Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
-
- Starting out
- Posts: 12
- Joined: Tue Feb 21, 2017 5:32 am
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
Support has informed me that the malware in question is stealing passwords of the NAS accounts. Beyond that they do not at this time know much about its specific behaviors. So obviously change everything.
Personally I'd also suggest you change any passwords stored on the NAS via any means. That would include passwords of, say, email accounts being used for notifications.
TVS-682|i3-6100|48GB|2x1TB Samsung 860 EVO (Raid1 - VMs & Apps)|4x6TB WD Red (Raid 5 - Data, Security Cams, Media)
10 POE IP Cams - 6 ReoLink (RLC-411, RLC-423, RLC-420, E1) - 4 AMCrest (IP2M-814E, IP3M-941)
-
- New here
- Posts: 5
- Joined: Sat Jan 26, 2019 4:23 am
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
I am curious: how do I find /etc/hosts? My AV isn't updating despite attempts to do it manually and I want to check this out. Thanks.
- OneCD
- Guru
- Posts: 12039
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
Hi and welcome to the forum.
... to view that file.
Please SSH into your NAS as the 'admin' user then use:
cat /etc/hosts
- Toxic17
- Ask me anything
- Posts: 6469
- Joined: Tue Jan 25, 2011 11:41 pm
- Location: Planet Earth
- Contact:
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
Either SSH into the NAS or, if using Windows, use WinSCP.
Regards Simon
Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following
NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
-
- New here
- Posts: 5
- Joined: Sat Jan 26, 2019 4:23 am
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
Thanks for the quick reply. That took a while to figure out since SSH was blocked on the router, but I was able to enable it through the QNAP server, which was pretty cool and scary to be able to do since it is at my wife's office. Anyway, sure enough there are tons of 0.0.0.0 clamav entries in there. This NAS is used exclusively for work files and is backed up on alternating external hard drives, so I think I will wait a bit and hope QNAP can fix it before trying to wipe the whole thing. I do know that there are IP bans every few weeks from random countries trying to get in, and a few other computers on the network have been compromised in the past. So, it was only a matter of time before someone got in. I guess I will need to study up on QNAP security this weekend.
- OneCD
- Guru
- Posts: 12039
- Joined: Sun Aug 21, 2016 10:48 am
- Location: "... there, behind that sofa!"
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
You could remove those entries from [/etc/hosts] with a single command, but it's quite likely they will be re-added by whatever malware is running on that NAS.
edit: Use this to remove all lines starting with '0.0.0.0':
sed -i '/^0.0.0.0/d' /etc/hosts
Last edited by OneCD on Sat Jan 26, 2019 6:12 am, edited 1 time in total.
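The two commands above (read the file, then delete every line starting with 0.0.0.0) are what OneCD posted. As an added example that is not from the thread, here is a small POSIX sh script that does the defender's version of the same job: it reports only the sink entries that hit update or antivirus domains (so legitimate 127.0.0.1 lines survive), writes a cleaned copy instead of editing /etc/hosts in place, and exits non-zero when entries are present so it can run from cron and alert if they come back, which is exactly the re-adding behaviour OneCD warns about. The watched domain list and the sample hosts file are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a hosts file for entries that
# sink update/AV domains to 0.0.0.0, 127.0.0.1 or ::1 (the symptom discussed
# here), and produce a cleaned copy without editing the original in place.

# Domains an infected NAS has no business blackholing. Assumed list; extend it.
WATCH_DOMAINS="clamav.net qnap.com"

# Print "<sink-ip> <hostname>" for every watched domain (or subdomain of it)
# that the file maps to a sink address. Comments are ignored. Kept in awk so
# it also works with the busybox awk found on NAS firmware.
find_blackholed() {
    sed -e 's/#.*//' "$1" |
    awk -v watch="$WATCH_DOMAINS" '
        BEGIN { n = split(watch, w, " ") }
        $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1" {
            for (i = 2; i <= NF; i++)
                for (j = 1; j <= n; j++)
                    if ($i == w[j] ||
                        substr($i, length($i) - length(w[j])) == "." w[j])
                        print $1, $i
        }'
}

# Number of such entries, as a bare integer.
count_blackholed() {
    find_blackholed "$1" | wc -l | tr -d ' '
}

# Write a copy of $1 to $2 with the offending lines removed. The original is
# left untouched so it can be kept as evidence of the tampering.
clean_hosts() {
    bad=$(find_blackholed "$1" | awk '{ print $2 }' | sort -u | tr '\n' ' ')
    awk -v bad="$bad" '
        BEGIN { n = split(bad, b, " "); for (i = 1; i <= n; i++) B[b[i]] = 1 }
        $1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::1" {
            for (i = 2; i <= NF; i++) if ($i in B) next
        }
        { print }' "$1" > "$2"
}

# Non-zero exit when entries are present, so a cron job can alert when the
# malware re-adds them after a cleanup.
audit_hosts() {
    n=$(count_blackholed "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n blackholed entries in $1" >&2
        find_blackholed "$1" >&2
        return 1
    fi
    echo "OK: no blackholed entries in $1"
}

# Constructed sample standing in for /etc/hosts on an affected unit.
make_sample() {
    cat > "$1" <<'EOF'
127.0.0.1 localhost
::1 localhost ip6-localhost
192.168.1.10 nas.office.lan
0.0.0.0 clamav.net
0.0.0.0 database.clamav.net
0.0.0.0 www.clamav.net   # not written by the admin
0.0.0.0 update.qnap.com
EOF
}

# Demo: audit the sample, write a cleaned copy, audit that too.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/hosts"
audit_hosts "$demo_dir/hosts" || echo "-> $demo_dir/hosts needs cleaning"
clean_hosts "$demo_dir/hosts" "$demo_dir/hosts.clean"
audit_hosts "$demo_dir/hosts.clean"
rm -rf "$demo_dir"
```

On a real unit you would run `audit_hosts /etc/hosts` from cron and only swap in the cleaned copy after the rest of the cleanup is done; a clean file that turns dirty again minutes later tells you the malware is still running, which is the more useful signal than the file itself.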
- Don
- Guru
- Posts: 12289
- Joined: Thu Jan 03, 2008 4:56 am
- Location: Long Island, New York
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
jnlines wrote: ↑Sat Jan 26, 2019 5:54 am
    so I think I will wait a bit and hope QNAP can fix it before trying to wipe the whole thing. I do know that there are IP bans every few weeks from random countries trying to get in and a few other computers on the network have been compromised in the past. So, it was only a matter time before someone got in. I guess I will need to study up on QNAP security this weekend.
Good idea. Leave your NAS infected. You have a big problem if your NAS and other devices in the past have been compromised. You need to fire whoever does the IT security and find someone that knows what they are doing.
Use the forum search feature before posting.
Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.
NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
-
- New here
- Posts: 5
- Joined: Sat Jan 26, 2019 4:23 am
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
Unfortunately, it is a shared office environment, so there is no IT guy. And yes, it is a big problem; that was one of the reasons I set up a NAS. We needed all the reliability that one provided as well as online access; I had just naively thought it would be more secure out of the box. Anyway, I merely dabble in computers and networking, so fixing this is a bit above my pay grade and knowledge at the moment. Thanks again for the recommendations.
-
- Easy as a breeze
- Posts: 495
- Joined: Tue Aug 25, 2015 7:06 pm
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
Folks,
Let's use the collective wisdom here and the details of the people who are having this problem to figure out WHY and HOW they got infected.
That'll help me secure my system.
NAS: TS-453Be
RAM:Crucial 8GB Kit (2 x 4GB) DDR3L-1600 SODIMM CT2KIT51264BF160B
QTS: 5.1.4
HDD's: RAID 6: Four 8TB WD Red (WD80EFAX)
USB HDD: One 12 TB WD Elements (WDBWLG0120HBK-NESN)
Switch: Netgear GS108
- Don
- Guru
- Posts: 12289
- Joined: Thu Jan 03, 2008 4:56 am
- Location: Long Island, New York
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
That’s easy. There are ports forwarded on the router to the NAS that allowed an attacker in.
Use the forum search feature before posting.
Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.
NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
- Toxic17
- Ask me anything
- Posts: 6469
- Joined: Tue Jan 25, 2011 11:41 pm
- Location: Planet Earth
- Contact:
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
jnlines wrote: ↑Sat Jan 26, 2019 5:54 am
    Thanks for the quick reply. That took awhile to figure out since SSH was blocked on the router, but I was able to enable it through the QNAP server, which was pretty cool and scary to be able to do since it is at my wife's office. Anyway, sure enough there are tons of 0.0.0.0 clamav entries in there. This NAS is used exclusively for work files and is backed up on alternating external hard drives, so I think I will wait a bit and hope QNAP can fix it before trying to wipe the whole thing. I do know that there are IP bans every few weeks from random countries trying to get in and a few other computers on the network have been compromised in the past. So, it was only a matter time before someone got in. I guess I will need to study up on QNAP security this weekend.
Firstly, how are you connecting into your wife's office (from home???)? Are you using a VPN? If not, and you are connecting directly, then this is how you got hacked.
Regards Simon
Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following
NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
-
- Starting out
- Posts: 32
- Joined: Thu Apr 23, 2015 3:42 am
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
I just bought a new 10TB hard drive and am reinstalling a fresh system on my NAS now. If I was hacked from the outside, my best guess is that I was hacked via myQNAPcloud. I had that disabled for years, but for some reason re-enabled it towards the end of last year. I think I was hacked not long after enabling that. My other points of entry could have been Plex, OpenVPN, PPTP, or some vulnerability related to the HTTPS web interface. I'm sure they couldn't have guessed my admin or other user names, because those are random sequences of more than 20 characters and symbols.
-
- Easy as a breeze
- Posts: 495
- Joined: Tue Aug 25, 2015 7:06 pm
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
What settings/activities on the NAS result in open/forwarded ports?
That's so that we can avoid making those mistakes. Or maybe there are some bugs in QTS that allowed the intrusions.
QNAP has an article on good security practices:
https://www.qnap.com/en/how-to/faq/arti ... re-secure/
Did the folks here do something different?
Let's learn from others' experience.
We should make a list of such risky activities.
1. Disable UPnP on the router.
2. Avoid network protocols that are not needed for the installation. Example: Telnet, FTP, media servers, SMTP.
The problem is that sometimes people do need to access these features from the WAN. As such, port forwarding will be essential for those folks.
How do they secure their systems?
NAS: TS-453Be
RAM:Crucial 8GB Kit (2 x 4GB) DDR3L-1600 SODIMM CT2KIT51264BF160B
QTS: 5.1.4
HDD's: RAID 6: Four 8TB WD Red (WD80EFAX)
USB HDD: One 12 TB WD Elements (WDBWLG0120HBK-NESN)
Switch: Netgear GS108
-
- Starting out
- Posts: 32
- Joined: Thu Apr 23, 2015 3:42 am
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
OK. Bad news. I pulled the old hard drives and went through the whole system initialization stuff again. After rebooting, the bogus clamav entries are back in my /etc/hosts file. I had the old hard drives pulled from the system during all of this. I don't want to reinitialize everything with a clean DOM, but may end up doing that. I'll post what happens.
- dolbyman
- Guru
- Posts: 35024
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries
alokeprasad wrote: ↑Sat Jan 26, 2019 9:56 am
    The problem is that sometimes people do need to access these features from the WAN. As such, port forwarding will be essential for those folks.
    How do they secure their systems?
VPN. Everything else is a game with fire. QNAP has shown time and time again that the units should not be exposed.
I access my NAS from worldwide locations via OpenVPN (the router does the server and also the clients). Works just fine.
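alokeprasad's list above (drop UPnP, switch off protocols you don't need, only forward what is essential) and dolbyman's answer (expose the VPN and nothing else) both come down to one question: which services on the NAS are actually listening on every interface, and is each one on your allowlist? As an added example that is not from the thread, the POSIX sh script below parses the output of `netstat -tuln` (saved to a file on the NAS; the column layout is assumed to be the usual one), lists every listener bound to 0.0.0.0 or ::, and flags those missing from an allowlist such as "tcp/22 udp/1194", i.e. SSH and OpenVPN only. The sample netstat output and the port name hints are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: take saved `netstat -tuln` output,
# list every service bound to all interfaces, then flag those not on an
# allowlist. Anything flagged is a candidate for "turn it off" or, at the
# very least, "never forward it on the router".

# Names for a few ports that appear in this thread's list of risky services.
# Assumed annotations only; the port number is what the check relies on.
port_hint() {
    case "$1" in
        21)   echo "ftp" ;;
        23)   echo "telnet" ;;
        25)   echo "smtp" ;;
        1194) echo "openvpn" ;;
        1900) echo "ssdp/upnp" ;;
        8080) echo "http-alt" ;;
        *)    echo "-" ;;
    esac
}

# Print "proto/port" for each listener bound to 0.0.0.0 or :: (all interfaces).
# Loopback-only listeners (127.0.0.1, ::1) cannot be reached from the LAN or
# through a forwarded port, so they are skipped.
exposed_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)        # strip the trailing ":port"
            sub(/.*:/, "", port)            # keep only the port
            proto = substr($1, 1, 3)
            if (addr == "0.0.0.0" || addr == "::" || addr == "")
                print proto "/" port
        }' "$1"
}

# Print exposed listeners that are not in the allowlist ($2: space-separated
# "proto/port" tokens, e.g. "tcp/22 udp/1194"). Returns 1 if any are found.
unexpected_listeners() {
    found=0
    for svc in $(exposed_listeners "$1"); do
        case " $2 " in
            *" $svc "*) ;;   # allowed
            *) found=1; echo "$svc $(port_hint "${svc#*/}")" ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Constructed sample in netstat -tuln layout (not captured from a real NAS).
make_sample() {
    cat > "$1" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:1194            0.0.0.0:*
udp        0      0 0.0.0.0:1900            0.0.0.0:*
EOF
}

# Demo: the "VPN and nothing else" policy, plus SSH for LAN administration.
demo=$(mktemp)
make_sample "$demo"
echo "Exposed listeners:"; exposed_listeners "$demo"
echo "Not on the allowlist:"
unexpected_listeners "$demo" "tcp/22 udp/1194" || echo "-> review the services above"
rm -f "$demo"
```

This only shows what the NAS itself listens on; what the router forwards (or what UPnP has opened without asking) has to be checked on the router, and the two lists should match exactly. Anything listening that you cannot name and justify is the first thing to switch off.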