qone1one wrote: Fri May 10, 2019 11:35 pm
kellic wrote: Fri May 10, 2019 10:58 pm
qone1one wrote: Fri May 10, 2019 8:28 pm
"We have enhanced the built-in security mechanism in the QTS versions listed below. This enhancement allows QTS to disable the malware"
This is the bit I don't get. I noticed that after upgrading to the latest firmware I was still able to download the Malware Removal tool manually, run it, and have it remove the malware, only to have it tell me that it has removed the malware and that I need to change my passwords every time I boot the NAS. So something is still there and I'm no closer to understanding the problem.
Question. Do the entries in the host file come back after the scan and reboot?
Just wanted to get clarification. It is verbatim saying you need to change your password on _EVERY_ reboot? I can understand the thinking of requiring a change of password on _A_ reboot as this malware may have compromised your admin password. But there is no reason on EVERY reboot.
Host files, how would I check that?
Yes, password change advice comes up every time I run the Malware Remover (which I'm not even sure I need, as my FW is at 4.3.6.0923 and "This enhancement allows QTS to disable the malware" makes me think it's included in the package now). However, each time I reboot and run the tool again I'm told that the remover has "Repaired infected file or folder: Name: /tmp/config/autorun.sh" along with the change passwords advice and to reboot the NAS again. So stuck in a loop. :s
Also I have seen the advisory from QNAP "Warning: If your NAS device is already infected, updating QTS and all NAS applications may not completely remove the malware. QNAP is currently working on a removal solution and will update this advisory once it is publicly available." - does this mean that the current Malware Removal Tool is no good and we are to wait for another one? It's not clear to me.
Sounds like a standard cover-your-*coughs*-assets response from QNAP, or from any large company actually. If the scan doesn't come back with anything and the host file isn't altered with hundreds of entries you should be fine.
Disclaimer: I'm still in the research / observation phase of purchasing a QNAP. But it's based on Linux, so it should be the same as any *nix distro. You will want to "cat" the hostfile. The host file is like a little black book that converts names into phone numbers, or in this case IP addresses. If the White Pages (DNS) are for the world, the host file is what is looked at first, before going to the White Pages phone book.
You will need to SSH/PuTTY into your NAS. (I'm unaware if there is a local app that lets you access the shell from the Web GUI. Best I can tell there is not.)
Prerequisite:
Download Putty to your system:
https://www.chiark.greenend.org.uk/~sgt ... atest.html
Enable SSH access if you haven't already. A basic SSH server is already installed and configured in your NAS, but you'll need to check that it's enabled. Log in to your NAS QTS desktop and navigate to Control Panel -> Network Services -> Telnet / SSH. Only enable SSH. Telnet is NOT secure.
TIP: YOU SHOULD ALWAYS DISABLE THIS ONCE DONE UNLESS YOU ARE CERTAIN THAT THIS IS NOT PRESENTED TO THE INTERNET. JUST REVERSE THE ABOVE PROCESS.
Then use the following to get into an SSH session.
[HOWTO] use the Linux command line
viewtopic.php?t=128704
The short of it: in the PuTTY session, from the same network as your QNAP is on, type the IP address, set the connection type to SSH, and click Open. Type your credentials and hit Enter.
Again I don't have a QNAP yet but I'm going to assume that this has the hostfile in the same place as all *nix systems.
From the command line run
cat /etc/hosts
If the thing scrolls a lot, you can do the following to inspect it; run
cat /etc/hosts | more
Hit Enter to proceed line by line.
Ctrl-C to end the scrolling.
Easier: you can do grep 0.0.0.0 /etc/hosts
If you still have entries like this:
0.0.0.0 bugs.clamav.net
0.0.0.0 current.cvd.clamav.net
0.0.0.0 database.clamav.net
0.0.0.0 db.local.clamav.net
0.0.0.0 update.nai.com
0.0.0.0 db.ac.clamav.net
0.0.0.0 db.ac.ipv6.clamav.net
0.0.0.0 db.ac.big.clamav.net
You are either still at risk or the malware removal software didn't clean up the mess, but may have at least removed the offending malware. If that is the case I'd open a support ticket with QNAP.
Frankly they should get spammed into the ground with this, as this SHOULD be a pain point for them. Microsoft took security lightly until security problems bit them in the *** with Windows XP. Service Pack 2 was the beginning, but JUST the beginning, of them taking it seriously, as they were swamped with support cases, and companies and businesses calling out that BS. Today Windows is FAR more secure than it used to be, and it is all due to pressure to get their **** fixed.
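The check described in the post above (grep the hosts file for 0.0.0.0 entries that sinkhole the AV update servers), written up as a small POSIX sh script. This is an added example, not code from the post or from QNAP; the hosts file it scans is a constructed sample written to a temp file, and the default path /etc/hosts and the exclusion of the normal localhost line are assumptions. It goes slightly beyond the post by also catching 127.0.0.1 sinkholes and by separating "any sinkhole entry" from "hits on the AV update domains the post lists".

```shell
#!/bin/sh
# Added example (not from the forum post): scan a hosts file for sinkhole
# entries, i.e. hostnames mapped to 0.0.0.0 or 127.0.0.1, which the post
# describes as the sign that AV update servers have been blocked.

# Domains the post lists as blocked. A hit on any of these is high priority;
# any other 0.0.0.0/127.0.0.1 line is still reported as suspicious.
AV_UPDATE_PATTERN='clamav\.net|update\.nai\.com'

# Print every hosts line that sinkholes a name (0.0.0.0 or 127.0.0.1),
# skipping the normal "127.0.0.1 localhost" entry (assumed to be benign).
sinkholed_lines() {
    hostsfile="${1:-/etc/hosts}"
    grep -E '^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+' "$hostsfile" \
        | grep -Ev '[[:space:]](localhost|localhost\.localdomain)([[:space:]]|$)' \
        || true
}

# Number of sinkholed entries; 0 means the file looks clean.
count_sinkholed() {
    sinkholed_lines "$1" | wc -l | tr -d ' '
}

# Number of sinkholed entries that hit the AV update domains from the post.
count_av_blocked() {
    sinkholed_lines "$1" | grep -Ec "$AV_UPDATE_PATTERN" || true
}

# Human-readable verdict, with the offending lines listed when there are any.
report() {
    hostsfile="${1:-/etc/hosts}"
    n=$(count_sinkholed "$hostsfile")
    if [ "$n" -eq 0 ]; then
        echo "OK: no sinkhole entries in $hostsfile"
    else
        echo "WARNING: $n sinkhole entries in $hostsfile" \
             "(AV update hosts hit: $(count_av_blocked "$hostsfile"))"
        sinkholed_lines "$hostsfile"
    fi
}

# Constructed sample hosts files (not taken from any real NAS).
SAMPLE_HOSTS="$(mktemp)"
CLEAN_HOSTS="$(mktemp)"
trap 'rm -f "$SAMPLE_HOSTS" "$CLEAN_HOSTS"' EXIT

cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost
192.168.1.20 nas.local
0.0.0.0 bugs.clamav.net
0.0.0.0 database.clamav.net
0.0.0.0 update.nai.com
127.0.0.1 db.ac.clamav.net
0.0.0.0 example.invalid
EOF

cat > "$CLEAN_HOSTS" <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost
EOF

# Against the constructed sample this reports 5 sinkhole entries, 4 of them
# on the AV update domains; against the clean file it reports OK.
report "$SAMPLE_HOSTS"
report "$CLEAN_HOSTS"
```

To run it against the NAS itself, call report with no argument (or report /etc/hosts) from the SSH session described above; a non-zero count means the hosts file still carries the entries the post describes, regardless of what the removal tool reports.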