[SECURITY RISK] Your NAS could be infected. Please read.

[iam@nas]

As long as your NAS does need access to the internet and you want to keep it connected in your LAN: Block it on your router. NTP, DNS / Proxy, Live Firmware updates will fail. Anyhow no data can be uploaded. One can still upload a new firmware (2nd tab in the UI).
Did you use the "derek-be-gone.sh" script mentioned in viewtopic.php?f=50&t=146352&start=45#p703735 ?

[Petep74093]

I will ask the question as sure there are users like myself, who are not familiar with checking the file mentioned. All of my setup on the NAS is done via the apps etc installed and so I don't go delving into the directories and associated scripts.
So could someone give me a pointer of where to look and see if I have the issue raised up? I don't acess the NAS remotely so hopefully all will be well but would like to check and see to be sure
Thanks

[Moogle Stiltzkin]

I will ask the question as sure there are users like myself, who are not familiar with checking the file mentioned. All of my setup on the NAS is done via the apps etc installed and so I don't go delving into the directories and associated scripts.
So could someone give me a pointer of where to look and see if I have the issue raised up? I don't acess the NAS remotely so hopefully all will be well but would like to check and see to be sure
Thanks

use winscp.
https://winscp.net/eng/download.php

in qnap qts enable ssh > sftp.

in winscp login to the qnap, then on the right side directory panel, go to root. then browse until you go to the directory that was mentioned for where these suspect files are.

you can open the file with notepad++ to view the file

when done checking, logout, and in qts disable the ssh access.

[peb]

The symptoms I observed where:
- Firmware and Antivirus update check failed
- Unable to install Malware Remover (even manually)

Dereck-be-gone script resolved both. Only weird thing that was still there (and known) werr strange known-host entries.

[hillaj1]

As long as your NAS does need access to the internet and you want to keep it connected in your LAN: Block it on your router. NTP, DNS / Proxy, Live Firmware updates will fail. Anyhow no data can be uploaded. One can still upload a new firmware (2nd tab in the UI).
Did you use the "derek-be-gone.sh" script mentioned in viewtopic.php?f=50&t=146352&start=45#p703735 ?

Yes, that's the curl script I said I ran a couple times. It works for a couple hours, but then the 0.0.0.0 entries come back. Malware Remover 3.4.1 does not take care of it, only running the older version installed via derek-be-gone script seems to work.

A QNAP tech replied to my ticket and we are going to work on it tomorrow.

[hillaj1]

The symptoms I observed where:
- Firmware and Antivirus update check failed
- Unable to install Malware Remover (even manually)

Dereck-be-gone script resolved both. Only weird thing that was still there (and known) werr strange known-host entries.

Same, but check your hosts file a few hours later and the 0.0.0.0 entries will probably be back. So, it fixes the problem, but the malware unfixes it.

[Petep74093]

use winscp.
https://winscp.net/eng/download.php

in qnap qts enable ssh > sftp.

in winscp login to the qnap, then on the right side directory panel, go to root. then browse until you go to the directory that was mentioned for where these suspect files are.

you can open the file with notepad++ to view the file

when done checking, logout, and in qts disable the ssh access.

Thank you for that, I'll check that out - much obliged for you taking the time to post up that 'how to'

[Moogle Stiltzkin]

Thank you for that, I'll check that out - much obliged for you taking the time to post up that 'how to'

np, just a hobby of mine to help

i find that a lot of the help on the forum ASSUMES a certain level of understanding about technical matters. But some users may require more specifics and guidance than others. So i'll get into those nitty gritty details if and when required

but most of the time it's just basic help to generally point in the right direction

[Petep74093]

Thank you for that, I'll check that out - much obliged for you taking the time to post up that 'how to'

np, just a hobby of mine to help

Anyone not sure how to check then use the pointers given by Moogle- spot on and easy to do. Glad to say mine all looks clear and long may it stay that way

[benny.evangelisat]

I personally got into this malware affaire with my QNAP TS-253A and QNAP support sent me the derek-be-gone.sh script telling me to change all user passwords. They didn't mention about possibile DOM corruption.

Before launching the script I found something strange in my crontab (a couple of unknown scripts, one with the typical random unreadable name, the other was backup_config.sh, but not the legitimate one usually found in etc/init.d/), now it seems clean.

Anyway I reinitialized system and disk (actually I switched to a brand new disk), and hosts file is clean. Truth is I'm not sure everything is REALLY clean.

[Toxic17]

the derek-be-gone.sh script is now at v1.2.

Code: Select all

curl https://download.qnap.com/Storage/tsd/utility/derek-be-gone.sh | sh

[Ron1963]

The revised script keeps reporting the 3.4.1 Remover version is fake and replaces it by 3.4.0. And then the App Center informs you there is an update for it. Pfff

[Toxic17]

The revised script keeps reporting the 3.4.1 Remover version is fake and replaces it by 3.4.0. And then the App Center informs you there is an update for it. Pfff

I take it you have reported this to QNAP?

[Ron1963]

The revised script keeps reporting the 3.4.1 Remover version is fake and replaces it by 3.4.0. And then the App Center informs you there is an update for it. Pfff

I take it you have reported this to QNAP?

I haven't and I won't. This is not a bug, but lazy QNAP if that script is revised and the Malware Remover as well to take care of this infection but still not downloading that revised Malware remover from their own server.

[P3R]

There will always be new and slightly different infections in the future and it will always take a while for Qnap to understand the infection and properly implement the antidote for it. Putting out an official warning for every new infection separately before they've properly fixed the issue will only make users even more numb to future warnings.

Before Qnap have implemented the fix in malware remover these infections are in my opinion best dealt with like in this thread, the user community share their experiences and the really motivated users can read about it.

Exposing your NAS on the internet (allowing remote access) is always a high risk thing to do (at least without a properly deployed remote access VPN and/or 2FA on all existing user accounts)!

The real problems that I see with Qnap are:

• The marketing is pushing the private cloud message and tell users that the Qnap solution is a secure way to deploy it. Unfortunately the first part is very attractive to users that doesn't understand the risks and the last part is a lie.
• Qnap have many dangerous things enabled by default and/or without sufficient warnings about the risks.

Those are the two things that I would rather like to see change with how Qnap deal with that the ship is slowly sinking.