Rogue Chia installation??

Moogle Stiltzkin
Guru
Posts: 11448
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: Rogue Chia installation??

Post by Moogle Stiltzkin »

This is why I always tell others not to enable UPnP on the router, because if an app on a client device, e.g. QNAP myQNAPcloud, has UPnP enabled, this will AUTO expose you. You may even realize this. This is why UPnP is dangerous o-O;


You can double-check how exposed you are by using Gibson's website for an open port test:
https://www.grc.com/intro.htm
therickman
New here
Posts: 8
Joined: Sat Apr 10, 2021 4:46 pm

Re: Rogue Chia installation??

Post by therickman »

Hello to you all,
I have spotted a .chia folder in my system by using the WinSCP app (installed via a tutorial on this forum). However, I'm not an advanced user and I need guidance on how to remove this please.
Following advice on this thread, I have disabled UPnP in the router (but is it too late?); I'm wondering if I can just delete the .chia folder.
I started getting worried because on my 2.5 TB QNAP TS 453 SPRO, I get a warning about the disk getting full, with 1TB in "system / misc".
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Rogue Chia installation??

Post by dolbyman »

As you have no idea what happened, kill the NAS (take the drives out and format them) and restore your data from backups
therickman
New here
Posts: 8
Joined: Sat Apr 10, 2021 4:46 pm

Re: Rogue Chia installation??

Post by therickman »

Hello dolbyman, thanks a lot for your answer. I have a few "newbie" questions about the formatting procedure:
1) Before formatting, can I retrieve a documents folder from the NAS (copy it to an external drive) or are all folders and files "compromised"?
2) "take the drives out and format them": so I format them with another computer, but to re-use them later what format should I use: FAT32? NTFS?
3) When I put back the drives in the NAS, will the NAS go back to its original state (I bought it around 2015) or will it keep its QTS version (4.5.4.1723)?
4) After 3), will I keep my current admin account (another username - "admin" is deactivated)? If not, I can't remember if there was a default password.

Thanks in advance !
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Rogue Chia installation??

Post by dolbyman »

1) you can ..but backups need to be done BEFOREHAND ..if you had caught ransomware, it would be too late for that now
2) does not matter ..just overwrite them .. you can also do a "clean" with diskpart
3) yes..it will start into initial setup
4) it is either "admin" or the first mac of your NICs ..depending on the firmware base
therickman
New here
Posts: 8
Joined: Sat Apr 10, 2021 4:46 pm

Re: Rogue Chia installation??

Post by therickman »

Thanks a lot for your advice dolbyman !
therickman
New here
Posts: 8
Joined: Sat Apr 10, 2021 4:46 pm

Re: Rogue Chia installation??

Post by therickman »

Maybe this chia hacking should be reported to QNAP
therickman
New here
Posts: 8
Joined: Sat Apr 10, 2021 4:46 pm

Re: Rogue Chia installation??

Post by therickman »

I have reported the hack to qnap service
therickman
New here
Posts: 8
Joined: Sat Apr 10, 2021 4:46 pm

Re: Rogue Chia installation??

Post by therickman »

Hello Randommen,
thank you for your answer.
I think I have done your first suggestion.
However, regarding the port, are there any ports you might recommend please? (newbie question again I'm afraid)
Thanks in advance !
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Rogue Chia installation??

Post by dolbyman »

Do not forward any ports from WAN to your QNAP, security by obscurity does not work
Skwor
Know my way around
Posts: 247
Joined: Thu Feb 27, 2020 1:38 am

Re: Rogue Chia installation??

Post by Skwor »

flea001 wrote: Fri Jun 11, 2021 10:08 pm Ok - sorry not trying to be cheeky, just wanted to indicate my level of expertise here ;)

I don't have any ports manually forwarded, just upnp enabled.
This is 99.9995% likely how you got infected. UPNP is basically leaving the front door open to your house 24/7 while away on vacation.
therickman
New here
Posts: 8
Joined: Sat Apr 10, 2021 4:46 pm

Re: Rogue Chia installation??

Post by therickman »

Well noted dolbyman and skwor, thank you.
g3act
First post
Posts: 1
Joined: Sat Aug 07, 2021 4:43 am

Re: Rogue Chia installation??

Post by g3act »

therickman wrote: Sun Jul 25, 2021 9:24 pm I have reported the hack to qnap service
Did you ever get a response from QNAP to this issue? I have exactly the same issues. I have reported it too, but nothing back as yet. My SSH skills are non-existent and I don't feel comfortable editing CRONTAB entries and suchlike.

As the Chi.sh file seems to be easily identifiable via SSH, I'm surprised the Malware Remover doesn't pick it up
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Rogue Chia installation??

Post by dolbyman »

Malware removal is not a "SMART" program; it can only identify anything after QNAP has updated it.

It does not update new scan engines several times a day.

Wait for QNAP to respond or even better, kill your NAS and restore the data from backups .. after that is done, NEVER ever expose it to WAN again
therickman
New here
Posts: 8
Joined: Sat Apr 10, 2021 4:46 pm

Re: Rogue Chia installation??

Post by therickman »

Hello,
QNAP France had SSH access to my NAS to investigate, but they told me they had to open an internal ticket so I guess it's complex. It's been a few days now and no response yet.
I am not an advanced user either, I know nothing about cron tables.
I installed WinSCP to have FTP access, then I searched for files above 1G (filter: >1G) and found the chia folder
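
A read-only way to do over SSH what the posts above describe doing by hand (locating the .chia folder, files above 1G, and crontab entries), as an added example that is not part of any poster's message or of QNAP's tooling. The function names, the sample directory tree and the sample crontab lines are constructed for illustration; the share root and crontab path are passed in as arguments.

```shell
#!/bin/sh
# Added example: read-only triage for the symptoms in this thread.
# Nothing is deleted; the functions only list what they find.

# Directories named ".chia" or "chia" (case-insensitive) under ROOT.
find_chia_dirs() {
    find "$1" -type d \( -iname '.chia' -o -iname 'chia' \) 2>/dev/null
}

# Regular files under ROOT larger than MIN_MB mebibytes (the thread used >1G).
find_large_files() {
    find "$1" -type f -size +"$(( $2 * 1024 ))"k 2>/dev/null
}

# Numbered lines of a crontab file that mention "chia" or run a script
# from a hidden (dot) directory.
cron_hits() {
    [ -r "$1" ] || return 0
    grep -n -i -E 'chia|/\.[^/ ]+/[^ ]*\.sh' "$1" || true
}

# triage ROOT CRONTAB [MIN_MB]: print all three findings.
triage() {
    echo "== chia directories under $1"; find_chia_dirs "$1"
    echo "== files over ${3:-1024} MiB under $1"; find_large_files "$1" "${3:-1024}"
    echo "== suspicious lines in $2"; cron_hits "$2"
}

# Constructed sample tree and crontab, so the script can be tried offline.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/share/.chia" "$d/share/Documents"
    dd if=/dev/zero of="$d/share/.chia/plot.tmp" bs=1024 count=2048 2>/dev/null
    echo "notes" > "$d/share/Documents/notes.txt"
    printf '%s\n' '0 3 * * * /sbin/backup_job' \
        '*/10 * * * * /share/.chia/Chi.sh' > "$d/crontab"
    echo "$d"
}

if [ "$#" -ge 2 ]; then triage "$@"; fi
```

Run it as `sh triage.sh ROOT CRONTAB 1024` and keep the output with the support ticket; finding nothing here does not show the NAS is clean.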