Some new info:
I was able to first install Malware Remover manually via SSH and run it (nothing found), and then I installed all the apps that had not been updated.
(After downloading the .qpkg I copied it into the Public folder of the NAS, gave it permission (chmod +x /share/Public/nameofapp.qpkg), then launched the qpkg to reinstall (or upgrade)...)
Seems to be something wrong with the firmware update, I guess... every app I reinstall or upgrade reports: /share/CACHEDEV1_DATA/.system/.qinstaller.sh: No such file or directory
Antivirus Scan reports nothing... I don't know if it is malware or a firmware issue at this point...
Ciao, J
UPDATE:
After a reboot, the Malware Remover scheduled scan worked but the manual one did not. Surveillance Station and PhpMyAdmin stopped working too...
I hope that with a new firmware all these problems will be solved...
Ciao, J
Hi!
In short: when I stop all services and restart them, the system seems to work properly.
/etc/init.d/services.sh stop
/etc/init.d/services.sh start
Maybe it helps ...
Best regards!
In my case I opened a ticket with QNAP and they gave me a link to download a script (clean.sh). After running it and rebooting, I changed my users' passwords (two) and everything seems to work fine again.
I hope to help someone by copying and pasting here the support answer to my issue:
I have not used the part below because it was not necessary.
If app icons are grey, the solution is to reinstall the disabled app packages from the official App Center website:
- Go to https://www.qnap.com/en/app_center/?qts=4.3.5
- Select the NAS model, find the app to reinstall, and download the .zip package
- Unzip the .zip package, you will have a .qpkg file
- Log in to QTS and open the App Center
- Click the button icon in the top-right of the App Center (please refer to the picture attached)
- Select the .qpkg file from step 3, and click Install.
Excellent research. I wasn't able to load MalwareRemover via SSH and then launch it. It loaded ok but wouldn't run. Note that the file names referenced here viewtopic.php?f=25&t=144837&start=60#p705760 were slightly different for me. Regardless, I've now regained full functionality using the cleanme.sh script.
I remain interested to understand the vulnerability mechanism as my TS251 was affected but my TS453 was not.
Finally the malware seems to have gone.
My support ticket wasn't successful. Thank you to @jfk105 for sharing your response from QNAP Support. It solved my problems too. My system is now online and malware-free.
Thanks jfk105! ...solved my seemingly reoccurring issue
Thank you! This is the solution (for now)! I was losing my mind, Derek Be Gone had worked initially, but then seemed to crawl back. Noticed when my SSL app kept trying to 'downgrade'.
Seems fine for now.
Hope there's a more official release for peace of mind.
Kinda nervy wondering what was vulnerable while 'infected'.
I cannot get rid of them. Even after deleting entries from crontab, they get back after restarting services or system.
Therefore I think that the malware is still present in the system, though it seemed to get back to a normal state.
All the incriminated files (including this one above) are somehow neutralized (empty shell scripts or missing files or, in the case of this one, it has a .-- additional extension), but I've noticed the same: after rebooting, the three crontab entries are recreated.
The files, on the other hand, are not there anymore (I manually removed the randomly named directory mentioned above, which contained an "empty" shell script named PyqEN.Aljo.sh, but the entry has been recreated with the very same name, despite the directory not being there anymore).
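A read-only check for the symptom described in the posts above (cron entries that come back after a reboot while the scripts they point to are missing or emptied), as an added example that is not part of the thread or of any QNAP tool. The function names, the optional root prefix and the crontab lines built in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Lists cron entries whose target file is
# missing or holds no executable lines, so stale or recreated entries stand out.

# audit_crontab CRONTAB [ROOT]
# ROOT is an optional prefix, so a mounted or copied filesystem can be checked
# instead of the live one. Nothing is modified.
audit_crontab() {
    ct=$1; root=${2:-}
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -f; set -- $line; set +f              # split fields, no globbing
        [ "$#" -ge 6 ] || continue
        shift 5                                   # drop the schedule fields
        for w in "$@"; do
            # only absolute paths are checked; device nodes are ignored
            case $w in /dev/*|[!/]*) continue ;; esac
            if [ ! -e "$root$w" ]; then
                echo "MISSING $w"
            elif ! grep -Eqv '^[[:space:]]*(#.*)?$' "$root$w"; then
                echo "EMPTY $w"                   # only blank/comment lines
            fi
        done
    done < "$ct"
}

# demo: builds a throwaway tree with constructed entries and audits it.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/share/ok" "$d/share/stale"
    printf '#!/bin/sh\necho backup\n' > "$d/share/ok/backup.sh"
    printf '#!/bin/sh\n' > "$d/share/stale/neutralized.sh"
    printf '%s\n' '# constructed sample entries' \
        '0 3 * * * /share/ok/backup.sh' \
        '*/10 * * * * /share/gone/missing.sh >/dev/null 2>&1' \
        '15 * * * * /share/stale/neutralized.sh' > "$d/crontab"
    audit_crontab "$d/crontab" "$d"
    rm -rf "$d"
}

demo
```

Running the same check before and after a reboot and comparing the two outputs shows which entries are being recreated.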
I seem to have the same issue, I was unable to login to my TS-453A for quite some time, checked here and saw this thread.
I was on an old firmware at the time, I managed to get in via the webpage while the system was booting up as per advice here. I then managed to manually update the FW to 4.3.6.0923 and updated the apps. At this point I couldn't see the Malware Removal Tool in the store so I updated manually via the webpage and ran the tool.
It told me it had found infected files, and high risk malware etc. and that I needed to change all passwords and restart the nas, which I did.
Upon reboot I ran the tool again and was told that the remover had "Repaired infected file or folder: Name: /tmp/cofig/autorun.sh" along with the change passwords advice and to reboot the nas again.
I did this once again, and now seem to be in this loop. Every time I reboot and run the Malware program it tells me the same thing, am I doing something wrong?
Not sure, had a Synology NAS for about 8 years and never had an issue like this before. Buying external backup disks isn't something I need or can afford at the moment.
yes you need external backup disks (as we have just established in your bleak situation) ..affordability is indeed something only you can judge
disabling upnp in your router and removing all manual port forwards should be enough to not expose your nas to the internet anymore
removing the default gateway on the nas or blocking internet access (depending on your router capabilities) should disable the infected nas from "phoning home"
as it is unknown what the infection does, I would still not be comfortable with the nas in my network with other devices though