Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

[ianch99]

Since recent firmware updates, the ClamAV Antivirus fails to update due to 700+ clamav.net entries in /etc/hosts, all set to 0.0.0.0 e.g.

0.0.0.0 bugs.clamav.net
0.0.0.0 current.cvd.clamav.net
0.0.0.0 database.clamav.net
0.0.0.0 db.local.clamav.net
0.0.0.0 update.nai.com
0.0.0.0 db.ac.clamav.net
0.0.0.0 db.ac.ipv6.clamav.net
0.0.0.0 db.ac.big.clamav.net
<snip>

As they are all set to 0.0.0.0, the ClamAV update fails. If you remove these entries, the update runs fine but they return on after rebooting.

Has anyone seen this or have any clues?

I have logged a ticket with QNAP and they asked me to set DNS to the Google servers and to do a 3 second reset via the pinhole. This I did but no change in behaviour .. the problem remains

Very strange ..

[Don]

Do you run the malware remover? Is your NAS accessible from the internet? If so you might have been hacked.

[ianch99]

Malware Remover 3.3.1 is running daily and is reporting clean. As for internet access, the only access is indirect via apps such as Plex, Serviio and Cloudlink. These are all protected by (different) strong passwords.

On a qnap, what code is run when booting that may populate the /etc/hosts file? Something, somewhere is adding these entries ... autorun.sh is reported as empty in Control Panel --> Hardware --> General

[Don]

No idea what might be setting that. You could try uninstalling and reinstalling clamav.

[ianch99]

No idea what might be setting that. You could try uninstalling and reinstalling clamav.

ClamAV seems a built in app so I guess I would need to reset the NAS i.e. a 10 second reset?

[Don]

Not in front of my NAS but thought it was an add in app. I could be wrong.

[Toxic17]

clamav is built in as the default av application on most QTS's. I think some of the older versions it may have been a QPKG.

the worrying factor is entries in the /etc/host file.

I have no clamav entries at all in 3 of my QNAPs /etc/host file

I suggest you remove these, and I am guessing something has added them. more likely a trojan or virus/malware.

did you tell QNAP of your 700+ entries of clamav in your host file?

[ianch99]

clamav is built in as the default av application on most QTS's. I think some of the older versions it may have been a QPKG.

the worrying factor is entries in the /etc/host file.

I have no clamav entries at all in 3 of my QNAPs /etc/host file

I suggest you remove these, and I am guessing something has added them. more likely a trojan or virus/malware.

did you tell QNAP of your 700+ entries of clamav in your host file?

I have told QNAP of this issue i.e. the hosts file "bonus" entries that reappear on reboot. No response yet as such, just the usual boilerplate response i.e. please reset this & that.

This is the crucial question, and it is one for you all to ponder on: if this is "malware" and not some weird QNAP o/s behaviour then why does ClamAV and the Malware Remover not comment on the presence of said malware "signature" in /etc/hosts? After all, it is plain sight in /etc in an unencrypted text file. I mean, even I can write a virus checker to look for this!

Very concerning ... if this cannot be "discovered" in plain sight then what hope for detecting a sophisticated piece of malware?

[Toxic17]

av and malware are only good if they know the type of attack. if this is a new type of attack, then maybe clamav or malware app do not know about it. the fact host file has 0.0.0.0 for all clamav URLS suggest you will never get an update so it stops any av dat file finding the issue in the first place.

these entries have been added to stop clamav from updating. who would do this? a hacker. no one else.
I suggest you remove the av entries, try an AV update.

BTW ClamAV does not by default scan the QNAP OS. only the shared file area.

do you allow your NAS to have internet access or use any cloudbased app on the QNAP? something like myQNAPcloud?? thats usually how it gets infected.

even if the av now works you have an infected OS. really the only thing to do with that is wipe the QNAP and start again, restore your shared data from a backup that you should be doing. else it will probably happen again. if you use myqnapcloud, then your gonna have to change passwords and possibly get a new account. Personally I dont use myqnapcloud, plenty have been hacked this way.

[jhand00]

I appear to have been hacked the same way. My system wasn't updating the system firmware either and I had all of those clamav.net entries in /etc/hosts.

[jhand00]

I did have qnapcloud enabled. My guess is that it was through that, but other possibilities are that I had https access available from the Internet, along with port forwarding to a Plex server on the QNAP server.

[ianch99]

I did have qnapcloud enabled. My guess is that it was through that, but other possibilities are that I had https access available from the Internet, along with port forwarding to a Plex server on the QNAP server.

