QSnatch Malware - What to do?

peelos
Been there, done that
Posts: 504
Joined: Sun Jun 26, 2016 9:28 pm

Re: QSnatch Malware - What to do?

Post by peelos » Thu Mar 19, 2020 2:13 pm

Fortunately the community here is strong and quite possibly the largest asset for Qnap. They should really learn to engage.


NAS: TVS-1282-i7K-40G / 4 x 500GB SSD 2.5" / 2 x 500GB M.2 SSD / 8 x 4TB WD Red 3.5" / Corsair H5-SF Watercooling / 3 x 80mm PWM Noctua fans / Corsair 600W PSU / Asus Turbo GTX 1060 6GB GPU
Software: Plex Media Server / QTransmission / Sonarr / Radarr / Jackett / QMono / Tautulli / OpenHAB / Resilio Sync / QPython / QJDK 8 / NetData / Qapache / SortMyQPKGs
pfSense Firewall / OpenVPN Server: QOTOM Fanless Mini PC / Core i5 / 8GB RAM / 128GB SSD / 4 Gigabit NICs / AES-NI
Wireless Routers: 2 x Netgear AC1900 R7000 Nighthawk / Advanced Tomato Firmware

Moogle Stiltzkin
Ask me anything
Posts: 9217
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: QSnatch Malware - What to do?

Post by Moogle Stiltzkin » Thu Mar 19, 2020 2:37 pm

P3R wrote:
Thu Mar 19, 2020 6:59 am
peelos wrote:
Thu Mar 19, 2020 5:45 am
Thanks for sharing
It was Moogle that brought it to this forum so he really deserves that credit more than me. I just added it to some of the Qsnatch-threads.

That Qnap choose another channel for their first response on the subject is in my opinion a both surprising and disappointing decision.
Actually, I'd rather forward that honor to vortax, because he actually had a personal meeting with Qnap to Q&A about the QSnatch problem.

https://www.reddit.com/r/qnap/comments/ ... 020_march/


I just merely link his efforts :D I'm more of a sidekick Robin to his Batman 8)
peelos wrote:
Thu Mar 19, 2020 2:13 pm
Fortunately the community here is strong and quite possibly the largest asset for Qnap.. They should really learn to engage.
Yeah, I think so too :D
NAS
[Main Server] QNAP TS-877 w. 4tb [ 3x HGST Deskstar NAS (HDN724040ALE640) & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A w. 5x 2TB Samsung F3 (HD203WI) EXT4 Raid5
[Backup] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) single disks.
[^] QNAP TS-659 Pro II
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-228
[^] QNAP TS-128
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Asus AC68U Router|100dl/50ul MBPS FTTH Internet | Win10, WC PC-Intel i7 920 Ivy bridge desktop (1x 512gb Samsung 850 Pro SSD + 1x 4tb HGST Ultrastar 7K4000)


Guides & articles
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin

patzng
Starting out
Posts: 13
Joined: Tue Apr 07, 2020 5:01 pm

Re: QSnatch Malware - What to do?

Post by patzng » Tue Apr 07, 2020 5:12 pm

I received my brand new TS-251D 2GB on the first day and, after installing the firmware, configuring it, etc., the newly installed Malware Remover told me QSnatch was detected! If, according to QNAP's official announcement, the latest firmware and QTS solve this issue, how could my brand new, latest 2-bay model with the latest system and software get infected on the first day???

--------------------Malware Remover Log-----------------------

2020/04/03 22:24:28 System 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed the detected malware: MR1905 (QSnatch malware).

2020/04/03 22:24:28 System 127.0.0.1 Malware Remover General [Malware Remover] Removed malware. You must restart the NAS.

2020/04/03 22:24:28 System 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed high-risk malware. Immediately update QTS and all applications to their latest versions and use stronger account passwords. Weak passwords make the system vulnerable to exploits and malware.

2020/04/03 22:23:36 System 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed high-risk malware. Restart NAS and update all apps in "App Center" > "My Apps" > "Install Updates".

2020/04/03 22:23:36 System 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed high-risk malware. Update passwords for email account and QNAP ID.
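As an added example, not from the thread or from QNAP, the POSIX shell functions below triage a pasted Malware Remover event log like the one above: they pull out the signature ID and name, the time window of the removal run, and the follow-up actions the remover asked for (restart, update, password changes). The sample log is constructed from the five lines in the post; the function names and the keywords used to recognise each action are my own assumptions about the message wording, not a QNAP interface.

```shell
#!/bin/sh
# Added example (not from the thread or QNAP): triage a Malware Remover event log.
# Expected line format, as pasted in the post:
#   YYYY/MM/DD HH:MM:SS System <ip> Malware Remover <Category> [Malware Remover] <message>
# Sample constructed from the five log lines in the post above.
MR_LOG_SAMPLE='2020/04/03 22:24:28 System 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed the detected malware: MR1905 (QSnatch malware).
2020/04/03 22:24:28 System 127.0.0.1 Malware Remover General [Malware Remover] Removed malware. You must restart the NAS.
2020/04/03 22:24:28 System 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed high-risk malware. Immediately update QTS and all applications to their latest versions and use stronger account passwords. Weak passwords make the system vulnerable to exploits and malware.
2020/04/03 22:23:36 System 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed high-risk malware. Restart NAS and update all apps in "App Center" > "My Apps" > "Install Updates".
2020/04/03 22:23:36 System 127.0.0.1 Malware Remover Malware Removal [Malware Remover] Removed high-risk malware. Update passwords for email account and QNAP ID.'

# mr_message LINE -> the free text after the "[Malware Remover] " tag
mr_message() {
    printf '%s\n' "$1" | sed 's/^.*\[Malware Remover\] //'
}

# mr_signatures LOG -> "MRnnnn <name>" for every "Removed the detected malware" line
mr_signatures() {
    printf '%s\n' "$1" | grep 'Removed the detected malware:' \
        | sed -n 's/.*malware: \(MR[0-9]*\) (\(.*\))\./\1 \2/p'
}

# mr_window LOG -> "<earliest> .. <latest>" timestamp of the run (the log is newest-first)
mr_window() {
    first=$(printf '%s\n' "$1" | awk '{print $1" "$2}' | sort | head -n 1)
    last=$(printf '%s\n' "$1" | awk '{print $1" "$2}' | sort | tail -n 1)
    echo "$first .. $last"
}

# mr_actions LOG -> sorted, deduplicated follow-up actions requested in the messages.
# The keyword matches are an assumption about how the remover words its advice.
mr_actions() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        msg=$(mr_message "$line")
        case "$msg" in *"restart the NAS"*|*"Restart NAS"*) echo restart ;; esac
        case "$msg" in *"update QTS"*|*"update all apps"*) echo update ;; esac
        case "$msg" in *password*) echo passwords ;; esac
    done | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# mr_triage LOG -> a three-line summary for a ticket or incident note
mr_triage() {
    echo "window:     $(mr_window "$1")"
    echo "signatures: $(mr_signatures "$1" | tr '\n' ';')"
    echo "actions:    $(mr_actions "$1")"
}

mr_triage "$MR_LOG_SAMPLE"
```

Run it on an exported event log instead of the sample by passing the file contents, e.g. `mr_triage "$(cat events.txt)"`; the action list tells you which of the remover's requests (restart, update, password change) are still outstanding, which is the part of the log most worth acting on.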

P3R
Guru
Posts: 12338
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: QSnatch Malware - What to do?

Post by P3R » Tue Apr 07, 2020 5:19 pm

patzng wrote:
Tue Apr 07, 2020 5:12 pm
If, according to QNAP's official announcement, the latest firmware and QTS solves this issue, how could my brand new, latest 2-bay model with latest system and software get infected on the first day???
That's an excellent question...to ask Qnap. Please tell us their answer here.

Did you by any chance enable myQNAPcloud when you installed your NAS and have you changed the default admin password?
RAID have never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

patzng
Starting out
Posts: 13
Joined: Tue Apr 07, 2020 5:01 pm

Re: QSnatch Malware - What to do?

Post by patzng » Tue Apr 07, 2020 8:10 pm

P3R wrote:
Tue Apr 07, 2020 5:19 pm
patzng wrote:
Tue Apr 07, 2020 5:12 pm
If, according to QNAP's official announcement, the latest firmware and QTS solves this issue, how could my brand new, latest 2-bay model with latest system and software get infected on the first day???
That's an excellent question...to ask Qnap. Please tell us their answer here.

Did you by any chance enable myQNAPcloud when you installed your NAS and have you changed the default admin password?
When I first got it, I didn't know there was a QSnatch issue. So I configured myQNAPcloud (disabling all public services, setting it as private, just wanting its DDNS), enabled ports only for http/https remote login (and I changed the default port number as well). After setting everything up, I started installing apps, including Malware Remover, and did a scan. Then I was so shocked to see it was infected with malware without having put anything into it. Then I got to know there "was" a QSnatch outbreak....

I already raised a ticket to the QNAP support and will update how they respond.

P3R
Guru
Posts: 12338
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: QSnatch Malware - What to do?

Post by P3R » Tue Apr 07, 2020 11:00 pm

patzng wrote:
Tue Apr 07, 2020 8:10 pm
When I first got it, I didn't know there is QSnatch issue.
Qsnatch is just the latest in a long line of malware campaigns against internet exposed Qnaps and it won't be the last.
...enable ports only for http/https remote login (and I changed the default port number as well).
So you have it exposed. Then be prepared for more infections...

patzng
Starting out
Posts: 13
Joined: Tue Apr 07, 2020 5:01 pm

Re: QSnatch Malware - What to do?

Post by patzng » Wed Apr 08, 2020 10:04 pm

Technical support requires the system log for further information. However, I consider the system information personal, and I reinitialized my NAS after the infection, so I can't expect too much from them....

fluschino
New here
Posts: 2
Joined: Wed Apr 22, 2020 7:47 pm

Re: QSnatch Malware - What to do?

Post by fluschino » Wed Apr 22, 2020 7:50 pm

IT WORKED FOR ME TOO
convergent wrote:
Sun Oct 27, 2019 11:46 pm

Schlabschi wrote:
Sat Nov 02, 2019 12:27 am
I spent the whole day today to get rid of the malware and this is what finally helped:
  1. Navigate to "Control Panel -> Hardware" and uncheck the checkbox at "run user defined processes during startup"
  2. Connect to your QNAP via ssh: https://www.qnap.com/en-uk/how-to/knowl ... nas-by-ssh
  3. Execute the following command at the command line:

    curl https://download.qnap.com/Storage/tsd/utility/cleanme.sh | sh
    This downloads and executes a removal script from QNAP support that can be used for various infections. It successfully cleaned my infection. It especially helped to get rid of the corrupted autorun.sh file that kept the malware coming back after reboots.
  4. Reboot your QNAP and (re-)install the latest firmware: qnap.com/en/how-to/tutorial/article/how ... s-firmware
  5. Navigate to the App Center and make sure you update everything to the newest version (remove all apps that you didn't install and that seem suspicious)
  6. Reboot again and run the latest version of the app "Malware Remover"
  7. If it didn't find anything, go ahead and change all passwords of your local users (the malware is sending user names and passwords to a remote server)
Hope this helps.

sunnygilluk
New here
Posts: 2
Joined: Tue Jun 09, 2020 8:40 pm

Re: QSnatch Malware - What to do?

Post by sunnygilluk » Tue Jun 09, 2020 8:44 pm

Hi all, the cleanme.sh script appears to have disappeared? Has it been replaced by something else? I managed to find the code for it, but the link within the script is failing too.

dolbyman
Guru
Posts: 20010
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Tue Jun 09, 2020 9:17 pm

Has been removed by Qnap for unknown reasons.

sunnygilluk
New here
Posts: 2
Joined: Tue Jun 09, 2020 8:40 pm

Re: QSnatch Malware - What to do?

Post by sunnygilluk » Tue Jun 09, 2020 9:44 pm

dolbyman wrote:
Tue Jun 09, 2020 9:17 pm
has been removed by qnap for unknown reasons
What do we do in the meantime to deal with an infection and re-enable the ability to install anti-malware?

dolbyman
Guru
Posts: 20010
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Tue Jun 09, 2020 9:46 pm

Open a ticket with Qnap... maybe they have integrated the code in Malware Remover.

crypticc
Starting out
Posts: 20
Joined: Sat May 20, 2017 7:31 am

Re: QSnatch Malware - What to do?

Post by crypticc » Sun Jul 19, 2020 7:08 pm

Hi

I upgraded my FW on my TS-453B and suddenly Malware Remover reported the message, which I now understand is usual on this thread, about removing high-risk applications, and something in the Malware/log about QSnatch.
However, here's where it then looks different from other people's issues on this thread...
1) I've never had issues running Malware remover.
2) I was able to remove and reinstall Malware remover without issue.
3) I've not noticed my NAS pummelling the internet.

Could this have been a false-positive?

Here's a copy of my crontab -l at the moment (since the update and Malware Remover doing whatever it did):

[~] # crontab -l
# m h dom m dow cmd
0 2 * * * /sbin/qfstrim
10 15 * * * /usr/bin/power_clean -c 2>/dev/null
0 4 * * * /sbin/hwclock -s
0 3 * * * /sbin/vs_refresh
0 3 * * * /sbin/clean_reset_pwd
0-59/15 * * * * /etc/init.d/nss2_dusg.sh
30 7 * * * /sbin/clean_upload_file
0-59/10 * * * * /etc/init.d/storage_usage.sh
30 3 * * * /sbin/notice_log_tool -v -R
*/10 * * * * /sbin/config_cache_util 0
0 0 * * 0 /sbin/storage_util --data_scrubbing raid_id=-1 >/dev/null 2>&1
0 3 * * 0 /etc/init.d/idmap.sh dump
0-59/20 3 * * * /sbin/adjust_time
58 9,21 * * * /sbin/notify_update --nc 1>/dev/null 2>&1
0 1 * * * /etc/init.d/flush_memory.sh >/dev/null 2>&1
0 23 */1 * * /sbin/qpkg_cli -U 1>/dev/null 2>/dev/null
*/10 * * * * bash /usr/local/sbin/sa_notice_checker.sh;#_SA_SecurityCounselor_SA_cloud_schedule_task_SA_
25 3 * * * /bin/sh /etc/init.d/disk_data_collection.sh
10 00 * * 1 sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh scan;#_QSC_:MalwareRemover:malware_remover_schedule:None:w::
00 02 * * * sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/Upgrade.sh;#_QSC_:MalwareRemover:malware_remover_upgrade:None:d::
2 1 * * * /share/CACHEDEV1_DATA/.qpkg/HybridBackup/rr2/scripts/insight/insight.sh -runall >/dev/null 2>&1
0 3 * * 6 /etc/init.d/poweroff
30 7 * * 6 /etc/init.d/startup
* * * * * /var/cache/netmgr/lock_timer.sh
0 2 * * 0 /usr/local/medialibrary/bin/mymediadbcmd checkRepairDB  >/dev/null 2>&1
30 7 * * 6 /usr/local/bin/python /share/CACHEDEV1_DATA/.qpkg/SecurityCounselor/bin/security_advisor --check_all;#_SA_SecurityCounselor_SA_security_counselor_schedule_task_SA_
0 8 * * 1,0,3,2,5,4,6 bash /usr/local/sbin/sc_scan_interval_checker.sh;#_SA_SecurityCounselor_SA_scan_interval_checking_schedule_task_SA_
3 * * * * /sbin/qddns_check 2>/dev/null
0 4 * * * /etc/init.d/wsd.sh restart
* 4 * * * /usr/sbin/logrotate /etc/config/mariadb_mc.logr
4 3 * * 3 /etc/init.d/backup_conf.sh
0 0 * * * /usr/local/sbin/qsh nc.archive >/dev/null 2>&1
0 12 * * * /mnt/ext/opt/LicenseCenter/bin/qlicense_tool local_check
17 11 * * * /mnt/ext/opt/QcloudSSLCertificate/bin/ssl_agent_cli
17 0 * * * /share/CACHEDEV1_DATA/.qpkg/HappyGet2/HappyGet2.sh update_youtube_dl

Only disk_data_collection.sh seems odd, as within that .sh there's a command which calls a Python script which is unreadable.
I attach both here
Download.7z

But any ideas what "wsd.sh", "qsh" and "qpkg_cli" are all about? I can see they're in other crontabs posted, so I am assuming they aren't an issue.


I've changed all my passwords by the way, and aside from pulling these files I don't have SSH open or published. I've also since changed my ports, which is annoying because it means HappyGet doesn't work anymore (even if I manually type in the new ports), so I've had to uninstall that.

My myQNAPcloud was also already private.

Thanks for any help or tips you can give.

Chris

crypticc
Starting out
Posts: 20
Joined: Sat May 20, 2017 7:31 am

Re: QSnatch Malware - What to do?

Post by crypticc » Sun Jul 19, 2020 9:01 pm

p.s.

Security Counselor warned of some non-QNAP apps installed without a valid digital signature. Most I recognise as having installed, but I've now deleted them:
NZBGet, Entware, and Kodi Leia. However, one I didn't recognise: "Photo Station Extension".

I found the app in the "MultiMedia Add-ons" page of the app store.
A quick Google suggests this is a QNAP app. Why is QNAP's own software not recognised?

https://appcenter.qnap.com/eng/qpkg/overview/PhotoExt

I've now deleted it but TBH I don't remember installing Facial recognition though I do remember it being announced so it's possible. Anyhow. Deleted now.

OneCD
Ask me anything
Posts: 7946
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: QSnatch Malware - What to do?

Post by OneCD » Mon Jul 20, 2020 3:37 am

crypticc wrote:
Sun Jul 19, 2020 7:08 pm
Here's copy of my crontab -l at the moment (since the update and Malware remover doing whatever it did)
Looks fine. :geek:
crypticc wrote:
Sun Jul 19, 2020 7:08 pm
Only disk_data_collection.sh seems odd as within that .sh there's a command which call a python script which is unreadable.
QNAP decided a while back to ship their Python code in compiled format. A rather lame attempt to prevent users snooping.

Here's the decompiled .pyc file:
da_util_decompiled.7z
It appears legit and seems to be part of QNAP's disk analyser. There are a few calls to 'notify', which you're unlikely to see in malware.
crypticc wrote:
Sun Jul 19, 2020 7:08 pm
But any ideas what "wsd.sh" "qsh" and "qpkg_cli" is all about? I can see they're in other crontab's posted and so I am assuming isn't an issue.
Don't recall off the top of my head. But I've seen them many times before - they're also legit entries.

From what I can see, your system looks OK. :D
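As an added example, not from the thread or from QNAP, the script below does by rule what OneCD did by eye with crypticc's listing: every crontab entry's target path is compared against an allowlist of the directory prefixes that the posted (legitimate) crontab uses, and anything scheduled from elsewhere is flagged for a closer look. It also serves as a recurring check after the cleanup steps Schlabschi listed earlier in the thread, since a persistence entry that survives a cleanup is exactly what such a listing would show. The sample crontab reuses a few lines from crypticc's post plus two constructed entries under /tmp and a hidden .system directory to show what a flagged line looks like; those two paths are made up for the demonstration and are not QSnatch indicators. The allowlist, the interpreter-skipping rule and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or QNAP): audit a QTS crontab listing.
# Entries whose target path lies outside the firmware's usual script locations
# are flagged. Assumes single-space-separated schedule fields, as in `crontab -l`
# output on the NAS.

# Directory prefixes taken from the legitimate crontab posted in the thread (assumed allowlist).
CRON_ALLOW_PREFIXES='/sbin/ /usr/bin/ /usr/sbin/ /usr/local/ /etc/init.d/ /mnt/ext/opt/ /var/cache/netmgr/ /share/CACHEDEV1_DATA/.qpkg/'

# Constructed sample: real lines from the post, then two made-up entries that should be flagged.
CRON_SAMPLE='# m h dom m dow cmd
0 2 * * * /sbin/qfstrim
0-59/15 * * * * /etc/init.d/nss2_dusg.sh
*/10 * * * * bash /usr/local/sbin/sa_notice_checker.sh;#_SA_SecurityCounselor_SA_cloud_schedule_task_SA_
10 00 * * 1 sh /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh scan;#_QSC_:MalwareRemover:malware_remover_schedule:None:w::
25 3 * * * /bin/sh /etc/init.d/disk_data_collection.sh
0 12 * * * /mnt/ext/opt/LicenseCenter/bin/qlicense_tool local_check
# --- the two entries below are constructed for this demonstration, not real indicators ---
*/5 * * * * /tmp/.cache/update.sh
0 * * * * sh /share/CACHEDEV1_DATA/.system/.run.sh >/dev/null 2>&1'

# cron_target LINE -> the path the entry really runs: strip the five schedule
# fields, drop the trailing ";#..." QTS bookkeeping comment, and skip a leading
# interpreter (sh, bash, /bin/sh, .../python). Runs in a subshell so `set -f`
# (no glob expansion while word-splitting) does not leak to the caller.
cron_target() (
    set -f
    cmd=$(printf '%s\n' "$1" | cut -d' ' -f6- | sed 's/;#.*$//')
    set -- $cmd
    case "$1" in
        sh|bash|/bin/sh|*/python) shift ;;
    esac
    printf '%s\n' "$1"
)

# cron_is_allowed PATH -> success if PATH starts with an allowlisted prefix
cron_is_allowed() {
    for p in $CRON_ALLOW_PREFIXES; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}

# cron_audit CRONTAB -> one "FLAG <path>" line per entry outside the allowlist;
# blank lines and comment lines are skipped
cron_audit() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        target=$(cron_target "$line")
        cron_is_allowed "$target" || printf 'FLAG %s\n' "$target"
    done
}

cron_audit "$CRON_SAMPLE"
```

On a NAS, feed it the live listing with `cron_audit "$(crontab -l)"`. A flagged line is not automatically malicious (a third-party QPKG may install outside the allowlist), but it is the set of entries worth reading before deciding, as OneCD did above, that a crontab "looks fine".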

