Unknown Thread kthreaddnai

kameha
Starting out
Posts: 11
Joined: Wed Mar 28, 2018 8:45 am

Re: Unknown Thread kthreaddnai

Post by kameha »

Elbows wrote: Fri Nov 23, 2018 4:48 am I had the 'pionai' process running and raised a helpdesk ticket.

I've posted the fix I was given here: viewtopic.php?f=182&t=144954&p=694152#p694152

It worked for me :-)
Hello,

Thanks for your post. I've tried the proposed solution with no luck (I already had Malware Remover installed without it detecting anything...)
Still waiting for answer from QNAP... :(
Elbows
Starting out
Posts: 31
Joined: Thu May 07, 2009 9:58 pm

Re: Unknown Thread kthreaddnai

Post by Elbows »

I also had up-to-date Malware Remover installed and running every day. Only when I installed the version from the link did the 'pionai' process disappear permanently.
FYI Malware Remover ran automatically after the install but didn't report any problems. The NAS was just fixed silently (with no mention of malware in the system log).

Good luck with getting your NAS fixed.
QNAP TVS1282 (PRD box)
V4.5.1.1540
8x Seagate 8TB Ironwolf (2x RAID 5 Storage Pools)
4x 1TB Crucial SSD (2x RAID1 Storage Pools)
2x 500GB Samsung PCIe RAID 0 R/W Cache

QNAP TS670 Pro (DEV/Backup box)
V4.3.7.(latest) EOL
6x Seagate 8TB Ironwolf RAID 5

Riello VSD 1500 UPS
Cerberus
Starting out
Posts: 13
Joined: Thu Nov 03, 2011 11:23 pm

Re: Unknown Thread kthreaddnai

Post by Cerberus »

hello

The malware keeps coming back. It takes a maximum of 3 hours to get it back.
I have adapted the script a little and run it all as a cron.
I have already created a ticket - but it is currently not being edited.

I have done everything mentioned here:
- Changed password to phpMyAdmin
- Malware Remover 3.3.1 installed
- Reboot the NAS
It does not help anything - after max. 3h the part is back.
Unfortunately the developers were so clever and switched off all kernel parameters or suppressed their output. So I can't get any information about it.
Let's see if it can be controlled that way.

Code:

#!/bin/sh
# Cron job: kill the known malware processes and delete their files from /tmp.

NOW=$(date '+%Y%m%d%H%M%S')
LOG_FILE=/share/CACHEDEV1_DATA/homes/admin/clean.log

# Create the log file on the first run.
if [ ! -f "${LOG_FILE}" ]; then
    touch "${LOG_FILE}"
fi

echo "Running at ${NOW}" >> "${LOG_FILE}"

# Kill every process whose ps line matches one of the known names.
ps | grep '/tmp/compma' | grep -v grep | awk '{print $1}' | xargs -r kill -9
ps | grep 'pionai' | grep -v grep | awk '{print $1}' | xargs -r kill -9
ps | grep 'kthreaddnai' | grep -v grep | awk '{print $1}' | xargs -r kill -9

# Delete files in /tmp owned by the web server user with these permission modes.
find /tmp -type f -user httpdusr -perm 0750 -exec rm -f {} \;
find /tmp -type f -user httpdusr -perm 0700 -exec rm -f {} \;
find /tmp -type f -user httpdusr -perm 0640 -exec rm -f {} \;
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Unknown Thread kthreaddnai

Post by dolbyman »

operating a NAS that had its firmware modified .. bad idea .. kill it and start from scratch
Cerberus
Starting out
Posts: 13
Joined: Thu Nov 03, 2011 11:23 pm

Re: Unknown Thread kthreaddnai

Post by Cerberus »

The firmware is original!
I would never use a modified version!
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Unknown Thread kthreaddnai

Post by dolbyman »

it was modified by the malware
Cerberus
Starting out
Posts: 13
Joined: Thu Nov 03, 2011 11:23 pm

Re: Unknown Thread kthreaddnai

Post by Cerberus »

Then how am I supposed to proceed exactly?
I recently installed the latest version.
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Unknown Thread kthreaddnai

Post by dolbyman »

format all drives and clean the dom (firmware recovery)
Cerberus
Starting out
Posts: 13
Joined: Thu Nov 03, 2011 11:23 pm

Re: Unknown Thread kthreaddnai

Post by Cerberus »

What?!!!
That's impossible!!
It is NOT the solution to proceed in this way.
The BUG must be found!
I first downloaded the firmware and installed it again.
I have checked beforehand, that there is not any of the stuff left.

But that -- is not possible at all!
OneCD
Guru
Posts: 12155
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Unknown Thread kthreaddnai

Post by OneCD »

It’s not? :'

Why?

Cerberus
Starting out
Posts: 13
Joined: Thu Nov 03, 2011 11:23 pm

Re: Unknown Thread kthreaddnai

Post by Cerberus »

I just recently rebuilt the whole system - because the HDDs were not fully usable.
It took me about 1 week of work to fix everything up again ...
From the fact to sham -- that I currently have no HDD space to backup the TB to data
KV17uwe
New here
Posts: 7
Joined: Wed Jul 13, 2016 3:46 pm

Re: Unknown Thread kthreaddnai

Post by KV17uwe »

Answer from Support:
Good day,

Sorry for the late feedback.

pionai is malware

Please install and run the Malware Remover

Then change the password at phpMyadmin

now connect SSH to the NAS (eg Putty)

# cd /share/Web
# ll

you probably now see with an asterisk * ending or ending with .1, .2, .3 etc - delete with rm
also please clear the numbers / letter combination.php A493B87C .... php

and restart the NAS.

Yours sincerely

I own all the files in the directory WEB on the USER "httpdusr". There were between 6-10 files that also partially had no endings.
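
A read-only check for the indicators named in this thread (the process names from the cron script above and the file patterns from the support reply), as an added example that is not part of any post and not QNAP's own tooling. The function names, the 8-digit minimum for hex-named .php files and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: read-only triage for the indicators named in this thread.
# It only reports; nothing is killed or deleted, so findings can go in a ticket.

PROC_PATTERN='/tmp/compma|pionai|kthreaddnai'   # process names from the posts

# Filter `ps` output on stdin; print only lines naming a suspect process.
suspect_procs() {
    grep -E "$PROC_PATTERN" | grep -v 'grep' || true
}

# List files under dir $1 owned by user $2 with the modes the cron script removed.
suspect_tmp_files() {
    find "$1" -type f -user "$2" \( -perm 0750 -o -perm 0700 -o -perm 0640 \) | LC_ALL=C sort
}

# Classify files directly inside web root $1, following the support reply:
#   exec   = executable bit set (what the trailing * in `ll` output marks)
#   numsuf = name ends in .1, .2, .3, ...
#   hexphp = name is hex digits plus .php (minimum of 8 digits is an assumption)
suspect_web_files() {
    find "$1" -maxdepth 1 -type f | LC_ALL=C sort | while IFS= read -r f; do
        name=${f##*/}
        reason=
        if [ -x "$f" ]; then reason="$reason exec"; fi
        if printf '%s\n' "$name" | grep -Eq '\.[0-9]+$'; then reason="$reason numsuf"; fi
        if printf '%s\n' "$name" | grep -Eq '^[0-9A-Fa-f]{8,}\.php$'; then
            reason="$reason hexphp"
        fi
        if [ -n "$reason" ]; then printf '%s:%s\n' "$name" "$reason"; fi
    done
}

# Demo on constructed data (not taken from an infected NAS).
demo() {
    d=$(mktemp -d)
    touch "$d/index.php" "$d/index.php.1" "$d/0123ABCD4567EF89.php" "$d/helper"
    chmod 0644 "$d"/*; chmod 0750 "$d/helper"
    printf ' 4242 httpdusr  1234 S  /tmp/compma\n 4250 admin  900 S  sshd\n' | suspect_procs
    suspect_web_files "$d"
    suspect_tmp_files "$d" "$(id -u)"
    rm -rf "$d"
}
demo
```

On the NAS, `ps | suspect_procs`, `suspect_web_files /share/Web` and `suspect_tmp_files /tmp httpdusr` cover the three places mentioned in the thread.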
Cerberus
Starting out
Posts: 13
Joined: Thu Nov 03, 2011 11:23 pm

Re: Unknown Thread kthreaddnai

Post by Cerberus »

I have already found out and implemented this myself in places. I observe now whether a Reinstall of the FW has solved the problem now.
dolbyman
Guru
Posts: 35272
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Unknown Thread kthreaddnai

Post by dolbyman »

Cerberus wrote: Wed Nov 28, 2018 2:34 pm I just recently rebuilt the whole system - because the HDDs were not fully usable.
It took me about 1 week of work to fix everything up again ...
From the fact to sham -- that I currently have no HDD space to backup the TB to data
So with an infected system and no way to backup your data, I hope that there is no ransomware sideloaded

Always make sure you have means to externally backup your data (ext. drive,cloud,2nd NAS)
Trexx
Ask me anything
Posts: 5388
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: Unknown Thread kthreaddnai

Post by Trexx »

Cerberus wrote: Wed Nov 28, 2018 3:21 pm I have already found out and implemented this myself in places. I observe now whether a Reinstall of the FW has solved the problem now.
If you have the NAS externally exposed to the internet in any way, it could be a scenario where you are perpetually getting re-infected so Malware cleaner is just dealing with the issue after the fact.
Paul

Model: TS-877-1600 FW: 4.5.3.x
QTS (SSD): [RAID-1] 2 x 1TB WD Blue m.2's
Data (HDD): [RAID-5] 6 x 3TB HGST DeskStar
VMs (SSD): [RAID-1] 2 x1TB SK Hynix Gold
Ext. (HDD): TR-004 [Raid-5] 4 x 4TB HGST Ultastor
RAM: Kingston HyperX Fury 64GB DDR4-2666
UPS: CP AVR1350

Model: TVS-673 32GB & TS-228a Offline
-----------------------------------------------------------------------------------------------------------------------------------------
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq