QNAP NAS Hacked

Pompeyexile

New Around Here
To begin with you wil have to excuse me as I am a total idiot whe it comes to computers etc which I guess is why I am in the pickle I am.

I have about 2000 cd's (and counting) that I painstakingly burned onto iTunes over a period of months, putting it on a single external hard drive. Unfortunately, after a couple of years that went wrong and I lost it all, so I bought a QNAP 2 Bay NAS went through the process all over again and in my naievety, thought that having two bays meant one would automatically back up to the other without me having to do anything (see what I mean when I say I'm an idiot). Anyway, all has been fine for several years and I still add newly bought CD's and burn onto my iTunes on my NAS.

However, a few weeks ago I noticed random tracks were missing and discovered they had been turned into 7Z format and found a read me file saying they had been encrypted and if I wanted to get them back to pay over a ransom in bitcoin. QNAP confirmed I had been hacked and proceeded to give me some instructions to recover my music files using something called photorec. I have also been told this happened because my NAS was/is connected to the internet and that it shouldn't be.

I have needed to buy another external hard drive with a large enough memory to connect to my NAS that I could transfer the rescued files onto. So, I have bought an 8TB WD MyBook which will be arriving any day soon.

When asking about this, people have mentioned stuff such as UPnP and turning that off. Port forwarding which means nothing to me and to disconnect my NAS from the intenernet and only connect it to my local/home network.

So, here are the daft questions… My NAS is connected directly to my BT home Hub router by a cable. Going into the router it shows it has a static IP address. In configuration I have UPnP turned off, yet in the firewall port forwarding section it shows UPnP ticked and if I click on the red cross, it asks if I want to remove the rules. Plus, being as thick as I am, I don’t understand why there are so many lines for my Nas showing (see picture below).

1645369193980.png


So, is my NAS connected to the internet or not? if it is, how do I disconnect it and have it only connected to my local (home) network? My laptop connected to the internet where I burn all my newly aquired CD's onto iTunes does say Private Network.

And of course, If I am lucky enough to retrieve my music files or not and I have to burn all my CD's again, how do I prevent this from happening again?

Sorry for this being so long winded and any help would be very much appreciated.
 

XIII

Very Senior Member
It looks like you have ports 80, 443, 8080, 8081, and 6881 wide open, so anyone using these ports on your public IP address will be redirected to your NAS?

PS: the process of transferring audio CD's to digital files is usually called "ripping" ("burning" is the opposite: transferring digital files to optical media)
 

ColinTaylor

Part of the Furniture
I'm not familiar with the Smart Hub but it does appear that remote access from the internet is currently enabled. I would immediately try to remove all 6 of those rules (presumably by clicking on the "X"). Then reboot the Hub followed by rebooting the NAS. Now monitor the forwarded ports to see if they return.

It looks like the NAS is currently configured to allow remote access to it using UPnP. Try to disable that remote access on the NAS. The NAS also appears to be running a BitTorrent client. Obviously this won't work if your objective is to not have this NAS connected to the internet, so you should turn off the BitTorrent client.
 

Pompeyexile

New Around Here
Thank you guys for your quick response. I will do as you suggest, but before I do, don't I have to be able to access the NAS to recover my music files when the new external drive arrives? If I do as you suggest, how will I be able to connect to the NAS? I disconnected the cable from my NAS to my BT router to see what would happen and I could no longer connect to the NAS from my laptop.
 

ColinTaylor

Part of the Furniture
We're talking about disabling remote access from the internet, not local access from your PCs. There should be an option for that in the NAS's configuration. I'm not a QNAP owner so I can't say exactly what that option is called. What is the model number of the QNAP?
 

CaptainSTX

Part of the Furniture
I am not familiar with what options are available using QNAP, but on my Synology NAS there are two options to access the NAS remotely. The first is called external access and the second is called quick connect. Using quick connect means using your account with Synology and connecting to this account on Synology's servers which then makes the connection to your local NAS.

If your NAS offers similar remote connectivity methods be sure to disable all methods unless you have a use case for remote access.
 

OzarkEdge

Part of the Furniture
Could it be possible that malware will need to be removed or else it will just keep compromising your LAN no matter what access you try to disable(?).

OE
 

L&LD

Part of the Furniture
With no data on the NAS currently (if I'm reading the above correctly), I would disconnect it from the internet (i.e. directly connected to a computer that is itself also disconnected from the internet) and flash the latest firmware on the QNAP. After it reboots, I would fully reset the NAS.

