[SECURITY RISK] Your NAS could be infected. Please read.


Poll: Are you infected? / Should QNAP make a Security Advisory Announcement? (select two options)

Yes, my NAS has this issue: 70 votes (31%)
No, my NAS is not infected: 77 votes (34%)
Yes, an announcement by QNAP is critical: 75 votes (33%)
No, just contact QNAP about the issue: 4 votes (2%)

Total votes: 226

dolbyman
Guru
Posts: 35275
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman »

If the notice comes up every night then you still have an active infection. Time to wipe it all.

If your NAS is your backup, then you still have the original files, so no problem.

If you don't have the original files, then your NAS is not a backup but your primary storage.
ncnmra
Know my way around
Posts: 113
Joined: Sun Oct 10, 2010 8:24 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by ncnmra »

Just getting back to this. What is the best way to do a full wipe, including DOM?
dolbyman
Guru
Posts: 35275
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by dolbyman »

google
"qnap firmware recovery"
zeltpsi
Starting out
Posts: 16
Joined: Fri Nov 13, 2009 1:46 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by zeltpsi »

One of my NAS units is an older TS809 (8-bay). It was infected with QSnatch. The malware prevented any firmware updates, but I was able to manually download the latest firmware to a local drive and then install it. This appears to have solved part one. Changed passwords and rebooted. Updated all apps.
Worried that the machine was still not fixed, I found the quoted steps below. Using PuTTY I could SSH to the NAS and run cleanme.sh. This script found several apps that were infected and claimed to have fixed them. It then cleaned and installed the "Malware Remover" tool. However, the tool would not run and would hang on "Loading...". I re-ran cleanme.sh and re-installed the Malware Removal Tool (MRT). No malware was discovered, but still the MRT would not run. I tried a manual download of the MRT, but still no joy. I started a backup of my data so that I could do a wipe-clean of the disks and re-install. But while I was waiting for files to copy, I believe I tried the MRT remove-and-re-install about four more times, and finally it worked. I believe what was happening was that the malware was re-infecting the machine very rapidly after each clean sequence. On my fourth try, I likely just happened to get the MRT installed, and it auto-runs itself (on the fourth try), faster than the malware re-infection. This appears to have removed all traces (fingers crossed).
Changed passwords and rebooted.

I hope this helps someone else !
...Brian
1) Refer to the link below and access your NAS by SSH.

https://www.qnap.com/en-uk/how-to/knowl ... nas-by-ssh

2) Execute the command lines over SSH.

# curl https://download.qnap.com/Storage/tsd/u ... cleanme.sh | sh

3) Restart the NAS and re-update the latest firmware manually.

https://www.qnap.com/en/how-to/tutorial ... s-firmware

The latest firmware can be downloaded from https://www.qnap.com/en-uk/download

4) After the latest firmware is re-updated, please change all users' passwords.

5) Restart the NAS and check if all the apps can be updated or not.
ncnmra
Know my way around
Posts: 113
Joined: Sun Oct 10, 2010 8:24 am

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by ncnmra »

zeltpsi,

Please see the thread below. There is a bunch of us fighting with the QSnatch issue:

viewtopic.php?f=50&t=151402&e=1&view=unread#unread

Despite me following the exact same steps as you, my device is repeatedly reinfected. I have since blocked all its access to the internet in hopes that my ISP will not ban me again.
pilaQ
Starting out
Posts: 18
Joined: Sat Nov 12, 2016 9:41 pm

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by pilaQ »

While this may not help the infected, it may help them later to never again repeat the problem on any device.

Automatic and constant software updates are the worst security-related move you can make. I know most will keep doing it. They may patch one problem, but will introduce two new ones. That is guaranteed. I understand that most will see this as heresy.

I have 4 separate networks, 24/7 online, with several QNAPs, well over 60 computers - never had an infection in any device in decades. Networks are connected 24/7 to each other using OpenVPN. We are very heavy users; lives literally depend on us working. Never had any anti-virus or similar software installed anywhere.

Anyone can do it with some minimal learning.

1) Never update anything unless YOU have a problem and can find in the docs that the new fw/sw fixes that particular problem. If you can work around the problem, you may forgo the update. I use Word 2000 :) and am happy with it. And I write professionally. I could provide many more examples.

2) Every interactively used computer (in the hands of users) must have its own whitelist outgoing firewall! Meaning: only selected apps which are explicitly allowed to go out can go out. All remaining apps are barred from the Internet. Particularly on bad OSes like Android. No updates of anything unless absolutely needed, as rule 1) states.

3) Never allow any device to be connected to the Internet unless it really needs to be connected. It will still work perfectly within your LAN. Not a single QNAP on my networks can go to the Internet. Problem solved. Not one of my SmartHome computers can go to the Internet. And many more. They cannot be infected, and even if they could, they cannot do anything wrong (send any data anywhere). Use the router firewall. Make NTP servers available locally within your LAN and route all devices there. If not, allow devices to make only outgoing NTP connections if you must.

4) Never port forward anything or allow any external access. The only exception is an e-mail server. Use only an OpenVPN server, preferably on your router. Then you have access to all your computers from anywhere using an OpenVPN client. I repeat: all devices in any of my networks are perfectly accessible from any location in the world using OpenVPN and from any of my LANs.

5) In web browsers, always use JavaScript blocking.

And no worries for you are likely :) Ever.

This is not limiting users in any way. Just to be clear: I have several VPN servers; on my QNAPs there are several Virtual Machines running 24/7, including crucial business apps. They are all accessible 24/7 but only from the corresponding VPN. My business VPN is not allowed to access anything but its dedicated VM and apps, and apps from the QNAP print the data through the same VPN back to the office printer. But my QNAPs can never access the Internet.
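An added example of what rules 3) and 4) above look like on a Linux router running nftables (this is illustrative code written for this thread, not pilaQ's own configuration and not anything from QNAP). The shell function renders a ruleset in which the NAS may reach LAN hosts and a local NTP server but is logged and dropped on any other forwarded packet, and in which the only service the router accepts from the WAN side is the OpenVPN endpoint, so nothing is port-forwarded to the NAS. The addresses, interface name and port are constructed placeholders; rule 2) (a per-host outgoing whitelist on each user's computer) is host-side and not covered here.

```shell
#!/bin/sh
# Added example: render (and optionally load) an nftables policy that keeps a NAS
# off the Internet while leaving it usable on the LAN, and exposes only OpenVPN
# on the router's WAN side. All values below are constructed placeholders.
NAS_IP="${NAS_IP:-192.168.10.50}"        # the QNAP that must never reach the Internet
LAN_NET="${LAN_NET:-192.168.10.0/24}"    # the LAN it still serves
NTP_IP="${NTP_IP:-192.168.10.1}"         # local NTP server (here: the router itself)
WAN_IF="${WAN_IF:-wan0}"                 # router interface facing the ISP
VPN_PORT="${VPN_PORT:-1194}"             # OpenVPN listening port (UDP)

render_egress_ruleset() {
    cat <<EOF
table inet nas_policy {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # replies to connections the LAN opened are always allowed
        ct state established,related accept
        # the NAS may talk to the local NTP server and to LAN hosts...
        ip saddr $NAS_IP ip daddr $NTP_IP udp dport 123 accept
        ip saddr $NAS_IP ip daddr $LAN_NET accept
        # ...and to nothing else: any other forwarded packet from it is logged and dropped
        ip saddr $NAS_IP log prefix "nas-egress-drop " drop
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        # the only thing reachable from the Internet is the OpenVPN endpoint:
        # no port forwards and no exposed NAS admin UI
        iifname "$WAN_IF" udp dport $VPN_PORT accept
        iifname "$WAN_IF" drop
    }
}
EOF
}

# Number of rules that mention the NAS address: a quick sanity check that the
# NAS-specific accept rules and the final drop are all present before loading.
count_nas_rules() {
    render_egress_ruleset | grep -c "ip saddr $NAS_IP"
}

case "${1:-}" in
    --apply) render_egress_ruleset | nft -f - ;;   # needs root and nftables installed
    *)       render_egress_ruleset ;;              # dry run: print the ruleset
esac
```

Run without arguments to print the ruleset and review it; run with `--apply` as root to load it. The drop rule is logged with the `nas-egress-drop` prefix so that a NAS which suddenly starts trying to reach the Internet shows up in the router's kernel log, which is exactly the kind of signal the reinfection reports in this thread would have produced.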
Moogle Stiltzkin
Guru
Posts: 11445
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by Moogle Stiltzkin »

pilaQ wrote: Thu Mar 19, 2020 2:47 am While this may not help the infected, it may help them later to never again repeat the problem on any device.

Automatic and constant software updates are the worst security-related move you can make. I know most will keep doing it. They may patch one problem, but will introduce two new ones. That is guaranteed. I understand that most will see this as heresy.

I have 4 separate networks, 24/7 online, with several QNAPs, well over 60 computers - never had an infection in any device in decades. Networks are connected 24/7 to each other using OpenVPN. We are very heavy users; lives literally depend on us working. Never had any anti-virus or similar software installed anywhere.

Anyone can do it with some minimal learning.

1) Never update anything unless YOU have a problem and can find in the docs that the new fw/sw fixes that particular problem. If you can work around the problem, you may forgo the update. I use Word 2000 :) and am happy with it. And I write professionally. I could provide many more examples.

2) Every interactively used computer (in the hands of users) must have its own whitelist outgoing firewall! Meaning: only selected apps which are explicitly allowed to go out can go out. All remaining apps are barred from the Internet. Particularly on bad OSes like Android. No updates of anything unless absolutely needed, as rule 1) states.

3) Never allow any device to be connected to the Internet unless it really needs to be connected. It will still work perfectly within your LAN. Not a single QNAP on my networks can go to the Internet. Problem solved. Not one of my SmartHome computers can go to the Internet. And many more. They cannot be infected, and even if they could, they cannot do anything wrong (send any data anywhere). Use the router firewall. Make NTP servers available locally within your LAN and route all devices there. If not, allow devices to make only outgoing NTP connections if you must.

4) Never port forward anything or allow any external access. The only exception is an e-mail server. Use only an OpenVPN server, preferably on your router. Then you have access to all your computers from anywhere using an OpenVPN client. I repeat: all devices in any of my networks are perfectly accessible from any location in the world using OpenVPN and from any of my LANs.

5) In web browsers, always use JavaScript blocking.

And no worries for you are likely :) Ever.

This is not limiting users in any way. Just to be clear: I have several VPN servers; on my QNAPs there are several Virtual Machines running 24/7, including crucial business apps. They are all accessible 24/7 but only from the corresponding VPN. My business VPN is not allowed to access anything but its dedicated VM and apps, and apps from the QNAP print the data through the same VPN back to the office printer. But my QNAPs can never access the Internet.
I see that you do some things right.

While I do agree that updating on day zero may not necessarily be the best thing, I don't agree that going cold turkey is a good solution either. A lot of nasty things got found and patched eventually.

Just take WinXP for example. This is why updating is important:
https://www.wired.com/story/microsoft-w ... -bad-sign/

I take a middle approach, as in deferring updates to give sufficient time to know whether a QTS update is fine or not, usually a week or even a couple. Always check the forum for other users' comments in regards to the latest QTS builds.

In regards to reinfection, I'm not sure that most users get this. Okay, so if they do manage to remove the infection, were lessons learned to improve on their security practices so they don't get hit again? Or are they going to continue to live dangerously until their ISP notifies them that their IP got blocked due to botnet activity from their NAS device on their network? I hope they realize that a compromised NAS could mean hackers have access to their data and possibly their network, and could potentially do all sorts of nasty things :S

It's not a simple matter of an "oo my ISP is mad so I can't use my internet" kind of deal only (it's amazing how only the symptoms get some concern but not the whole house burning down, so to speak.....). No, it's a far more extensive issue than just that :roll:

Well, it's their data, but I hope they understand the stakes at play here.
Last edited by Moogle Stiltzkin on Thu Mar 19, 2020 7:55 am, edited 2 times in total.
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
P3R
Guru
Posts: 13192
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [SECURITY RISK] Your NAS could be infected. Please read.

Post by P3R »

pilaQ wrote: Thu Mar 19, 2020 2:47 am While this may not help infected, may help them later to never again repeat the problem on any device.
In these malware threads probably 90-95% are relatively inexperienced home users that are unable/unwilling to follow your advice 2-5, and without that, not keeping firmware updated and not using antivirus will only worsen their situation.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on separate media protects your data far better than any RAID volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data; spend the storage budget wisely or pay with your data!