Rogue Chia installation??
-
- New here
- Posts: 2
- Joined: Thu Jun 10, 2021 9:01 pm
Rogue Chia installation??
Somehow, someone has managed to install Chia mining on my QNAP!
Few days ago I noticed my QNAP was running high on resource. Checked process and found Chia, Chia_full_node and Chia_wallet running. Wasn't installed by me!
I've tracked down where the processes are running from, killed them, deleted the directory and contents. Within 15 minutes the processes are back again, folder structure is back. It is getting very frustrating and very worrying how this has happened behind a firewall, ports blocked, Malware scanner and AV running daily.
How can I get rid of Chia? The QNAP tutorials show containers, this seems to be running as Python. There must be auto-repair or install script stashed somewhere or a QNAP package update has been compromised?
Any suggestions gratefully received.
- dolbyman
- Guru
- Posts: 35248
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Rogue Chia installation??
Probably a new attack...NAS exposed to the web?
There were cryptominer infections before..again ..exposed devices
-
- New here
- Posts: 5
- Joined: Mon Dec 14, 2020 8:13 am
Re: Rogue Chia installation??
Same for me.... noticed a new Python 3.9 install and chia running when examining top through PuTTY today. I'm not sure how it got there as I have all external incoming traffic disabled (due to login attempts).
Have a look at the 'chi.sh' file found in '/share/CACHEDEV1_data/' using VIM. You can see the installation process.
You will need to:
kill the processes associated with chia
rm the .chia folder and the files 'chi.sh' and 'chihld2.lck'
edit your crontab as there's an entry added
Hope this helps. I will be monitoring over the next few days to see if it's recurring. Already run malware scans and made sure apps/firmware are updated.
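A triage script for the cleanup steps in the post above, added here as an example; it is not code from the thread or from QNAP. It takes the file names and the /share/CACHEDEV1_data/ location from the post and assumes (unverified here) that QTS keeps its persistent crontab in /etc/config/crontab and reloads it with "crontab /etc/config/crontab". The crontab and ps listings it is tested against are constructed. Run it with --live on the NAS for a read-only report, or --remediate to remove the cron entry, kill the miner and delete its files, in that order.

```sh
#!/bin/sh
# Added example for the cleanup steps in the thread; not code from the thread or
# from QNAP. ASSUMED: QTS keeps its persistent crontab in /etc/config/crontab and
# reloads it with "crontab /etc/config/crontab". The file names and the data
# share path come from the post; override them with environment variables.

CRON_FILE="${CRON_FILE:-/etc/config/crontab}"    # ASSUMED QTS crontab location
DATA_ROOT="${DATA_ROOT:-/share/CACHEDEV1_data}"  # where chi.sh was found in the thread

# Indicators named in the thread. ".chia/" is matched with its slash so a harmless
# comment containing the word "chia" does not trigger a match.
IOC_RE='chi\.sh|\.chia/|chia_full_node|chia_wallet|chihld2'

# Print crontab lines (prefixed with their line number) that match the indicators.
# $1 is the crontab file, so this also works on a copy taken for evidence.
find_cron_persistence() {
    grep -nE "$IOC_RE" "$1" 2>/dev/null || true
}

# Echo the number of matching crontab lines.
count_cron_persistence() {
    find_cron_persistence "$1" | wc -l | tr -d ' '
}

# Read a ps listing on stdin (PID in the first column, as busybox ps prints it)
# and echo the PIDs of chia or chi.sh processes, skipping our own awk.
chia_pids() {
    awk 'NR > 1 && tolower($0) ~ /chia|chi\.sh/ && $0 !~ /awk/ { print $1 }'
}

# Write crontab $1 to $2 without the indicator lines, keeping a timestamped
# backup of the original next to it for later analysis.
strip_cron_persistence() {
    cp "$1" "$1.bak.$(date +%s)" || return 1
    grep -vE "$IOC_RE" "$1" > "$2" || true   # grep -v returns 1 if every line matched
}

# Read-only report: cron entries, running miner processes and dropper artefacts.
triage_live() {
    echo "== crontab entries in $CRON_FILE =="
    find_cron_persistence "$CRON_FILE"
    echo "== running chia processes =="
    ps | chia_pids
    echo "== artefacts under $DATA_ROOT =="
    for f in "$DATA_ROOT/chi.sh" "$DATA_ROOT/chihld2.lck" "$DATA_ROOT/.chia"; do
        if [ -e "$f" ]; then ls -ld "$f"; fi
    done
}

# Remove persistence first so cron cannot respawn the miner between the kill
# and the rm, which is what the "back within 15 minutes" symptom looks like.
remediate_live() {
    strip_cron_persistence "$CRON_FILE" "$CRON_FILE.clean" \
        && mv "$CRON_FILE.clean" "$CRON_FILE" \
        && crontab "$CRON_FILE"                # ASSUMED: QTS reload command
    for pid in $(ps | chia_pids); do kill -9 "$pid"; done
    rm -rf "$DATA_ROOT/.chia" "$DATA_ROOT/chi.sh" "$DATA_ROOT/chihld2.lck"
}

case "${1:-}" in
    --live)      triage_live ;;
    --remediate) remediate_live ;;
esac
```

Treat this as triage, not as proof of a clean system: the timestamped crontab backup and a copy of chi.sh are what to attach to the QNAP ticket, and a device that has been running attacker code for days is still best rebuilt from known-good firmware and restored from backups, as dolbyman says further down.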
- dolbyman
- Guru
- Posts: 35248
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Rogue Chia installation??
Were you infected by something before? Something must have put the crontab entries there.
What does "all incoming traffic disabled" mean? Is UPnP off in the router, and are no manual port forwards set?
-
- New here
- Posts: 2
- Joined: Sat Jun 16, 2012 6:36 am
Re: Rogue Chia installation??
Just found this chia on my NAS after noticing the disk was going mental for no reason.
What are QNAP doing about this?
Have they released something to clean this?
- dolbyman
- Guru
- Posts: 35248
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Rogue Chia installation??
read my posts above.. QNAP has probably no idea about this yet.. so go ahead and report it via ticket
QNAP does not come here
-
- New here
- Posts: 2
- Joined: Sat Jun 16, 2012 6:36 am
Re: Rogue Chia installation??
thanks dolbyman, it's been a while since I had to do anything on the NAS. what's the best way to connect and look for the file?
I tried to SSH on there and it took me to a page I didn't recognise with a menu.
Thanks
- dolbyman
- Guru
- Posts: 35248
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Rogue Chia installation??
New FW versions have a console management upon login via SSH, you can disable that via
Control Panel > General Settings > Console Management
That will lead you right to shell upon login
-
- New here
- Posts: 2
- Joined: Thu Jun 10, 2021 9:01 pm
Re: Rogue Chia installation??
That's exactly what I found, including the Python install. Uninstalled and it reinstalled itself again! Thanks for the tip on crontab, I'll check that.
flea001 wrote: ↑Fri Jun 11, 2021 1:25 am
Same for me.... noticed a new Python 3.9 install and chia running when examining top through PuTTY today. I'm not sure how it got there as I have all external incoming traffic disabled (due to login attempts).
Have a look at the 'chi.sh' file found in '/share/CACHEDEV1_data/' using VIM. You can see the installation process.
You will need to:
kill the processes associated with chia
rm the .chia folder and the files 'chi.sh' and 'chihld2.lck'
edit your crontab as there's an entry added
Hope this helps. I will be monitoring over the next few days to see if it's recurring. Already run malware scans and made sure apps/firmware are updated.
- Moogle Stiltzkin
- Guru
- Posts: 11448
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: Rogue Chia installation??
you're not exactly telling us your qnap setup.
did you expose your nas online? do you update qts and your router regularly?
if you are simply exposing nas online, DON'T do that.
if you NEED remote access, use a vpn. also update regularly. Or you will definitely get hit.....
now you are just trying to tackle the symptoms of the real issue, which is exposing your nas online inappropriately (which is most likely). Or perhaps you did everything correctly (we don't know because you did not explain), but you still somehow got hit.
Either way report the issue to helpdesk for some assistance :X
https://service.qnap.com/
Chia miner will basically
1. use up your electricity (so say hello to next month's pricey electricity bill)
2. all your hdds/ssds on the NAS are getting worn out to kingdom come o-O;
3. internet bandwidth used up by these hackers
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)
Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
-
- New here
- Posts: 5
- Joined: Mon Dec 14, 2020 8:13 am
Re: Rogue Chia installation??
To your questions
1) The crontab entry is completed by the chi.sh file (you can see it towards the end of the script)
2) I am not a Systems/Network engineer by any means, but I have only LAN IPs specified (i.e. 192.168.0.3 - 192.168.0.255) under ControlPanel->Security->Allow/Deny List.
Looking at the date/timestamp for the chi.sh file, the landing of that file and the installation of Python 3.9.xx occurred during overnight updates.
- dolbyman
- Guru
- Posts: 35248
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Rogue Chia installation??
No need to be a network engineer to check if you somehow "defeat" NAT by forwarding ports manually or via UPnP
....so is UPnP active on the router, or are ports manually forwarded?
-
- New here
- Posts: 5
- Joined: Mon Dec 14, 2020 8:13 am
Re: Rogue Chia installation??
Ok - sorry not trying to be cheeky, just wanted to indicate my level of expertise here
I don't have any ports manually forwarded, just upnp enabled.
- dolbyman
- Guru
- Posts: 35248
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Rogue Chia installation??
then your nas probably forwarded ports itself via upnp...
make sure that is off and then kill your nas and start from scratch ...you have been compromised and should not trust the nas anymore
-
- New here
- Posts: 5
- Joined: Mon Dec 14, 2020 8:13 am
Re: Rogue Chia installation??
thanks for the advice dolbyman re:upnp.
I have turned off upnp on the router and shutdown myQNAPCloud. I don't use it (all interactions with the NAS are done through the lan).
I did notice a mysterious port (32440) entered in myQNAPCloud on the upnp table (labeled as 'NAS spare port 0').
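The check dolbyman keeps asking for (is UPnP on, and has the NAS forwarded ports to itself?), as an added example that is not code from the thread, from QNAP or from the miniupnpc project. It assumes miniupnpc's upnpc command is installed on a LAN computer; "upnpc -l" asks the router for its UPnP port-mapping table, and the functions pick out every mapping whose internal address is the NAS. The NAS address 192.168.0.3 and the sample table are constructed, with the 32440 'NAS spare port 0' row modelled on what flea001 reported.

```sh
#!/bin/sh
# Added example, not code from the thread, QNAP or miniupnpc. Run it on a LAN
# machine with miniupnpc's "upnpc" installed: "upnpc -l" asks the router for its
# UPnP port-mapping table, and the functions below pick out every mapping whose
# internal address is the NAS. Those mappings are the port forwards nobody set
# by hand. NAS_IP is a constructed placeholder.

NAS_IP="${NAS_IP:-192.168.0.3}"   # ASSUMED placeholder, set to your NAS address

# Read "upnpc -l" output on stdin and print, for each mapping whose internal
# address is $1:  PROTO EXTPORT INTPORT DESCRIPTION
# Mapping rows look like:  0 TCP 32440->192.168.0.3:32440 'NAS spare port 0' '' 0
mappings_to_host() {
    awk -v host="$1" -v q="'" '
        match($0, /[0-9]+->[0-9.]+:[0-9]+/) {
            m = substr($0, RSTART, RLENGTH)       # e.g. 32440->192.168.0.3:32440
            split(m, a, "->"); split(a[2], b, ":")
            if (b[1] != host) next
            desc = ""
            if (match($0, q "[^" q "]*" q)) desc = substr($0, RSTART + 1, RLENGTH - 2)
            print $2, a[1], b[2], desc
        }'
}

# Echo how many mappings point at $1.
count_mappings_to_host() {
    mappings_to_host "$1" | wc -l | tr -d ' '
}

# Print the upnpc commands that would delete each mapping to $1, for review
# before running them. Deleting is a stop-gap: with UPnP still enabled on the
# router, the NAS can simply request the mapping again.
delete_commands() {
    mappings_to_host "$1" | while read -r proto ext int desc; do
        echo "upnpc -d $ext $proto"
    done
}

if [ "${1:-}" = "--live" ]; then
    upnpc -l | mappings_to_host "$NAS_IP"
fi
```

The parsing is split from the live call so the same functions run against a saved copy of the mapping table. Removing a mapping only holds if UPnP is then disabled on the router and the NAS's own UPnP client is off (flea001 found the entry in the myQNAPCloud UPnP table); otherwise the NAS re-requests the forward. A mapping to a port you never opened, like the 32440 entry in the thread, is exactly the kind of finding to include in the QNAP ticket.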