Rogue Chia installation??
- Moogle Stiltzkin
- Guru
- Posts: 11445
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: Rogue Chia installation??
this is why i always tell others not to enable upnp on the router. because if an app on a client device e.g. qnap MYQNAPcloud which has upnp enabled, this will AUTO expose you. You may even realize this. This is why upnp is dangerous o-O;
you can double check how exposed you are by using gibsons website for port open test
https://www.grc.com/intro.htm
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)
Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
-
- New here
- Posts: 8
- Joined: Sat Apr 10, 2021 4:46 pm
Re: Rogue Chia installation??
Hello to you all ,
I have spotted a .chia folder in my system by using winscp app ( installed via a tutorial on this forum ) . However, I'm not an advanced user and I need guidance on how to remove this please.
Following advice on this thread, I have disabled upnp in the router ( but is it too late ?) ; I'm wondering if I can just delete the .chia folder.
I started getting worried because on my 2.5 tb qnap TS 453 SPRO , I get warning about the disk getting full , with 1TB in " system / misc".
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Rogue Chia installation??
As you have no idea what happened, kill the NAS (take the drives out and format them) and restore your data from backups
-
- New here
- Posts: 8
- Joined: Sat Apr 10, 2021 4:46 pm
Re: Rogue Chia installation??
Hello dolbyman, thanks a lot for your answer. I have a few "newbie" questions about the formatting procedure :
1) Before formatting, can I retrieve a documents folder from the nas ( copy it to an external drive ) or are all folders and files " compromised" ?
2) "take the drives out and format them" : so I format them with another computer, but to re-use them later what format should I use : fat32? ntfs?
3) When I put back the drives in the nas, will the NAS go back to its original state ( I bought it around 2015 ) or will it keep its QTS version ( 4.5.4.1723) ?
4) After 3), will I keep my current admin account ( another username - "admin" is deactivated ) ? If not, I can't remember if there was a default password.
Thanks in advance !
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Rogue Chia installation??
1) you can ..but backups need to be done BEFOREHAND ..if you had caught ransomware, it would be too late for that now
2) does not matter ..just overwrite them .. you can also do a "clean" with diskpart
3) yes..it will start into initial setup
4) it is either "admin" or the first mac of your NICs ..depending on the firmware base
-
- New here
- Posts: 8
- Joined: Sat Apr 10, 2021 4:46 pm
Re: Rogue Chia installation??
Thanks a lot for your advice dolbyman !
-
- New here
- Posts: 8
- Joined: Sat Apr 10, 2021 4:46 pm
Re: Rogue Chia installation??
Maybe this chia hacking should be reported to QNAP
-
- New here
- Posts: 8
- Joined: Sat Apr 10, 2021 4:46 pm
Re: Rogue Chia installation??
I have reported the hack to qnap service
-
- New here
- Posts: 8
- Joined: Sat Apr 10, 2021 4:46 pm
Re: Rogue Chia installation??
Hello Randommen,
thank you for your answer.
I think I have done your first suggestion.
However, regarding the port , are there any ports you might recommend please ? ( newbie question again I'm afraid )
Thanks in advance !
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Rogue Chia installation??
Do not forward any ports from WAN to your QNAP, security by obscurity does not work
-
- Know my way around
- Posts: 247
- Joined: Thu Feb 27, 2020 1:38 am
Re: Rogue Chia installation??
This is 99.9995% likely how you got infected. UPNP is basically leaving the front door open to your house 24/7 while away on vacation.
NAS:
TS-453Be
2-4 Gig QNAP ram sticks
1x12 TB Seagate Iron Wolf and 3x12 TB Seagate Exos
Mainly used as a Plex Server and Photo manager (QuMagie is actually pretty good)
WD 12 TB Elements for each hard drive - External HD BU to the NAS movie database and Photos
-
- New here
- Posts: 8
- Joined: Sat Apr 10, 2021 4:46 pm
Re: Rogue Chia installation??
Well noted dolbyman and skwor, thank you.
-
- First post
- Posts: 1
- Joined: Sat Aug 07, 2021 4:43 am
Re: Rogue Chia installation??
Did you ever get a response from QNAP to this issue? I have exactly the same issues. I have reported it too, but nothing back as yet. My SSH skills are non existent and don't feel comfortable editing CRONTAB entries and such like.
As the Chi.sh file seems to be easily identifiable via SSH, I'm surprised the Malware Remover doesn't pick it up
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Rogue Chia installation??
Malware removal is not a "SMART" program; it can only identify anything after QNAP has updated it.
It does not update new scan engines several times a day.
wait for QNAP to respond or even better, kill your NAS and restore the data from backups .. after that is done, NEVER ever expose it to WAN again
-
- New here
- Posts: 8
- Joined: Sat Apr 10, 2021 4:46 pm
Re: Rogue Chia installation??
Hello,
Qnap France had ssh access to my NAS to investigate, but they told me they had to open an internal ticket so I guess it's complex. It's been a few days now and no response yet.
I am not an advanced user either, I know nothing about cron tables.
I installed winscp to have ftp access , then I searched for files above 1G ( filter : >1G ) and found the chia folder
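A read-only way to collect what the posts above describe (cron entries, a `.chia` folder, files over 1G) from an SSH session before the NAS is wiped, as an added example that is not part of the original thread or of QNAP's tooling. The function names are hypothetical, and the search root and crontab path passed as arguments are assumptions to adjust for the system at hand.

```shell
#!/bin/sh
# Read-only triage helper (added example). Nothing is modified or deleted;
# the output is a record of what was found before the drives are wiped.

# Print non-comment crontab lines that mention a pattern (case-insensitive).
cron_hits() {    # $1 = crontab file, $2 = pattern
    [ -r "$1" ] || return 0          # a missing or unreadable file is not an error
    grep -v '^[[:space:]]*#' "$1" | grep -i -- "$2" || true
}

# Print directories with a given name, e.g. ".chia".
named_dirs() {   # $1 = root to search, $2 = directory name
    find "$1" -type d -name "$2" 2>/dev/null
}

# Print regular files larger than a threshold given in KiB.
large_files() {  # $1 = root to search, $2 = threshold in KiB
    find "$1" -type f -size +"$2"k 2>/dev/null
}

# Combine the three checks into one report.
triage() {       # $1 = root, $2 = crontab file, $3 = threshold in KiB (optional)
    root=$1
    tab=$2
    kib=${3:-1048576}                # default 1 GiB, the ">1G" filter used in the thread
    echo "== cron entries mentioning chia in $tab"
    cron_hits "$tab" chia
    echo "== directories named .chia under $root"
    named_dirs "$root" .chia
    echo "== files larger than $kib KiB under $root"
    large_files "$root" "$kib"
}

# Run only when called with arguments: sh triage.sh <root> <crontab-file> [KiB]
if [ "$#" -ge 2 ]; then
    triage "$@"
fi
```

Redirect the output to a file on an external drive so the findings can be attached to a support ticket.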