Rogue Chia installation??

Munky
New here
Posts: 2
Joined: Thu Jun 10, 2021 9:01 pm

Rogue Chia installation??

Post by Munky »

Somehow, someone has managed to install Chia mining on my QNAP!

A few days ago I noticed my QNAP was running high on resources. Checked processes and found Chia, Chia_full_node and Chia_wallet running. Wasn't installed by me!

I've tracked down where the processes are running from, killed them, and deleted the directory and contents. Within 15 minutes the processes are back again, and the folder structure is back. It is getting very frustrating and very worrying how this has happened behind a firewall, with ports blocked and a malware scanner and AV running daily.

How can I get rid of Chia? The QNAP tutorials show containers; this seems to be running as Python. There must be an auto-repair or install script stashed somewhere, or a QNAP package update has been compromised?

Any suggestions gratefully received.
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Rogue Chia installation??

Post by dolbyman »

Probably a new attack... NAS exposed to the web?

There were cryptominer infections before... again, exposed devices.
flea001
New here
Posts: 5
Joined: Mon Dec 14, 2020 8:13 am

Re: Rogue Chia installation??

Post by flea001 »

Same for me.... noticed a new Python 3.9 install and chia running when examining top through PuTTY today. I'm not sure how it got there as I have all external incoming traffic disabled (due to login attempts).

Have a look at the 'chi.sh' file found in '/share/CACHEDEV1_data/' using VIM. You can see the installation process.

You will need to:
- kill the processes associated with chia
- rm the .chia folder and the files 'chi.sh' and 'chihld2.lck'
- edit your crontab, as there's an entry added

Hope this helps. I will be monitoring over the next few days to see if it's recurring. Already ran malware scans and made sure apps/firmware are updated.
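The cleanup steps flea001 lists above, turned into a read-only check added here (not from the thread and not a QNAP tool): it looks for the crontab entry, the dropped files and the running processes named in the posts without changing anything. The crontab path, the artifact directory and the ps options are assumptions; pass your own paths as arguments.

```shell
#!/bin/sh
# Added example: detect the indicators described in the thread. Assumptions:
# root's crontab lives at /etc/config/crontab (QNAP default), the dropper was
# found under /share/CACHEDEV1_data/, and ps accepts -eo (GNU/procps syntax).
CHIA_BASE="${CHIA_BASE:-/share/CACHEDEV1_data}"
CHIA_ARTIFACTS="chi.sh chihld2.lck .chia"   # names quoted in flea001's post

# Print every non-comment crontab line that references chi.sh or chia.
# $1: path to the crontab file to inspect.
chia_cron_hits() {
    grep -E 'chi\.sh|chia' "$1" 2>/dev/null | grep -v '^[[:space:]]*#' || true
}

# Print the artifact names that exist under the given directory.
# $1: directory to inspect (the share root where chi.sh was dropped).
chia_artifacts_present() {
    for name in $CHIA_ARTIFACTS; do
        [ -e "$1/$name" ] && echo "$name"
    done
    return 0
}

# Print PID and name of processes whose name starts with "chia"
# (chia, chia_full_node, chia_wallet in the first post).
chia_processes() {
    ps -eo pid,comm 2>/dev/null | awk 'tolower($2) ~ /^chia/ { print $1, $2 }'
}

# Run all three checks; exit 1 if anything was found, 0 if clean.
# $1: crontab path (optional), $2: artifact directory (optional).
chia_check() {
    found=0
    hits=$(chia_cron_hits "${1:-/etc/config/crontab}")
    [ -n "$hits" ] && { echo "crontab entries:"; echo "$hits"; found=1; }
    files=$(chia_artifacts_present "${2:-$CHIA_BASE}")
    [ -n "$files" ] && { echo "artifacts:"; echo "$files"; found=1; }
    procs=$(chia_processes)
    [ -n "$procs" ] && { echo "processes:"; echo "$procs"; found=1; }
    [ "$found" -eq 0 ] && echo "no chia indicators found"
    return "$found"
}
```

Run `chia_check` as admin over SSH; a non-zero exit means at least one indicator from the thread is still present, which is the cue to revisit the crontab rather than just killing processes.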
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Rogue Chia installation??

Post by dolbyman »

Were you infected by something before? Something must have put the crontab entries there.

What does "all incoming traffic disabled" mean? Is UPnP off in the router, and are no manual port forwards set?
MrMoosickle
New here
Posts: 2
Joined: Sat Jun 16, 2012 6:36 am

Re: Rogue Chia installation??

Post by MrMoosickle »

Just found this chia on my NAS after noticing the disk was going mental for no reason.
What are QNAP doing about this?
Have they released something to clean this?
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Rogue Chia installation??

Post by dolbyman »

Read my posts above. QNAP probably has no idea about this yet, so go ahead and report it via ticket.

QNAP does not come here
MrMoosickle
New here
Posts: 2
Joined: Sat Jun 16, 2012 6:36 am

Re: Rogue Chia installation??

Post by MrMoosickle »

Thanks dolbyman, it's been a while since I had to do anything on the NAS. What's the best way to connect and look for the file?
I tried to SSH on there and it took me to a page I didn't recognise with a menu.
Thanks
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Rogue Chia installation??

Post by dolbyman »

New FW versions have console management upon login via SSH; you can disable that via

ControlPanel>GeneralSettings>ConsoleManagement

That will lead you right to a shell upon login.
Munky
New here
Posts: 2
Joined: Thu Jun 10, 2021 9:01 pm

Re: Rogue Chia installation??

Post by Munky »

flea001 wrote: Fri Jun 11, 2021 1:25 am Same for me.... noticed a new Python 3.9 install and chia running when examining top through PuTTY today. I'm not sure how it got there as I have all external incoming traffic disabled (due to login attempts).
That's exactly what I found, including the Python install. Uninstalled it and it reinstalled itself again! Thanks for the tip on crontab, I'll check that.
Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: Rogue Chia installation??

Post by Moogle Stiltzkin »

You're not exactly telling us your QNAP setup.

Did you expose your NAS online? Do you update QTS and your router regularly?

If you are simply exposing the NAS online, DON'T do that.

If you NEED remote access, use a VPN. Also update regularly. Or you will definitely get hit.....

Now you are just trying to tackle the symptoms of the real issue, which is most likely exposing your NAS online inappropriately. Or perhaps you did everything correctly (we don't know because you did not explain), but you still somehow got hit.

Either way, report the issue to the helpdesk for some assistance.

https://service.qnap.com/

A Chia miner will basically:
1. use up your electricity (so say hello to next month's pricey electricity bill)
2. wear out all your HDDs/SSDs on the NAS to kingdom come o-O;
3. use up your internet bandwidth for these hackers
flea001
New here
Posts: 5
Joined: Mon Dec 14, 2020 8:13 am

Re: Rogue Chia installation??

Post by flea001 »

dolbyman wrote: Fri Jun 11, 2021 1:31 am Were you infected by something before? Something must have put the crontab entries there.

What does "all incoming traffic disabled" mean? Is UPnP off in the router, and are no manual port forwards set?
To your questions:
1) The crontab entry is created by the chi.sh file (you can see it towards the end of the script).
2) I am not a systems/network engineer by any means, but I have only LAN IPs specified (i.e. 192.168.0.3 - 192.168.0.255) under ControlPanel->Security->Allow/Deny List.

Looking at the date/timestamp of the chi.sh file, the landing of that file and the installation of Python 3.9.xx occurred during overnight updates.
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Rogue Chia installation??

Post by dolbyman »

No need to be a network engineer to check if you somehow "defeat" NAT by forwarding ports manually or via UPnP.
....so is UPnP active on the router, or are ports manually forwarded?
flea001
New here
Posts: 5
Joined: Mon Dec 14, 2020 8:13 am

Re: Rogue Chia installation??

Post by flea001 »

Ok - sorry, not trying to be cheeky, just wanted to indicate my level of expertise here ;)

I don't have any ports manually forwarded, just UPnP enabled.
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Rogue Chia installation??

Post by dolbyman »

Then your NAS probably forwarded ports itself via UPnP...

Make sure that is off, and then kill your NAS and start from scratch... you have been compromised and should not trust the NAS anymore.
flea001
New here
Posts: 5
Joined: Mon Dec 14, 2020 8:13 am

Re: Rogue Chia installation??

Post by flea001 »

Thanks for the advice dolbyman re: UPnP.

I have turned off UPnP on the router and shut down myQNAPcloud. I don't use it (all interactions with the NAS are done through the LAN).

I did notice a mysterious port (32440) entered in myQNAPcloud on the UPnP table (labeled as 'NAS spare port 0').