Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

chokai
Starting out
Posts: 12
Joined: Tue Feb 21, 2017 5:32 am

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by chokai »

Support has informed me that the malware in question is stealing passwords of the NAS accounts. Beyond that, they do not at this time know much about its specific behaviors. So obviously change everything.

Personally I'd also suggest you change any passwords stored on the NAS via any means. That would include passwords of say email accounts being used for notifications.
TVS-682|i3-6100|48GB|2x1TB Samsung 860 EVO (Raid1 - VMs & Apps)|4x6TB WD Red (Raid 5 - Data, Security Cams, Media)
10 POE IP Cams - 6 ReoLink (RLC-411, RLC-423, RLC-420, E1) - 4 AMCrest (IP2M-814E, IP3M-941)
jnlines
New here
Posts: 5
Joined: Sat Jan 26, 2019 4:23 am

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by jnlines »

I am curious how do I find /etc/hosts? My AV isn't updating despite attempts to do it manually and I want to check this out. Thanks.
OneCD
Guru
Posts: 12039
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by OneCD »

Hi and welcome to the forum. :)
jnlines wrote: Sat Jan 26, 2019 4:25 am I am curious how do I find /etc/hosts?
Please SSH into your NAS as the 'admin' user then use:

cat /etc/hosts
... to view that file.

Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by Toxic17 »

Either SSH into the NAS or, if using Windows, use WinSCP.
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
jnlines
New here
Posts: 5
Joined: Sat Jan 26, 2019 4:23 am

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by jnlines »

Thanks for the quick reply. That took a while to figure out since SSH was blocked on the router, but I was able to enable it through the QNAP server, which was pretty cool and scary to be able to do since it is at my wife's office. Anyway, sure enough there are tons of 0.0.0.0 clamav entries in there. This NAS is used exclusively for work files and is backed up on alternating external hard drives, so I think I will wait a bit and hope QNAP can fix it before trying to wipe the whole thing. I do know that there are IP bans every few weeks from random countries trying to get in, and a few other computers on the network have been compromised in the past. So, it was only a matter of time before someone got in. I guess I will need to study up on QNAP security this weekend.
OneCD
Guru
Posts: 12039
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by OneCD »

jnlines wrote: Sat Jan 26, 2019 5:54 am ... so I think I will wait a bit and hope QNAP can fix it before trying to wipe the whole thing.
You could remove those entries from [/etc/hosts] with a single command, but it's quite likely they will be re-added by whatever malware is running on that NAS. :S

edit: Use this to remove all lines starting with '0.0.0.0':

sed -i '/^0\.0\.0\.0/d' /etc/hosts
Last edited by OneCD on Sat Jan 26, 2019 6:12 am, edited 1 time in total.

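As an added example (not OneCD's command or anything from QNAP), the POSIX shell functions below first detect the kind of entries this thread describes, lines mapping clamav.net names to 0.0.0.0 or 127.0.0.1, and only then remove them with a backup kept for later analysis. The function names are hypothetical and the sample hosts file is constructed; since the malware re-adds the lines, a non-zero count reappearing after cleanup is itself the indicator that the NAS is still infected.

```shell
#!/bin/sh
# Added example (not OneCD's command): detect and, with a backup, remove
# hosts-file entries that sinkhole ClamAV update servers to 0.0.0.0/127.0.0.1.
# Function names are hypothetical; the sample hosts file is constructed.

# List lines that map a name matching PATTERN (default clamav.net) to an
# unroutable or loopback address. Exit 0 if any were found, 1 otherwise.
find_sinkholed_hosts() {
    hosts_file="${1:-/etc/hosts}"
    pattern="${2:-clamav\.net}"
    grep -E "^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+[^#]*${pattern}" "$hosts_file"
}

# Number of such lines; a cron job can alert when this goes above 0 again,
# which is the sign the malware is still running and re-adding them.
count_sinkholed_hosts() {
    find_sinkholed_hosts "$@" | wc -l | tr -d ' '
}

# Delete only the matching lines, keeping a timestamped backup for forensics.
# Writes through the original file so ownership and permissions are preserved.
remove_sinkholed_hosts() {
    hosts_file="${1:-/etc/hosts}"
    pattern="${2:-clamav\.net}"
    cp "$hosts_file" "$hosts_file.bak.$(date +%s)"
    tmp="$(mktemp)"
    grep -Ev "^[[:space:]]*(0\.0\.0\.0|127\.0\.0\.1)[[:space:]]+[^#]*${pattern}" "$hosts_file" > "$tmp" || true
    cat "$tmp" > "$hosts_file"
    rm -f "$tmp"
}

# Constructed sample, shaped like the entries reported in this thread.
SAMPLE_HOSTS="$(mktemp)"
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1    localhost
0.0.0.0      database.clamav.net
0.0.0.0      current.cvd.clamav.net
0.0.0.0      db.local.clamav.net
192.168.1.10 nas.example.lan
EOF

# Report first; only remove after the malware itself has been dealt with.
if find_sinkholed_hosts "$SAMPLE_HOSTS" >/dev/null; then
    echo "WARNING: $(count_sinkholed_hosts "$SAMPLE_HOSTS") sinkholed clamav.net entries"
fi
```

Run it against the real file with `find_sinkholed_hosts /etc/hosts` once the functions are sourced; the backup written by `remove_sinkholed_hosts` is what you would hand to support together with the rest of the evidence.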
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by Don »

jnlines wrote: Sat Jan 26, 2019 5:54 am so I think I will wait a bit and hope QNAP can fix it before trying to wipe the whole thing. I do know that there are IP bans every few weeks from random countries trying to get in, and a few other computers on the network have been compromised in the past. So, it was only a matter of time before someone got in. I guess I will need to study up on QNAP security this weekend.
Good idea. Leave your NAS infected. You have a big problem if your NAS and other devices in the past have been compromised. You need to fire whoever does the IT security and find someone that knows what they are doing.
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
jnlines
New here
Posts: 5
Joined: Sat Jan 26, 2019 4:23 am

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by jnlines »

Unfortunately, it is a shared office environment, so there is no IT guy. And yes, it is a big problem; that was one of the reasons I set up a NAS: we needed all the reliability that one provided as well as online access. I just had naively thought it would be more secure out of the box. Anyway, I merely dabble in computers and networking, so fixing this is a bit above my pay grade and knowledge at the moment. Thanks again for the recommendations.
alokeprasad
Easy as a breeze
Posts: 495
Joined: Tue Aug 25, 2015 7:06 pm

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by alokeprasad »

Folks,
Let's use the collective wisdom here and the details of the people who are having this problem to figure out WHY and HOW they got infected.
That'll help me secure my system :-)
NAS: TS-453Be
RAM:Crucial 8GB Kit (2 x 4GB) DDR3L-1600 SODIMM CT2KIT51264BF160B
QTS: 5.1.4
HDD's: RAID 6: Four 8TB WD Red (WD80EFAX)
USB HDD: One 12 TB WD Elements (WDBWLG0120HBK-NESN)
Switch: Netgear GS108
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by Don »

That’s easy. There are ports forwarded on the router to the NAS that allowed an attacker in.
Toxic17
Ask me anything
Posts: 6469
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by Toxic17 »

jnlines wrote: Sat Jan 26, 2019 5:54 am Thanks for the quick reply. That took a while to figure out since SSH was blocked on the router, but I was able to enable it through the QNAP server, which was pretty cool and scary to be able to do since it is at my wife's office. Anyway, sure enough there are tons of 0.0.0.0 clamav entries in there. This NAS is used exclusively for work files and is backed up on alternating external hard drives, so I think I will wait a bit and hope QNAP can fix it before trying to wipe the whole thing. I do know that there are IP bans every few weeks from random countries trying to get in, and a few other computers on the network have been compromised in the past. So, it was only a matter of time before someone got in. I guess I will need to study up on QNAP security this weekend.
Firstly, how are you connecting into your wife's office (from home???)? Are you using a VPN? If not, and you are connecting directly, then this is how you got hacked.
jhand00
Starting out
Posts: 32
Joined: Thu Apr 23, 2015 3:42 am

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by jhand00 »

I just bought a new 10TB hard drive and am reinstalling a fresh system on my NAS now. If I was hacked from the outside, my best guess is that I was hacked from qnapcloud. I had that disabled for years, but for some reason re-enabled it towards the end of last year. I think I was hacked not long after enabling that. My other points of entry could have been Plex, OpenVPN, PPTP, or some vulnerability related to the HTTPS web interface. I'm sure they couldn't have guessed my admin or other user names because those are random sequences of more than 20 characters and symbols.
alokeprasad
Easy as a breeze
Posts: 495
Joined: Tue Aug 25, 2015 7:06 pm

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by alokeprasad »

Don wrote: Sat Jan 26, 2019 8:09 am That’s easy. There are ports forwarded on the router to the NAS that allowed an attacker in.
What settings/activities on the NAS result in open/forwarded ports?
That's so that we can avoid making those mistakes. Or maybe there are some bugs in QTS that allowed the intrusions.

Qnap has an article on good security practices

https://www.qnap.com/en/how-to/faq/arti ... re-secure/

Did the folks here do something different?
Let's learn from others' experience.

We should make a list of such risky activities.

1. Disable UPnP on the router.
2. Avoid network protocols that are not needed for the installation. Examples: Telnet, FTP, media servers, SMTP.

The problem is that sometimes people do need to access these features from the WAN. As such, port forwarding will be essential for those folks.

How do they secure their systems?
jhand00
Starting out
Posts: 32
Joined: Thu Apr 23, 2015 3:42 am

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by jhand00 »

OK. Bad news. I pulled the old hard drives and went through the whole system initialization stuff again. After rebooting, the bogus clamav entries are back in my /etc/hosts file. I had the old hard drives pulled from the system during all of this. I don't want to reinitialize everything with a clean DOM, but may end up doing that. I'll post what happens.
dolbyman
Guru
Posts: 35024
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Antivirus fails to update due to 0.0.0.0 clamav.net host file entries

Post by dolbyman »

alokeprasad wrote: Sat Jan 26, 2019 9:56 am
The problem is that sometimes people do need to access these features from the WAN. As such, port forwarding will be essential for those folks.

How do they secure their systems?
VPN. Everything else is a game with fire. QNAP has shown time and time again that the units should not be exposed.

I access my NAS from worldwide locations via OpenVPN (router does the server and also clients). Works just fine.