Unknown Thread kthreaddnai

[kameha]

Hello,

I recently discovered that i have an unknown thread eating up my CPU (see kthreaddnai.jpg)

It is associated with this executable file in /tmp (see pionai.jpg attached)
I also found weird files in /tmp having the same rights and user (see god.jpg and mxpma.jpg)

Does anyone have the same issue and knows what they're doing ??

Thnx,

[OneCD]

Hi and welcome to the forum.

That all looks rather suspect to me.

Have you installed and run the Malware Remover QPKG yet? It’s available in the QTS App Center.

[kameha]

Hello,

Thnx... I've installed Malware Remover and it's been running daily for weeks without finding anything suspect...
I also have a daily Full Virus scan and nothing suspect comes up either...

[dolbyman]

virus scan only scans your files ..not your nas

possibly a new infection .. contact qnap for assitance

what services were you exposing to the web?

[kameha]

I expose nextcloud and gitea throught ContainerStation on https

[salexes]

Its malware: https://www.virustotal.com/#/file/61c6b ... /detection

It appeared on my qnap aswell

[Toxic17]

I expose nextcloud and gitea throught ContainerStation on https

https://helpdesk.qnap.com/

[kameha]

Its malware: https://www.virustotal.com/#/file/61c6b ... /detection

It appeared on my qnap aswell

How did u get rid of it !?

[salexes]

@kameha

which apps do you have installed. Please post a list/screenshot here


also what is your current firmware version ?

[kameha]

I've installed:

QNAP:
RainLoop
QVPN Service
Malware Remover
Container Station (Gitea, Nexcloud)
Photo Station
phpMyAdmin
Text Editor
CodexPack
Qboost
Qsync Central

Community:
Deluge
Entware-std (nano, sslh)
QGit
QJDK 1.8

Firmware: 4.3.5.0728

[salexes]

If an app would be the reason the only overlapping apps we have are

QVPN Service
Malware Remover
Container Station
phpMyAdmin
Qboost
Entware-std

Same firmware I got: Firmware: 4.3.5.0728

[KV17uwe]

Hello,

I have the same problem. I also have this process. When I finish it, it opens again after a short time. What can I do? I have already opened a ticket at QNAP.



Prozessname: pionai
User: httpdusr

thx Uwe

[kameha]

Hello !

For now (until i have another solution) i am using this script to automatically (every 2 mins) kill the processes and remove the files

Code: Select all

#!/bin/sh



NOW=$(date '+%Y%m%d%H%M%S')

LOG_FILE=/share/kameha/clean.log



if [ ! -f ${LOG_FILE} ]; then

        touch ${LOG_FILE}

fi



echo "Running at ${NOW}" >> ${LOG_FILE}



ps -ef | grep '/tmp/compma' | grep -v grep | awk '{print $2}' | xargs -r kill -9

ps -ef | grep 'pionai' | grep -v grep | awk '{print $2}' | xargs -r kill -9

ps -ef | grep 'kthreaddnai' | grep -v grep | awk '{print $2}' | xargs -r kill -9



find /tmp -type f -user httpdusr -perm 0750 -exec rm -f {} \;

find /tmp -type f -user httpdusr -perm 0700 -exec rm -f {} \;

find /tmp -type f -user httpdusr -perm 0640 -exec rm -f {} \;

I also used those commands

Code: Select all

find / -type f -user httpdusr -group administrators -perm 0700

find / -type f -user httpdusr -group administrators -perm 0750

find / -type f -user httpdusr -group administrators -perm 0640

to find (and remove) suspect files (cgod, dog.1, dog, eth1, inet0,..) on all the NAS and found files in /var/lock, /var/run/, /dev/shm

[Trexx]

You might try upgrading to new 4.3.5.0756 QTS release as there were several security holes patched in it.

[dolbyman]

I expose nextcloud and gitea throught ContainerStation on https

both apps in container or only gitea ? if nextcloud was natively installed it could be a vulnerability in the webserver or that particular app