Synology Hacked, Trojan IptabLes IptabLex

Postby pneves » Mon May 12, 2014 11:38 am

Hi,

I was getting a lot of random traffic on my router and decided to investigate.
So far I conclude that the traffic comes from 2 files:
/usr/.IptabLes
/usr/.IptabLex
I am not sure how these files got there.
I don't see much information online about this malware.

This Synology had ports 22 and 5000 open to the outside, because Synology support was solving an issue I had.
Apart from that only the 9901 VideoStation port is open.

You can see the information I have gathered so far:
Code:
vs02> ls -al
drwxr-xr-x    8 root     root          4096 May 11 20:09 .
drwxr-xr-x   24 root     root          4096 May 11 20:09 ..
-r----x--t    1 root     root       1103207 May 11 20:09 .IptabLes
-r----x--t    1 root     root        722392 May 11 20:09 .IptabLex
drwxr-xr-x    2 root     root          4096 Apr  2 20:51 bin
lrwxrwxrwx    1 root     root             4 Apr  2 20:38 lib -> /lib
lrwxrwxrwx    1 root     root             6 Apr  2 20:38 lib64 -> /lib64
drwxr-xr-x   16 root     root          4096 Apr  2 20:38 libexec
drwxr-xr-x    7 root     root          4096 Apr  2 20:56 local
drwxr-xr-x    2 root     root          4096 Apr  2 20:38 sbin
drwxr-xr-x   10 root     root          4096 Apr  2 20:38 share
drwxr-xr-x   27 root     root          4096 Apr  2 20:38 syno
vs02> pwd
/usr
vs02> ps -w | grep IptabLe
21048 root      1220 S    /usr/.IptabLes
21070 root       856 S    /usr/.IptabLex
21081 root      3816 S    grep IptabLe
31977 root       856 S    /usr/.IptabLex
31979 root      1220 S    /usr/.IptabLes
vs02>


Random connections are generated.
I blocked the traffic from this Synology to any IP on ports 53 and 666.
Code:
vs02> netstat -nape | grep IptabLes
tcp        0      1 10.1.1.14:36089         119.145.148.56:666      SYN_SENT    20389/.IptabLes
vs02> netstat -nape | grep IptabLes
tcp        0      1 10.1.1.14:36089         119.145.148.56:666      SYN_SENT    20389/.IptabLes
vs02> netstat -nape | grep IptabLes
vs02> netstat -nape | grep IptabLes
vs02> netstat -nape | grep IptabLes
udp        0      0 0.0.0.0:51152           0.0.0.0:*                           20595/.IptabLes
vs02> netstat -nape | grep IptabLes
udp        0      0 0.0.0.0:51152           0.0.0.0:*                           20595/.IptabLes
vs02> netstat -nape | grep IptabLes
tcp        0      1 10.1.1.14:34365         112.33.19.8:666         SYN_SENT    20595/.IptabLes
vs02> netstat -nape | grep IptabLes
tcp        0      1 10.1.1.14:34365         112.33.19.8:666         SYN_SENT    20595/.IptabLes
vs02> netstat -nape | grep IptabLes
tcp        0      1 10.1.1.14:34365         112.33.19.8:666         SYN_SENT    20595/.IptabLes
vs02> netstat -nape | grep IptabLes ;date
Mon May 12 12:14:26 CEST 2014
vs02> netstat -nape | grep IptabLes ;date
tcp        0      1 10.1.1.14:35443         122.228.242.51:666      SYN_SENT    20595/.IptabLes
Mon May 12 12:14:29 CEST 2014
vs02> netstat -nape | grep IptabLes ;date
tcp        0      1 10.1.1.14:35443         122.228.242.51:666      SYN_SENT    20595/.IptabLes
Mon May 12 12:14:32 CEST 2014
vs02> netstat -nape | grep IptabLes ;date
tcp        0      1 10.1.1.14:35443         122.228.242.51:666      SYN_SENT    20595/.IptabLes
Mon May 12 12:14:34 CEST 2014
vs02> netstat -nape | grep IptabLes ;date
Mon May 12 12:14:38 CEST 2014
vs02> netstat -nape | grep IptabLes ;date
Mon May 12 12:14:40 CEST 2014
vs02> netstat -nape | grep IptabLes ;date
tcp        0      1 10.1.1.14:58164         59.63.167.167:666       SYN_SENT    20595/.IptabLes
Mon May 12 12:14:43 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:36720         119.145.148.56:666      SYN_SENT    20595/.IptabLes
Mon May 12 12:14:59 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:36720         119.145.148.56:666      SYN_SENT    20595/.IptabLes
Mon May 12 12:15:01 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:55258         119.145.148.76:666      SYN_SENT    20613/.IptabLex
Mon May 12 12:15:04 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:55258         119.145.148.76:666      SYN_SENT    20613/.IptabLex
udp        0      0 0.0.0.0:43193           0.0.0.0:*                           20832/.IptabLes
Mon May 12 12:15:08 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
udp        0      0 0.0.0.0:43193           0.0.0.0:*                           20832/.IptabLes
Mon May 12 12:15:11 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
udp        0      0 0.0.0.0:43193           0.0.0.0:*                           20832/.IptabLes
Mon May 12 12:15:14 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:55389         119.145.148.76:666      SYN_SENT    20860/.IptabLex
udp        0      0 0.0.0.0:43193           0.0.0.0:*                           20832/.IptabLes
Mon May 12 12:15:17 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:34994         112.33.19.8:666         SYN_SENT    20832/.IptabLes
tcp        0      1 10.1.1.14:55389         119.145.148.76:666      SYN_SENT    20860/.IptabLex
Mon May 12 12:15:20 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:34994         112.33.19.8:666         SYN_SENT    20832/.IptabLes
tcp        0      1 10.1.1.14:55389         119.145.148.76:666      SYN_SENT    20860/.IptabLex
Mon May 12 12:15:22 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:34994         112.33.19.8:666         SYN_SENT    20832/.IptabLes
Mon May 12 12:15:25 CEST 2014
vs02>



This is the info I found about this Trojan.
http://www.ebel-computing.de/JSPWiki/Wiki.jsp?page=VServer%20Trojan
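The three checks the post above performs by hand (hidden dot-file executables under /usr, root processes started from them, outbound connection attempts to port 666) written up as one shell triage script. This is an added example, not code from the thread or from Synology; it assumes a busybox-style /bin/sh with awk, find and netstat, as found on DSM. The netstat and ps samples are constructed from the output shown in the post, not captured live, and the directory built by demo_hidden_execs is a throwaway created for the demonstration.

```shell
#!/bin/sh
# Triage helpers for the IptabLes/IptabLex symptoms in the post above.
# Example code, not from the thread; assumes busybox-style sh, awk, find,
# netstat (as on DSM).

# --- 1. sockets to a given remote port --------------------------------------
# Reads "netstat -nape" output on stdin; prints "pid program remote" for every
# socket whose remote port is $1 (default 666).  The pid/program column is the
# last field on both tcp lines (which have a State column) and udp lines
# (which do not), so $NF works for both.  The remote port is taken after the
# last ':' so IPv6 addresses do not break the split.
c2_connections() {
    port="${1:-666}"
    awk -v port="$port" '
        $1 ~ /^(tcp|udp)/ && $NF ~ /^[0-9]+\// {
            n = split($5, r, ":"); rport = r[n]
            if (rport == port) {
                split($NF, p, "/")
                print p[1], p[2], $5
            }
        }'
}

# --- 2. processes started from a hidden dot-file ----------------------------
# Reads "ps -w" output (busybox columns: PID USER VSZ STAT COMMAND) and flags
# any process whose command path ends in "/.name", as /usr/.IptabLes does.
# The "grep IptabLe" line from the post is not matched: its command is grep.
hidden_procs() {
    awk '$5 ~ /^\/.*\/\.[^\/]+$/ { print $1, $5 }'
}

# --- 3. hidden files with any execute bit in one directory ------------------
# root executes a file if *any* execute bit is set, so do not stop at the
# owner bit: the files in the post are -r----x--t, with no owner x at all.
find_hidden_execs() {
    find "$1" -maxdepth 1 -type f -name '.*' \
        \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

# Constructed samples modelled on the output in the post (not captured live).
SAMPLE_NETSTAT='tcp        0      1 10.1.1.14:34994         112.33.19.8:666         SYN_SENT    20832/.IptabLes
tcp        0      1 10.1.1.14:55389         119.145.148.76:666      SYN_SENT    20860/.IptabLex
tcp        0      0 10.1.1.14:22            10.1.1.2:51234          ESTABLISHED 1234/sshd
udp        0      0 0.0.0.0:43193           0.0.0.0:*                           20832/.IptabLes'

SAMPLE_PS='  PID USER       VSZ STAT COMMAND
21048 root      1220 S    /usr/.IptabLes
21070 root       856 S    /usr/.IptabLex
21081 root      3816 S    grep IptabLe
 1234 root      2100 S    /usr/syno/sbin/synoscgi'

# Builds a throwaway directory holding a constructed hidden executable with
# mode 0411 (r----x--x, no owner execute bit) and two decoys, runs
# find_hidden_execs on it and prints only the basenames it flagged.
demo_hidden_execs() {
    d=$(mktemp -d) || return 1
    : > "$d/.IptabLes"; chmod 0411 "$d/.IptabLes"   # hidden + executable: flagged
    : > "$d/.profile";  chmod 0644 "$d/.profile"    # hidden, not executable: ignored
    : > "$d/busybox";   chmod 0755 "$d/busybox"     # executable, not hidden: ignored
    find_hidden_execs "$d" | sed 's#.*/##'
    rm -rf "$d"
}

# On the NAS itself, feed the live commands instead of the samples:
#   netstat -nape | c2_connections 666
#   ps -w         | hidden_procs
#   find_hidden_execs /usr
echo "== sockets to remote port 666 =="
printf '%s\n' "$SAMPLE_NETSTAT" | c2_connections 666
echo "== processes started from hidden files =="
printf '%s\n' "$SAMPLE_PS" | hidden_procs
echo "== hidden executables in a constructed directory =="
demo_hidden_execs
```

The SYN_SENT state on every port-666 socket in the post means the connect never completed, which is consistent with the outbound block the poster put in place; the same filter with port 53 shows whether the DNS block is also catching anything. Removing the two files and killing the processes is not enough on its own: the post shows new PIDs appearing over time, so the persistence mechanism has to be found as well, and the poster's eventual fix was a DSM upgrade.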

Re: Synology Hacked, Trojan IptabLes IptabLex

Postby pneves » Mon May 12, 2014 4:52 pm

Although I don't know where I got it from, after upgrading the DSM the Trojan disappeared.
Hopefully I won't see it again.

If someone had a similar experience, please post here.
It would be nice to know how this happened.

Thanks,

Pedro

Re: Synology Hacked, Trojan IptabLes IptabLex

Postby hacktron » Thu Jun 19, 2014 2:20 am

Hi, I also have a lot of random traffic from 119.145.148.76.

I have yet to resolve it and came across your post while searching for the IP.

What was your site for? I want to know to see if it's similar to mine or not.

Thanks
