[SECURITY RISK] Your NAS could be infected. Please read.


Are you infected? / Should QNAP make a Security Advisory Announcement? - SELECT TWO OPTIONS

Yes, my NAS has this issue: 70 (31%)
No, my NAS is not infected: 77 (34%)
Yes, an announcement by QNAP is critical: 75 (33%)
No, just contact QNAP about the issue: 4 (2%)

Total votes: 226

Toxic17
Ask me anything
Posts: 6476
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 »

Looks like QNAP seem to be good at infections... old news but 2500 QNAPS infected a few years back.

https://www.bleepingcomputer.com/news/s ... as-botnet/
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following


NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
OneCD
Guru
Posts: 12136
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by OneCD »

If anyone's looking to get QNAP a Valentine's Day gift, I've just the thing. :wink:
Neowin wrote: Download the "Mastering Linux Security and Hardening" eBook (worth $23) for free

A comprehensive guide to mastering the art of preventing your Linux system from getting compromised. Claim your complimentary copy (worth $23) for free today, before the offer expires on Feb 19.


What's it about?

This book has extensive coverage of techniques that will help prevent attackers from breaching your system, by building a much more secure Linux environment.

This eBook will help you:
  • Use various techniques to prevent intruders from accessing sensitive data
  • Prevent intruders from planting malware, and detect whether malware has been planted
  • Prevent insiders from accessing data that they aren’t authorized to access
  • Do quick checks to see whether a computer is running network services that it doesn’t need to run
  • Learn security techniques that are common to all Linux distros, and some that are distro-specific
By the end of this book, you will be confident in delivering a system that will be much harder to compromise.

ldir-EDB0
Getting the hang of things
Posts: 71
Joined: Tue Dec 04, 2018 12:22 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by ldir-EDB0 »

The response I've just received from Qnap via the security contact is that "The vulnerability was patched and related security advisory was released last year: https://www.qnap.com/en/security-advisory/nas-201809-14"

From that advisory:

"Release date: September 14, 2018
Security ID: NAS-201809-14
Severity: Critical
CVE identifier: CVE-2018-0718
Affected products: Music Station 5.1.2 and earlier versions in QTS 4.3.3 and 4.3.4"

It would be good to confirm that those affected were running vulnerable versions of Music Station. If they're not, then another attack vector was/is being used.

Kevin
Toxic17
Ask me anything
Posts: 6476
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 »

ldir-EDB0 wrote: Sat Feb 09, 2019 10:32 pm
The response I've just received from Qnap via the security contact is that "The vulnerability was patched and related security advisory was released last year: https://www.qnap.com/en/security-advisory/nas-201809-14"

From that advisory:

"Release date: September 14, 2018
Security ID: NAS-201809-14
Severity: Critical
CVE identifier: CVE-2018-0718
Affected products: Music Station 5.1.2 and earlier versions in QTS 4.3.3 and 4.3.4"

It would be good to confirm that those affected were running vulnerable versions of Music Station. If they're not, then another attack vector was/is being used.

Kevin
Most are running 4.3.5 or 4.3.6; sounds like HelpDesk is just fobbing people off by blaming this issue on MS. Since the hackers are now probably following all QNAP threads regarding this, they can now look at QNAP's so-called fix, see what it does and then adjust their code accordingly, thus making QNAP play catch-up forever.

QNAP need to fix this once and for all without a script but with a firmware patch or update, and make an announcement ASAP.
ldir-EDB0
Getting the hang of things
Posts: 71
Joined: Tue Dec 04, 2018 12:22 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by ldir-EDB0 »

Toxic17 wrote: Sun Feb 10, 2019 12:56 am
Most are running 4.3.5 or 4.3.6; sounds like HelpDesk is just fobbing people off by blaming this issue on MS. Since the hackers are now probably following all QNAP threads regarding this, they can now look at QNAP's so-called fix, see what it does and then adjust their code accordingly, thus making QNAP play catch-up forever.

QNAP need to fix this once and for all without a script but with a firmware patch or update, and make an announcement ASAP.
Certainly if systems on 4.3.5/4.3.6 have been infected then it suggests a different & new attack vector.
Toxic17
Ask me anything
Posts: 6476
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 »

I see TheRegister are running with this news too. I wonder how long QNAP can maintain its silence.

https://www.theregister.co.uk/2019/02/1 ... le_issues/
iam@nas
Easy as a breeze
Posts: 267
Joined: Wed Jun 15, 2016 2:49 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by iam@nas »

I wonder whether current QTS versions got infected or a well-known bug of an older firmware was exploited. It seems that there are quite a few admins who do not update their NAS often enough. QNAP may want to update existing advisories with the information that working exploits are available in the wild.
Thinking about it, an automated firmware download and installation like Microsoft does may be great for those who do not really care about their NAS.
merlo
Starting out
Posts: 10
Joined: Tue Jan 29, 2013 10:02 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by merlo »

4.3.4 0486, and I don't think I'm affected: /etc/hosts is clean, and Malware Remover, ClamAV and other apps can be used and updated normally.
Music Station is not installed and I'm not using CloudLink / myQNAPcloud; the NAS is accessible via HTTPS and OpenVPN.

Regarding laziness with firmware updates, I can't update to a more recent version because of BUV-748-71998.
Toxic17
Ask me anything
Posts: 6476
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Toxic17 »


merlo wrote: Regarding laziness with firmware updates, I can't update to a more recent version because of BUV-748-71998.
Sorry but my crystal ball is broken. Would you care to enlighten us on what ticket #BUV-748-71998 actually is, rather than posting a code I cannot look up?

merlo
Starting out
Posts: 10
Joined: Tue Jan 29, 2013 10:02 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by merlo »

Memory leak, and the NAS gets unresponsive when transferring larger amounts of data via iSCSI, on firmware newer than 486.
Not relevant here, but I just want to point out that I'm not on this version because I'm lazy. :p
Jaginix
Starting out
Posts: 42
Joined: Fri Dec 29, 2017 1:08 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Jaginix »

iam@nas wrote: Mon Feb 11, 2019 10:34 pm
Thinking about it, an automated firmware download and installation like Microsoft does may be great for those who do not really care about their NAS.
Hrhr. Good joke. After all the firmware chaos of the last time? No way.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by FSC830 »

howarmat wrote: Thu Jan 31, 2019 11:57 pm
I'm all good on multiple devices
Me too :D .

But I am also not using any stuff connected to Internet, except a Clouddrive Sync at one box. But this one is also clean.
No Webserver, no Plex, no access from external.
If needed, I setup a temporary VPN connection to my router to access some files.

In addition: I do not run the NAS at latest FW versions. Due to the fact that there have been some major bugs in the newer releases I still continue using a working one :wink: .
regards
robincm
New here
Posts: 6
Joined: Fri Feb 24, 2012 5:00 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by robincm »

My TS239 Pro II+ is misbehaving. It had some issues getting ClamAV updates but that seemed to be sorted out.

DNS resolution seems to be working fine and the hosts file is clear. resolv.conf looks ok too.

I mounted the config via: mount -t ext4 /dev/sdx6 /tmp/config
(but see https://wiki.qnap.com/wiki/Running_Your ... at_Startup because it's different for different models, that article seems to be old so I used trial and error until I found a mount command that worked).
There's a load of obfuscated stuff in autorun.sh that looks very similar to what's reported here: https://isc.sans.edu/diary/Obfuscated+b ... oxes/24348
There's also a dodgy-looking .sh file that's about the same size as the autorun.sh (11334b & 11880b respectively), both dated 26th Aug.


I've also got a load of dodgy looking stuff in my crontab.

I can't install or update most packages including Python 2, with errors telling me that the architecture is wrong. MalwareRemover won't run because apparently the Python QPKG is somehow missing. Python is present and I get a python prompt from ssh running /usr/bin/python

This NAS is available via MyQNAPCloud, but there have been no ports forwarded to it on my firewall for several months, since changing ISP. Of course, it might have been like this for a while, but I did a firmware update some time towards the end of last year and updated packages no problem a month or so ago.

Ugh. I've logged a support ticket with QNAP.

On the plus side, the NAS is still doing its main job of being an SMB server within my home network. I'm just not sure what else it's now also doing!!

And I'd like to know how this malware (and all previous malware) gets onto the QNAP boxes in the first place.
robincm
New here
Posts: 6
Joined: Fri Feb 24, 2012 5:00 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by robincm »

Update:
I downloaded via a web browser then manually installed Python_2.7.3_x86.qpkg via App Center.
Likewise downloaded the qpkg and installed MalwareRemover_3.4.1_20190125_182348.qpkg via App Center.
Malware Remover ran and logged three warnings:
[Malware Remover] Repaired official app list in App Center.
[Malware Remover] Detected high-risk malware. To maintain system security, change all user account passwords immediately.
[Malware Remover] Malware was detected and removed. You must restart the NAS.
Prior to the reboot there are still dodgy looking obfuscated .sh files (referenced in crontab) sitting on the disk.
After the reboot those files are still there.
However the autorun.sh (and the oddly named, similar sized other .sh in the same folder) are now only 11B and 10B big each, only containing #!/bin/sh
Some apps are still missing.
I only have: Photo Station, Music Station, Python 2.7.3, Helpdesk 1.2.2, QNAP Diagnostic Tool, Malware Remover.
Other apps seem to be missing. e.g. CloudLink - if I try and download/install that through App Center it fails with the "wrong architecture" message.
So something is still broken.
I'm just manually updating to 4.2.6 build 20181227 because the GUI wouldn't find that update - told me it was up to date.
robincm
New here
Posts: 6
Joined: Fri Feb 24, 2012 5:00 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by robincm »

In /mnt/HDA_ROOT/.config there are some files all created on the same date as the dodgy ones from crontab:
-rw-r--r-- 1 admin administ 388 Aug 26 08:56 xVdlgrz.B.txdl
-rw-r--r-- 1 admin administ 203 Aug 26 08:56 vnhtXkhv
-rw-r--r-- 1 admin administ 1679 Aug 26 08:56 SOMtbGclrShqqZvCzwi
-rw-r--r-- 1 admin administ 203 Aug 26 08:56 .qsync.conf

I also noticed that most of the dodgy entries from crontab seem to be commented out (prefixed with # - that is what that does, right?). I've removed them all anyway.

The contents of .qsync.conf look worrying (bearing in mind I am just going by what seem to be odd filenames!):
Port 51163
StrictModes no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePrivilegeSeparation no
HostKey "/etc/config/SOMtbGclrShqqZvCzwi"
AuthorizedKeysFile "/etc/config/xVdlgrz.B.txdl"

Has something been trying to sync data off my NAS?

I've now renamed all the suspicious looking files and/or folders above and mentioned in crontab. Hopefully none of them are legitimate and I haven't just broken something!

I still get the "wrong architecture" error trying to install or update apps directly in app center, even after the firmware update.
For info: uname -m gives me: i686
As mentioned above, I can install packages if I download the .qpkg file (for x86 where there's a choice). Most of them then say there's an update available but the update fails with the same "wrong architecture" message, and then the app vanishes from app center.
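The .qsync.conf that robincm found above is an sshd-style configuration hidden under a sync tool's name, listening on a non-standard port with its host key and authorized_keys pointed at randomly named files. As an added example (not code from any poster or from QNAP), the Python below parses such a file and reports the indicators a defender would triage; the sample text is copied from the post, and the allow-list of key directories is a hypothetical starting point to adjust for the model at hand.

```python
import shlex

# Constructed sample: the sshd-style directives robincm reported in
# /mnt/HDA_ROOT/.config/.qsync.conf (values copied from the post above).
SUSPECT_CONF = """\
Port 51163
StrictModes no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePrivilegeSeparation no
HostKey "/etc/config/SOMtbGclrShqqZvCzwi"
AuthorizedKeysFile "/etc/config/xVdlgrz.B.txdl"
"""
# Hypothetical allow-list: where a legitimate sshd on this box keeps its keys.
EXPECTED_KEY_DIRS = ("/etc/ssh/", "/root/.ssh/", "/share/homes/")

def parse_sshd_directives(text):
    """Map lower-cased directive -> value from sshd_config-style text."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # unquotes the paths seen in the sample
        if len(parts) >= 2:
            directives[parts[0].lower()] = " ".join(parts[1:])
    return directives

def assess_sshd_config(text, path):
    """Return human-readable findings for one file; empty list means nothing odd."""
    d = parse_sshd_directives(text)
    if "hostkey" not in d and "authorizedkeysfile" not in d:
        return []  # not an sshd-style file at all
    findings = []
    if not path.endswith("sshd_config"):
        findings.append(f"sshd-style directives in unexpected file {path}")
    if d.get("port", "22") != "22":
        findings.append(f"non-standard listener port {d['port']}")
    if d.get("strictmodes") == "no":
        findings.append("StrictModes disabled (key file permissions unchecked)")
    if d.get("useprivilegeseparation") == "no":
        findings.append("UsePrivilegeSeparation disabled")
    for key in ("hostkey", "authorizedkeysfile"):
        if key in d and not d[key].startswith(EXPECTED_KEY_DIRS):
            findings.append(f"{key} points outside expected key dirs: {d[key]}")
    return findings

if __name__ == "__main__":
    for f in assess_sshd_config(SUSPECT_CONF, "/mnt/HDA_ROOT/.config/.qsync.conf"):
        print("FINDING:", f)
```

Run it against every file under the mounted config partition; a legitimate sshd_config on port 22 with keys under /etc/ssh/ produces no findings, so anything reported is worth a closer look before the NAS is rebooted or cleaned.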