In the recent issue described in Check And Solve If Your QNAP NAS Has Been Injected a CPUMiner Program, QNAP quickly released Malware Remover 2.1.0 to help. Let’s take a look at this program in detail.
What It Can Help With
If you are suffering from the CPUMiner reported by esper in disk_manage.cgi hogging CPU usage and by rf5000 in QNAP用戶注意! QTS 4.3.3 被植入XMR挖礦木馬,建議先不要升級! (QNAP users beware! QTS 4.3.3 has been implanted with an XMR mining trojan; do not upgrade yet!), it helps you remove it completely.
Installation
You may install it from [App Center] in QTS directly, or download it from here (a direct link to QNAP) and install it manually via SSH or [App Center]. Remember to unzip the downloaded file to get MalwareRemover_2.1.0.qpkg.
Install from App Center
[App Center] can be launched from [Main Menu] in the upper-left corner. [Malware Remover] can be found in the [Utilities] category, or just search for “malware”.
If you decide to upload manually, click the gear icon in the upper-right corner of [App Center] to browse for and install MalwareRemover_2.1.0.qpkg.
Install in Terminal Manually
Enable [Allow SSH connection] in [Control Panel] → [Network Services] → [Telnet/SSH], log in to QTS via SSH as admin, and change to the directory where you uploaded MalwareRemover_2.1.0.qpkg. Run the package and it begins to install.
Here is the output when you install Malware Remover 2.1.0 for the first time:
[/share/Public] # ./MalwareRemover_2.1.0.qpkg
Install QNAP package on TS-NAS...
12+1 records in
12+1 records out
./
./qpkg.cfg
./qinstall.sh
./package_routines
./built_info
0+1 records in
0+1 records out
12+0 records in
12+0 records out
qinstall.sh: line 354: [: -gt: unary operator expected
qinstall.sh: line 356: [: -lt: unary operator expected
Firmware check is fine.
Link service start/stop script: MalwareRemover.sh
Set QPKG information in /etc/config/qpkg.conf
[App Center] Malware Remover 2.1.0 has been installed in /share/CACHEDEV1_DATA/.qpkg/MalwareRemover successfully.
[App Center] Malware Remover enabled.
[/share/Public] #
Here is the output when Malware Remover is already installed; the package upgrades the existing version:
[/share/Public] # ./MalwareRemover_2.1.0.qpkg
Install QNAP package on TS-NAS...
12+1 records in
12+1 records out
./
./qpkg.cfg
./qinstall.sh
./package_routines
./built_info
0+1 records in
0+1 records out
12+0 records in
12+0 records out
MalwareRemover 2.1.0 is already installed. Setup will now perform package upgrading.
qinstall.sh: line 354: [: -gt: unary operator expected
qinstall.sh: line 356: [: -lt: unary operator expected
Firmware check is fine.
Link service start/stop script: MalwareRemover.sh
Set QPKG information in /etc/config/qpkg.conf
[App Center] Malware Remover 2.1.0 has been installed in /share/CACHEDEV1_DATA/.qpkg/MalwareRemover successfully.
[App Center] Malware Remover enabled.
[/share/Public] #
Configuration File
The configuration is saved in /mnt/HDA_ROOT/.config/qpkg.conf as:
[MalwareRemover]
Build = 20170504
Name = MalwareRemover
Display_Name = Malware Remover
Version = 2.1.0
Author = QNAP Systems, Inc.
QPKG_File = MalwareRemover.qpkg
Date = 2017-05-04
Shell = /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh
Install_Path = /share/CACHEDEV1_DATA/.qpkg/MalwareRemover
RC_Number = 101
Enable = TRUE
What Has Been Installed
MalwareRemover_2.1.0.qpkg contains everything it installs. To extract a qpkg, you have to install QDK (QNAP Development Kit), which may be downloaded from GitHub. But I suggest following the [Install QDK] section in the QDK Quick Start Guide instead: install it manually through [App Center] by getting QDK 2.2.14, unzipping the file, and uploading QDK_2.2.14.qpkg, which is much easier.
If the installation succeeds, you will see QDK 2.2.14 in [MyApps].
Next, SSH in as admin and run qbuild to extract MalwareRemover_2.1.0.qpkg:
[/share/Public] # qbuild --extract MalwareRemover_2.1.0.qpkg ./MalwareRemover
./
./qpkg.cfg
./qinstall.sh
./package_routines
./built_info
When you open [MalwareRemover], you will see data.tar.gz, which is not in the list above. It needs to be decompressed to see what it contains.
Because this file has been tar-archived and then gzip-compressed, use the following command to decompress and untar it in one step. If you are interested, Unpacking or uncompressing gz files under Linux and UNIX systems on nixCraft explains this type of compressed file in detail.
[/share/Public] # tar -zxvf data.tar.gz
./
./MalwareRemover.sh
./.qpkg_icon_gray.gif
./.qpkg_icon.gif
./.gitkeep
[/share/Public] #
Okay, now we know MalwareRemover_2.1.0.qpkg contains the following files:
- qpkg.cfg
- qinstall.sh
- package_routines
- built_info
- MalwareRemover.sh (in data.tar.gz)
- .qpkg_icon_gray.gif (in data.tar.gz)
- .qpkg_icon.gif (in data.tar.gz)
- .gitkeep (in data.tar.gz)
As we can see, qinstall.sh handles installation while MalwareRemover.sh is the actual removal shell script. Nothing in it is specific to x86-64. If you want to run this script on an ARM-based NAS, it is entirely possible. On a different NAS brand, however, you would need to modify the environment variables and relative directories.
One-Time-Only Shell Script
QNAP actually relies on MalwareRemover.sh alone to kill the malware process, remove related files, and report to [System Logs]. But it applies to this case only; it is not a modern antivirus with a scan engine separate from a virus database. I suggest you download MalwareRemover_2.1.0.qpkg and keep it in a safe place.
According to the Link service start/stop script section in qinstall.sh, it will be executed automatically at every restart or power-on via the symbolic link /etc/init.d/MalwareRemover.sh, which links to /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh.
Update: 2.1.1 Adds Regular Scan at 3:00AM Everyday
QNAP released a new minor version within 15 hours. I noticed more messages in the system log, and the script now runs at 3:00 AM every day.
More Messages With Scheduled Scan
After comparing the two versions of MalwareRemover.sh, I noticed that 2.1.1 has an extra variable $ISCLEAN and two more log messages: “[MalwareRemover] Scan completed.” and “[MalwareRemover] Scan completed and malware deleted.”.
These extras should be related to the new scheduled scan task.
Scheduled Scan Every Day
In package_routines, extra lines have been added to cron. It will scan at 3:00 AM every day. You will see a new scheduled task as below:
0 3 * * * /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh start
You may learn more about customizing cron in Admin’s Choice’s “Crontab – Quick Reference”.
What If My NAS Is Not Turned On at the Given Time
Don’t worry, MalwareRemover.sh will be executed the next time you turn it on, because there is a symbolic link to it in /etc/init.d.
Update: 2.1.2 Removes Another Malware
QNAP released another minor version 8 days later. It removes more malware this time. I noticed a lot of new code in MalwareRemover.sh.
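The two persistence hooks described above (the 03:00 crontab entry and the /etc/init.d symlink) are exactly what an administrator should verify after installing the package, since a missing hook means no scheduled or boot-time scan. The following is an added example, not QNAP's code: it checks a crontab dump and an init.d directory for those hooks. The path of MalwareRemover.sh is taken from the post; the crontab text and the init.d directory used in the demo are constructed so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not part of QNAP's package): verify that MalwareRemover.sh
# is hooked into cron (daily at 03:00) and into /etc/init.d, as the post
# describes for version 2.1.1. Both inputs are parameters, so the check can
# run against a saved `crontab -l` dump and a copied init.d directory.

MR_SCRIPT="/share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh"  # path from the post

# Return 0 if the crontab text on stdin schedules "<script> start" at
# minute 0, hour 3, every day. Cron fields: min hour dom mon dow command...
cron_schedules_daily_0300() {
    awk -v s="$1" '
        /^[ \t]*#/ || NF == 0 { next }                  # skip comments and blank lines
        $1 == "0" && $2 == "3" && $3 == "*" && $4 == "*" && $5 == "*" \
            && $6 == s && $7 == "start" { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Return 0 if $2/MalwareRemover.sh is a symlink whose target is $1.
initd_links_to() {
    link="$2/MalwareRemover.sh"
    [ -L "$link" ] && [ "$(readlink "$link")" = "$1" ]
}

# Run both checks and print a one-line verdict for each; returns 1 if any fails.
check_persistence() {
    crontab_text="$1"; initd_dir="$2"; ok=0
    if printf '%s' "$crontab_text" | cron_schedules_daily_0300 "$MR_SCRIPT"; then
        echo "cron: daily 03:00 scan is scheduled"
    else
        echo "cron: no 03:00 entry for MalwareRemover.sh"; ok=1
    fi
    if initd_links_to "$MR_SCRIPT" "$initd_dir"; then
        echo "init.d: boot-time link present"
    else
        echo "init.d: link missing or pointing elsewhere"; ok=1
    fi
    return $ok
}

# --- constructed sample inputs for a stand-alone run ---
SAMPLE_CRONTAB='# m h dom mon dow command
30 4 * * * /etc/init.d/backup.sh
0 3 * * * /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh start
'
SAMPLE_INITD="$(mktemp -d)"                       # stands in for /etc/init.d
ln -s "$MR_SCRIPT" "$SAMPLE_INITD/MalwareRemover.sh"

check_persistence "$SAMPLE_CRONTAB" "$SAMPLE_INITD"
```

On a real NAS you would feed it `crontab -l` and `/etc/init.d`; the crontab parser is deliberately strict about the field values so that an entry for a different hour or a different script is not mistaken for the expected one.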
Identify Models
I noticed it needs to identify the model and assign a DEV_NAS_CONFIG value. Here is an example for the TS-269H:
if [ x`/sbin/getcfg system model -f /etc/default_config/uLinux.conf` = xTS-269H ]; then
    DEV_NAS_CONFIG=/dev/mmcblk0p6
fi
Remove Another Malware
It also removes the following files when malware is detected:
- $QPKG_DIR/.myQNAPcloud
- $DEF_VOLMP/.log/.cgi_log
- /home/httpd/cgi-bin/authLogin.cgi
- /home/httpd/cgi-bin/syncTime.cgi
It renames a file:
- Rename /home/httpd/cgi-bin/QauthLogin.cgi back to /home/httpd/cgi-bin/authLogin.cgi
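The file actions above show that the malware swapped and added files under /home/httpd/cgi-bin: the original authLogin.cgi was kept aside as QauthLogin.cgi and a syncTime.cgi appeared. A file-integrity baseline catches that kind of change without needing a signature for each new variant. Below is an added example, not QNAP's code, that records SHA-256 hashes of a directory and later reports modified, missing and new files; the directory is a parameter (the real path would be the cgi-bin directory named in the post) and the demo directory and its contents are constructed.

```shell
#!/bin/sh
# Added example (not QNAP's code): a SHA-256 baseline for a CGI directory.
# Hash a known-clean directory once, then compare later to reveal swapped,
# removed or dropped-in files such as the authLogin.cgi / QauthLogin.cgi /
# syncTime.cgi changes the post describes.

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# Emit one "hash<TAB>filename" line per regular file directly under $1
# (dotfiles included), sorted by name.
make_baseline() {
    for f in "$1"/* "$1"/.[!.]*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(hash_file "$f")" "$(basename "$f")"
    done | sort -k2
}

# Compare directory $1 with baseline file $2. Prints "MODIFIED name",
# "MISSING name" or "NEW name" per deviation; returns 1 if any were found.
verify_baseline() {
    dir="$1"; base="$2"; status=0
    tab="$(printf '\t')"
    while IFS="$tab" read -r want name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; status=1
        elif [ "$(hash_file "$dir/$name")" != "$want" ]; then
            echo "MODIFIED $name"; status=1
        fi
    done < "$base"
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        n="$(basename "$f")"
        # a file present on disk but absent from the baseline is NEW
        awk -F'\t' -v n="$n" '$2 == n { found = 1 } END { exit !found }' "$base" \
            || { echo "NEW $n"; status=1; }
    done
    return $status
}

# --- constructed demo: a clean directory, then the swap the post describes ---
CGI_DIR="$(mktemp -d)"      # stands in for /home/httpd/cgi-bin
BASELINE="$(mktemp)"
printf 'clean login handler\n' > "$CGI_DIR/authLogin.cgi"
printf 'clean disk handler\n'  > "$CGI_DIR/disk_manage.cgi"
make_baseline "$CGI_DIR" > "$BASELINE"
mv "$CGI_DIR/authLogin.cgi" "$CGI_DIR/QauthLogin.cgi"            # original kept aside
printf 'replacement login handler\n' > "$CGI_DIR/authLogin.cgi"  # different file in its place
printf 'extra handler\n' > "$CGI_DIR/syncTime.cgi"               # new file dropped in
verify_baseline "$CGI_DIR" "$BASELINE"   # MODIFIED authLogin.cgi, NEW QauthLogin.cgi, NEW syncTime.cgi
```

Store the baseline somewhere the NAS cannot write to (a workstation or read-only share); a baseline kept next to the files it protects can be edited along with them.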
And it kills some processes:
pid=`lsof | grep qcloud_ag | tr -s " " | cut -d' ' -f2 | uniq`
for p in $pid; do
    ISCLEAN="N"
    kill -9 $p > /dev/null 2>&1
    /sbin/write_log "[MalwareRemover] Malwares process killed: qcloud_ag ($p)" 4
done
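Two things are worth noticing in that loop from a detection standpoint: grep matches any lsof line that mentions qcloud_ag (including an unrelated process that merely has a file by that name open), and uniq only collapses adjacent duplicates, so the same PID can be processed more than once. The following added example, not code from MalwareRemover.sh, shows a stricter identification step that matches the command name exactly and de-duplicates with sort -u, and logs its findings rather than acting on them. The "PID COMMAND" input layout is an assumption (what `ps -eo pid,args` prints on a GNU system; busybox ps on the NAS lays columns out differently), and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not QNAP's code): find processes by exact command name in
# "PID COMMAND [ARGS...]" output and report them. Compared with the
# lsof | grep pipeline in the post, this matches only the command field
# and uses sort -u, so non-adjacent duplicate PIDs are collapsed.

# Print the unique PIDs (ascending) whose command basename equals $1; input on stdin.
pids_by_name() {
    awk -v n="$1" '
        NR == 1 && $1 == "PID" { next }   # skip a header line if present
        {
            cmd = $2
            sub(/.*\//, "", cmd)          # keep only the basename of the command
            if (cmd == n) print $1
        }
    ' | sort -n -u
}

# Log each match through $LOGGER (echo here; the post shows /sbin/write_log
# used for this on QTS). Returns 0 when nothing matched, 1 otherwise.
LOGGER="${LOGGER:-echo}"
report_pids() {
    name="$1"; clean=1
    for p in $(pids_by_name "$name"); do
        clean=0
        $LOGGER "[MalwareRemover-check] process found: $name ($p)"
    done
    [ "$clean" -eq 1 ]
}

# --- constructed process listing for a stand-alone run ---
# PID 612 is repeated on purpose (lsof prints one line per open file), and
# PID 615 only has a file named qcloud_ag open, which grep would have matched.
SAMPLE_PS='PID COMMAND
1 /sbin/init
612 /tmp/sample/qcloud_ag -d
615 /usr/bin/lsof /tmp/qcloud_ag.log
612 /tmp/sample/qcloud_ag -d
777 qcloud_ag
'
printf '%s' "$SAMPLE_PS" | report_pids qcloud_ag   # reports 612 and 777 only
```

Separating identification from action this way lets an administrator review what a scanner would have killed, which is also the first thing to check when the remover keeps reporting the same finding after every reboot.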
Update: 2.1.3 is a Fix for TS-269H Only
In [求救] QNAP 中咗malware ([Help] QNAP got malware) on HKEPC, TS-269H users report high CPU utilization after installing/upgrading to the latest Malware Remover 2.1.2. Because of this, everything becomes extremely slow.
The solution is to roll back to 2.1.1. tcbyxx shared his experience in #63 of that thread as below:
Malware Remover 2.1.3 was quickly released to TS-269H users on 2017/5/16 to fix this issue. Other models cannot see this new update.
I noticed only a small difference in MalwareRemover.sh.
Difference
In 2.1.2, the following line:
/sbin/ldd /home/httpd/cgi-bin/authLogin.cgi >/dev/null 2>&1
has been replaced in 2.1.3 by:
LDD=`which ldd`
$LDD /home/httpd/cgi-bin/authLogin.cgi >/dev/null 2>&1
ldd prints the shared object dependencies of a binary; which locates an executable on the PATH. It seems there is a path issue with ldd in 2.1.2, which I cannot confirm.
Reference
- Admin’s Choice: Crontab – Quick Reference
- Check And Solve If Your QNAP NAS Has been Injected a CPUMiner Program
- GitBook: QDK – QPKG Development Kit
- GitBook: QDK Quick Start Guide
- GitHub: QDK
- HKEPC: [求救] QNAP 中咗malware ([Help] QNAP got malware)
- Mobile01: QNAP用戶注意! QTS 4.3.3 被植入XMR挖礦木馬,建議先不要升級! (QNAP users beware! QTS 4.3.3 has been implanted with an XMR mining trojan; do not upgrade yet!)
- nixCraft: Unpacking or uncompressing gz files under Linux and UNIX systems
- QNAP Forum: disk_manage.cgi hogging CPU usage
- QNAP: Malware Removal 2.1.0
- QNAP: Malware Removal 2.1.3
- QNAP: QDK 2.2.14
- QNAP: QTS
- QNAP: TS-269H
- Wiki: ARM architecture
- Wiki: Cron
- Wiki: ldd (Unix)
- Wiki: Secure Shell
- Wiki: Shell script
- Wiki: vi
- Wiki: which (Unix)
- Wiki: x86-64
Where are logs stored? The system info that malware was found is not any info; it does not tell you where it is, which is annoying when you get the same message after every reboot.
Same here. And also terribly slow and not adequate support by QNAP.
And messages of found malware are coming up at every start and restart. Program false??
If it detects at every start and restart, I think it hooks something and restores itself every time after being removed, or the Remover script fails to remove it. If I were you, I would format and reinstall QTS and keep it off the public network. When your public IP is on the target list, hackers will easily use the same leaks to access your computer. Another case is an infected computer in your network that automatically finds any “clean” NAS and infects it.