Miner DOVECAT

onehans
Know my way around
Posts: 177
Joined: Sun Nov 23, 2014 7:51 am

Miner DOVECAT

Post by onehans » Fri Dec 04, 2020 6:08 am

Hi, I just noticed that I got DOVECAT running out of the tmp folder. After deleting it, it comes back.
Is there anything suspicious in here? (Where else can I look for traces?)
Thanks

Code:

[~] # crontab -l
10 15 * * * /usr/bin/power_clean -c 2>/dev/null
0-59/20 3 * * * /sbin/adjust_time
0 1 * * * /etc/init.d/flush_memory.sh >/dev/null 2>&1
0 3 * * * /sbin/clean_reset_pwd
0-59/15 * * * * /etc/init.d/nss2_dusg.sh
30 7 * * * /sbin/clean_upload_file
0 2 * * * /sbin/qfstrim
0-59/10 * * * * /etc/init.d/storage_usage.sh
30 3 * * * /sbin/notice_log_tool -v -R
*/10 * * * * /sbin/config_cache_util 0
0 3 * * * /bin/rm -rf /mnt/HDA_ROOT/twonkymedia/twonkymedia.db/cache/*
34 9,21 * * * /sbin/notify_update --nc 1>/dev/null 2>&1
00 03 * * * sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh scan;#_QSC_:MalwareRemover:malware_remover_schedule:None:d::
0 4,16 * * * /sbin/hwclock -s
0 3 * * 0 /sbin/hal_event --pd_self_test dev_id=0x00000002,action=2
12 2 * * * /sbin/hal_event --pd_self_test dev_id=0x00000002,action=1
49 4 * * * /share/CACHEDEV1_DATA/.qpkg/HybridBackup/rr2/scripts/insight/insight.sh -runall >/dev/null 2>&1
00 02 * * * sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/Upgrade.sh;#_QSC_:MalwareRemover:malware_remover_upgrade:None:d::
0 0 * * * /share/CACHEDEV1_DATA/.qpkg/Qcenter/qnap-cms/bin/log_retention.sh > /dev/null
0 0 * * * /share/CACHEDEV1_DATA/.qpkg/Qcenter/qnap-cms/bin/nasconfig_retention.sh > /dev/null
* * * * * /var/cache/netmgr/lock_timer.sh
50 7 * * * /sbin/qpkg_cli --check_license 0 > /dev/null 2>/dev/null
0 4 * * * /etc/init.d/wsd.sh restart
0 3 * * * /sbin/vs_refresh
4 3 * * 3 /etc/init.d/backup_conf.sh
0 2 * * 0 /usr/local/medialibrary/bin/mymediadbcmd checkRepairDB  >/dev/null 2>&1
0 12 * * * /mnt/ext/opt/LicenseCenter/bin/qlicense_tool local_check
0 0 * * * /usr/local/sbin/qsh nc.archive >/dev/null 2>&1
40 10 * * * /mnt/ext/opt/QcloudSSLCertificate/bin/ssl_agent_cli
35 7 * * * /sbin/qsyncsrv_util -c  > /dev/null 2>/dev/null
0 0 * * * /sbin/qsyncsrv_tool --fix  > /dev/null 2>/dev/null
* 4 * * * /usr/sbin/logrotate /etc/config/mc_logr.conf

jaysona
Been there, done that
Posts: 508
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Miner DOVECAT

Post by jaysona » Fri Dec 04, 2020 7:18 am

H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

pgh1949
Starting out
Posts: 12
Joined: Thu Feb 04, 2016 5:00 pm

Re: Miner DOVECAT

Post by pgh1949 » Thu Jan 14, 2021 7:54 pm

I've had the same problem and reported it to QNAP using the link on the page referred to in the previous post. The reply was basically: turn everything unnecessary off, change passwords and keep firmware up to date. With all due respect, this is very generic advice which I follow anyway.

After further research it seems this is a Bitcoin miner malware. As well as running the CPU at almost maximum, there was a constant upload of approx. 3 MB/s. Using SSH I found a dovecat folder and dovecat.b64 in the /tmp folder and deleted them both. I then rebooted the NAS and it seemed to be running normally. However, it would be good to have some sort of official response that others could refer to.

After a couple of weeks I just discovered dovecat was installed and running again. It's not been picked up by QNAP Malware Remover, Antivirus nor McAfee Antivirus, which I bought. So I'm at a loss as to what more I can do to stop it.
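Two triage helpers for the question of where else to look, written as an added example (not from any poster and not a QNAP tool). Assumes a POSIX sh with awk and grep (busybox is enough); the crontab format and the /tmp indicator names (dovecat, dovecat.b64) are taken from this thread, and the suspect cron entry in the sample is constructed with a hypothetical path.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a QNAP-style NAS.
# Assumes POSIX sh with awk/grep (busybox is enough); the crontab format and
# the /tmp indicator names (dovecat, dovecat.b64) come from the thread.

# Directories no shipped QTS cron job should execute from.
SUSPECT_PATHS='^(/tmp|/var/tmp|/dev/shm)'

# flag_crontab: read a `crontab -l` listing on stdin and print every entry
# whose command runs from a suspect directory, decodes base64, or names dovecat.
flag_crontab() {
    awk -v re="$SUSPECT_PATHS" '
        /^[[:space:]]*(#|$)/ { next }            # skip comments and blank lines
        {
            cmd = ""                              # fields 6.. are the command
            for (i = 6; i <= NF; i++) cmd = cmd (i > 6 ? " " : "") $i
            sub(/^(sh|bash|\/bin\/sh)[[:space:]]+/, "", cmd)   # look past a shell wrapper
            if (cmd ~ re || cmd ~ /base64[[:space:]]+(-d|--decode)/ || cmd ~ /dovecat/)
                print $0
        }'
}

# check_tmp_indicators DIR: list the known artefacts present in DIR (default
# /tmp); return 1 if any were found, 0 if the directory is clean.
check_tmp_indicators() {
    dir=${1:-/tmp}
    found=0
    for name in dovecat dovecat.b64; do
        if [ -e "$dir/$name" ]; then
            echo "indicator present: $dir/$name"
            found=1
        fi
    done
    return $found
}

# Constructed sample: two lines copied from the listing in the first post plus
# one made-up suspect entry (hypothetical path), so the check runs offline.
SAMPLE_CRONTAB='10 15 * * * /usr/bin/power_clean -c 2>/dev/null
00 03 * * * sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh scan;#_QSC_:MalwareRemover:malware_remover_schedule:None:d::
*/5 * * * * sh /tmp/example_suspect/run.sh >/dev/null 2>&1'

# count_flagged: number of sample entries flag_crontab reports (expected: 1).
count_flagged() {
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_crontab | grep -c .
}

# On the NAS itself: crontab -l | flag_crontab; check_tmp_indicators /tmp
```

A clean crontab and an empty /tmp do not prove the box is clean, which is why the later replies recommend a full rebuild rather than cleanup.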

dolbyman
Guru
Posts: 21780
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: Miner DOVECAT

Post by dolbyman » Thu Jan 14, 2021 10:36 pm

Kill your NAS and start from scratch. After that, do not expose your NAS to the WAN (no UPnP or manual port forwards) to avoid getting hacked again.

QNAP does not come here, so no official statement will arise from your post.

jaysona
Been there, done that
Posts: 508
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: Miner DOVECAT

Post by jaysona » Fri Jan 22, 2021 8:32 pm

pgh1949 wrote:
Thu Jan 14, 2021 7:54 pm
I've had the same problem and reported it to QNAP using the link on the page referred to in the previous post. The reply was basically: turn everything unnecessary off, change passwords and keep firmware up to date. With all due respect, this is very generic advice which I follow anyway.

After further research it seems this is a Bitcoin miner malware. As well as running the CPU at almost maximum, there was a constant upload of approx. 3 MB/s. Using SSH I found a dovecat folder and dovecat.b64 in the /tmp folder and deleted them both. I then rebooted the NAS and it seemed to be running normally. However, it would be good to have some sort of official response that others could refer to.

After a couple of weeks I just discovered dovecat was installed and running again. It's not been picked up by QNAP Malware Remover, Antivirus nor McAfee Antivirus, which I bought. So I'm at a loss as to what more I can do to stop it.

The only sure way to get rid of QNAP malware is to back up the data, destroy the NAS volume(s), perform a firmware recovery of the DOM and then re-initialise the NAS.