After it has fully reset, only configure the NAS using recommended defaults. Do not agree to any optional features or services. When you're satisfied that the NAS is now in a secure state, connect it to your network and verify that it is (all the suggestions in the posts above).
 

SSri

Regular Contributor
As a safe practice, considering it was encrypted and to remove any malware, if any, I would prefer starting with a clean slate. A full reformat and a fresh install.

It will however be a long windy road to the pre-encryption state, given the larger pool of collections.
 
Last edited:

XIII

Very Senior Member
However, a few weeks ago I noticed random tracks were missing and discovered they had been turned into 7Z format and found a read me file saying they had been encrypted and if I wanted to get them back to pay over a ransom in bitcoin. QNAP confirmed I had been hacked and proceeded to give me some instructions to recover my music files using something called photorec. I have also been told this happened because my NAS was/is connected to the internet and that it shouldn't be.
Are these 7Z (7-zip) files password protected?

It looks like the malware is ransomware that used 7-zip to take hostage of your files?

Photorec is a tool to recover deleted files. If that's indeed what QNAP is suggesting to restore files, please be aware that any write to your NAS reduces your chances of recovering files (because deleted files might get overwritten).
 

SSri

Regular Contributor
It looks like the malware is ransomware that used 7-zip to take hostage of your files?
You wouldn’t expect this malware / ransomware to delete the files, would you? This would perhaps be a long and a complex encryption leveraging 7z. If this is what it really is, how would a photorec be useful? I’m not sure.
 

XIII

Very Senior Member
Zipping files and then deleting the originals?

Just a guess…

Quite curious about the exact instructions regarding Photorec!
 

SSri

Regular Contributor
I haven’t read these documentations, which are here and here

PhotoRec saves the file in the same order as they are on the source disk, as long as the files are not fragmented. I understand it will the file with a number and the correct ext.
 
Last edited:

dosborne

Very Senior Member
Renaming (encrypting) to 7z files is QLocker ransomware. I would suggest creating an account on this site https://forum.qnap.com/ as it is well documented.

Do not connect your NAS to your LAN, and therefore the internet, until you have:
- disabled UPnP on your router
- removed any ports that are forwarded from your router to your NAS
-disabled UPnP on your NAS
- disabled the "check for new firmware versions" on your NAS
- disabled the beta program opt in
-disabled the "recommended version" autoupdate option.
-disabled the "latest version" autoupdate option
-disabled all qnapcloud options-disabled any 3rd party HBS3 options

Do not update the firmware or run the Malware Remover application until you have read about QLocker in the above link as either action could make recovering your data significantly harder.

To accomplish the step "Do not connect your NAS to your LAN, and therefore the internet, ", disconnect your ISP cable or modem of it is a separate device while you perform the steps. Otherwise, you are vulnerable to a further attack of QLocker, QLocker2, or even worse, the next and latest ransomware attack called "Deadbolt".

I would not recommend resetting to default or attempting to recover until you've read the details . After any future update to your firmware, go back and check each and every one of the items in this lost as the default enabled/disabled has been known to change during the update on occasion, specifically relating to the "autoupdate" code.

If at all possible, stay on the 4.5.4 firmware stream. The 5.0.0 firmware stream only partially works on some systems. It is worth downgrading if your system has already
"Upgraded".
 
Last edited:

dosborne

Very Senior Member
Could it be possible that malware will need to be removed or else it will just keep compromising your LAN no matter what access you try to disable(?).

OE
The QNAP Malware Remover application (which must be downloaded, installed and run) will be successful in removing the effects of the ransomware BUT it is actually CRUCIAL so save the text file (for QLocker) or index.htm and encryptor for Deadbolt so that if your only option is to pay the ransom, you will need those to obtain the correct Bitcoin address. Save the files and/or take a screenshot or the ransom notes as a backup.

So far, the attack *seems* to come through a vulnerability on an admin port so stopping the current run of the attack by shutting down and restarting, running the malware remover or killing the process manually via ssh to do trigger a restart. However, leaving the NAS vulnerable through port forwarding, DMZ or UPnP would leave you susceptible should " they" trigger it again remotely.
 
Last edited:
Similar threads
Thread starter Title Forum Replies Date
nick002 How to set up VPN QNAP NAS? QNAP 6
dosborne Another round of attacks on QNAP QNAP 3
D Strange Firewall Behavior on QNAP TS-230 QNAP 11

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top