Unknown Thread kthreaddnai

Thisisnotmyname
Easy as a breeze
Posts: 353
Joined: Mon Nov 19, 2018 1:21 am

Re: Unknown Thread kthreaddnai

Post by Thisisnotmyname » Thu Nov 29, 2018 3:29 am

Cerberus wrote:
Wed Nov 28, 2018 2:27 pm
What?!!!
That's impossible!!
It is NOT the solution to proceed in this way.
The BUG must be found!
I first downloaded the firmware and installed it again.
I had checked beforehand that none of the stuff was left.

But that -- is not possible at all!
Unfortunate as it is, that's solid advice. If QNAP can't provide a reliable method of removing the malware and you're unable to clean it yourself (and even if you thought you could would you really trust that it was fully gone?) then a clean reinstall is a valid solution. No one wants to be in that situation but if the latest feedback from QNAP doesn't resolve your issue you do need to consider it. Just a matter of how long you're willing to wait for a better solution while knowing your system is compromised.

Benna80
Know my way around
Posts: 225
Joined: Tue May 19, 2015 4:43 pm

Re: Unknown Thread kthreaddnai

Post by Benna80 » Thu Nov 29, 2018 7:39 am

Here I am with the pionai problem; I've followed the guide, let's see if I've fixed it.

Cerberus
New here
Posts: 8
Joined: Thu Nov 03, 2011 11:23 pm

Re: Unknown Thread kthreaddnai

Post by Cerberus » Thu Nov 29, 2018 4:21 pm

I have taken the following steps:
- Clean up TMP directory (customized script)
- WEB directory cleanup (delete all foreign PHP scripts and unknown files)
- make index.php (from QNAP) inactive (not required and includes several security bugs)
- NAS reboot
- flash last firmware (again)
- NAS reboot

Now I've been without any particular anomalies for two days.

Benna80
Know my way around
Posts: 225
Joined: Tue May 19, 2015 4:43 pm

Re: Unknown Thread kthreaddnai

Post by Benna80 » Thu Nov 29, 2018 4:32 pm

Cerberus wrote:
Thu Nov 29, 2018 4:21 pm
I have taken the following steps:
- Clean up TMP directory (customized script)
Can you share this script please?

Cerberus
New here
Posts: 8
Joined: Thu Nov 03, 2011 11:23 pm

Re: Unknown Thread kthreaddnai

Post by Cerberus » Fri Nov 30, 2018 12:05 am


Wodahs
New here
Posts: 4
Joined: Fri Nov 30, 2018 1:55 am

Re: Unknown Thread kthreaddnai

Post by Wodahs » Fri Nov 30, 2018 2:04 am

Has anyone figured out what the attacker was/is doing?

Wodahs
New here
Posts: 4
Joined: Fri Nov 30, 2018 1:55 am

Re: Unknown Thread kthreaddnai

Post by Wodahs » Fri Nov 30, 2018 2:13 am

I've turned off all the myQNAPcloud stuff. Rebooting seems to flush the TMP folder. I changed the phpMyAdmin password and quarantined the infected files on the website.

I have mirrored drives, so I assume I can pull one of the drives, reformat the other, update it, then copy the data from the one drive back to the other.

Does anyone have a walkthrough on that?

I'm also concerned about preventing reinfection while updating since I think the default configuration may not be secure.

Thisisnotmyname
Easy as a breeze
Posts: 353
Joined: Mon Nov 19, 2018 1:21 am

Re: Unknown Thread kthreaddnai

Post by Thisisnotmyname » Fri Nov 30, 2018 2:18 am

Wodahs wrote:
Fri Nov 30, 2018 2:04 am
Has anyone figured out what the attacker was/is doing?
I think someone in one of these threads said there was a bitcoin mining application running as at least part of the payload. Who knows what else (if anything) was going on.

dolbyman
Guru
Posts: 12218
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Unknown Thread kthreaddnai

Post by dolbyman » Fri Nov 30, 2018 2:19 am

Wodahs wrote:
Fri Nov 30, 2018 2:04 am
Has anyone figured out what the attacker was/is doing?
with a CPU usage that high .. probably cryptomining, and maybe a botnet to infect more devices, but it could be many things (and many things can probably be sideloaded at any time)

Thisisnotmyname
Easy as a breeze
Posts: 353
Joined: Mon Nov 19, 2018 1:21 am

Re: Unknown Thread kthreaddnai

Post by Thisisnotmyname » Fri Nov 30, 2018 2:22 am

Wodahs wrote:
Fri Nov 30, 2018 2:13 am

I have mirrored drives so I assume I can pull one of the drives, reformat the other update it, then copy the data from the one drive back to the other.
That won't accomplish much other than burn a lot of your time. If by "copy the data back" you were going to rebuild the array from the second drive you'll bring back any infected files with it. If by "copy the data back" you were intending to copy specific files manually then you might as well just back up the specific files (that you know or reasonably expect are clean) and then not mess around with splitting the array, just blow the whole thing away and then restore your backed up files from cloud/external backup.

Wodahs
New here
Posts: 4
Joined: Fri Nov 30, 2018 1:55 am

Re: Unknown Thread kthreaddnai

Post by Wodahs » Fri Nov 30, 2018 2:56 am

Thisisnotmyname wrote:
Fri Nov 30, 2018 2:22 am
Wodahs wrote:
Fri Nov 30, 2018 2:13 am

I have mirrored drives so I assume I can pull one of the drives, reformat the other update it, then copy the data from the one drive back to the other.
That won't accomplish much other than burn a lot of your time. If by "copy the data back" you were going to rebuild the array from the second drive you'll bring back any infected files with it. If by "copy the data back" you were intending to copy specific files manually then you might as well just back up the specific files (that you know or reasonably expect are clean) and then not mess around with splitting the array, just blow the whole thing away and then restore your backed up files from cloud/external backup.
I was only going to copy back the data from the shared folders, (I do reasonably expect those are clean.) Not rebuild the array from the second drive, that would totally defeat the purpose of doing this.

How would you recommend reformatting/reloading the NAS without getting reinfected while getting it locked down?

Benna80
Know my way around
Posts: 225
Joined: Tue May 19, 2015 4:43 pm

Re: Unknown Thread kthreaddnai

Post by Benna80 » Fri Nov 30, 2018 3:21 am

By the way, after following the instructions and re-enabling the web server I have very low CPU usage and no trace of the pionai process.
So I think I've deleted at least the process; low CPU usage and no network activity, I'm very happy with this.

kameha
Starting out
Posts: 10
Joined: Wed Mar 28, 2018 8:45 am

Re: Unknown Thread kthreaddnai

Post by kameha » Fri Nov 30, 2018 4:12 pm

Hello all!

I've been running my NAS with no sign of "pionai" for a week now.
Here are the steps I took:
- Run custom script to kill malware process and remove infected files (see last version below)
- Change phpMyAdmin password
- Close port 80 on my router (all traffic goes through HTTPS)
- Installed Malware Remover manually as recommended by QNAP (but it didn't find anything)

Code:

#!/bin/bash
# Uses bash arrays, so it must run under bash, not the busybox /bin/sh on QTS.

NOW=$(date '+%Y%m%d%H%M%S')
LOG_FILE=/share/kameha/clean.log

if [ ! -f "${LOG_FILE}" ]; then
    touch "${LOG_FILE}"
fi

echo "Running at ${NOW}" >> "${LOG_FILE}"

# Kill the known malware processes. awk '{print $1}' assumes the busybox
# ps layout on QTS (PID in the first column); a procps-style ps -ef prints
# the UID first and the PID second.
for name in '/tmp/compma' 'pionai' 'kthreaddnai'; do
    ps -ef | grep "$name" | grep -v grep | awk '{print $1}' | xargs -r kill -9
done

SAVEIFS=$IFS
IFS=$(printf '\n\b')   # split the find output on newlines only

# Every regular file owned by httpdusr/administrators with one of the
# permission sets seen on the infected files. This deletes matches from the
# whole filesystem, so check the log before trusting the result.
files=( $(find / -type f -user httpdusr -group administrators \
          \( -perm 0750 -o -perm 0700 -o -perm 0640 -o -perm 0755 \)) )

for file in "${files[@]}"; do
    echo "Removing $file" >> "${LOG_FILE}"
    rm -f "$file"
done

IFS=$SAVEIFS

echo "End of Run" >> "${LOG_FILE}"
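As an added example (not kameha's script, not Cerberus's cleanup script, and not QNAP code), here is a defender-oriented variant of the same cleanup steps discussed in this thread: the process check reads ps output from stdin and locates the PID column from the header, so it works on both the busybox ps of QTS and a procps ps -ef, and the file sweep quarantines matching files with a timestamp and SHA-256 record instead of deleting them, which keeps the samples available for analysis. The owner name, paths, function names and the two ps snapshots are constructed for illustration; the process names and permission sets are the ones reported above.

```shell
#!/bin/sh
# Added example: quarantine-instead-of-delete variant of the thread's cleanup.
# Everything below (paths, owner, ps snapshots) is constructed for illustration.

# Process names reported in this thread.
KNOWN_NAMES='compma|pionai|kthreaddnai'

# Print the PIDs of processes whose ps line matches KNOWN_NAMES.
# Reads ps output on stdin (`ps -ef | suspicious_pids`) or a saved snapshot.
# The PID column is taken from the header line, so busybox ps (PID first)
# and procps ps -ef (UID first, PID second) are both handled.
suspicious_pids() {
    awk -v pat="$KNOWN_NAMES" '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "PID") col = i; next }
        col && $0 ~ pat && $0 !~ /awk|grep/ { print $col }'
}

# Move every regular file under $1 owned by $2 with one of the permission sets
# seen on the infected files into quarantine dir $3, logging timestamp,
# SHA-256 and original path to $4. The quarantine dir must lie outside $1,
# otherwise the moved files would be found again on the next run.
quarantine_files() {
    root=$1; owner=$2; qdir=$3; log=$4
    mkdir -p "$qdir"
    find "$root" -type f -user "$owner" \
        \( -perm 0750 -o -perm 0700 -o -perm 0640 -o -perm 0755 \) |
    while IFS= read -r f; do
        sum=$(sha256sum "$f" | awk '{print $1}')
        dest="$qdir/$(printf '%s' "$f" | tr '/' '_')"
        printf '%s\t%s\t%s\n' "$(date '+%Y%m%d%H%M%S')" "$sum" "$f" >> "$log"
        mv "$f" "$dest"
        chmod 0400 "$dest"   # readable for analysis, no longer executable
    done
}

# Number of files currently held in quarantine dir $1.
quarantine_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

# Constructed ps -ef snapshot in procps layout (not captured from a real NAS).
SAMPLE_PS_PROCPS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Nov28 ?        00:00:03 /sbin/init
httpdusr  4711  1234 99 Nov28 ?        03:12:55 /tmp/compma/pionai
admin     5020     1  0 Nov28 ?        00:00:00 /usr/sbin/sshd'

# Constructed snapshot in busybox layout.
SAMPLE_PS_BUSYBOX='  PID USER       TIME  COMMAND
    1 admin      0:03 init
 4712 httpdusr 192:55 kthreaddnai'

# Stand-alone demo on a throwaway directory owned by the current user.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/web"
    printf 'constructed sample' > "$t/web/dropper.php"
    printf 'constructed sample' > "$t/web/index.html"
    chmod 0755 "$t/web/dropper.php"   # matches the sweep
    chmod 0644 "$t/web/index.html"    # does not match, stays in place
    printf '%s\n' "$SAMPLE_PS_PROCPS" | suspicious_pids
    printf '%s\n' "$SAMPLE_PS_BUSYBOX" | suspicious_pids
    quarantine_files "$t/web" "$(id -un)" "$t/quarantine" "$t/clean.log"
    cat "$t/clean.log"
    rm -rf "$t"
}

demo
```

On a real NAS the owner argument would be httpdusr and the root argument the web share (or / as in the script above); the log then doubles as an inventory of what was removed from where, which is what you want to hand over if the compromise is investigated later.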

OneCD
Ask me anything
Posts: 5839
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Unknown Thread kthreaddnai

Post by OneCD » Fri Nov 30, 2018 4:25 pm

You guys should create a Community Malware Remover QPKG. ;)

production NAS: TS-569 Pro with Debian 9.8 'Stretch' (power on/off times are < 1 minute).
backup NAS: TS-559 Pro+ with QTS 4.2.6 #20181227

one.cd.only@gmail.com


Wodahs
New here
Posts: 4
Joined: Fri Nov 30, 2018 1:55 am

Re: Unknown Thread kthreaddnai

Post by Wodahs » Sat Dec 01, 2018 3:02 am

dolbyman wrote:
Wed Nov 28, 2018 7:58 am
operating a NAS that had it's firmware modified .. bad idea .. kill it and start from scratch
Which of these options would that be:

1. Restore Factory Defaults & Format All Volumes
2. Reset Settings
3. Reinitialize NAS

I assume it's 1 or 3?
