In the recent issue described in Check And Solve If Your QNAP NAS Has been Injected a CPUMiner Program, QNAP quickly released Malware Remover 2.1.0 to help. Let's take a look at this program in detail.
How to Get It
You may install it from [App Center] in QTS directly, or download it from here (a direct link to QNAP) and install it manually via ssh or [App Center]. Remember to unzip the downloaded file to get MalwareRemover_2.1.0.qpkg.
Install from App Center
[App Center] can be launched from [Main Menu] in the upper-left corner. [Malware Remover] can be found in the [Utilities] category, or just search for “malware”.
If you decide to upload it manually, click the gear icon in the upper-right corner of [App Center] to browse for and install MalwareRemover_2.1.0.qpkg.
Install in Terminal Manually
Here is the output when you install Malware Remover 2.1.0 for the first time:
```
[/share/Public] # ./MalwareRemover_2.1.0.qpkg
Install QNAP package on TS-NAS...
12+1 records in
12+1 records out
./
./qpkg.cfg
./qinstall.sh
./package_routines
./built_info
0+1 records in
0+1 records out
12+0 records in
12+0 records out
qinstall.sh: line 354: [: -gt: unary operator expected
qinstall.sh: line 356: [: -lt: unary operator expected
Firmware check is fine.
Link service start/stop script: MalwareRemover.sh
Set QPKG information in /etc/config/qpkg.conf
[App Center] Malware Remover 2.1.0 has been installed in /share/CACHEDEV1_DATA/.qpkg/MalwareRemover successfully.
[App Center] Malware Remover enabled.
[/share/Public] #
```
Here is the output when Malware Remover is already installed; the installer upgrades the existing version:
```
[/share/Public] # ./MalwareRemover_2.1.0.qpkg
Install QNAP package on TS-NAS...
12+1 records in
12+1 records out
./
./qpkg.cfg
./qinstall.sh
./package_routines
./built_info
0+1 records in
0+1 records out
12+0 records in
12+0 records out
MalwareRemover 2.1.0 is already installed. Setup will now perform package upgrading.
qinstall.sh: line 354: [: -gt: unary operator expected
qinstall.sh: line 356: [: -lt: unary operator expected
Firmware check is fine.
Link service start/stop script: MalwareRemover.sh
Set QPKG information in /etc/config/qpkg.conf
[App Center] Malware Remover 2.1.0 has been installed in /share/CACHEDEV1_DATA/.qpkg/MalwareRemover successfully.
[App Center] Malware Remover enabled.
[/share/Public] #
```
The package is registered in /mnt/HDA_ROOT/.config/qpkg.conf (the file the installer refers to as /etc/config/qpkg.conf; on QTS /etc/config is a symlink to /mnt/HDA_ROOT/.config) as:
```
[MalwareRemover]
Build = 20170504
Name = MalwareRemover
Display_Name = Malware Remover
Version = 2.1.0
Author = QNAP Systems, Inc.
QPKG_File = MalwareRemover.qpkg
Date = 2017-05-04
Shell = /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh
Install_Path = /share/CACHEDEV1_DATA/.qpkg/MalwareRemover
RC_Number = 101
Enable = TRUE
```
What Has Been Installed
MalwareRemover_2.1.0.qpkg contains everything it installs. To extract a qpkg you need QDK (QNAP Development Kit), which can be downloaded from GitHub. It is much easier, though, to follow the [Install QDK] section of the QDK Quick Start Guide: get QDK 2.2.14, unzip the file, and upload QDK_2.2.14.qpkg through [App Center].
If the installation succeeds, you will see QDK 2.2.14 in [MyApps].
Next, ssh in as admin and run qbuild to extract MalwareRemover_2.1.0.qpkg:
```
[/share/Public] # qbuild --extract MalwareRemover_2.1.0.qpkg
./MalwareRemover
./
./qpkg.cfg
./qinstall.sh
./package_routines
./built_info
```
When you open [MalwareRemover], you will also see data.tar.gz, which is not in the list above. It needs to be decompressed to see what it contains.
Because this file has been tarred and then gzip-compressed, use the following command to decompress and untar it in one step. If you are interested, Unpacking or uncompressing gz files under Linux and UNIX systems on nixCraft explains this type of compressed file in detail.
```
[/share/Public] # tar -zxvf data.tar.gz
./
./MalwareRemover.sh
./.qpkg_icon_gray.gif
./.qpkg_icon.gif
./.gitkeep
[/share/Public] #
```
Okay, now we know MalwareRemover_2.1.0.qpkg contains the following files (the first four from the qbuild output, the rest from data.tar.gz):
- qpkg.cfg
- qinstall.sh
- package_routines
- built_info
- MalwareRemover.sh (in data.tar.gz)
- .qpkg_icon_gray.gif (in data.tar.gz)
- .qpkg_icon.gif (in data.tar.gz)
- .gitkeep (in data.tar.gz)
As we can see, qinstall.sh handles installation while MalwareRemover.sh is the actual removal shell script. Nothing in it is specific to x86-64. If you want to run this script on an ARM-based NAS, it is entirely possible. On a different NAS brand, however, you would need to adjust the environment variables and the paths it relies on.
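The listing above tells you exactly what a package drops on disk, which is worth verifying before running a .qpkg obtained anywhere other than [App Center]. The following script is an added example, not part of this post or of QNAP's code: it reads a `tar -tzvf data.tar.gz` listing from stdin (assuming the GNU/BusyBox column order mode, owner, size, date, time, name, and `-> target` for links) and reports entries that could land outside the package directory, link out of it, or are device/fifo nodes, plus any file not in the 2.1.0 inventory. EXPECTED_FILES is taken from the tar output above; the listing lines in the comments are constructed, not captured from a NAS.

```shell
#!/bin/sh
# Added example, not QNAP's code: audit a QPKG data.tar.gz listing before installing.
# Usage on the NAS:  tar -tzvf data.tar.gz | audit_tar_listing
# Assumes GNU/BusyBox `tar -tv` columns: mode owner size date time name [-> target]

# Files the 2.1.0 data.tar.gz is known to contain (from the tar -zxvf listing above).
EXPECTED_FILES="MalwareRemover.sh .qpkg_icon_gray.gif .qpkg_icon.gif .gitkeep"

# Returns 0 when the path would land outside the package directory.
# Conservative on purpose: any ".." component is treated as an escape.
escapes_dir() {
    case "$1" in
        /*|..|../*|*/..|*/../*) return 0 ;;
    esac
    return 1
}

# Reads a `tar -tv` listing on stdin, prints one finding per line,
# returns 1 if anything unexpected was found and 0 otherwise.
audit_tar_listing() {
    found=""
    rc=0
    while read -r mode _owner _size _date _time name rest; do
        [ -n "$name" ] || continue
        if escapes_dir "$name"; then
            echo "path escapes package dir: $name"
            rc=1
            continue
        fi
        case "$mode" in
            d*) continue ;;                     # directories carry no payload
            l*|h*)                              # symlink / hard link
                target=${rest#-> }              # GNU/BusyBox symlink suffix
                target=${target#link to }       # GNU hard-link suffix
                if escapes_dir "$target"; then
                    echo "link $name -> $target leaves package dir"
                    rc=1
                fi ;;
            c*|b*|p*)                           # device nodes and fifos
                echo "special file in package: $name"
                rc=1 ;;
        esac
        n=${name#./}                            # compare without the leading ./
        found="$found $n"
        case " $EXPECTED_FILES " in
            *" $n "*) ;;
            *) echo "unexpected entry: $n"; rc=1 ;;
        esac
    done
    for f in $EXPECTED_FILES; do
        case " $found " in
            *" $f "*) ;;
            *) echo "expected file missing: $f"; rc=1 ;;
        esac
    done
    return $rc
}
```

A clean 2.1.0 package produces no output and exit status 0; a listing that adds `../../../etc/init.d/evil.sh`, a symlink to `/home/httpd/cgi-bin/authLogin.cgi`, or an extra script is reported line by line. The inventory is a fixed list, so it has to be updated for each Malware Remover release you audit.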
One-Time-Only Shell Script
QNAP relies solely on MalwareRemover.sh to kill the malware process, remove the related files, and report to [System Logs]. But it applies to this case only; it is not a modern antivirus with a scan engine separate from a virus database. I suggest you download MalwareRemover_2.1.0.qpkg and keep a copy in a safe place.
According to the Link service start/stop script step in qinstall.sh, the script is executed automatically on every restart or power-on through the symbolic link /etc/init.d/MalwareRemover.sh, which points to /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh.
Update: 2.1.1 Adds a Regular Scan at 3:00 AM Every Day
QNAP released a new minor version within 15 hours. I noticed more messages in the system log, and the script now also runs at 3:00 AM every day.
More Messages With the Scheduled Scan
After comparing the two versions of MalwareRemover.sh, I noticed that 2.1.1 has an extra variable, $ISCLEAN, and two more log messages: “[MalwareRemover] Scan completed.” and “[MalwareRemover] Scan completed and malware deleted.”.
These additions should be related to the new scheduled scan task.
Scheduled Scan Every Day
In package_routines, an extra entry has been added to cron. It scans at 3:00 AM every day. You will see a new scheduled task like this:
```
0 3 * * * /share/CACHEDEV1_DATA/.qpkg/MalwareRemover/MalwareRemover.sh start
```
What If My NAS Is Not Turned On at That Time
Don't worry: cron itself does not run jobs that were missed while the NAS was off, but MalwareRemover.sh will also be executed the next time you turn the NAS on, because of the symbolic link to it in /etc/init.d.
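Between the qpkg.conf entry, the /etc/init.d symlink and the cron line there are three places where this one-script remover can silently come unhooked (a disabled package after an upgrade, a link left pointing at an old Install_Path, a crontab regenerated without the entry). The following is an added example, not QNAP's code, that checks all three together. Paths are arguments so it can run against copies pulled off the NAS; on the NAS itself the intended call is `check_malware_remover /etc/config/qpkg.conf /etc/init.d /etc/config/crontab`, where the crontab location is an assumption (save `crontab -l` to a file if yours differs). qpkg_get does what `getcfg SECTION KEY -f /etc/config/qpkg.conf` does natively on QTS, in portable sed so it runs anywhere.

```shell
#!/bin/sh
# Added example, not QNAP's code: verify that Malware Remover is registered,
# enabled, and wired into both boot (init.d symlink) and cron, as described above.
# On the NAS (crontab path is an assumption):
#   check_malware_remover /etc/config/qpkg.conf /etc/init.d /etc/config/crontab

# Print the value of KEY in [SECTION] of an INI-style qpkg.conf; empty if absent.
# Portable stand-in for QTS's: getcfg SECTION KEY -f /etc/config/qpkg.conf
qpkg_get() {   # qpkg_get FILE SECTION KEY
    sed -n "/^\[$2\]/,/^\[/p" "$1" | sed -n "s/^$3 *= *//p" | head -n 1
}

# Returns 0 when everything is in place; otherwise prints the first problem and returns 1.
check_malware_remover() {   # check_malware_remover QPKG_CONF INITD_DIR CRONTAB_FILE
    conf=$1; initd=$2; crontab=$3
    shell=$(qpkg_get "$conf" MalwareRemover Shell)
    path=$(qpkg_get "$conf" MalwareRemover Install_Path)
    enable=$(qpkg_get "$conf" MalwareRemover Enable)

    [ -n "$shell" ] || { echo "no [MalwareRemover] section in $conf"; return 1; }
    [ "$shell" = "$path/MalwareRemover.sh" ] || { echo "Shell ($shell) is not inside Install_Path ($path)"; return 1; }
    [ "$enable" = "TRUE" ] || { echo "package is disabled (Enable = $enable)"; return 1; }
    [ -x "$shell" ] || { echo "removal script missing or not executable: $shell"; return 1; }

    # Boot-time hook: /etc/init.d/MalwareRemover.sh must be a symlink to the script.
    link="$initd/MalwareRemover.sh"
    [ -L "$link" ] || { echo "no init.d symlink at $link"; return 1; }
    [ "$(readlink "$link")" = "$shell" ] || { echo "init.d symlink points elsewhere: $(readlink "$link")"; return 1; }

    # Daily scan added in 2.1.1: the exact crontab line, matched as a whole fixed string.
    grep -qxF "0 3 * * * $shell start" "$crontab" || { echo "no 03:00 cron entry for $shell"; return 1; }

    echo "Malware Remover $(qpkg_get "$conf" MalwareRemover Version): registered, enabled, boot hook and daily scan present"
    return 0
}
```

The checks are ordered so the first failure is the one to fix first: an entry that is absent or disabled explains a missing symlink, and a missing symlink explains a NAS that never ran the remover at boot.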
Update: 2.1.2 Removes Another Malware
QNAP released another minor version after 8 days. It removes more malware this time. I noticed a lot of new code in MalwareRemover.sh.
I noticed it needs to identify the model and assign a DEV_NAS_CONFIG value. Here is an example for the TS-269H:
```sh
if [ x`/sbin/getcfg system model -f /etc/default_config/uLinux.conf` = xTS-269H ]; then
    DEV_NAS_CONFIG=/dev/mmcblk0p6
fi
```
Remove Another Malware
It also takes the following actions when the malware is detected:
Rename a file:
- Rename /home/httpd/cgi-bin/QauthLogin.cgi to /home/httpd/cgi-bin/authLogin.cgi
And kill some processes:
```sh
pid=`lsof | grep qcloud_ag | tr -s " " | cut -d' ' -f2 | uniq`
for p in $pid; do
    ISCLEAN="N"
    kill -9 $p > /dev/null 2>&1
    /sbin/write_log "[MalwareRemover] Malwares process killed: qcloud_ag ($p)" 4
done
```
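One thing to be aware of with the kill loop above: `grep qcloud_ag` matches the string anywhere on the lsof line, not just in the COMMAND column, so any process that merely has a path containing qcloud_ag open (a `less` or editor session inspecting the sample, a backup job) is selected and sent `kill -9` as well. The following is an added example, not QNAP's code, that runs the page's pipeline verbatim and a stricter selector anchored on lsof's COMMAND column over the same listing. SAMPLE_LSOF is constructed, not captured from a NAS; it follows lsof's default column order (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME), which is also what the script's `cut -d' ' -f2` assumes.

```shell
#!/bin/sh
# Added example, not QNAP's code: compare the PID selection used by the 2.1.2
# kill loop with one that only matches lsof's COMMAND column.
# SAMPLE_LSOF is constructed to look like default `lsof` output; on the NAS,
# replace `printf '%s\n' "$SAMPLE_LSOF"` with `lsof`.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
qcloud_ag  1234 admin  txt    REG    8,1    60120   4711 /mnt/ext/opt/qcloud_ag
qcloud_ag  1234 admin    3u   IPv4  12345      0t0    TCP 10.0.0.5:51234->203.0.113.7:8080 (ESTABLISHED)
less       2001 admin    4r   REG    8,1    60120   4711 /mnt/ext/opt/qcloud_ag
sshd        900 root   txt    REG    8,1   812344   2200 /usr/sbin/sshd'

# The page's pipeline, unchanged, reading the listing from stdin instead of lsof.
# The `less` row matches because its NAME column contains the string, so PID 2001
# would be killed along with the malware.
pids_by_grep() {
    grep qcloud_ag | tr -s " " | cut -d' ' -f2 | uniq
}

# Stricter selection: only rows whose COMMAND column is the malware's name.
# sort -un also de-duplicates PIDs that are not adjacent, which uniq alone misses.
pids_by_command() {
    awk '$1 == "qcloud_ag" { print $2 }' | sort -un
}

# Run a selector over the sample and return the PIDs as one space-separated line.
pids_line() {   # pids_line SELECTOR_FUNCTION
    printf '%s\n' "$SAMPLE_LSOF" | "$1" | tr '\n' ' ' | sed 's/ $//'
}
```

pids_by_grep returns `1234 2001` for the sample; pids_by_command returns `1234`. The stricter selector still depends on lsof's default COMMAND width, which truncates names longer than nine characters (qcloud_ag is exactly nine), so check the column on your NAS before relying on it.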
Update: 2.1.3 Is a Fix for the TS-269H Only
The solution is to roll back to 2.1.1. tcbyxx shared his experience in comment #63 of this post as below:
I noticed just a few differences in MalwareRemover.sh.
In 2.1.2, the following line:
```sh
/sbin/ldd /home/httpd/cgi-bin/authLogin.cgi >/dev/null 2>&1
```
has been replaced in 2.1.3 by:
```sh
LDD=`which ldd`
$LDD /home/httpd/cgi-bin/authLogin.cgi >/dev/null 2>&1
```
Note that the new form has no fallback: if `which ldd` finds nothing, $LDD expands to an empty string and the second line executes /home/httpd/cgi-bin/authLogin.cgi itself instead of inspecting it with ldd.
References
- Admin's Choice: Crontab – Quick Reference
- Check And Solve If Your QNAP NAS Has been Injected a CPUMiner Program
- GitBook: QDK – QPKG Development Kit
- GitBook: QDK Quick Start Guide
- GitHub: QDK
- HKEPC: [Help] QNAP got malware ([求救] QNAP 中咗malware)
- Mobile01: QNAP users beware! QTS 4.3.3 has been implanted with an XMR mining trojan; do not upgrade yet! (QNAP用戶注意！ QTS 4.3.3 被植入XMR挖礦木馬，建議先不要升級！)
- nixCraft: Unpacking or uncompressing gz files under Linux and UNIX systems
- QNAP Forum: disk_manage.cgi hogging CPU usage
- QNAP: Malware Remover 2.1.0
- QNAP: Malware Remover 2.1.3
- QNAP: QDK 2.2.14
- QNAP: QTS
- QNAP: TS-269H
- Wikipedia: ARM architecture
- Wikipedia: Cron
- Wikipedia: ldd (Unix)
- Wikipedia: Secure Shell
- Wikipedia: Shell script
- Wikipedia: vi
- Wikipedia: which (Unix)
- Wikipedia: x86-64