Hello, some days ago, my TerraMaster F2-210 has been attacked by Ransomware eCh0raix / QNAPCrypt
My System version was 4.1.31
I had opened in my router port 8181 for web interface because I want access from outside my network if needed. Im using a secure password and Im sure attackers does not knows.
Now, all documents and photos are encrypted with extension .encrypt and a txt message saying I have to go to .onion link to pay a rescue.
Following information is added by TerraMaster customer service
Official notice about eCh0raix(QNAPCrypt)
My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt
- CarlosMtnez
- Posts: 8
- Joined: 26 Dec 2020, 23:44
Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt
My F4-210 I just bought also got attacked by the same ransomware and I have no idea how to remove it without a full server format. ClamAV doesn't detect any viruses or ransomware.
Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt
I am curious...
Was it only the port 8181 open in your router?
Have you checked for any clue about the attack in the logs?
Was it only the port 8181 open in your router?
Have you checked for any clue about the attack in the logs?
Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt
I am sorry to hear that your data has been infected by ransomware.
We have some advices here viewtopic.php?f=75&t=1291&p=6581#p6581
Please check if this could be help: https://www.bugsfighter.com/remove-ech0 ... ypt-files/
We have some advices here viewtopic.php?f=75&t=1291&p=6581#p6581
Please check if this could be help: https://www.bugsfighter.com/remove-ech0 ... ypt-files/
To contact our team, please send email to following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
- CarlosMtnez
- Posts: 8
- Joined: 26 Dec 2020, 23:44
Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt
I'm pretty sure attacker entered through web portal.
In the system logs there was some Events "Web Logout Succesful!" from weird ip address. About 3 or 4 logs like that in the past 2 days. Only that, No other messages from that ips.
I left open web admin port (8181) because I want to access from outside to access my data tree and or download individual files.
I DO NOT had opened telnet nor SSH port. Also is checked only local connections.
I think its a vulnerability from Web admin interface.
Hope TerraMaster investigate this and make a Patch.
In the system logs there was some Events "Web Logout Succesful!" from weird ip address. About 3 or 4 logs like that in the past 2 days. Only that, No other messages from that ips.
I left open web admin port (8181) because I want to access from outside to access my data tree and or download individual files.
I DO NOT had opened telnet nor SSH port. Also is checked only local connections.
I think its a vulnerability from Web admin interface.
Hope TerraMaster investigate this and make a Patch.
Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt
Good evening, I have also discovered, despite myself, that my NAs Terramaster has also been infected.
Do you have any ideas on how to solve the problem?
At the moment I have 1 tb of blocked data and a lot of work to do.
Please help us to resolve.
I have no intention of paying 1300€ to get my data back.
Many thanks.
Cristiano
Do you have any ideas on how to solve the problem?
At the moment I have 1 tb of blocked data and a lot of work to do.
Please help us to resolve.
I have no intention of paying 1300€ to get my data back.
Many thanks.
Cristiano
Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt
Searching for 'terramaster vulnerabilities' I found several pages with bad news... the code is prone to security holes
The most recent one confirmed is
https://packetstormsecurity.com/files/1 ... ution.html
I guess 4.2.07 is also affected.
I have taken mine offline. Looks like the first thing to do with these NASes is changing all the ports to something very unusual if you truly need them on Internet.
The most recent one confirmed is
https://packetstormsecurity.com/files/1 ... ution.html
I guess 4.2.07 is also affected.
I have taken mine offline. Looks like the first thing to do with these NASes is changing all the ports to something very unusual if you truly need them on Internet.
- armandomr81
- Posts: 6
- Joined: 28 Dec 2020, 12:10
Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt
I just find out the same thing happen to my T-NAS also on Dec 25 th. I have not used the NAS since Dec 20 th so I think the attac was similar to the other posted.
Is there a way to recover the .ENCRYPTED files? After this I would leave mine offline but there is very sensible information in my drive, such as taxes, goverment payments from my house and cars and thousands of family pictures.
Please help. Someone from Terramaster? At least point me in the rigth direction to contact someone can recover my files.
Armando Martinez.
F2-210 user
Is there a way to recover the .ENCRYPTED files? After this I would leave mine offline but there is very sensible information in my drive, such as taxes, goverment payments from my house and cars and thousands of family pictures.
Please help. Someone from Terramaster? At least point me in the rigth direction to contact someone can recover my files.
Armando Martinez.
F2-210 user
Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt
{L_BUTTON_AT}Spaniard
Please be well noted that the Vulnerability mentioned by packetstormsecurity in the article about "include/makecvs.php" has been resolved in 4.2.07
viewtopic.php?f=28&t=1136
To contact our team, please send email to following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
Re: My TerraMaster F2-210 has been infected by Ransomware eCh0raix / QNAPCrypt
It couldn't be updated automatically. If the folders are encrypted already, please go to TOS Control panel- update&recovery- restore to factory default to see whether it's ok.
To contact our team, please send email to following addresses, remember to replace (at) with @
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)