Anyone seen this? Not sure what I should do. I have two QNAP NAS boxes, one backing up the other. I don't even know which one is supposedly infected. Nothing is open on my network, in fact I have double routers... the AT&T box and then a Netgear Orbi and I never set up the AT&T as passthrough. I'm only using the QNAP boxes as file sharing so nothing on there that anyone should have been able to get into.
https://www.kyberturvallisuuskeskus.fi/ ... as-devices
This thread seems to be heating up, so I'll try to pull some info to the top to save people from having to read the whole thread.
Both of my QNAP boxes showed that they were infected, but exhibited very different symptoms and took slightly different steps to eradicate the malware. I also note (since it's been asked numerous times in this thread) that both are behind two routers (double NAT), which, as I understand it, makes it near impossible to get a port opened with this setup. I have never opened ports or used the QNAP cloud VPN access. I use them only on my internal network as a file share, so I also don't use any of the apps other than the backup apps to back up one to the other, and one of them backs up to Amazon. So it's highly unlikely someone hacked into it from outside.
QNAP's warning post about Qsnatch - https://www.qnap.com/en/security-adviso ... 8umkRQYkC4
QNAP's updated service advisory about Qsnatch - https://www.qnap.com/th-th/security-adv ... -201911-01
(I've followed these steps on one of my QNAP boxes, a TS-659, and it was clean, and then several hours later it was reinfected. On my other QNAP, a TS-231, the cleanme.sh steps below are what seems to have cleaned it.)
This post by Schlabschi worked for me. On my TS-231, I went through this and was good to go (so far) after updating everything. On my TS-659 (older), which also had a failing drive that slowed things down, it was a slower process to get there. I ran this and it didn't look like it fixed anything, but I was then able to run an update to the firmware. It then took several tries to get the Malware Remover installed, and finally that found a lot of things. I have rebooted a couple of times and so far it hasn't come back. No more emails from AT&T yet either.
Schlabschi wrote: Sat Nov 02, 2019 12:27 am
I spent the whole day today getting rid of the malware and this is what finally helped:
- Navigate to "Control Panel -> Hardware" and uncheck the checkbox at "run user defined processes during startup"
- Connect to your QNAP via ssh: https://www.qnap.com/en-uk/how-to/knowl ... nas-by-ssh
- Execute the following command at the command line:

curl https://download.qnap.com/Storage/tsd/utility/cleanme.sh | sh

This downloads and executes a removal script from QNAP support that can be used for various infections. It successfully cleaned my infection. It especially helped to get rid of the corrupted autorun.sh file that kept the malware coming back after reboots.
- Reboot your QNAP and (re-)install the latest firmware: qnap.com/en/how-to/tutorial/article/how ... s-firmware
- Navigate to the App Center and make sure you update everything to the newest version (remove all apps that you didn't install and that seem suspicious)
- Reboot again and run the latest version of the app "Malware Remover"
- If it didn't find anything, go ahead and change all passwords of your local users (the malware is sending user names and passwords to a remote server)
Hope this helps.

Crontab & If you are getting reinjected
On my older QNAP box, after successfully getting rid of the malware, it kept reinjecting several times a day. I discovered that the following line in the Crontab, which looks legit, is what is causing it to reinject, and others have confirmed this.

#59 23,7,15 * * * /mnt/HDA_ROOT/.qpkg/.log/qpkg_util -z rotate

Also, if you have other lines in your Crontab that have gibberish-looking names, then they are almost certainly related and also should be deleted. They would look similar to this one, but with different gibberish...

10 * * * * /share/MD0_DATA/.FpuHGn/xnZwxwIjwvhqty.sh >/dev/null 2>&1
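The two crontab indicators above, turned into a small review script (an added example, not from the thread or from QNAP): it reads a saved copy of the crontab (for example the output of crontab -l redirected to a file) and flags entries whose command path runs through a hidden dot-directory under /share or /mnt, or whose script name is a long random-looking mixed-case string like the one quoted above. The sample crontab is constructed, the length threshold and patterns are my own assumptions, and the output is a list to review by hand, not a verdict.

```sh
#!/bin/sh
# Added example (not from the thread): review a saved crontab for the two
# indicator shapes quoted in the post. Usage: flag_cron_entries /path/to/crontab.txt
# Prints one "SUSPECT [...]" line per matching entry; treat it as a review list.

flag_cron_entries() {
    awk '
    {
        line = $0
        sub(/^[ \t]*#[ \t]*/, "", line)   # a commented-out entry is still worth a look
        sub(/^[ \t]+/, "", line)
        n = split(line, f, /[ \t]+/)
        if (n < 6) next                    # need the 5 schedule fields plus a command
        cmd = f[6]
        for (i = 7; i <= n; i++) cmd = cmd " " f[i]
        reason = ""
        # Indicator 1: command lives under a hidden (dot-prefixed) directory in /share or /mnt
        if (cmd ~ "^/(share|mnt)/.*/\\.[^/ ]+/") reason = "hidden directory in path"
        # Indicator 2: script basename is a long mixed-case alphanumeric string (assumed threshold: 10+ chars)
        base = f[6]; sub(".*/", "", base); sub("\\.sh$", "", base)
        if (length(base) >= 10 && base ~ "^[A-Za-z0-9]+$" && base ~ "[a-z]" && base ~ "[A-Z]")
            reason = reason (reason == "" ? "" : "; ") "random-looking script name"
        if (reason != "") print "SUSPECT [" reason "]: " $0
    }' "$1"
}

# Constructed sample crontab: two lines mirror the thread, one is a benign backup job.
SAMPLE="${TMPDIR:-/tmp}/qsnatch_cron_sample.txt"
cat > "$SAMPLE" <<'EOF'
# m h dom mon dow command (constructed sample)
0 3 * * * /share/CACHEDEV1_DATA/scripts/daily_backup.sh >/dev/null 2>&1
#59 23,7,15 * * * /mnt/HDA_ROOT/.qpkg/.log/qpkg_util -z rotate
10 * * * * /share/MD0_DATA/.FpuHGn/xnZwxwIjwvhqty.sh >/dev/null 2>&1
EOF

flag_cron_entries "$SAMPLE"
```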
Malware Remover Versions
Current versions that were updated for Qsnatch are 220.127.116.11 and 18.104.22.168, depending on your firmware version. https://www.qnap.com/en/app_releasenote ... areRemover
On one of my boxes I was able to update from App Center. On the other I had to remove it and then install manually, downloading from https://www.qnap.com/en-us/app_center/