hacked resource Monitor

Questions pertaining to Power settings, Auto Block, Permissions, User Quotas and Email alerts may be posted here.
Forum rules
1) This is a user forum for Synology users to share experience/help out each other: if you need direct assistance from the Synology technical support team, please use the following form:
https://myds.synology.com/support/suppo ... p?lang=enu
2) To avoid putting users' DiskStation at risk, please don't paste links to any patches provided by our Support team as we will systematically remove them. Our Support team will provide the correct patch for your DiskStation model.

Attacked by a virus, please help

Postby jayce996 » Wed Jan 15, 2014 9:49 pm

Hello everyone,

I've been attacked by someone.
Yesterday I discovered that my CPU was running at 100% for no reason. By looking at the processes I found a process dedicated to bitcoin mining. I killed it, deleted the folders pointing to it, and upgraded my Syno to the latest version, 4.3.
Today I still have my CPU running at 100%. Doing a TOP, I have the following:
Code:
11334     1 root     S    29332  5.7 83.3 /sbin/syslog-ng --module-path=/lib/syslogmod --pidfile=/var/run/syslogng.pid
 5515     2 root     SW       0  0.0  0.6 [nfsd]
 5514     2 root     SW       0  0.0  0.6 [nfsd]
13605  5401 root     S    29800  5.8  0.2 /usr/syno/sbin/smbd -D
 5366     1 root     S    21880  4.2  0.2 /usr/syno/sbin/nmbd -D
24834 24010 root     R     4148  0.8  0.2 top
 5513     2 root     SW       0  0.0  0.2 [nfsd]
 8306     1 root     S    63140 12.3  0.0 /var/packages/VideoStation/target/sbin/synovpcd
 5120  5022 admin    S    34456  6.7  0.0 postgres: admin synolog [local] idle
 5022     1 admin    S    33768  6.6  0.0 /usr/syno/pgsql/bin/postgres -D /var/services/pgsql --config_file=/usr/syno/pgsql/etc/postgresql.conf --hba_file=/usr/
 5028  5022 admin    S    33768  6.6  0.0 postgres: writer process
 5029  5022 admin    S    33768  6.6  0.0 postgres: wal writer process
 5247     1 root     S N  33244  6.4  0.0 /usr/syno/sbin/synoindexd
 8297     1 root     S N  32688  6.3  0.0 /var/packages/VideoStation/target/sbin/synovideometadatad
 8289     1 root     S N  32676  6.3  0.0 /var/packages/VideoStation/target/sbin/synovideoindexd
 5252     1 root     S N  28548  5.5  0.0 /usr/syno/bin/synomkthumbd
 5553     1 root     S N  28544  5.5  0.0 /usr/syno/sbin/synomkflvd
 5401     1 root     S    28448  5.5  0.0 /usr/syno/sbin/smbd -D
 5414  5401 root     S    28448  5.5  0.0 /usr/syno/sbin/smbd -D
23991  5594 root     S    19564  3.8  0.0 sshd: root@pts/1
 3151     1 root     S    18124  3.5  0.0 scemd
10345     1 root     S    16148  3.1  0.0 /var/packages/VideoStation/target/bin/synodtv start
10356     1 root     S    16148  3.1  0.0 /var/packages/VideoStation/target/bin/synodtv start
 4769     1 root     S    14832  2.9  0.0 /usr/syno/sbin/snmpd -Ln -c /usr/syno/etc/snmpd.conf -p /var/run/snmpd.pid udp:161,udp6:161,tcp:161,tcp6:161
 5745     1 root     S    14176  2.7  0.0 /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd-webdav.conf-sys
 5770  5745 root     S    14176  2.7  0.0 /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd-webdav.conf-sys
 5771  5745 root     S    14176  2.7  0.0 /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd-webdav.conf-sys
13615  5643 root     S    13976  2.7  0.0 /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
13895  5643 root     S    13808  2.7  0.0 /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
17777  5643 root     S    13808  2.7  0.0 /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
18468  5643 root     S    13808  2.7  0.0 /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
21470  5643 root     S    13808  2.7  0.0 /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
24075  5643 root     S    13808  2.7  0.0 /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 5744  5691 nobody   S    13708  2.6  0.0 /usr/syno/apache/bin/httpd -DSSL
 5743  5691 nobody   S    13708  2.6  0.0 /usr/syno/apache/bin/httpd -DSSL
 5691     1 root     S    13560  2.6  0.0 /usr/syno/apache/bin/httpd -DSSL
 5742  5691 nobody   S    13560  2.6  0.0 /usr/syno/apache/bin/httpd -DSSL
11707  5691 nobody   S    13560  2.6  0.0 /usr/syno/apache/bin/httpd -DSSL
 5643     1 root     S    13556  2.6  0.0 /usr/syno/apache/bin/httpd -DSSL -f /usr/syno/apache/conf/httpd.conf-sys
 4771     1 root     S    13440  2.6  0.0 /usr/syno/sbin/ddnsd
 5237     1 root     S N  13140  2.5  0.0 /usr/syno/sbin/fileindexd

What can I do, and how?
The process concerned is called https_armv5tel
and doing a ps | grep https_armv5tel, I get:
26126 root 4076 S grep https_armv5tel

Thank you in advance for your help!
jayce996 (Trainee) | Posts: 18 | Joined: Tue Apr 10, 2012 9:42 pm

Re: Attacked by a virus, please help

Postby jayce996 » Thu Jan 16, 2014 9:56 am

Hi there,
Nobody can help me or redirect me to another place where I can find support?
Where is the crontab located?
How can I clean everything?
What can I do to prevent this again?
And so on.
I'm really worried about my personal data and my server in general.
Thank you in advance.
jayce996 (Trainee) | Posts: 18 | Joined: Tue Apr 10, 2012 9:42 pm

Re: Attacked by a virus, please help

Postby Pesho_t » Thu Jan 16, 2014 8:41 pm

Hi,

I've noticed my CPU usage being 100% constantly, with the same symptoms as you:

"top" says high usage by the syslog-ng process and DSM's resource manager shows https_armv5tel.

I don't have a solution yet, but if I do find something I'll be sure to post it here. Please do the same :)

How did you find out the process is mining for bitcoin?
Pesho_t (I'm New!) | Posts: 3 | Joined: Thu Jan 16, 2014 8:37 pm

Re: Attacked by a virus, please help

Postby jayce996 » Thu Jan 16, 2014 9:57 pm

Hi, thank you, I thought I was alone with this.
Regarding the bitcoin mining stuff, before having this https_armv5tel I found this process running:
/usr/bin/https -o stratum+tcp://178.254.23.132:3333 -O foilo.root3:test
In the meantime, if someone wants to kill & destroy this machine I would be thankful.
By looking at where this IP is, I found that it was in Germany.
(I'm in France...)
jayce996 (Trainee) | Posts: 18 | Joined: Tue Apr 10, 2012 9:42 pm

Re: Attacked by a virus, please help

Postby Pesho_t » Thu Jan 16, 2014 10:27 pm

Interesting, there was an update available (4.3 3810 Update 4), I applied it and now both processes hogging the CPU are gone. Is your NAS up to date?

The reason I don't believe this has anything to do with bitcoin mining is that the processor in the NAS is very weak for the calculations required to mine, and even if it wasn't, CPU mining is surpassed by GPU and ASIC mining by far.

I'm not too sure what to suggest. If you've got SSH enabled, connect to it and check the running processes (ps -w). Grep for syslog, after the update I only have "/usr/sbin/syslog-ng -F" running. If you have any other instances running, you can try killing them (with -9 just in case) but I don't know how this can affect your NAS. Maybe someone with more experience can comment?

You can check what's connected to it with "netstat". However, blocking any addresses which aren't familiar to you won't guarantee safety, as if you've really been attacked then the addresses you see are probably just machines hackers use to mask their true location.

Make sure your NAS is secure, disable your admin account, change the SSH port to something other than 22, enable auto-block for IPs (I've set mine to block anything with 3 login failures a minute) etc.
Pesho_t (I'm New!) | Posts: 3 | Joined: Thu Jan 16, 2014 8:37 pm
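
One way to automate the triage described in the post above (check the process list, grep for syslog-ng, look for the https_* name), as an added example that is not from this thread or from Synology. It assumes BusyBox "top" output in the column layout quoted in the first post (with an assumed fallback for the "ps -w" layout), takes the legitimate syslog-ng command line from the post, and runs on a constructed sample with a placeholder pool host.

```shell
#!/bin/sh
# Added example (not from the thread). Triage a BusyBox "top -b -n1" listing
# (PID PPID USER STAT VSZ %MEM %CPU COMMAND, as quoted in the first post) for the
# three symptoms described in this thread. The sample below is constructed;
# on the NAS, run:  top -b -n1 | flag_suspicious   (or: ps -w | flag_suspicious)

# Command line of the legitimate daemon on the patched system (from the thread).
LEGIT_SYSLOG='/usr/sbin/syslog-ng -F'

# Reads process lines on stdin, prints "REASON<TAB>PID<TAB>COMMAND" per hit.
flag_suspicious() {
    awk -v legit="$LEGIT_SYSLOG" '
        $1 !~ /^[0-9]+$/ { next }          # skip header and blank lines
        {
            # The command starts after the %MEM %CPU pair; locating that pair
            # instead of using a fixed column copes with STAT printed as "S N".
            s = 0
            for (i = 2; i < NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+$/ && $(i+1) ~ /^[0-9]+\.[0-9]+$/) { s = i + 2; break }
            if (s == 0) s = 5              # assumed "ps -w" layout: PID USER VSZ STAT COMMAND
            if (s > NF) next
            cmd = $s
            for (i = s + 1; i <= NF; i++) cmd = cmd " " $i
            reason = ""
            if (cmd ~ /stratum[+]tcp:\/\//)
                reason = "miner-pool-uri"          # mining pool on the command line
            else if (cmd ~ /^\/usr\/bin\/https( |$)/ || cmd ~ /^https_[a-z0-9_]+( |$)/)
                reason = "fake-https-binary"       # name DSM showed in Resource Monitor
            else if (cmd ~ /syslog-ng/ && cmd != legit)
                reason = "syslog-ng-impostor"      # syslog-ng from the wrong path / extra args
            if (reason != "") printf "%s\t%s\t%s\n", reason, $1, cmd
        }'
}

# Constructed sample: one clean syslog-ng, the impostor, a miner with a
# placeholder pool host, a "S N" stat line, and the grep that matches itself.
SAMPLE='  PID  PPID USER     STAT   VSZ %MEM %CPU COMMAND
11334     1 root     S    29332  5.7 83.3 /sbin/syslog-ng --module-path=/lib/syslogmod --pidfile=/var/run/syslogng.pid
 4100     1 root     S    21000  4.1  0.0 /usr/sbin/syslog-ng -F
 5247     1 root     S N  33244  6.4  0.0 /usr/syno/sbin/synoindexd
 4200     1 root     S     8000  1.5 95.0 /usr/bin/https -o stratum+tcp://pool.invalid:3333 -O worker:x
 4300     1 root     S     8000  1.5 90.0 https_armv5tel
26126 24010 root     S     4076  0.8  0.1 grep https_armv5tel'

printf '%s\n' "$SAMPLE" | flag_suspicious
```

Note that the grep line from the first post is not flagged: a `ps | grep name` always matches its own grep, which is why the checks anchor on the start of the command rather than on a substring.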

Re: Attacked by a virus, please help

Postby jayce996 » Thu Jan 16, 2014 11:20 pm

So, yes, I did the upgrade to the latest version of the DSM.
Regarding the syslog, I'm now with you, only one running, but I assume that some will restart during the night.
I did a netstat too, and I found:
Code:
tcp        0      0 SYNODS411:57960         xx-xxx-87-148.HINET-IP.hinet.net:https TIME_WAIT
tcp        0      0 SYNODS411:56945         xx-xxx-41-250.HINET-IP.hinet.net:81 TIME_WAIT
tcp        0      0 SYNODS411:50702         ukc1.synology.com:8888  ESTABLISHED

How can I prevent this?
By disabling your admin account, you mean keep only the root one and disable my user account, which is admin too?
Auto-block is set to 2 failures in 10 minutes.
Regarding the SSH port 22, I didn't find where to change it.
Anyway, THANK YOU so much.

Update: these HINET hosts seem to be DDNS servers checking my NAS's IP over the net.
jayce996 (Trainee) | Posts: 18 | Joined: Tue Apr 10, 2012 9:42 pm

Re: Attacked by a virus, please help

Postby Pesho_t » Thu Jan 16, 2014 11:43 pm

I had one of those IPs from HINET appear too, but it's now gone. HINET seems to be a Taiwanese telecom: http://en.wikipedia.org/wiki/Chunghwa_Telecom. I didn't like when I saw this and if you want you can probably block traffic from that domain on your router. I assume the synology.com is safe.

About disabling the account, see this page: http://www.synology.com/en-uk/support/tutorials/478. It will explain this to you and some extra steps to ensure better security on your NAS.

Regarding the SSH port, open up /etc/ssh/sshd_config with a text editor (vi is a good command line editor, but it's not very friendly if you've not used it before), remove the # sign before the "Port xxxx" line (xxxx will be a number), delete the number and enter a new one. Beware, you may choose a port that is used by a common application. Double check this list http://en.wikipedia.org/wiki/List_of_TC ... rt_numbers to ensure the new port number won't interfere with any other traffic on your network.

EDIT: You'll need to edit the sshd_config file with superuser permissions. When you save the file you need to restart the SSH daemon. Easiest way is from control panel in DSM, disable SSH and then reenable it again.

EDIT2: Never ever ever enable telnet unless it's absolutely necessary. It is very insecure. I was very careless once, disabled superuser privileges on all accounts via SSH and had to reenable it using telnet. I only had it enabled for a few minutes as there was no other way to do what had to be done.
Pesho_t (I'm New!) | Posts: 3 | Joined: Thu Jan 16, 2014 8:37 pm

Re: Attacked by a virus, please help

Postby 1of7 » Sun Jan 19, 2014 12:35 am

jayce996 wrote:Hi, thank you, I thought I was alone with this.
Regarding the bitcoin mining stuff, before having this https_armv5tel I found this process running:
/usr/bin/https -o stratum+tcp://178.254.23.132:3333 -O foilo.root3:test
In the meantime, if someone wants to kill & destroy this machine I would be thankful.
By looking at where this IP is, I found that it was in Germany.
(I'm in France...)

I also noticed my CPU running at 100%. 4 processes reported in DSM as https_x86_84 and listed in top as syslog-ng.
I also had a connection to that same German IP, 1 of the Taiwanese IPs listed, and another which appears to be in Singapore (I think this one may be related to NTP, but I don't know why I'd be getting that from Singapore instead of somewhere closer.)
1of7 (I'm New!) | Posts: 2 | Joined: Sun Jan 19, 2014 12:24 am

Re: Attacked by a virus, please help

Postby ydna » Sun Jan 19, 2014 3:54 am

Hi jayce996,
Have you ever contacted Synology support through the following channel?
It's the official way to get help from our dedicated team.
Please note the forum is designed for discussion and information exchange.

Please submit a support form via the link below for quickest support:
https://myds.synology.com/support/support_form.php?lang=enu
ydna (Synology Inc) | Posts: 56 | Joined: Wed Jun 20, 2007 4:24 am

Re: Attacked by a virus, please help

Postby 1of7 » Mon Jan 20, 2014 12:40 pm

Pesho_t wrote:I had one of those IPs from HINET appear too, but it's now gone. HINET seems to be a Taiwanese telecom: http://en.wikipedia.org/wiki/Chunghwa_Telecom. I didn't like when I saw this and if you want you can probably block traffic from that domain on your router. I assume the synology.com is safe.
Oddly, HINET also apparently hosts a mirror of these forums at http://59-124-41-244.hinet-ip.hinet.net/enu/. I initially found this thread on their site and almost registered there before I realized it wasn't the correct URL.
1of7 (I'm New!) | Posts: 2 | Joined: Sun Jan 19, 2014 12:24 am

Re: Attacked by a virus, please help

Postby jayce996 » Mon Jan 20, 2014 2:42 pm

Hello,

I did make this request to Synology, but I didn't think this would be handled by them.
I just received an answer a few minutes ago, and will deal with them and keep you posted.
Anyway, since Update 4 and the help you gave me, it seems that now it is better.
jayce996 (Trainee) | Posts: 18 | Joined: Tue Apr 10, 2012 9:42 pm

Re: Attacked by a virus, please help

Postby garbelini » Sun Jan 26, 2014 2:19 pm

Same here.
Had connections to both HINET and earlier today connections to http://rv1782.1blu.de/
Killed the https_armv5tel process and moved the file somewhere else.

I had the default admin account still enabled and some 3rd party apps running so God knows how they got in.
Also had SSH on all the time. I will be enabling this on demand from now on and maybe try to disable password auth and rely only on trusted keys for login.

Any more answers from Synology?

Will probably move to reinstall everything since once things get compromised like this it's hard to get back to safety.
garbelini (I'm New!) | Posts: 1 | Joined: Sun Jan 26, 2014 2:08 pm

Re: Attacked by a virus, please help

Postby maxxfi » Tue Jan 28, 2014 11:17 am

garbelini wrote:Same here.
Had connections to both HINET and earlier today connections to http://rv1782.1blu.de/
Killed the https_armv5tel process and moved the file somewhere else.

Which version of DSM are you running? If you have 4.3 did you apply the latest updates (which include security fixes)?
DS-411 (DSM 4.3-3827u5) w/ 2x WD20EFRX + 1x WD10EFRX
DS-106j (DSM 3.0-1357), PATA-to-SATA adapter, 2.5" HM250HI
maxxfi (Programmer) | Posts: 5789 | Joined: Sun Dec 27, 2009 12:13 pm | Location: Espoo, Finland

CPU usage 100%

Postby addpeople-james » Thu Jan 30, 2014 1:50 pm

Hello,

We have a DS1812 8-bay NAS box running DSM 4.1 in our business environment.

I use group policy to redirect staff "My Documents" folders to the NAS box.

My CPU usage on the NAS is constantly at 100%. Using resource monitor I can see the following values:

User = 3%
System = 96%
I/O Wait = 1%

While the CPU is at 100% the NAS box is almost unusable and people find connecting to the NAS box to save/retrieve files near impossible.

I urgently need to know how I can diagnose what is causing this issue and then how to fix it. Although we have 90 staff using a mixture of My Documents and shared network drives, I would have expected the NAS box to be able to handle this.

Please help, as I'm getting a lot of stick from bosses / managers etc. about this issue.
Thanks
addpeople-james (Trainee) | Posts: 16 | Joined: Wed Nov 14, 2012 4:24 pm

Re: CPU usage 100% makes NAS box unusable.

Postby synology_ukman » Thu Jan 30, 2014 4:20 pm

So under Resource Monitor > Process, what processes are using CPU?
synology_ukman (Experienced) | Posts: 121 | Joined: Fri Oct 26, 2012 4:51 pm