synology Hacked , Trojan IptabLes IptabLex



Postby pneves » Mon May 12, 2014 11:38 am

Hi,

I was getting a lot of random traffic on my router and decided to investigate.
So far I conclude that the traffic comes from 2 files:
/usr/.IptabLes
/usr/.IptabLex
I am not sure how these files got there.
I don't see much information online about this Malware.

This Synology had ports 22 and 5000 open to the outside, because Synology support was solving an issue I had.
Apart from that only the VideoStation port 9901 is open.

You can see the information I gathered so far:
Code:
vs02> ls -al
drwxr-xr-x    8 root     root          4096 May 11 20:09 .
drwxr-xr-x   24 root     root          4096 May 11 20:09 ..
-r----x--t    1 root     root       1103207 May 11 20:09 .IptabLes
-r----x--t    1 root     root        722392 May 11 20:09 .IptabLex
drwxr-xr-x    2 root     root          4096 Apr  2 20:51 bin
lrwxrwxrwx    1 root     root             4 Apr  2 20:38 lib -> /lib
lrwxrwxrwx    1 root     root             6 Apr  2 20:38 lib64 -> /lib64
drwxr-xr-x   16 root     root          4096 Apr  2 20:38 libexec
drwxr-xr-x    7 root     root          4096 Apr  2 20:56 local
drwxr-xr-x    2 root     root          4096 Apr  2 20:38 sbin
drwxr-xr-x   10 root     root          4096 Apr  2 20:38 share
drwxr-xr-x   27 root     root          4096 Apr  2 20:38 syno
vs02> pwd
/usr
vs02> ps -w | grep IptabLe
21048 root      1220 S    /usr/.IptabLes
21070 root       856 S    /usr/.IptabLex
21081 root      3816 S    grep IptabLe
31977 root       856 S    /usr/.IptabLex
31979 root      1220 S    /usr/.IptabLes
vs02>


Random connections are generated.
I blocked the traffic from this Synology to any IP on ports 53 and 666.
Code:
vs02> netstat -nape | grep IptabLes
tcp        0      1 10.1.1.14:36089         119.145.148.56:666      SYN_SENT    20389/.IptabLes
vs02> netstat -nape | grep IptabLes
tcp        0      1 10.1.1.14:36089         119.145.148.56:666      SYN_SENT    20389/.IptabLes
vs02> netstat -nape | grep IptabLes
vs02> netstat -nape | grep IptabLes
vs02> netstat -nape | grep IptabLes
udp        0      0 0.0.0.0:51152           0.0.0.0:*                           20595/.IptabLes
vs02> netstat -nape | grep IptabLes
udp        0      0 0.0.0.0:51152           0.0.0.0:*                           20595/.IptabLes
vs02> netstat -nape | grep IptabLes
tcp        0      1 10.1.1.14:34365         112.33.19.8:666         SYN_SENT    20595/.IptabLes
vs02> netstat -nape | grep IptabLes
tcp        0      1 10.1.1.14:34365         112.33.19.8:666         SYN_SENT    20595/.IptabLes
vs02> netstat -nape | grep IptabLes
tcp        0      1 10.1.1.14:34365         112.33.19.8:666         SYN_SENT    20595/.IptabLes
vs02> netstat -nape | grep IptabLes ;date
Mon May 12 12:14:26 CEST 2014
vs02> netstat -nape | grep IptabLes ;date
tcp        0      1 10.1.1.14:35443         122.228.242.51:666      SYN_SENT    20595/.IptabLes
Mon May 12 12:14:29 CEST 2014
vs02> netstat -nape | grep IptabLes ;date
tcp        0      1 10.1.1.14:35443         122.228.242.51:666      SYN_SENT    20595/.IptabLes
Mon May 12 12:14:32 CEST 2014
vs02> netstat -nape | grep IptabLes ;date
tcp        0      1 10.1.1.14:35443         122.228.242.51:666      SYN_SENT    20595/.IptabLes
Mon May 12 12:14:34 CEST 2014
vs02> netstat -nape | grep IptabLes ;date
Mon May 12 12:14:38 CEST 2014
vs02> netstat -nape | grep IptabLes ;date
Mon May 12 12:14:40 CEST 2014
vs02> netstat -nape | grep IptabLes ;date
tcp        0      1 10.1.1.14:58164         59.63.167.167:666       SYN_SENT    20595/.IptabLes
Mon May 12 12:14:43 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:36720         119.145.148.56:666      SYN_SENT    20595/.IptabLes
Mon May 12 12:14:59 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:36720         119.145.148.56:666      SYN_SENT    20595/.IptabLes
Mon May 12 12:15:01 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:55258         119.145.148.76:666      SYN_SENT    20613/.IptabLex
Mon May 12 12:15:04 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:55258         119.145.148.76:666      SYN_SENT    20613/.IptabLex
udp        0      0 0.0.0.0:43193           0.0.0.0:*                           20832/.IptabLes
Mon May 12 12:15:08 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
udp        0      0 0.0.0.0:43193           0.0.0.0:*                           20832/.IptabLes
Mon May 12 12:15:11 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
udp        0      0 0.0.0.0:43193           0.0.0.0:*                           20832/.IptabLes
Mon May 12 12:15:14 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:55389         119.145.148.76:666      SYN_SENT    20860/.IptabLex
udp        0      0 0.0.0.0:43193           0.0.0.0:*                           20832/.IptabLes
Mon May 12 12:15:17 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:34994         112.33.19.8:666         SYN_SENT    20832/.IptabLes
tcp        0      1 10.1.1.14:55389         119.145.148.76:666      SYN_SENT    20860/.IptabLex
Mon May 12 12:15:20 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:34994         112.33.19.8:666         SYN_SENT    20832/.IptabLes
tcp        0      1 10.1.1.14:55389         119.145.148.76:666      SYN_SENT    20860/.IptabLex
Mon May 12 12:15:22 CEST 2014
vs02> netstat -nape | grep IptabLe ;date
tcp        0      1 10.1.1.14:34994         112.33.19.8:666         SYN_SENT    20832/.IptabLes
Mon May 12 12:15:25 CEST 2014
vs02>



This is the info I found about this Trojan.
http://www.ebel-computing.de/JSPWiki/Wiki.jsp?page=VServer%20Trojan
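The post above finds the infection by hand with ls, ps and netstat. The script below is an added triage helper, not code from the post or from Synology; it turns the three indicators the post shows (a dot-prefixed binary under /usr running as root, outbound TCP connections to port 666, and UDP sockets bound by that hidden binary) into awk filters that can be fed live output on the NAS. It assumes the busybox column layout of `ps -w` and `netstat -nape` exactly as printed in the post, and the sample lines embedded in it are constructed from that output so the filters can be exercised offline.

```shell
#!/bin/sh
# Added triage helper for the IptabLes/IptabLex indicators described in the
# thread. Not part of the original post. Assumes busybox-style output:
#   ps -w        -> PID USER VSZ STAT COMMAND
#   netstat -nape-> Proto Recv-Q Send-Q Local Remote [State] PID/Program
# Only awk, ps, netstat and find are needed, all present on DSM.

# Constructed sample in the layout of the post's `ps -w` output.
SAMPLE_PS='21048 root      1220 S    /usr/.IptabLes
21070 root       856 S    /usr/.IptabLex
21081 root      3816 S    grep IptabLe
 2231 root      2100 S    /usr/syno/bin/synorelayd'

# Constructed sample in the layout of the post's `netstat -nape` output.
SAMPLE_NETSTAT='tcp        0      1 10.1.1.14:36089         119.145.148.56:666      SYN_SENT    20389/.IptabLes
udp        0      0 0.0.0.0:51152           0.0.0.0:*                           20595/.IptabLes
tcp        0      0 10.1.1.14:22            10.1.1.2:51234          ESTABLISHED 1234/sshd'

# Read `ps -w` on stdin; print "PID PATH" for every process whose executable
# path contains a dot-prefixed (hidden) component, e.g. /usr/.IptabLes.
hidden_procs() {
    awk '$5 ~ /\/\.[^\/]+/ { print $1, $5 }'
}

# Read `netstat -nape` on stdin; print "PID/PROG REMOTE" for every TCP
# socket whose remote port is 666, the C2 port seen in the post. SYN_SENT
# entries count too: a blocked connect attempt is still an indicator.
c2_conns() {
    awk '$1 == "tcp" && $5 ~ /:666$/ { print $7, $5 }'
}

# Read `netstat -nape` on stdin; print "PID/PROG LOCAL" for every UDP socket
# owned by a hidden binary (program name contains "/.").
hidden_udp_listeners() {
    awk '$1 == "udp" && $6 ~ /\/\./ { print $6, $4 }'
}

# Run the three checks against the live system plus a filesystem sweep for
# hidden regular files directly under /usr (where the post found the pair).
triage() {
    echo "== hidden binaries in process list =="
    ps -w | hidden_procs
    echo "== outbound TCP connections to port 666 =="
    netstat -nape 2>/dev/null | c2_conns
    echo "== UDP sockets held by hidden binaries =="
    netstat -nape 2>/dev/null | hidden_udp_listeners
    echo "== hidden regular files in /usr =="
    find /usr -maxdepth 1 -type f -name '.*' 2>/dev/null
}

# Default run is offline against the constructed samples; pass --live on the
# NAS to inspect the real process table and socket list instead.
if [ "${1:-}" = "--live" ]; then
    triage
else
    echo "sample hidden processes:";   printf '%s\n' "$SAMPLE_PS" | hidden_procs
    echo "sample C2 connections:";     printf '%s\n' "$SAMPLE_NETSTAT" | c2_conns
    echo "sample hidden UDP sockets:"; printf '%s\n' "$SAMPLE_NETSTAT" | hidden_udp_listeners
fi
```

Copy the script to the NAS and run `sh triage.sh --live` as root over SSH. A clean box prints empty sections; anything listed under the first or fourth heading is worth preserving (copy the binary off for analysis before deleting it), and the PIDs under the second and third headings are the ones to kill. Note that a firewall block on port 666, as the poster did, will leave the connections parked in SYN_SENT rather than make them disappear, so the C2 check still fires.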

Re: synology Hacked , Trojan IptabLes IptabLex

Postby pneves » Mon May 12, 2014 4:52 pm

Although I don't know where I got it from, after upgrading DSM the Trojan disappeared.
Hopefully I won't see it again.

If someone had a similar experience, please post here.
It would be nice to know how this happened.

Thanks,

Pedro

Re: synology Hacked , Trojan IptabLes IptabLex

Postby hacktron » Thu Jun 19, 2014 2:20 am

Hi, I also have a lot of random traffic from 119.145.148.76.

I have yet to resolve it and came across your post while searching the ip.

What was your site for? I want to know, to see if it's similar to mine or not.

Thanks

