Miner DOVECAT

onehans
Know my way around
Posts: 180
Joined: Sun Nov 23, 2014 7:51 am

Miner DOVECAT

Post by onehans »

Hi, I just noticed that I've got DOVECAT running off the /tmp folder. After deleting it, it comes back.
Is there anything suspicious in here? (Where else can I look for traces?)
Thanks

Code:

[~] # crontab -l
10 15 * * * /usr/bin/power_clean -c 2>/dev/null
0-59/20 3 * * * /sbin/adjust_time
0 1 * * * /etc/init.d/flush_memory.sh >/dev/null 2>&1
0 3 * * * /sbin/clean_reset_pwd
0-59/15 * * * * /etc/init.d/nss2_dusg.sh
30 7 * * * /sbin/clean_upload_file
0 2 * * * /sbin/qfstrim
0-59/10 * * * * /etc/init.d/storage_usage.sh
30 3 * * * /sbin/notice_log_tool -v -R
*/10 * * * * /sbin/config_cache_util 0
0 3 * * * /bin/rm -rf /mnt/HDA_ROOT/twonkymedia/twonkymedia.db/cache/*
34 9,21 * * * /sbin/notify_update --nc 1>/dev/null 2>&1
00 03 * * * sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh scan;#_QSC_:MalwareRemover:malware_remover_schedule:None:d::
0 4,16 * * * /sbin/hwclock -s
0 3 * * 0 /sbin/hal_event --pd_self_test dev_id=0x00000002,action=2
12 2 * * * /sbin/hal_event --pd_self_test dev_id=0x00000002,action=1
49 4 * * * /share/CACHEDEV1_DATA/.qpkg/HybridBackup/rr2/scripts/insight/insight.sh -runall >/dev/null 2>&1
00 02 * * * sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/Upgrade.sh;#_QSC_:MalwareRemover:malware_remover_upgrade:None:d::
0 0 * * * /share/CACHEDEV1_DATA/.qpkg/Qcenter/qnap-cms/bin/log_retention.sh > /dev/null
0 0 * * * /share/CACHEDEV1_DATA/.qpkg/Qcenter/qnap-cms/bin/nasconfig_retention.sh > /dev/null
* * * * * /var/cache/netmgr/lock_timer.sh
50 7 * * * /sbin/qpkg_cli --check_license 0 > /dev/null 2>/dev/null
0 4 * * * /etc/init.d/wsd.sh restart
0 3 * * * /sbin/vs_refresh
4 3 * * 3 /etc/init.d/backup_conf.sh
0 2 * * 0 /usr/local/medialibrary/bin/mymediadbcmd checkRepairDB  >/dev/null 2>&1
0 12 * * * /mnt/ext/opt/LicenseCenter/bin/qlicense_tool local_check
0 0 * * * /usr/local/sbin/qsh nc.archive >/dev/null 2>&1
40 10 * * * /mnt/ext/opt/QcloudSSLCertificate/bin/ssl_agent_cli
35 7 * * * /sbin/qsyncsrv_util -c  > /dev/null 2>/dev/null
0 0 * * * /sbin/qsyncsrv_tool --fix  > /dev/null 2>/dev/null
* 4 * * * /usr/sbin/logrotate /etc/config/mc_logr.conf
jaysona
Been there, done that
Posts: 866
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Miner DOVECAT

Post by jaysona »

RAID is not a Back-up!

H/W: QNAP TVS-872x (i7-8700. 64GB) (Plex server & encoding host) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6706T (32GB) / Asustor AS7010T x2 (16GB) (media storage)
H/W: TS-219 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AX86U - Asuswrt-Merlin - 3004.388.6_2
Router2: Asus RT-AC66U - Asuswrt-Merlin - 386.12_6
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB) / TS-509 Pro (died due to old age)
pgh1949
Starting out
Posts: 12
Joined: Thu Feb 04, 2016 5:00 pm

Re: Miner DOVECAT

Post by pgh1949 »

I've had the same problem and reported it to QNAP using the link on the page referred to in the previous post. The reply was basically: turn everything unnecessary off, change passwords and keep firmware up to date. With all due respect, this is very generic advice which I follow anyway.

After further research it seems this is a Bitcoin miner malware. As well as running the CPU at almost maximum there was a constant upload of approx 3 MB/s. Using SSH I found a dovecat folder and dovecat.b64 in the /tmp folder and deleted them both. I then rebooted the NAS and it seemed to be running normally. However it would be good to have some sort of official response that others could refer to.

After a couple of weeks I just discovered dovecat was installed and running again. It's not been picked up by QNAP Malware Remover, Antivirus, nor McAfee Antivirus which I bought. So I'm at a loss as to what more I can do to stop it.
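A small triage script, added here as an example and not something anyone posted in the thread, that answers onehans' question about where else to look and uses the indicators pgh1949 reported: a `dovecat` directory and a `dovecat.b64` file in /tmp, and a crontab entry that launches something from a writable scratch location. The `/dev/shm` and `/var/tmp` patterns, the `triage` helper and the sample tree it builds are my own assumptions; the planted cron line is constructed for the demonstration, while the two stock lines are copied from onehans' listing above.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. It checks the two places the
# posts point at: a tmp directory for the "dovecat" directory and "dovecat.b64"
# file that pgh1949 found, and a crontab for entries that run something out of
# a writable scratch location. /dev/shm and /var/tmp are the author's own
# additions; the sample data built by make_sample is constructed.

# Print entries directly under $1 whose name matches the artefacts named in the thread.
find_dovecat_artifacts() {
    dir="$1"
    find "$dir" -maxdepth 1 \( -name 'dovecat' -o -name 'dovecat.b64' \) 2>/dev/null
}

# Print crontab lines (file $1, or stdin when $1 is "-" or omitted) that launch
# something from /tmp, /dev/shm or /var/tmp, or mention dovecat at all.
# Comment and blank lines are skipped so an annotation does not trigger a hit.
flag_cron_lines() {
    src="${1:--}"
    grep -v '^[[:space:]]*#' "$src" | grep -v '^[[:space:]]*$' \
        | grep -E -i '(/tmp/|/dev/shm/|/var/tmp/|dovecat)' || true
}

# Run both checks; return 1 when anything was flagged so the call can drive a
# monitoring job, 0 when nothing matched (which is not proof the box is clean).
triage() {
    hits=$( { find_dovecat_artifacts "$1"; flag_cron_lines "$2"; } )
    if [ -n "$hits" ]; then
        printf 'needs attention:\n%s\n' "$hits"
        return 1
    fi
    echo "nothing matched"
    return 0
}

# Build a constructed sample tree: a fake tmp holding the reported artefacts plus
# a harmless file, an empty "clean" directory, and a crontab copy with two stock
# QNAP lines from onehans' listing and one planted line (constructed, not observed).
make_sample() {
    sample=$(mktemp -d)
    mkdir -p "$sample/tmp/dovecat" "$sample/clean"
    : > "$sample/tmp/dovecat.b64"
    : > "$sample/tmp/innocent.log"
    cat > "$sample/crontab.txt" <<'EOF'
10 15 * * * /usr/bin/power_clean -c 2>/dev/null
0 3 * * * /sbin/clean_reset_pwd
# constructed for the example: a comment mentioning dovecat must not be flagged
*/5 * * * * /tmp/dovecat/run.sh >/dev/null 2>&1
EOF
    printf '%s\n' "$sample"
}

# Stand-alone run against the constructed sample (exits 1 because of the planted line).
sample_dir=$(make_sample)
triage "$sample_dir/tmp" "$sample_dir/crontab.txt" || true
rm -rf "$sample_dir"
```

On the NAS itself, over SSH as admin, the same two checks run as `crontab -l | triage /tmp -`. A clean result only means these particular indicators were absent: the thread shows the miner returning after /tmp was cleaned, which is why the rebuild that jaysona and dolbyman describe is the reliable fix, and this script is only useful for confirming the infection and for watching whether it comes back.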
dolbyman
Guru
Posts: 37324
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Miner DOVECAT

Post by dolbyman »

Kill your NAS and start from scratch. After that, do not expose your NAS to the WAN (no UPnP or manual port forwards) to avoid getting hacked again.

QNAP does not come here, so no official statement will arise from your post.
jaysona
Been there, done that
Posts: 866
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Miner DOVECAT

Post by jaysona »

pgh1949 wrote: Thu Jan 14, 2021 7:54 pm I've had the same problem and reported it to QNAP using the link on the page referred to in the previous post. The reply was basically: turn everything unnecessary off, change passwords and keep firmware up to date. With all due respect, this is very generic advice which I follow anyway.

After further research it seems this is a Bitcoin miner malware. As well as running the CPU at almost maximum there was a constant upload of approx 3 MB/s. Using SSH I found a dovecat folder and dovecat.b64 in the /tmp folder and deleted them both. I then rebooted the NAS and it seemed to be running normally. However it would be good to have some sort of official response that others could refer to.

After a couple of weeks I just discovered dovecat was installed and running again. It's not been picked up by QNAP Malware Remover, Antivirus, nor McAfee Antivirus which I bought. So I'm at a loss as to what more I can do to stop it.
The only sure way to get rid of QNAP malware is to back up the data, destroy the NAS volume(s), perform a firmware recovery of the DOM and then re-initialise the NAS.