QSnatch Malware - What to do?

maffle
Starting out
Posts: 16
Joined: Thu Aug 31, 2017 9:30 pm

Re: QSnatch Malware - What to do?

Post by maffle » Fri Aug 28, 2020 6:24 pm

Of course I bought it new. I opened a ticket at QNAP, and they wanted me to send them a complete log dump, which I already felt bad about, because I have no idea, what critical information it contains about my NAS, my data etc.... I just did though with a bad feeling and, now they want me to open a remote control via HelpDesk.............. should I allow it? Totally feel horrible about that. Who knows what they will do on my NAS? They mostly also get complete access via that to my LAN and all my PCs on my LAN.
Last edited by maffle on Fri Aug 28, 2020 8:01 pm, edited 1 time in total.

P3R
Guru
Posts: 12380
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: QSnatch Malware - What to do?

Post by P3R » Fri Aug 28, 2020 7:14 pm

maffle wrote:
Fri Aug 28, 2020 6:24 pm
Of course I bought it new.
There is no "of course" at all with that. Many buy used units.

You may hate your Qnap but don't take that out on other community members! Otherwise you may end up on many foe-lists and get no responses at all.
I opened a ticket at QNAP, and they wanted me to send them a complete log dump, which I already felt bad about, because I have no idea, what critical information it contains about my NAS, my data etc.... I just did though with a bad feeling and, now they want me to open a remote control via HelpDesk.............. should I allow it? Totally feel horrible about that.
I definitely understand your feelings but only you can decide.
They mostly also get complete access via that to my LAN and all my PCs on my LAN.
At least I wouldn't worry at all about that. They're professional, enter other people's NASes all day long and don't have time to do something like that. That said I wouldn't feel totally comfortable with having them inside my NAS either.
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!

ha77man
Getting the hang of things
Posts: 82
Joined: Wed Sep 05, 2018 4:05 am

Re: QSnatch Malware - What to do?

Post by ha77man » Sat Aug 29, 2020 7:18 am

My nas is not finding new firmware updates. Is this something to be concerned about? I’ve manually updated it to the latest version. I believe my Nas is secure and I’m using PFsense and have some good knowledge of firewalls and networks. My nas was purchased in June 2020 - TVS-872XT.
Last edited by ha77man on Sat Aug 29, 2020 7:20 am, edited 1 time in total.

dolbyman
Guru
Posts: 20459
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Sat Aug 29, 2020 7:20 am

well... is your NAS web exposed ?

ha77man
Getting the hang of things
Posts: 82
Joined: Wed Sep 05, 2018 4:05 am

Re: QSnatch Malware - What to do?

Post by ha77man » Sat Aug 29, 2020 7:26 am

dolbyman wrote:
Sat Aug 29, 2020 7:20 am
well... is your NAS web exposed ?
What exactly do you mean?

dolbyman
Guru
Posts: 20459
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Sat Aug 29, 2020 7:35 am

Can you reach your NAS through your NAT (router) from WAN ? (port forwarding)

ha77man
Getting the hang of things
Posts: 82
Joined: Wed Sep 05, 2018 4:05 am

Re: QSnatch Malware - What to do?

Post by ha77man » Sat Aug 29, 2020 7:49 am

dolbyman wrote:
Sat Aug 29, 2020 7:35 am
Can you reach your NAS through your NAT (router) from WAN ? (port forwarding)
I don't have any port forwarding set up on my router to the NAS. I do however have my NAS in the DMZ on my router using pfsense on a VM within virtualization station protecting the NAS. I only have OpenVPN enabled on pfsense to access the NAS from outside which has the strongest encryption.

I just find it strange that my NAS doesn’t want me to update to newer firmware when I log in or when I click check for updates. Qnap support have actually been remotely connected and suggested it is related to DNS out of date but I did some testing and found this not to be the issue. They want to take another look remotely next week.

maffle
Starting out
Posts: 16
Joined: Thu Aug 31, 2017 9:30 pm

Re: QSnatch Malware - What to do?

Post by maffle » Tue Sep 01, 2020 8:18 pm

After I sent the logs to QNAP and opened a remote control for them they just told me today in this short answer:

"our Security Team did not found any virus/malware on your NAS. Its a false alarm."

.... ...... lol?

The """log""" said: https://imgur.com/ezscuqj

- MR1905 found and removed
- removed high risk malware multiple times

So if it was false alarm as QNAP now claims, what was wrongly deleted then? How could it be false alarm? This is just awesome. So it might mean, the malware scanner deleted some of my own files maybe? And I can't find out, which ones and QNAP won't tell me.

maffle
Starting out
Posts: 16
Joined: Thu Aug 31, 2017 9:30 pm

Re: QSnatch Malware - What to do?

Post by maffle » Fri Sep 04, 2020 12:01 am

QNAP told me in another message:

"Malware remover use message 'Removed the detected malware...' when it detects some malware. It does not mean it really delete or remove any files. Go to /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/.backup and you will see all the files that got deleted or modified by Malware remover (Malware remover copy original files to this folder before it delete/modify) From here you can see that no user files are deleted. Some other info: Malware remover report malware when it sees certain pattern in a file. Besides it also reports malware when it sees some 'symptoms'. (e.x. if some scripts in /etc/qpkg.conf is missing) This is probably not a good method and we will change this in future release."

I totally don't trust this. I think the best is just, to factory my NAS and then re-add my RAID1 (2xHDD), which I have unplugged since I got the malware report. My configuration is:

Slot1: 64GB SSD containing system
Slot2: 2TB HDD
Slot3: 2TB HDD

And slot2+3 have encrypted Raid1: https://i.imgur.com/Wh4ozAA.png (error because I have unplugged them right now)

What would be the best procedure to reset my NAS and then re-add my RAID, so it won't get formatted or any data lost?

0. do I need to backup/export something to import my slot2+3 raid1 later again?
1. keep slot2+3 unplugged
2. which of these 3 options do I chose and why: https://i.imgur.com/x6VLWMJ.png ?
3. go through the init setup of the NAS
4. power it down
5. plug in slot2+3 again and turn NAS on
6. add a new RAID1 ?

Here at point 6 I am not sure. How do I add a pre-existing encrypted RAID1? I am worried I maybe chose the wrong step, and the NAS will just reformat my HDDs and all data is lost. How do I add the pre-existing RAID1 and will it just work with the encryption? I read something about QNAP NAS will auto format new disks, which I find a bit scary. Will this also happen here?

7. manually add all share folders, which were configured on the RAID
8. manually config all settings I want
9. reinstall entware-ng

I actually noticed, since I gave QNAP a remote control, there seems to be a folder /root/.BitTornado collecting all kinds of data. Is this normal? Does QNAP use a Torrent client for this? Seems really fishy to me. There are so many secret services running on the NAS... really not transparent at all.

scycscyc
New here
Posts: 2
Joined: Tue Aug 04, 2020 12:48 pm

Re: QSnatch Malware - What to do?

Post by scycscyc » Fri Sep 04, 2020 2:12 am

How does one run the malware remover when it keeps saying that it's already running in the background or starting up?

dolbyman
Guru
Posts: 20459
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Fri Sep 04, 2020 2:14 am

maffle wrote:
Fri Sep 04, 2020 12:01 am

What would be the best procedure to reset my NAS and then re-add my RAID, so it won't get formatted or any data lost?
As the NAS is not a simple disk enclosure, all drives have multiple partitions with the QTS OS on them, so all drives would need to be deleted if you have an infection.

Kill it all and restore from external Backups

maffle
Starting out
Posts: 16
Joined: Thu Aug 31, 2017 9:30 pm

Re: QSnatch Malware - What to do?

Post by maffle » Fri Sep 04, 2020 3:56 am

dolbyman wrote:
Fri Sep 04, 2020 2:14 am
maffle wrote:
Fri Sep 04, 2020 12:01 am

What would be the best procedure to reset my NAS and then re-add my RAID, so it won't get formatted or any data lost?
As the NAS is not a simple disk enclosure, all drives have multiple partitions with the QTS OS on them, so all drives would need to be deleted if you have an infection.

Kill it all and restore from external Backups
That is total nonsense, for several (simple to understand) reasons :-) My question I asked was clear. Someone can answer please, what is the right way to do what I want? Reset my hda and then afterwards re-add my raid. And what you also said is totally WRONG. In this case, did you even read what I said, QOS is on hda, which is not part of the pure data raid. system partition is on HDA (the SSD), not over all disks. I always found the system over all disks way total garbage, that is why I used a single disk just for system, and that's also why I have 1+2 setup. As I said clearly in my post, my NAS was set up with just slot1 the ssd, so system is just on that one, and then later add slot2+3 as pure data raid, which is also encrypted and just mounted manually when I need it.

OneCD
Ask me anything
Posts: 8088
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: QSnatch Malware - What to do?

Post by OneCD » Fri Sep 04, 2020 4:11 am

maffle wrote:
Fri Sep 04, 2020 3:56 am
dolbyman wrote:
Fri Sep 04, 2020 2:14 am
maffle wrote:
Fri Sep 04, 2020 12:01 am

What would be the best procedure to reset my NAS and then re-add my RAID, so it won't get formatted or any data lost?
As the NAS is not a simple disk enclosure, all drives have multiple partitions with the QTS OS on them, so all drives would need to be deleted if you have an infection.

Kill it all and restore from external Backups
That is total nonsense, for several (simple to understand) reasons :-) My question I asked was clear. Someone can answer please, what is the right way to do what I want? Reset my hda and then afterwards re-add my raid. And what you also said is totally WRONG. In this case, did you even read what I said, QOS is on hda, which is not part of the pure data raid. system partition is on HDA (the SSD), not over all disks. I always found the system over all disks way total garbage, that is why I used a single disk just for system, and that's also why I have 1+2 setup.
Thank you @dolbyman, you've helped identify yet another person I will be ignoring future questions from by adding them to my 'foes' list. :D


P3R
Guru
Posts: 12380
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: QSnatch Malware - What to do?

Post by P3R » Fri Sep 04, 2020 4:15 am

maffle wrote:
Fri Sep 04, 2020 3:56 am
And what you also said is totally WRONG.
No it isn't.

Part of the QTS OS is stored in a DOM on the motherboard and the rest of it is in a system partition that is in RAID 1 across ALL your installed disks, regardless of what RAID (if any) you happen to use on the partitions that hold user data.
...system partition is on HDA (the SSD), not over all disks.
I bet you talk about the System volume and not the system partition that is hidden from the user. The System volume hold some apps that can't be moved to other volumes but that's by far not the QTS OS.
Last edited by P3R on Fri Sep 04, 2020 7:18 am, edited 1 time in total.

dolbyman
Guru
Posts: 20459
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Fri Sep 04, 2020 4:17 am

maffle wrote:
Fri Sep 04, 2020 3:56 am
That is total nonsense, for several (simple to understand) reasons :-) [*blub*]
Check with mdadm if you don't believe me
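
The check suggested above, as an added example that is not part of any post in this thread: it reads `/proc/mdstat`-format text and reports which md arrays have a member partition on every disk, which is how a system mirror spanning all drives would show up. The sample listing, the array names `md0`/`md1` and the disk names `sda`/`sdb`/`sdc` are constructed for illustration (one SSD plus two data HDDs) and are not taken from a real NAS.

```shell
#!/bin/sh
# Constructed sample in /proc/mdstat format (not from any real NAS):
# sda = system SSD, sdb + sdc = the two data HDDs.
sample_mdstat() {
cat <<'EOF'
Personalities : [raid1]
md1 : active raid1 sdb3[0] sdc3[1]
      1943559616 blocks super 1.0 [2/2] [UU]

md0 : active raid1 sda1[0] sdc1[2] sdb1[1]
      530048 blocks super 1.0 [3/3] [UUU]

unused devices: <none>
EOF
}

# Emit one "array level disk" line per member partition read from stdin.
md_members() {
    awk '$1 ~ /^md/ && $2 == ":" {
        level = "unknown"
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^(raid[0-9]+|linear)$/) { level = $i; continue }
            if ($i !~ /\[[0-9]+\]/) continue       # state words such as "active"
            dev = $i
            sub(/\[.*/, "", dev)                   # drop role number and flags
            if (dev ~ /^(nvme|mmcblk)/) { sub(/p[0-9]+$/, "", dev) }
            else { sub(/[0-9]+$/, "", dev) }       # sdb3 -> sdb
            print $1, level, dev
        }
    }' | sort -u
}

# Print the arrays that have a member on every disk seen in any array.
arrays_on_all_disks() {
    md_members | awk '
        { disks[$3] = 1; seen[$1 " " $3] = 1; level[$1] = $2 }
        END {
            for (a in level) {
                all = 1
                for (d in disks) if (!((a " " d) in seen)) all = 0
                if (all) print a, level[a]
            }
        }' | sort
}

sample_mdstat | arrays_on_all_disks   # prints: md0 raid1
```

On a live system, run `arrays_on_all_disks < /proc/mdstat`; `mdadm --detail /dev/mdN` then lists the members of a single array in full. Disks that belong to no array do not appear in the comparison.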
