Virus on my QNAP?

lawryyxd
New here
Posts: 4
Joined: Wed Sep 27, 2017 11:00 pm

Virus on my QNAP?

Post by lawryyxd »

Hi there! I'm a new user to QNAP, and recently I noticed that after updating to the latest QTS 4.3.3, my MalwareRemover has begun to remove some settings files which I do not seem to be able to see under the normal File Manager.

Does anyone know if I should be concerned about this and how do I go about resolving this if it is an issue?

Thank you!!

Type Date Time Users Source IP Computer name Content
Information 2017/09/27 03:00:09 System 127.0.0.1 localhost [MalwareRemover] Scan completed and malware deleted.
Information 2017/09/27 03:00:09 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//iscsi_lun_settings.cgi
Information 2017/09/27 03:00:08 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//net/extdriverequest.cgi
Information 2017/09/27 03:00:08 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//iscsitargetsetting.cgi
Information 2017/09/27 00:49:17 System 127.0.0.1 localhost [Antivirus] Virus definitions updated.
Information 2017/09/26 03:00:08 System 127.0.0.1 localhost [MalwareRemover] Scan completed and malware deleted.
Information 2017/09/26 03:00:08 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//iscsi_lun_settings.cgi
Information 2017/09/26 03:00:08 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//net/extdriverequest.cgi
Information 2017/09/26 03:00:07 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//iscsitargetsetting.cgi
Information 2017/09/26 00:49:21 System 127.0.0.1 localhost [Antivirus] Virus definitions updated.
Information 2017/09/25 03:00:10 System 127.0.0.1 localhost [MalwareRemover] Scan completed and malware deleted.
Information 2017/09/25 03:00:09 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//iscsitargetsetting.cgi
Information 2017/09/25 03:00:09 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//net/extdriverequest.cgi
Information 2017/09/25 03:00:09 System 127.0.0.1 localhost [MalwareRemover] Malware removed: /home/httpd/cgi-bin//iscsi_lun_settings.cgi
Information 2017/09/25 00:49:19 System 127.0.0.1 localhost [Antivirus] Virus definitions updated.
jezz
Starting out
Posts: 13
Joined: Tue Apr 20, 2010 12:16 am

Re: Virus on my QNAP?

Post by jezz »

In my opinion you should be concerned.
  • I suggest you close all ports to the outside world.
  • Change all passwords (especially admin).
  • Remove any additional users which you don't know (on my system an admin user was added).
  • The cgi files contain a shell script (I still have to investigate, but I assume it calls home .. to my knowledge someone in Russia, looking at the IP address).
  • Remove an additional entry from your crontab (it will probably start a script/executable every hour at 10 minutes past). It can be recognised by a directory in the MD0_Data starting with a dot and having a 'random' name.
  • Remove the directory which was referred to in the added entry in crontab (it will probably contain two executables, one disguised as a shell script).
I leave my system in quarantine until I am sure I have removed it all.
I hope this helps all people having the same issue. If someone knows how to decipher the shell script in the cgi files, I would appreciate if they reply what the malware wants to achieve.
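The crontab and hidden-directory checks from the list above, as an added example (not code from this thread or from QNAP). It audits a crontab for entries launched from an unexpected dot-directory on the data volume and lists the dot-directories that a stock volume does not have. The crontab lines, directory names and the `/share/MD0_DATA` root are constructed for the demo; on a live NAS the crontab is read from /etc/config/crontab and the root is whatever your data volume is mounted as.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from QNAP.
# Audits a crontab and a data-volume root for the two indicators described
# in the post above: a cron entry started from a dot-directory with a random
# name on the data volume, and that dot-directory itself.
# The file paths, directory names and cron lines below are constructed for
# the demo; on a QNAP the live crontab is /etc/config/crontab and the data
# volume root is something like /share/MD0_DATA or /share/CACHEDEV1_DATA.

# Print non-comment crontab lines whose command lives in a hidden directory
# directly under the given volume root. QNAP's own ".@..." directories
# (thumbnails etc.) are excluded, so only unexpected dot-directories show up.
# The root is pasted into the regex as-is, so keep it free of regex metacharacters.
#   $1 = crontab file   $2 = volume root, e.g. /share/MD0_DATA
suspicious_cron_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -E "$2/\.[^/@ ]+/"
}

# List top-level dot-directories under a volume root, skipping the ones a
# stock system has (.qpkg holds installed packages, .@* are QNAP-managed).
#   $1 = volume root directory
hidden_dirs() {
    for entry in "$1"/.*/; do
        [ -d "$entry" ] || continue
        name=$(basename "$entry")
        case "$name" in
            .|..|.qpkg|.@*) continue ;;
        esac
        printf '%s\n' "$name"
    done
}

# Build a constructed sample (temporary directory) that mirrors the thread:
# a harmless entry (hypothetical script path), a thumbnail clean-up entry
# under .@__thumb, and the hourly "10 * * * *" entry pointing at a random
# dot-directory. Prints the sample directory path.
demo_setup() {
    sample=$(mktemp -d)
    mkdir -p "$sample/vol/.qpkg/MalwareRemover" "$sample/vol/.@__thumb" \
             "$sample/vol/.BmuVyk" "$sample/vol/Public"
    cat > "$sample/crontab" <<'EOF'
# constructed sample crontab
0 3 * * * /etc/init.d/scan_thumbnails.sh
30 7 * * * /bin/rm -rf /share/MD0_DATA/.@__thumb/tmp
10 * * * * /share/MD0_DATA/.BmuVyk/IOcBij
EOF
    printf '%s\n' "$sample"
}

# Stand-alone run: set up the sample, report, clean up.
sample_dir=$(demo_setup)
echo "== suspicious crontab entries =="
suspicious_cron_entries "$sample_dir/crontab" /share/MD0_DATA
echo "== unexpected dot-directories on the volume =="
hidden_dirs "$sample_dir/vol"
rm -rf "$sample_dir"
```

On a real system, run `suspicious_cron_entries /etc/config/crontab /share/MD0_DATA` and `hidden_dirs /share/MD0_DATA` (substituting your volume); anything reported is a candidate for inspection, and the crontab entry should be removed before the directory so the job cannot be restarted in between.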
kuroiryu
New here
Posts: 4
Joined: Mon Aug 14, 2017 8:51 am

Re: Virus on my QNAP?

Post by kuroiryu »

I have this on my TS-451+ now. Were you able to successfully remove it?
Has anyone figured out what it is up to?
dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Virus on my QNAP?

Post by dolbyman »

All this seems to be in the webserver realm of the NAS.

Are you running an outdated WordPress, Drupal, or other CMS on it?

Maybe it's attacking the web components of your NAS (Apache, etc.). Ever thought about moving to a VM or container for webhosting?
kuroiryu
New here
Posts: 4
Joined: Mon Aug 14, 2017 8:51 am

Re: Virus on my QNAP?

Post by kuroiryu »

I had redis running on a VM at some point.
I have Plex running but I usually keep that up to date.
I did have some plugins on Plex and HD Station that were old and seemingly not functional.
At this point though I have removed or disabled a lot of things.
Including removing and installing Plex. (had more to do with https://forums.plex.tv/discussion/28790 ... s-with-pms )

I have found and removed some entries from crontab.
Malware Remover removes files from cgi-bin.

When I restart there are:
unix 2 [ ACC ] STREAM LISTENING 45869 9930/alice /tmp/.@alice.xxx
unix 2 [ ACC ] STREAM LISTENING 55021 12908/qDmcd /tmp/.@qdmc.ipc.xxx
unix 2 [ ACC ] STREAM LISTENING 53711 12909/qRPlayerCente /tmp/.@qRPlayerCenter.xxx

udp 0 0 0.0.0.0:1900 0.0.0.0:* 12908/qDmcd
udp 0 0 localhost:60705 0.0.0.0:* 12908/qDmcd
udp 0 0 0.0.0.0:37208 0.0.0.0:* 12908/qDmcd
tcp 0 0 beecloud:49152 0.0.0.0:* LISTEN 12908/qDmcd

tcp 0 0 0.0.0.0:9813 0.0.0.0:* LISTEN 9930/alice

Stuck as how to track this down.
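One way to track down a listener like the "alice" process above, as an added example (not code from this thread or from QNAP): parse `netstat -lnp` output, attribute every listening TCP/UDP and unix socket to its PID/program, and print the ones that are not on a list of services you have already accounted for; for a PID that is still alive, /proc tells you which binary and working directory it actually runs from. The netstat listing and the allow-list ("qDmcd qRPlayerCente", the latter as netstat truncates it) are constructed after the post; `describe_pid` only reads /proc and prints nothing for a PID that no longer exists.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from QNAP.
# Triages `netstat -lnp` output the way the post above calls for: every
# listening TCP/UDP socket and every listening unix socket is attributed to
# its PID/program, and programs that are not on a list of expected services
# are printed for follow-up. The sample output below is constructed after
# the post (the "alice" process on tcp/9813 and /tmp/.@alice.xxx is the
# unexplained one); the allow-list is an assumption for the demo.

# Print "proto local-address pid/program" for listeners whose program name
# is not in the space-separated allow-list.
#   $1 = file holding `netstat -lnp` output   $2 = allow-list, e.g. "qDmcd sshd"
unknown_listeners() {
    awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # TCP/UDP lines: local address is field 4, PID/program is the last field.
    $1 ~ /^(tcp|udp)6?$/ && ($1 ~ /^udp/ || $6 == "LISTEN") {
        split($NF, p, "/")
        if (!(p[2] in ok)) print $1, $4, $NF
    }
    # Unix sockets: PID/program is the second-to-last field, the path is last.
    $1 == "unix" && $7 == "LISTENING" {
        split($(NF-1), p, "/")
        if (!(p[2] in ok)) print "unix", $NF, $(NF-1)
    }' "$1"
}

# For a live PID, show what is actually running: the executable (a deleted
# binary shows up as "(deleted)"), the working directory and the command
# line. Prints nothing when the PID no longer exists.
#   $1 = PID
describe_pid() {
    [ -d "/proc/$1" ] || return 0
    printf 'pid %s exe=%s cwd=%s cmd=%s\n' "$1" \
        "$(readlink "/proc/$1/exe" 2>/dev/null)" \
        "$(readlink "/proc/$1/cwd" 2>/dev/null)" \
        "$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)"
}

# Write a constructed netstat listing (modelled on the thread) to a temp
# file and print its path.
write_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:9813            0.0.0.0:*               LISTEN      9930/alice
tcp        0      0 0.0.0.0:49152           0.0.0.0:*               LISTEN      12908/qDmcd
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           12908/qDmcd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     45869  9930/alice          /tmp/.@alice.xxx
unix  2      [ ACC ]     STREAM     LISTENING     55021  12908/qDmcd         /tmp/.@qdmc.ipc.xxx
EOF
    printf '%s\n' "$f"
}

# Stand-alone run against the sample; on a real NAS replace the file with
# the output of `netstat -lnp` and extend the allow-list as you verify services.
sample=$(write_sample)
unknown_listeners "$sample" "qDmcd qRPlayerCente" | while read -r proto addr prog; do
    echo "unexpected listener: $proto $addr $prog"
    describe_pid "${prog%%/*}"
done
rm -f "$sample"
```

The point of the allow-list is that it only grows as you confirm a service is legitimate (what package installed it, whether its executable lives under /usr or a .qpkg directory); a process whose executable sits in a dot-directory on the data volume or in /tmp is exactly the kind of thing to open a ticket about rather than add to the list.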
Trexx
Ask me anything
Posts: 5393
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: Virus on my QNAP?

Post by Trexx »

Easiest answer: Open a helpdesk ticket with QNAP. If it is a NEW malware version that Malware Remover isn't getting, they will update the tool for it.
Paul

Model: TS-877-1600 FW: 4.5.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x1TB SK Hynix Gold
Ext. (HDD): TR-004 [Raid-5] 4 x 4TB HGST Ultastor
RAM: Kingston HyperX Fury 64GB DDR4-2666
UPS: CP AVR1350

Model: TVS-673 32GB & TS-228a Offline
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq
dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Virus on my QNAP?

Post by dolbyman »

Check your autostart.sh, there might be some infection in there too.

I think you had some part of your NAS exposed to the web (Photo Station, web login, etc.) and that got you hacked; it happened (and apparently still happens) a lot.
kuroiryu
New here
Posts: 4
Joined: Mon Aug 14, 2017 8:51 am

Re: Virus on my QNAP?

Post by kuroiryu »

I have a help desk ticket open.

I don't know where autostart.sh is. I have seen https://wiki.qnap.com/wiki/Running_Your ... at_Startup
but I have never set up one; is there a system default one?

Services I do access from outside: Plex, Download Station, File Station, which I guess includes the main web interface (8080).
dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Virus on my QNAP?

Post by dolbyman »

There is always an autostart.sh .. no need to create it.

Consider setting up a VPN ... presenting all those stations to the world is asking for trouble.
makreuro
First post
Posts: 1
Joined: Wed Oct 25, 2017 10:15 pm

Re: Virus on my QNAP?

Post by makreuro »

This month I got the well-known message from Malware Remover: "Scan completed - malware removed". After the upgrade of MalwareRemover, when we could finally see what the reason is, I found out that the problem could be in the:
[MalwareRemover] Malware removed: /home/httpd//cgi-bin/QPKG_RSS.cgi
[MalwareRemover] Malware removed: /home/httpd//cgi-bin/iscsi_lun_settings.cgi

I tried changing the password every day and received the same notification all the time (the log file never lists any login to the system).

Frustrated, I did a backup of my data to an external disk, reset the QNAP and reformatted the disks. After this procedure, which took most of the weekend, MalwareRemover did not find anything wrong. Setting a new admin password and allowing access only from my IP addresses .. and .. around 10 hours of copying files back to the NAS. Checking again with MalwareRemover (clean). Recreating users with different account privileges and disabling all services except the minimum I need. MalwareRemover (still clean).

[/share/CACHEDEV1_DATA/.qpkg/MalwareRemover] # grep '\[\|Shell' /etc/config/qpkg.conf
[helpdesk]
Shell = /mnt/HDA_ROOT/update_pkg/helpdesk/helpdesk.sh
[ResourceMonitor]
Alt_Shell = /mnt/ext/opt/ResourceMonitor/qpkg_res.sh
[QcloudSSLCertificate]
Alt_Shell = /mnt/ext/opt/QcloudSSLCertificate/QcloudSSLCertificate.sh
[Python3]
Shell = /share/CACHEDEV1_DATA/.qpkg/Python3/Python3.sh
[MalwareRemover]
Shell = /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh
[QsyncServer]
Shell = /share/CACHEDEV1_DATA/.qpkg/QsyncServer/qsyncsrv.sh
[/share/CACHEDEV1_DATA/.qpkg/MalwareRemover] #

---------------
The life seems bright again ... for a week.
---------------

but ...

Today the electricity failed and the UPS safely shut down the NAS. After restart the system log lists
...
[Malware Remover] Scan failed, error = 1
[MalwareRemover] Malware removed: /home/httpd//cgi-bin/QPKG_RSS.cgi
[MalwareRemover] Malware removed: /home/httpd//cgi-bin/iscsi_lun_settings.cgi

HOW!!!!

I took drastic measures and deleted all corrupted .cgi files, and later found out that ...

[Malware Remover] Scan completed and malware deleted.
[MalwareRemover] Malware removed: /share/CACHEDEV1_DATA/.BmuVyk/IOcBij
[MalwareRemover] Malware process killed: /share/CACHEDEV1_DATA/.BmuVyk/IOcBij(12956)
[MalwareRemover] Malware removed: /home/httpd//cgi-bin/iscsi_lun_settings.cgi
[Malware Remover] Start scanning.

I removed the .BmuVyk folder and files and MalwareRemover notified me with the satisfying message

[Malware Remover] Scan completed.
[Malware Remover] Start scanning.

But I still think that I'm not entirely clean:

[/share/CACHEDEV1_DATA/.qpkg/MalwareRemover] # ./MalwareRemover.sh status
/share/CACHEDEV1_DATA/.qpkg/MalwareRemover/modules/02_autoupgrade.pyc is running
[/share/CACHEDEV1_DATA/.qpkg/MalwareRemover] # 2017-10-25 16:38:12,721 gagdet.py:32 [qgagdet] CRITICAL Except Start
2017-10-25 16:38:12,722 gagdet.py:36 [qgagdet] CRITICAL <class 'FileNotFoundError'>
2017-10-25 16:38:12,723 gagdet.py:37 [qgagdet] CRITICAL [Errno 2] No such file or directory: 'docker'
2017-10-25 16:38:12,724 gagdet.py:38 [qgagdet] CRITICAL <traceback object at 0x2b34e6e8>
2017-10-25 16:38:12,725 gagdet.py:42 [qgagdet] CRITICAL <class 'FileNotFoundError'>
2017-10-25 16:38:12,726 gagdet.py:43 [qgagdet] CRITICAL [Errno 2] No such file or directory: 'docker'
2017-10-25 16:38:12,726 gagdet.py:44 [qgagdet] CRITICAL <traceback object at 0x2b34e6e8>
2017-10-25 16:38:12,727 gagdet.py:45 [qgagdet] CRITICAL function or module： __call__
2017-10-25 16:38:12,728 gagdet.py:46 [qgagdet] CRITICAL file： modules/gagdet.py
2017-10-25 16:38:12,729 gagdet.py:42 [qgagdet] CRITICAL <class 'FileNotFoundError'>
2017-10-25 16:38:12,730 gagdet.py:43 [qgagdet] CRITICAL [Errno 2] No such file or directory: 'docker'
2017-10-25 16:38:12,730 gagdet.py:44 [qgagdet] CRITICAL <traceback object at 0x2b34e710>
2017-10-25 16:38:12,731 gagdet.py:45 [qgagdet] CRITICAL function or module： execute
2017-10-25 16:38:12,732 gagdet.py:46 [qgagdet] CRITICAL file： modules/gagdet.py
2017-10-25 16:38:12,733 gagdet.py:42 [qgagdet] CRITICAL <class 'FileNotFoundError'>
2017-10-25 16:38:12,734 gagdet.py:43 [qgagdet] CRITICAL [Errno 2] No such file or directory: 'docker'
2017-10-25 16:38:12,734 gagdet.py:44 [qgagdet] CRITICAL <traceback object at 0x2b34e788>
2017-10-25 16:38:12,735 gagdet.py:45 [qgagdet] CRITICAL function or module： __init__
2017-10-25 16:38:12,736 gagdet.py:46 [qgagdet] CRITICAL file： /share/CACHEDEV1_DATA/.qpkg/Python3/python3/lib/python3.5/subprocess.py
2017-10-25 16:38:12,737 gagdet.py:42 [qgagdet] CRITICAL <class 'FileNotFoundError'>
2017-10-25 16:38:12,738 gagdet.py:43 [qgagdet] CRITICAL [Errno 2] No such file or directory: 'docker'
2017-10-25 16:38:12,738 gagdet.py:44 [qgagdet] CRITICAL <traceback object at 0x2b34e738>
2017-10-25 16:38:12,739 gagdet.py:45 [qgagdet] CRITICAL function or module： _execute_child
2017-10-25 16:38:12,740 gagdet.py:46 [qgagdet] CRITICAL file： /share/CACHEDEV1_DATA/.qpkg/Python3/python3/lib/python3.5/subprocess.py
2017-10-25 16:38:12,741 gagdet.py:48 [qgagdet] CRITICAL Except Done

Is it possible to secure QNAP? This becomes annoyingly frustrating.
dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Virus on my QNAP?

Post by dolbyman »

Secure the QNAP by not allowing external connections (no port forwarding on the router).

Possible infection in autostart.sh (that one is not on the drives, so even exchanging all disks and starting from scratch could get you reinfected).

Best to contact QNAP for investigation.
Trexx
Ask me anything
Posts: 5393
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: Virus on my QNAP?

Post by Trexx »

Also potential infection routes: Video Station/Photo Station/Music Station (etc.) if exposed via myQNAPCloud (check if they are set to public/private). Also check if automatic router configuration is enabled (which is UPnP).
jezz
Starting out
Posts: 13
Joined: Tue Apr 20, 2010 12:16 am

Re: Virus on my QNAP?

Post by jezz »

Today I noticed my NAS was again infected (or should I say still infected).
I found that for all qpkg packages running (or that were running recently), the shell scripts were all altered. After '/bin/sh' there was unreadable code (at least for me) added before the remainder of the script.
I have removed these sections from all script files, stopped all packages (except one, to test) and restarted the system. Seems to be okay for now...

In previous replies the file autorun.sh is referred to. Can anyone bring more clarity on where this file is located? I can find it on my system.

Furthermore I noticed a file called init.sh is present in the directory /etc/config. This file seems to be no normal script file and contains no readable content (it seems to be an executable). Is this file normally readable, and is it a normally used file on a QNAP? It would be great if someone could give me more information on this before I delete it and prevent my QNAP from rebooting...
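A check for the two things described in the posts above (makreuro's grep of the Shell= entries in /etc/config/qpkg.conf, and jezz's finding of unreadable bytes inserted after the `#!/bin/sh` line of every package start script), as an added example that is not code from this thread or from QNAP. It pulls the registered start-script paths out of a qpkg.conf and flags any whose first 4 KiB contain bytes that are neither printable ASCII nor whitespace; the same header check can be pointed at any other start-up script, such as an autorun.sh once you have it mounted. The qpkg.conf, package names and scripts are constructed in a temporary directory for the demo.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from QNAP.
# Two checks drawn from the posts above: (1) pull the start-script paths that
# makreuro grepped out of /etc/config/qpkg.conf (Shell= / Alt_Shell= keys),
# and (2) flag scripts whose header has been stuffed with unreadable bytes
# after the "#!/bin/sh" line, which is what jezz found in the .qpkg scripts.
# The qpkg.conf and scripts used for the demo are constructed in a
# temporary directory.

# Print the script path from every "Shell =" or "Alt_Shell =" line.
#   $1 = qpkg.conf path
qpkg_start_scripts() {
    sed -n 's/^[[:space:]]*\(Alt_\)\{0,1\}Shell[[:space:]]*=[[:space:]]*//p' "$1"
}

# Succeed (exit 0) if the first 4 KiB of a file contain bytes that are neither
# printable ASCII nor whitespace. A genuine shell script has none; a script
# with an embedded blob does. This is a coarse heuristic meant to pick
# candidates for manual inspection (a UTF-8 comment would trip it too).
#   $1 = script path
tampered_header() {
    count=$(head -c 4096 "$1" | LC_ALL=C tr -d '[:print:][:space:]' | wc -c | tr -d ' ')
    [ "$count" -gt 0 ]
}

# Print every registered start script that fails the header check. Missing
# scripts go to stderr, since a dangling Shell= entry is worth a look as well.
#   $1 = qpkg.conf path
tampered_scripts() {
    qpkg_start_scripts "$1" | while read -r script; do
        if [ ! -f "$script" ]; then
            echo "missing: $script" >&2
        elif tampered_header "$script"; then
            printf '%s\n' "$script"
        fi
    done
}

# Constructed sample: one clean package script, one with garbage after the
# shebang, and one entry whose script is gone. Prints the sample directory.
demo_setup() {
    base=$(mktemp -d)
    mkdir -p "$base/.qpkg/Good" "$base/.qpkg/Bad"
    printf '#!/bin/sh\n# normal start script\necho "Good started"\n' > "$base/.qpkg/Good/Good.sh"
    printf '#!/bin/sh\n\001\002\377\376blob\n# rest of the original script\necho "Bad started"\n' \
        > "$base/.qpkg/Bad/Bad.sh"
    cat > "$base/qpkg.conf" <<EOF
[Good]
Name = Good
Shell = $base/.qpkg/Good/Good.sh
[Bad]
Name = Bad
Alt_Shell = $base/.qpkg/Bad/Bad.sh
[Gone]
Shell = $base/.qpkg/Gone/Gone.sh
EOF
    printf '%s\n' "$base"
}

# Stand-alone run against the sample; on a NAS pass /etc/config/qpkg.conf.
sample=$(demo_setup)
echo "registered start scripts:"
qpkg_start_scripts "$sample/qpkg.conf"
echo "scripts with unreadable bytes in their header:"
tampered_scripts "$sample/qpkg.conf"
rm -rf "$sample"
```

A flagged script is evidence to keep, not just to clean: copy it off the NAS before editing so the inserted section can go into the support ticket, and remember that the package's own scripts are restored only when the package is reinstalled, so a cleaned script should be compared against a fresh copy of the package afterwards.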
dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Virus on my QNAP?

Post by dolbyman »

jezz
Starting out
Posts: 13
Joined: Tue Apr 20, 2010 12:16 am

Re: Virus on my QNAP?

Post by jezz »

Thanks @dolbyman! An autorun.sh file was present and contained non-normal readable text. Deleted the file. There were also two other files which were obviously not normal files. Viewed the 'malware .sh' file and saw sequences of characters which I have also seen in the changed .sh files in the .qpkg directory.

My only worry (for now) is the init.sh file in /etc/config. If someone knows if this can be deleted, as it contains no normal script commands....