Regarding the reported infections exploiting the Bash (Shellshock) vulnerability on QNAP NAS systems (firmware versions prior to 4.1.1 build 1003 without Qfix 1.0.2 build 1008 applied), we provide a method for users to check their systems and remove the infection if it is found. Customers who have noticed an unusually large amount of Internet traffic generated from their NAS should read the following sections and perform the remediation procedure as instructed.
Check for possible infections
Follow these steps to check for signs of infection:
1. Log into the NAS with an SSH client. On an infected system the shell prompt has been changed to [admin@NAS-NAME ~] instead of [~].
2. Check the shadow and passwd files (/etc/config/shadow and /etc/config/passwd) with the cat command. Look for the suspicious username "request". This user has the same user ID as the admin user (UID 0).
3. Look for a folder named "optware" on the main data volume (e.g. /share/MD0_DATA/optware).
4. Check for abnormal .cgi processes by entering the command: ps | grep cgi
   On an infected system the output looks like this:
8372 admin S 1724 18432 0.0 0.3 .cgi
8373 admin S 1724 18432 0.0 0.3 .cgi
8374 admin S 1724 18432 0.0 0.3 .cgi
8376 admin S 1724 18432 0.0 0.3 .cgi
8377 admin S 1724 18432 0.0 0.3 .cgi
8379 admin S 1724 18432 0.0 0.3 .cgi
8380 admin S 1724 18432 0.0 0.3 .cgi
8381 admin S 1724 18432 0.0 0.3 .cgi
8382 admin S 1724 18432 0.0 0.3 .cgi
8383 admin S 1724 18432 0.0 0.3 .cgi
8384 admin S 1724 18432 0.0 0.3 .cgi
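The four checks above can be scripted. The following is an added example and not QNAP's own tooling; it assumes only POSIX sh, awk and find (as in BusyBox on the NAS), and the passwd and ps samples it runs on are constructed, not taken from a real device.

```shell
#!/bin/sh
# Added example, not QNAP's own tooling: offline checks for the indicators
# listed above (a second UID 0 account, bare ".cgi" processes, an optware
# folder under a data volume). Only POSIX sh, awk and find are assumed, as
# found in BusyBox. The passwd and ps samples below are constructed.

# Constructed sample of /etc/config/passwd: "request" shares UID 0 with admin.
SAMPLE_PASSWD='admin:x:0:0:administrator:/share/homes/admin:/bin/sh
guest:x:65534:65534:guest:/tmp:/bin/sh
request:x:0:0::/share/homes/request:/bin/sh'

# Constructed sample of `ps` output with two lines of the abnormal .cgi swarm.
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
 1201 admin     3280 S    /sbin/hostapd
 8372 admin S 1724 18432 0.0 0.3 .cgi
 8373 admin S 1724 18432 0.0 0.3 .cgi'

# Print every account other than admin whose UID (passwd field 3) is 0.
# $1: passwd file contents.
uid0_aliases() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "admin" { print $1 }'
}

# Count ps lines whose last column is a bare ".cgi" (no path, no arguments).
# $1: ps output.
cgi_process_count() {
    printf '%s\n' "$1" | awk '$NF == ".cgi" { n++ } END { print n + 0 }'
}

# List optware directories sitting directly under a data volume, i.e. at
# /share/<volume>/optware. $1 overrides /share so it can point at a test tree.
optware_dirs() {
    find "${1:-/share}" -mindepth 2 -maxdepth 2 -type d -name optware \
        2>/dev/null || true
}

# Print each indicator found. Exit status 0 = indicators present (like grep),
# 1 = none. $1: passwd contents, $2: ps output, $3: share root.
has_infection_indicators() {
    found=1
    aliases=$(uid0_aliases "$1")
    if [ -n "$aliases" ]; then echo "extra UID 0 account(s): $aliases"; found=0; fi
    cgi=$(cgi_process_count "$2")
    if [ "$cgi" -gt 0 ]; then echo "bare .cgi processes: $cgi"; found=0; fi
    dirs=$(optware_dirs "$3")
    if [ -n "$dirs" ]; then echo "optware directory: $dirs"; found=0; fi
    return $found
}
```

On a real device the same function would be called as has_infection_indicators "$(cat /etc/config/passwd)" "$(ps)" /share; the checks mirror the manual steps and do not replace the firmware update.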
If your system shows these signs, choose one of the following methods to clear the malware.
Method 1: Reinitialize your NAS to clear the malware.
Note: This method will clear all data on the NAS. Make sure you back up your data first!
1. Isolate the NAS from any Internet-connected networks.
2. Back up any data on the NAS which you do not want to lose.
3. Power off the NAS and remove all HDDs.
4. Power on the NAS while all HDDs are still disconnected. The NAS will come online with default settings.
5. Connect to the NAS with an SSH client such as PuTTY (Windows) or Terminal (Mac OS). For instructions on how to use PuTTY, see:
6. Copy and paste the exact command for your CPU type below, and press Enter:
   For ARM CPU models:
   mount -t ext2 /dev/mtdblock5 /tmp/config && rm /tmp/config/autorun.sh; umount /tmp/config
   For Intel CPU models:
   mount -t ext2 `ls -1 /dev/sd*|grep 6` /tmp/config && rm /tmp/config/autorun.sh; umount /tmp/config
7. Connect to the NAS with a browser and continue with the quick setup. You must select a disk configuration (Single, RAID, JBOD) in the final step; otherwise, the malware will not be cleared! This action will also re-format any data on the NAS.
Method 2: Manually clear the malware.
It is recommended that only experienced system administrators who fully understand the implications of these changes perform the operations provided here.
1. Mount the configuration filesystem:
   mount /dev/mtdblock5 /tmp/config (for ARM models)
   mount /dev/sdX6 /tmp/config (for Intel models, where X can be found from the output of the command: ls -1 /dev/sd* | grep 6)
2. Enter the command to remove the injected autorun.sh script:
   rm /tmp/config/autorun.sh
3. Unmount the filesystem:
   umount /tmp/config
4. Remove the "optware" folder found in step 3 of the infection check (e.g. /share/MD0_DATA/optware), replacing PathTo with the path of your data volume:
   rm -r /PathTo/optware
5. Log into your Turbo NAS as admin, go to "Control Panel" > "Users" and delete unknown usernames such as "request".
6. Reboot the system.
7. Update your system to the latest firmware version, using either Live Update or a manual update as described in the Firmware Update section below.
Firmware Update
Live Update: Go to "Control Panel" > "Firmware Update" and select the "Live Update" tab.
Manual update:
1. Go to the QNAP website (/download) and choose your Turbo NAS model.
2. Select "Firmware", find the latest firmware in the list and download it from the Global, European or United States server depending on your location.
3. Decompress the ZIP file.
4. Log into your Turbo NAS as admin, go to "Control Panel" > "Firmware Update" and choose the "Firmware Update" tab.