43 [qgagdet] CRITICAL [Errno 2] No such file or directory: 'docker'
2017-10-25 16:38:12,730 gagdet.py:44 [qgagdet] CRITICAL <traceback object at 0x2b34e710>
2017-10-25 16:38:12,731 gagdet.py:45 [qgagdet] CRITICAL function or module: execute
2017-10-25 16:38:12,732 gagdet.py:46 [qgagdet] CRITICAL file: modules/gagdet.py
2017-10-25 16:38:12,733 gagdet.py:42 [qgagdet] CRITICAL <class 'FileNotFoundError'>
2017-10-25 16:38:12,734 gagdet.py:43 [qgagdet] CRITICAL [Errno 2] No such file or directory: 'docker'
2017-10-25 16:38:12,734 gagdet.py:44 [qgagdet] CRITICAL <traceback object at 0x2b34e788>
2017-10-25 16:38:12,735 gagdet.py:45 [qgagdet] CRITICAL function or module: __init__
2017-10-25 16:38:12,736 gagdet.py:46 [qgagdet] CRITICAL file: /share/CACHEDEV1_DATA/.qpkg/Python3/python3/lib/python3.5/subprocess.py
2017-10-25 16:38:12,737 gagdet.py:42 [qgagdet] CRITICAL <class 'FileNotFoundError'>
2017-10-25 16:38:12,738 gagdet.py:43 [qgagdet] CRITICAL [Errno 2] No such file or directory: 'docker'
2017-10-25 16:38:12,738 gagdet.py:44 [qgagdet] CRITICAL <traceback object at 0x2b34e738>
2017-10-25 16:38:12,739 gagdet.py:45 [qgagdet] CRITICAL function or module: _execute_child
2017-10-25 16:38:12,740 gagdet.py:46 [qgagdet] CRITICAL file: /share/CACHEDEV1_DATA/.qpkg/Python3/python3/lib/python3.5/subprocess.py
2017-10-25 16:38:12,741 gagdet.py:48 [qgagdet] CRITICAL Except Done
Is it possible to secure a QNAP? This is becoming annoyingly frustrating.
- dolbyman
- Guru
- Posts: 35253
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Virus on my QNAP?
secure the QNAP by not allowing external connections (no port forwarding on the router)
possible infection in autostart.sh (that one is not on the drives, so even exchanging all disks and starting from scratch could get you reinfected)
Best to contact QNAP for investigation
- Trexx
- Ask me anything
- Posts: 5393
- Joined: Sat Oct 01, 2011 7:50 am
- Location: Minnesota
Re: Virus on my QNAP?
Also potential infection routes: Video Station/Photo Station/Music Station (etc.) if exposed via myQNAPCloud (check if they are set to public/private). Also check if Automatic router configuration is enabled (which is UPnP).
Paul
-
- Starting out
- Posts: 13
- Joined: Tue Apr 20, 2010 12:16 am
Re: Virus on my QNAP?
Today I noticed my NAS was again infected (or should I say still infected).
Detected that for all qpkg packages running (or which were running recently), the shell scripts were all altered. After '/bin/sh' there was unreadable code (at least for me) added before the remainder of the script.
Have removed these sections from all script files. Stopped all (except one to test) packages and restarted the system. Seems to be okay for now...
In previous replies the file autorun.sh is referred to. Can anyone bring more clarity on where this file is located? I can find it on my system.
Furthermore I noticed a file called init.sh is present in the directory /etc/config. This file does not seem to be a normal script file and contains no readable content (it seems to be an executable). Is this file normally readable, and is it a normally used file on a QNAP? It would be great if someone could give me more information on this before I delete it and prevent my QNAP from rebooting...
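Added here as a worked example (not code from this thread, from QNAP, or from Malware Remover): a small POSIX shell audit for the two persistence spots the replies above describe, the hourly crontab entry that launches something from a hidden random-name directory on the data volume, and qpkg start scripts with a blob inserted right after "#!/bin/sh". The default crontab path /etc/config/crontab and the /share/<volume>_DATA/.qpkg layout are assumptions; the sample tree it builds is constructed, not real NAS contents.

```shell
#!/bin/sh
# Audit helper for the persistence patterns described in this thread.
# Every path is a parameter so it can be run against a mounted copy of a
# data volume as easily as on the NAS itself.

# Print crontab lines whose command lives in a dot-directory directly under a
# /share/<volume>_DATA mount (e.g. /share/CACHEDEV1_DATA/.BmuVyk/IOcBij).
# The default file is QNAP's persistent crontab (assumed path).
suspicious_cron_entries() {
    crontab_file="${1:-/etc/config/crontab}"
    [ -r "$crontab_file" ] || return 1
    # drop comment lines, then keep only schedule lines with such a path
    grep -v '^[[:space:]]*#' "$crontab_file" \
        | grep -E '/share/[A-Za-z0-9_]+_DATA/\.[^/[:space:]]+' || true
}

# Exit 0 when the first 512 bytes of a script contain bytes that are neither
# printable ASCII nor ordinary whitespace. A genuine "#!/bin/sh" start script
# is plain text, so any such byte in the prologue is worth a look.
has_binary_prologue() {
    script="$1"
    [ -f "$script" ] || return 1
    nonprint=$(( $(head -c 512 "$script" | LC_ALL=C tr -d '[:print:]\n\r\t' | wc -c) ))
    [ "$nonprint" -gt 0 ]
}

# Walk <qpkg_root>/<package>/*.sh and print each script that starts with a
# shebang but has a binary prologue; the "#!" requirement skips files that
# were never shell scripts to begin with.
altered_qpkg_scripts() {
    qpkg_root="$1"
    for f in "$qpkg_root"/*/*.sh; do
        [ -f "$f" ] || continue
        head -n 1 "$f" | grep -q '^#!' || continue
        has_binary_prologue "$f" && printf '%s\n' "$f"
    done
}

# Constructed sample tree (not real NAS contents) so the checks can be tried
# offline. Prints the directory it created.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/.qpkg/SomePkg" "$base/.qpkg/CleanPkg"
    # start script with a fake injected blob right after the shebang
    printf '#!/bin/sh\n\001\002\377\003\n/bin/real_start "$@"\n' \
        > "$base/.qpkg/SomePkg/SomePkg.sh"
    printf '#!/bin/sh\necho clean\n' > "$base/.qpkg/CleanPkg/CleanPkg.sh"
    # one ordinary entry, one hourly entry pointing at a hidden random-name dir
    printf '# constructed crontab\n0 3 * * * /usr/bin/malware_remover.sh\n10 * * * * /share/MD0_DATA/.XyZaBc/qWeRtY\n' \
        > "$base/crontab"
    echo "$base"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample)
    echo "crontab hits:"; suspicious_cron_entries "$d/crontab"
    echo "altered start scripts:"; altered_qpkg_scripts "$d/.qpkg"
    rm -rf "$d"
fi
```

Run it with `--demo` to see both checks on the constructed sample; on a NAS, call `suspicious_cron_entries` with no argument and `altered_qpkg_scripts /share/CACHEDEV1_DATA/.qpkg` (or the MD0_DATA equivalent) and inspect each hit by hand before deleting anything.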
- dolbyman
- Guru
- Posts: 35253
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
-
- Starting out
- Posts: 13
- Joined: Tue Apr 20, 2010 12:16 am
Re: Virus on my QNAP?
Thanks @dolbyman! An autorun.sh file was present and contained no normally readable text. Deleted the file. There were also two other files which were obviously not normal files. Viewed the 'malware .sh' file and saw sequences of characters which I have also seen in the changed .sh files in the .qpkg directory.
My only worry (for now) is the init.sh file in /etc/config. If someone knows if this can be deleted, as it contains no normal script commands....