[SECURITY RISK] Your NAS could be infected. Please read.
-
- Easy as a breeze
- Posts: 267
- Joined: Wed Jun 15, 2016 2:49 am
Re: [SECURITY RISK] Your NAS could be infected. Please read.
As long as your NAS does need access to the internet and you want to keep it connected in your LAN: Block it on your router. NTP, DNS / Proxy, Live Firmware updates will fail. Anyhow no data can be uploaded. One can still upload a new firmware (2nd tab in the UI).
Did you use the "derek-be-gone.sh" script mentioned in viewtopic.php?f=50&t=146352&start=45#p703735 ?
- Petep74093
- Getting the hang of things
- Posts: 57
- Joined: Thu Jul 02, 2015 10:20 pm
- Location: Sandhurst, UK
Re: [SECURITY RISK] Your NAS could be infected. Please read.
I will ask the question as I'm sure there are users like myself who are not familiar with checking the file mentioned. All of my setup on the NAS is done via the apps etc. installed and so I don't go delving into the directories and associated scripts.
So could someone give me a pointer of where to look and see if I have the issue raised up? I don't access the NAS remotely so hopefully all will be well, but I would like to check and see to be sure.
Thanks
Model: TS-453 Pro -- RAM: 8GB
FW: QTS 4.4.1.1117(09/11/2019)
WDC WD30EFRX-68EUZN0 x4 Red HDDs - RAID 5
UPS: APC BG700G
Backups and maintenance routines are essential and shouldn't be overlooked. If you can't replace the data then any loss is firmly on your shoulders.
NAS is only a storage facility and not a magical place protected by knights and elves.
Back it up and secure it or lose it - your choice !
- Moogle Stiltzkin
- Guru
- Posts: 11448
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Petep74093 wrote: ↑Sun Feb 03, 2019 1:27 am I will ask the question as I'm sure there are users like myself who are not familiar with checking the file mentioned. All of my setup on the NAS is done via the apps etc. installed and so I don't go delving into the directories and associated scripts.
So could someone give me a pointer of where to look and see if I have the issue raised up? I don't access the NAS remotely so hopefully all will be well, but I would like to check and see to be sure.
Thanks
use winscp.
https://winscp.net/eng/download.php
in qnap qts enable ssh > sftp.
in winscp login to the qnap, then on the right side directory panel, go to root. then browse until you go to the directory that was mentioned for where these suspect files are.
you can open the file with notepad++ to view the file
when done checking, logout, and in qts disable the ssh access.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1
Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)
Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
-
- New here
- Posts: 8
- Joined: Mon Feb 08, 2010 2:47 pm
Re: [SECURITY RISK] Your NAS could be infected. Please read.
The symptoms I observed were:
- Firmware and Antivirus update check failed
- Unable to install Malware Remover (even manually)
The derek-be-gone script resolved both. The only weird thing that was still there (and known) were strange known-host entries.
-
- New here
- Posts: 6
- Joined: Sat Feb 28, 2015 4:13 am
Re: [SECURITY RISK] Your NAS could be infected. Please read.
iam@nas wrote: ↑Sat Feb 02, 2019 6:49 pm As long as your NAS does need access to the internet and you want to keep it connected in your LAN: Block it on your router. NTP, DNS / Proxy, Live Firmware updates will fail. Anyhow no data can be uploaded. One can still upload a new firmware (2nd tab in the UI).
Did you use the "derek-be-gone.sh" script mentioned in viewtopic.php?f=50&t=146352&start=45#p703735 ?
Yes, that's the curl script I said I ran a couple times. It works for a couple hours, but then the 0.0.0.0 entries come back. Malware Remover 3.4.1 does not take care of it, only running the older version installed via derek-be-gone script seems to work.
A QNAP tech replied to my ticket and we are going to work on it tomorrow.
-
- New here
- Posts: 6
- Joined: Sat Feb 28, 2015 4:13 am
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Same, but check your hosts file a few hours later and the 0.0.0.0 entries will probably be back. So, it fixes the problem, but the malware unfixes it.
- Petep74093
- Getting the hang of things
- Posts: 57
- Joined: Thu Jul 02, 2015 10:20 pm
- Location: Sandhurst, UK
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Moogle Stiltzkin wrote: ↑Mon Feb 04, 2019 1:21 am
use winscp.
https://winscp.net/eng/download.php
in qnap qts enable ssh > sftp.
in winscp login to the qnap, then on the right side directory panel, go to root. then browse until you go to the directory that was mentioned for where these suspect files are.
you can open the file with notepad++ to view the file
when done checking, logout, and in qts disable the ssh access.
Thank you for that, I'll check that out - much obliged for you taking the time to post up that 'how to'
- Moogle Stiltzkin
- Guru
- Posts: 11448
- Joined: Thu Dec 04, 2008 12:21 am
- Location: Around the world....
- Contact:
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Petep74093 wrote: ↑Mon Feb 04, 2019 3:45 am Thank you for that, I'll check that out - much obliged for you taking the time to post up that 'how to'
np, just a hobby of mine to help
i find that a lot of the help on the forum ASSUMES a certain level of understanding about technical matters. But some users may require more specifics and guidance than others. So i'll get into those nitty gritty details if and when required
but most of the time it's just basic help to generally point in the right direction
Last edited by Moogle Stiltzkin on Tue Feb 05, 2019 7:48 pm, edited 1 time in total.
- Petep74093
- Getting the hang of things
- Posts: 57
- Joined: Thu Jul 02, 2015 10:20 pm
- Location: Sandhurst, UK
Re: [SECURITY RISK] Your NAS could be infected. Please read.
Moogle Stiltzkin wrote: ↑Mon Feb 04, 2019 3:48 am
Petep74093 wrote: ↑Mon Feb 04, 2019 3:45 am Thank you for that, I'll check that out - much obliged for you taking the time to post up that 'how to'
np, just a hobby of mine to help
Anyone not sure how to check then use the pointers given by Moogle - spot on and easy to do. Glad to say mine all looks clear and long may it stay that way
-
- Starting out
- Posts: 21
- Joined: Tue Mar 20, 2018 1:47 am
Re: [SECURITY RISK] Your NAS could be infected. Please read.
I personally got into this malware affair with my QNAP TS-253A and QNAP support sent me the derek-be-gone.sh script telling me to change all user passwords. They didn't mention possible DOM corruption.
Before launching the script I found something strange in my crontab (a couple of unknown scripts, one with the typical random unreadable name, the other was backup_config.sh, but not the legitimate one usually found in etc/init.d/), now it seems clean.
Anyway I reinitialized system and disk (actually I switched to a brand new disk), and hosts file is clean. Truth is I'm not sure everything is REALLY clean.
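The two manual checks described in this thread (0.0.0.0 entries reappearing in the hosts file, and a backup_config.sh cron entry that is not the one in /etc/init.d/) can be scripted; this is an added example, not part of any post and not QNAP's derek-be-gone.sh. The function names, sample hostnames and sample paths are constructed, and the file locations are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the thread or from QNAP. Sample data is constructed.

# Print every hostname that the given hosts file maps to 0.0.0.0.
blackholed_hosts() {
    awk '
        { sub(/#.*/, "") }                      # strip comments first
        $1 == "0.0.0.0" { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Print crontab lines that run a file named backup_config.sh from any
# path other than /etc/init.d/ (the legitimate location per the thread).
suspect_cron_entries() {
    awk '
        /^[ \t]*#/ { next }                     # skip comment lines
        NF < 6     { next }                     # need 5 time fields + command
        {
            for (i = 6; i <= NF; i++) {
                n = split($i, part, "/")
                if (part[n] == "backup_config.sh" &&
                    $i != "/etc/init.d/backup_config.sh") { print; next }
            }
        }
    ' "$1"
}

# Demo on constructed sample files (not taken from an infected system).
tmp=$(mktemp -d)
printf '%s\n' \
    '127.0.0.1 localhost' \
    '0.0.0.0 update.example.com download.example.com # constructed' \
    '# 0.0.0.0 commented.example.com' > "$tmp/hosts"
printf '%s\n' \
    '0 3 * * * /etc/init.d/backup_config.sh' \
    '*/10 * * * * /tmp/constructed/backup_config.sh' \
    '# 5 * * * * /old/backup_config.sh' > "$tmp/crontab"

echo "Hostnames pointed at 0.0.0.0:"
blackholed_hosts "$tmp/hosts"
echo "Suspect cron entries:"
suspect_cron_entries "$tmp/crontab"
rm -rf "$tmp"
```

Because posters saw the 0.0.0.0 entries return a few hours after cleaning, run the check again later rather than relying on one clean result.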
- Toxic17
- Ask me anything
- Posts: 6477
- Joined: Tue Jan 25, 2011 11:41 pm
- Location: Planet Earth
- Contact:
Re: [SECURITY RISK] Your NAS could be infected. Please read.
the derek-be-gone.sh script is now at v1.2.
Code:
curl https://download.qnap.com/Storage/tsd/utility/derek-be-gone.sh | sh
Regards Simon
Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following
NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
-
- Been there, done that
- Posts: 530
- Joined: Wed Apr 28, 2010 9:22 pm
Re: [SECURITY RISK] Your NAS could be infected. Please read.
The revised script keeps reporting the 3.4.1 Remover version is fake and replaces it by 3.4.0. And then the App Center informs you there is an update for it. Pfff
1x TS251, 1x TS251D, 1x TS253
- Toxic17
- Ask me anything
- Posts: 6477
- Joined: Tue Jan 25, 2011 11:41 pm
- Location: Planet Earth
- Contact:
Re: [SECURITY RISK] Your NAS could be infected. Please read.
I take it you have reported this to QNAP?
Regards Simon
-
- Been there, done that
- Posts: 530
- Joined: Wed Apr 28, 2010 9:22 pm
Re: [SECURITY RISK] Your NAS could be infected. Please read.
I haven't and I won't. This is not a bug, but lazy QNAP if that script is revised and the Malware Remover as well to take care of this infection but still not downloading that revised Malware remover from their own server.
-
- Guru
- Posts: 13192
- Joined: Sat Dec 29, 2007 1:39 am
- Location: Stockholm, Sweden (UTC+01:00)
Re: [SECURITY RISK] Your NAS could be infected. Please read.
There will always be new and slightly different infections in the future and it will always take a while for Qnap to understand the infection and properly implement the antidote for it. Putting out an official warning for every new infection separately before they've properly fixed the issue will only make users even more numb to future warnings.
Before Qnap have implemented the fix in malware remover these infections are in my opinion best dealt with like in this thread, the user community share their experiences and the really motivated users can read about it.
Exposing your NAS on the internet (allowing remote access) is always a high risk thing to do (at least without a properly deployed remote access VPN and/or 2FA on all existing user accounts)!
The real problems that I see with Qnap are:
- The marketing is pushing the private cloud message and tells users that the Qnap solution is a secure way to deploy it. Unfortunately the first part is very attractive to users that don't understand the risks and the last part is a lie.
- Qnap have many dangerous things enabled by default and/or without sufficient warnings about the risks.
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!
A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.
All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!