QSnatch Malware - What to do?

jaysona
Easy as a breeze
Posts: 354
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona » Mon Sep 07, 2020 2:53 am

AlastairStevenson wrote:
Fri Aug 28, 2020 4:43 pm
While that is true, Alastair was responding specifically to someone, someone that included specifics about their network environment. The mention of UPnP in Alastair's response was completely useless and not applicable in that context, it also demonstrated a lack of knowledge about the environment for which he was responding.

It is far more helpful for people to not respond to things they are unsure of vs just spewing out the typical check-list stuff of things to look at, even when a particular check-list item is not applicable.
Who rattled your cage?
Sure, I hadn't linked the lack of UPnP in OpenWRT, but that's no reason to slag off a response which has applied to so many people who are unaware of the risks of UPnP being enabled by default.

Just chill, OK.
Loolz! It seems like you're the one with the rattled cage. :lol:

There is always room for technically accurate information. You responded to a very specific issue, and provided technically inaccurate information (analogous to telling a person to check the spark plugs when someone says their diesel engine won't start) when specifics were given and got called out for it.

Take the learning experience and move on. :idea:
H/W: TS-219 Pro / TS-269 Pro / TS-253 Pro (8Gig) / TS-509 Pro x2 / TS-569 Pro
H/W: TS-670 Pro (i7-3770S 16Gig) x2 / TS-853 Pro (8Gig) / TVS-871 Pro (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 384.19
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2020.7
Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)

jaysona
Easy as a breeze
Posts: 354
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona » Mon Sep 07, 2020 3:02 am

maffle wrote:
Fri Sep 04, 2020 3:56 am
That is total nonsense, for several (simple to understand) reasons :-) My question I asked was clear. Someone can answer please, what is the right way to do what I want? Reset my hda and then afterwards re-add my raid. And what you also said is totally WRONG. In this case, did you even read what I said, QOS is on hda, which is not part of the pure data raid. system partition is on HDA (the SSD), not over all disks. I always found the system over all disks way total garbage, that is why I used a single disk just for system, and that's also why I have 1+2 setup. As I said clearly in my post, my NAS was set up with just slot1 the ssd, so system is just on that one, and then later add slot2+3 as pure data raid, which is also encrypted and just mounted manually when I need it.
cat /proc/mdstat will show you all the disks that are being used and how they are being used.

I have two different volumes on one of my 8-bay nas units. 2x1TB for the system and 6x4TB for pure data, yet QTS spreads some partitions across all eight drives.

Code:

Personalities : [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4] [multipath] 
md2 : active raid5 sdc3[0] sdf3[5] sdg3[4] sdh3[3] sda3[2] sdb3[1]
      19485317120 blocks super 1.0 level 5, 512k chunk, algorithm 2 [6/6] [UUUUUU]
      
md1 : active raid1 sdd3[0] sde3[1]
      966807616 blocks super 1.0 [2/2] [UU]
      
md322 : active raid1 sde5[7](S) sdf5[6](S) sdg5[5](S) sdh5[4](S) sda5[3](S) sdb5[2](S) sdc5[1] sdd5[0]
      7235136 blocks super 1.0 [2/2] [UU]
      bitmap: 0/1 pages [0KB], 65536KB chunk

md256 : active raid1 sde2[7](S) sdf2[6](S) sdg2[5](S) sdh2[4](S) sda2[3](S) sdb2[2](S) sdc2[1] sdd2[0]
      530112 blocks super 1.0 [2/2] [UU]
      bitmap: 0/1 pages [0KB], 65536KB chunk

md13 : active raid1 sdd4[0] sdg4[69] sdh4[68] sda4[67] sdb4[66] sdc4[65] sdf4[64] sde4[1]
      458880 blocks super 1.0 [64/8] [UUUUUUUU________________________________________________________]
      bitmap: 1/1 pages [4KB], 65536KB chunk

md9 : active raid1 sdd1[0] sdg1[69] sdh1[68] sda1[67] sdb1[66] sdc1[65] sdf1[64] sde1[1]
      530048 blocks super 1.0 [64/8] [UUUUUUUU________________________________________________________]
      bitmap: 1/1 pages [4KB], 65536KB chunk
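The `/proc/mdstat` listing in the post above decides which disks have to be wiped before a rebuild, so this added example (not part of the original post) parses it to show which md arrays hold a partition on each disk and which arrays span every disk. The function names are illustrative and the sample is abridged from the output in the post.

```python
import re

# Abridged from the /proc/mdstat output quoted in the post above.
SAMPLE_MDSTAT = """\
Personalities : [linear] [raid0] [raid1] [raid10] [raid6] [raid5] [raid4] [multipath]
md2 : active raid5 sdc3[0] sdf3[5] sdg3[4] sdh3[3] sda3[2] sdb3[1]
      19485317120 blocks super 1.0 level 5, 512k chunk, algorithm 2 [6/6] [UUUUUU]
md1 : active raid1 sdd3[0] sde3[1]
      966807616 blocks super 1.0 [2/2] [UU]
md256 : active raid1 sde2[7](S) sdf2[6](S) sdg2[5](S) sdh2[4](S) sda2[3](S) sdb2[2](S) sdc2[1] sdd2[0]
md9 : active raid1 sdd1[0] sdg1[69] sdh1[68] sda1[67] sdb1[66] sdc1[65] sdf1[64] sde1[1]
"""

ARRAY_LINE = re.compile(r"^(md\d+)\s*:\s*(\S+)\s+(.*)$")
MEMBER = re.compile(r"(\S+?)\[\d+\]((?:\([A-Z]\))*)")  # e.g. sde2[7](S)

def disk_of(partition):
    """Map a member partition (sda3, nvme0n1p3) to its parent disk."""
    if re.match(r"(nvme|mmcblk)", partition):
        return re.sub(r"p\d+$", "", partition)
    return re.sub(r"\d+$", "", partition)

def parse_mdstat(text):
    """Return {array: {"state": str, "members": {disk: "active"|"spare"}}}."""
    arrays = {}
    for line in text.splitlines():
        m = ARRAY_LINE.match(line)
        if not m:
            continue  # Personalities, block-count and bitmap lines
        name, state, rest = m.groups()
        members = {disk_of(p): ("spare" if "(S)" in flags else "active")
                   for p, flags in MEMBER.findall(rest)}
        arrays[name] = {"state": state, "members": members}
    return arrays

def arrays_per_disk(arrays):
    """Invert the mapping: which md arrays hold a partition on each disk."""
    per_disk = {}
    for name, info in arrays.items():
        for disk in info["members"]:
            per_disk.setdefault(disk, []).append(name)
    return {d: sorted(a) for d, a in sorted(per_disk.items())}

def spanning_arrays(arrays):
    """Arrays with a member (active or spare) on every disk seen in mdstat."""
    all_disks = {d for info in arrays.values() for d in info["members"]}
    return sorted(n for n, i in arrays.items() if set(i["members"]) == all_disks)

if __name__ == "__main__":
    print(arrays_per_disk(parse_mdstat(SAMPLE_MDSTAT)))
```

On a live unit, pass the contents of `/proc/mdstat` to `parse_mdstat` instead of the sample; any disk that appears under a spanning array carries more than its data volume.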

Pencil3
New here
Posts: 2
Joined: Wed Sep 09, 2020 2:43 pm

Re: QSnatch Malware - What to do?

Post by Pencil3 » Wed Sep 09, 2020 2:52 pm

Yesterday my QNAP was not starting up anymore. The two drives either. Connecting them via a USB adapter to a Windows PC showed that the HDD motors did not even start turning. So everything is as dead as dead can be. I will not buy such a product anymore.

dolbyman
Guru
Posts: 20458
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Wed Sep 09, 2020 8:24 pm

what does that have to do with qsnatch?

qsnatch is clearly responsible for covid19 and the forest fires in the us though

Pencil3
New here
Posts: 2
Joined: Wed Sep 09, 2020 2:43 pm

Re: QSnatch Malware - What to do?

Post by Pencil3 » Thu Sep 17, 2020 1:31 am

I do not know if it has to do with that. But another explanation seems not realistic. The chance that pc and two drives just break down and don't start up while the disks were a few weeks ago in good condition and software was up to date, seems almost impossible without some malicious software issue.
I find such a nas dangerous and worthless.

dolbyman
Guru
Posts: 20458
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Thu Sep 17, 2020 1:38 am

A piece of software will not kill your NAS and drives .. look into a power surge as the possible culprit (got a UPS and surge protector?)

jaysona
Easy as a breeze
Posts: 354
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QSnatch Malware - What to do?

Post by jaysona » Thu Sep 17, 2020 2:52 am

Pencil3 wrote:
Thu Sep 17, 2020 1:31 am
I do not know if it has to do with that. But another explanation seems not realistic. The chance that pc and two drives just break down and don't start up while the disks were a few weeks ago in good condition and software was up to date, seems almost impossible without some malicious software issue.
I find such a nas dangerous and worthless.
You seem to have a misunderstanding of how software and electronics work.

If you have an issue with the PC, NAS issue and hard drives not powering up, you most likely had an issue with the electricity supply from the power utility. Typical malware (especially qsnatch, etc) will not do what you have described.

Bimrin
Starting out
Posts: 17
Joined: Wed May 01, 2019 2:49 pm

Re: QSnatch Malware - What to do?

Post by Bimrin » Fri Sep 18, 2020 7:28 am

Is the best option to deal with Qsnatch at this point to factory reset and restore from backup? I am a little late to this party, I was able to manually update firmware but still can't access malware remover and I have been reading through this thread and others that it won't necessarily deal with it. I also see that the cleanme.sh script is no longer available. I have everything backed up so I can do the full reset but just checking before I do that.

dolbyman
Guru
Posts: 20458
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Fri Sep 18, 2020 9:44 pm

externally format all disks

do a diskless firmware update (via qfinder)

setup the nas from scratch

restore from backups

Bimrin
Starting out
Posts: 17
Joined: Wed May 01, 2019 2:49 pm

Re: QSnatch Malware - What to do?

Post by Bimrin » Sat Sep 19, 2020 3:44 pm

dolbyman wrote:
Fri Sep 18, 2020 9:44 pm
externally format all disks

do a diskless firmware update (via qfinder)

setup the nas from scratch

restore from backups
Dolbyman - what do you mean exactly by externally format? Are you recommending pulling the drives and formatting in a different system?

dolbyman
Guru
Posts: 20458
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Sat Sep 19, 2020 7:09 pm

that is correct

either direct connect or via a usb dock

Bimrin
Starting out
Posts: 17
Joined: Wed May 01, 2019 2:49 pm

Re: QSnatch Malware - What to do?

Post by Bimrin » Sun Sep 20, 2020 2:34 am

@dolbyman - sorry one more question. How likely is qsnatch to infect an attached usb backup drive. Concern being that my backup is an attached 6tb external drive that is synced weekly. It has been attached most of the time the nas was running. Is there a concern that the malware has infected that drive?

dolbyman
Guru
Posts: 20458
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Sun Sep 20, 2020 6:47 am

infected?.probably not ..as the drive contains no system volumes

encrypted..maybe

Bimrin
Starting out
Posts: 17
Joined: Wed May 01, 2019 2:49 pm

Re: QSnatch Malware - What to do?

Post by Bimrin » Tue Sep 22, 2020 8:08 am

Dolby - Any recommendation on just formatting or should I do a full erase? Currently running them through Linux with Erase on and we are at a 14 hour estimate. I did DBAN at first and that was like 35 hours and figured that was a bit of overkill

dolbyman
Guru
Posts: 20458
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QSnatch Malware - What to do?

Post by dolbyman » Tue Sep 22, 2020 8:35 am

no need for a full erase..just clear the partitions off and a quick format

on windows I would use diskpart with "clean" command