Glad to know I am not going mad! Don't bother with the 3 and 10 second resets, they do not fix the problem.

Out of interest, I downgraded to 4.3.4.0675 firmware and the hosts file did not have the 700+ entries. I then upgraded to 4.3.4.0695 and they came back . I am thinking it is related to the config settings that persist on the /share/CACHEDEV1_DATA device. There is a new Malware Remover version 3.4.0 that came out yesterday so QNAP know that they have an issue here. I ran this and it says it "Malware was detected and removed. You must restart the NAS". You do this and then it runs on restart and says the same thing --> endless loop.

I am checking my backups and will reset the entire machine inc. raid array using latest firmware to get out of this. Total waste of my time.

Last thoughts:

I bought the QNAP based on its reputation and I feel personally let down. All software has problems but it seems that QNAP is reluctant to be honest with its customers. In order to detect malware, you are usually responding to an exploit that has a designation and documented behaviour. Most if not all, anti-malware software will inform the user that it has detected a known signature. None that I know of just says "I have found malware" except QNAP's application. If I knew what malware was found, I could mitigate any risks that it may have introduced with my system and my data. With QNAP, we are flying blind and have no idea what has been compromised.

Some users have commented that they never use any of the internet facing features due to security concerns. If so, what are you saying about QNAP and also why buy something when you "shouldn't use" many of the features you bought the unit for in the first place.

[Thisisnotmyname]

Some users have commented that they never use any of the internet facing features due to security concerns. If so, what are you saying about QNAP and also why buy something when you "shouldn't use" many of the features you bought the unit for in the first place.

I'm sure you're frustrated right now but that's hyperbole to say not exposing your unit directly to open internet equates to not using many futures of the unit. Your laptop likely has a web server you could install (like IIS) but you'd never think of exposing it out to the open internet and running a web site from it, does that mean you can't use many features of your laptop? of course not. Many people will though run an intranet web site from their QNAP NAS, that's not exposed to the public internet but utilizing a technology of the device. Others may expose their QNAP's features across the internet but shield that access behind a VPN (either QNAP's own or a hardware VPN) so their not allowing the entire world to attempt to exploit their device (other than attacking the VPN which is less vulnerable than say a web server or an admin tool like phpmyadmin).

[ianch99]

Some users have commented that they never use any of the internet facing features due to security concerns. If so, what are you saying about QNAP and also why buy something when you "shouldn't use" many of the features you bought the unit for in the first place.

I'm sure you're frustrated right now but that's hyperbole to say not exposing your unit directly to open internet equates to not using many futures of the unit. Your laptop likely has a web server you could install (like IIS) but you'd never think of exposing it out to the open internet and running a web site from it, does that mean you can't use many features of your laptop? of course not. Many people will though run an intranet web site from their QNAP NAS, that's not exposed to the public internet but utilizing a technology of the device. Others may expose their QNAP's features across the internet but shield that access behind a VPN (either QNAP's own or a hardware VPN) so their not allowing the entire world to attempt to exploit their device (other than attacking the VPN which is less vulnerable than say a web server or an admin tool like phpmyadmin).

I have to disagree. If the product is advertised with features that link the unit with internet (myQNAPCloud, QSync, etc.) it not unreasonable to expect to use they as documented. You say that "Others may expose their QNAP's features across the internet but shield that access behind a VPN (either QNAP's own or a hardware VPN)". I agree this is more secure but it is more difficult and here's the rub, QNAP do not warn people (from what I can see) to only use these internet-facing services behind a VPN. Moreover, the product pages encourage direct access e.g.

https://support.myqnapcloud.com/feature ... =cloudlink

CloudLink is the best remote access service provided by myQNAPcloud that allows you to connect to your device via the Internet using the myQNAPcloud website (www.myqnapcloud.com). No complicated port forwarding settings on the router are required: just install CloudLink App on device App Center and sign in myQNAPcloud ID (QID) on your device. Then you can access files from the myQNAPcloud website. CloudLink will select the best connection for you according to your network environment. In addition to the web-based connection, CloudLink also allows you to connect to your QNAP device with QNAP Mobile Apps Qfile, Qmanager and the PC utility Qsync. CloudLink makes remote connectivity so easy.

I see no disclaimer to only use these services via a VPN unless I have missed this ..

[dolbyman]

QNAP promised lots of things on their product pages, that does not mean they work well (4k playback,karaoke,etc) or are hardened enough to not get you hacked (personal cloud,photo/video sharing,etc)

That is how marketing (sadly) works

pretty sure the *terms and conditions* you have to accept also makes you wave all liability for data loss or theft