Anything is possible at this point.
I was exposed to the internet and had a few services running:
Admin Login
QFILE
Photo Station
Music Station
Surveillance Station
Download Station
MyQNAPCloud
L2TP / IPSEC VPN
So I am assuming the attack vector is one of these services and therefore have blocked everything at this point in the "hopes" that QNAP will disclose the attack vector. It would be GREAT if you could specify the port EACH service could operate on (MusicStation:8091, PhotoStation:9645, etc.) this would make it easier to hide the Admin Login page but just forwarding the EXACT services I wanted. I suppose with a Enterprise class FW I could based on destination URL but this is just my house....
It COULD be something in the qpkg as after I was hit and cleaned and then updated all apps MR hit again on the Media Streaming Add-on App. Thing is, before this I had not updated an App in sometime so the initial infection had to come in thru one of the services listed. Also, my crontab was a mess and I had not cleaned it up prior to these logs so I heavily suspect that whatever was running as part of the Malware just infected the Media Streaming Add-on app on net new installation.
Anyway, See here: