Unknown Thread kthreaddnai

kameha
Starting out
Posts: 10
Joined: Wed Mar 28, 2018 8:45 am

Unknown Thread kthreaddnai

Post by kameha » Tue Nov 13, 2018 2:13 am

Hello,

I recently discovered that I have an unknown thread eating up my CPU (see kthreaddnai.jpg).

It is associated with this executable file in /tmp (see pionai.jpg attached).
I also found weird files in /tmp having the same rights and user (see god.jpg and mxpma.jpg).

Does anyone have the same issue and know what they're doing??

Thnx,
OneCD
Ask me anything
Posts: 6021
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Unknown Thread kthreaddnai

Post by OneCD » Tue Nov 13, 2018 2:25 am

Hi and welcome to the forum.

That all looks rather suspect to me. :S

Have you installed and run the Malware Remover QPKG yet? It’s available in the QTS App Center.

production NAS: TS-569 Pro with Debian 9.9 'Stretch' (power on/off times are < 1 minute)
backup NAS: TS-559 Pro+ with QTS 4.2.6 #20190322

one.cd.only@gmail.com


kameha
Starting out
Posts: 10
Joined: Wed Mar 28, 2018 8:45 am

Re: Unknown Thread kthreaddnai

Post by kameha » Tue Nov 13, 2018 2:56 am

Hello,

Thnx... I've installed Malware Remover and it's been running daily for weeks without finding anything suspect...
I also have a daily Full Virus scan and nothing suspect comes up either...

dolbyman
Guru
Posts: 12905
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Unknown Thread kthreaddnai

Post by dolbyman » Tue Nov 13, 2018 2:58 am

Virus scan only scans your files... not your NAS.

Possibly a new infection... contact QNAP for assistance.

What services were you exposing to the web?

kameha
Starting out
Posts: 10
Joined: Wed Mar 28, 2018 8:45 am

Re: Unknown Thread kthreaddnai

Post by kameha » Tue Nov 13, 2018 3:04 am

I expose nextcloud and gitea through ContainerStation on https

salexes
New here
Posts: 6
Joined: Sat Mar 31, 2018 9:45 pm

Re: Unknown Thread kthreaddnai

Post by salexes » Tue Nov 13, 2018 3:57 am

It's malware: https://www.virustotal.com/#/file/61c6b ... /detection

It appeared on my QNAP as well.

Toxic17
Experience counts
Posts: 4659
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: Unknown Thread kthreaddnai

Post by Toxic17 » Tue Nov 13, 2018 3:59 am

kameha wrote:
Tue Nov 13, 2018 3:04 am
I expose nextcloud and gitea through ContainerStation on https
https://helpdesk.qnap.com/
Regards Simon

MeteoBridge NanoSD • ODROID N2 • FlightAware ProStick Plus
NAS: TVS-463/QM2-2P 4.3.6.0923 • TS-453BT3 4.3.6.0895 • TS-121 4.3.3.0923 • APC Back-UPS ES 700G
QPKG's: TwonkyServer 8.51 • Apache & PHP 7.3.5 • QSonarr 3.0.1.474 • QNBZGet 21.0-r2304 • phpMyAdmin 4.8.5 • Qmono 5.18.0.240 • Lychee 3.2.14
Network: VM Hub 3.0 <500/35> • UniFi USG Pro 4 • UniFi USW-16-150W • UniFi USW-8-60W • UniFi CloudKey • UAP AC Pro • UAP AC Lite • TL-SG1016DE • SLM2008 • Dell 7050 MFF

kameha
Starting out
Posts: 10
Joined: Wed Mar 28, 2018 8:45 am

Re: Unknown Thread kthreaddnai

Post by kameha » Tue Nov 13, 2018 4:10 am

salexes wrote:
Tue Nov 13, 2018 3:57 am
It's malware: https://www.virustotal.com/#/file/61c6b ... /detection

It appeared on my QNAP as well.
How did you get rid of it!?

salexes
New here
Posts: 6
Joined: Sat Mar 31, 2018 9:45 pm

Re: Unknown Thread kthreaddnai

Post by salexes » Tue Nov 13, 2018 4:30 am

@kameha

Which apps do you have installed? Please post a list/screenshot here.

Also, what is your current firmware version?

kameha
Starting out
Posts: 10
Joined: Wed Mar 28, 2018 8:45 am

Re: Unknown Thread kthreaddnai

Post by kameha » Tue Nov 13, 2018 5:37 am

I've installed:

QNAP:
RainLoop
QVPN Service
Malware Remover
Container Station (Gitea, Nextcloud)
Photo Station
phpMyAdmin
Text Editor
CodexPack
Qboost
Qsync Central

Community:
Deluge
Entware-std (nano, sslh)
QGit
QJDK 1.8

Firmware: 4.3.5.0728

salexes
New here
Posts: 6
Joined: Sat Mar 31, 2018 9:45 pm

Re: Unknown Thread kthreaddnai

Post by salexes » Tue Nov 13, 2018 5:47 am

If an app were the reason, the only overlapping apps we have are:

QVPN Service
Malware Remover
Container Station
phpMyAdmin
Qboost
Entware-std

Same firmware I got: Firmware: 4.3.5.0728

KV17uwe
New here
Posts: 7
Joined: Wed Jul 13, 2016 3:46 pm

Re: Unknown Thread kthreaddnai

Post by KV17uwe » Wed Nov 14, 2018 12:06 am

Hello,

I have the same problem. I also have this process. When I finish it, it opens again after a short time. What can I do? I have already opened a ticket at QNAP.

Image

Process name: pionai
User: httpdusr

thx Uwe

kameha
Starting out
Posts: 10
Joined: Wed Mar 28, 2018 8:45 am

Re: Unknown Thread kthreaddnai

Post by kameha » Wed Nov 14, 2018 2:06 am

Hello !

For now (until I have another solution) I am using this script to automatically (every 2 mins) kill the processes and remove the files:

```sh
#!/bin/sh

NOW=$(date '+%Y%m%d%H%M%S')
LOG_FILE=/share/kameha/clean.log

# Create the log file on the first run
if [ ! -f "${LOG_FILE}" ]; then
    touch "${LOG_FILE}"
fi

echo "Running at ${NOW}" >> "${LOG_FILE}"

# Kill the unknown processes, matched by name in the process list
ps -ef | grep '/tmp/compma' | grep -v grep | awk '{print $2}' | xargs -r kill -9
ps -ef | grep 'pionai' | grep -v grep | awk '{print $2}' | xargs -r kill -9
ps -ef | grep 'kthreaddnai' | grep -v grep | awk '{print $2}' | xargs -r kill -9

# Remove files in /tmp owned by httpdusr with the permissions the weird files have
find /tmp -type f -user httpdusr -perm 0750 -exec rm -f {} \;
find /tmp -type f -user httpdusr -perm 0700 -exec rm -f {} \;
find /tmp -type f -user httpdusr -perm 0640 -exec rm -f {} \;
```

I also used those commands


```sh
find / -type f -user httpdusr -group administrators -perm 0700
find / -type f -user httpdusr -group administrators -perm 0750
find / -type f -user httpdusr -group administrators -perm 0640
```

to find (and remove) suspect files (cgod, dog.1, dog, eth1, inet0, ...) on all the NAS and found files in /var/lock, /var/run/, /dev/shm
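
An alternative to deleting the matched files outright, given here as an added example (it is not kameha's script and not QNAP tooling): it uses the same owner and permission filters, but records a SHA-256 for each file and moves it into a quarantine directory with the execute bits removed. The function names and the quarantine path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Quarantine instead of delete:
# hash each suspect file, log it, then move it aside as a read-only sample.

# quarantine_suspects OWNER QDIR DIR...
# Matches regular files owned by OWNER with the modes seen in the thread
# (0700, 0750, 0640). Prints how many files were quarantined.
quarantine_suspects() {
    owner=$1; qdir=$2; shift 2
    mkdir -p "$qdir" || return 1
    chmod 700 "$qdir"
    list=$(mktemp) || return 1
    count=0
    find "$@" -type f -user "$owner" \
        \( -perm 0700 -o -perm 0750 -o -perm 0640 \) -print > "$list"
    while IFS= read -r f; do
        case $f in "$qdir"/*) continue ;; esac   # never re-process the quarantine
        sum=$(sha256sum "$f" | awk '{print $1}')
        [ -n "$sum" ] || continue
        # Manifest line: UTC time, SHA-256, original path (tab separated).
        printf '%s\t%s\t%s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$sum" "$f" \
            >> "$qdir/manifest.tsv"
        mv -f "$f" "$qdir/$sum" && chmod 400 "$qdir/$sum" && count=$((count + 1))
    done < "$list"
    rm -f "$list"
    echo "$count"
}

# demo: builds a constructed tree owned by the current user and quarantines it.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/tmp" "$root/q"
    printf 'constructed sample A\n' > "$root/tmp/pionai"; chmod 0750 "$root/tmp/pionai"
    printf 'constructed sample B\n' > "$root/tmp/dog";    chmod 0700 "$root/tmp/dog"
    printf 'ordinary file\n'        > "$root/tmp/notes";  chmod 0644 "$root/tmp/notes"
    quarantine_suspects "$(id -u)" "$root/q" "$root/tmp"
    ls "$root/tmp"            # only "notes" should remain
    rm -rf "$root"
}

# On the NAS from the thread this would be called as (quarantine path is an assumption):
#   quarantine_suspects httpdusr /share/kameha/quarantine /tmp /var/lock /var/run /dev/shm
if [ "${1:-}" = "demo" ]; then demo; fi
```

The manifest keeps the hashes and original paths, so the samples can be attached to a support ticket or looked up on VirusTotal as salexes did.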

Trexx
Experience counts
Posts: 4699
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota
Contact:

Re: Unknown Thread kthreaddnai

Post by Trexx » Wed Nov 14, 2018 3:35 am

You might try upgrading to the new 4.3.5.0756 QTS release, as there were several security holes patched in it.
Paul

Model: TS-877-1600 FW: 4.3.6.x
QTier (HDD): [RAID-5] 6 x 3TB HGST DeskStar NAS QTier (SSD): [RAID-1] 2 x 525GB Crucial MX300 m.2's
(SSD): [RAID-1] 2 x 500GB Evo 860
RAM: Kingston HyperX Fury 32GB Kit DDR4-2666
GPU: EVGA GTX 1060, ACX 2.0(1 Fan), 6GB
UPS: CyberPower AVR1350 Ext. Backup: USB 3.0 Seagate 5TB
Media Boxes: Nvidia ShieldTV Pro, AppleTV 4, Roku Stick

Model: TVS-673 32GB FW: 4.3.6.x Test/Backup Box

dolbyman
Guru
Posts: 12905
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Unknown Thread kthreaddnai

Post by dolbyman » Wed Nov 14, 2018 4:03 am

kameha wrote:
Tue Nov 13, 2018 3:04 am
I expose nextcloud and gitea through ContainerStation on https
Both apps in a container, or only gitea? If nextcloud was natively installed, it could be a vulnerability in the webserver or that particular app.
