XPEnology Community

Beware my synology was compromised


Loumeer


Hello everybody,

For the past couple of days I have been noticing some weird behavior of my xpenology install. Today I did some digging and realized there was a process called Synodns making my CPU clock at 100% constantly.

I am not sure how it was done and what methods were used, but apparently my synology install was compromised and "synodns" was installed.

From what I can tell "synodns" is a renamed CPU miner:

"Running /usr/syno/bin/synodns --help does indeed show it is a miner.

Usage: minerd [OPTIONS]
Options:
  -a, --algo=ALGO       specify the algorithm to use
                          scrypt    scrypt(1024, 1, 1) (default)
                          sha256d   SHA-256d
  -o, --url=URL         URL of mining server (default: http://127.0.0.1:9332/)
  -O, --userpass=U:P    username:password pair for mining server
  -u, --user=USERNAME   username for mining server
  -p, --pass=PASSWORD   password for mining server
  ... snip ...
  -V, --version         display version information and exit
  -h, --help            display this help text and exit"

See also:

http://www.reddit.com/r/synology/commen ... edsynodns/

http://forum.synology.com/enu/viewtopic ... ns#p301696

I am not the most advanced in internet security so if one of you guys could let me know what I can do to better protect myself from stuff like this in the future I would appreciate it.

Link to comment
Share on other sites

Kinda crazy that somehow people are hacking miners into other people's NASes. I personally don't leave any ports open on my LAN but SSH on a non-standard port, and tunnel anything I need to do through SSH. The times when I did have FTP open on my NAS, the logs were pretty crazy with the amount of bots trying to brute-force in.

Link to comment
Share on other sites

was on 4.1, synodns using 100%

Used gateone

NAS> /usr/syno/bin/synodns
#[2014-02-03 21:57:39] 2 miner threads started, using 'scrypt' algorithm.
[2014-02-03 21:57:39] Binding thread 1 to cpu 1
[2014-02-03 21:57:39] Binding thread 0 to cpu 0
[2014-02-03 21:57:39] HTTP request failed: Failed connect to 127.0.0.1:9332; Connection refused
[2014-02-03 21:57:39] json_rpc_call failed, retry after 30 seconds

NAS> /usr/syno/bin/synodns --help
Usage: minerd [OPTIONS]
Options:
  -a, --algo=ALGO       specify the algorithm to use
                          scrypt    scrypt(1024, 1, 1) (default)
                          sha256d   SHA-256d
  -o, --url=URL         URL of mining server (default: http://127.0.0.1:9332/)
  -O, --userpass=U:P    username:password pair for mining server
  -u, --user=USERNAME   username for mining server
  -p, --pass=PASSWORD   password for mining server
      --cert=FILE       certificate for mining server using SSL
  -x, --proxy=[PROTOCOL://]HOST[:PORT]  connect through a proxy
  -t, --threads=N       number of miner threads (default: number of processors)
  -r, --retries=N       number of times to retry if a network call fails
                          (default: retry indefinitely)
  -R, --retry-pause=N   time to pause between retries, in seconds (default: 30)
  -T, --timeout=N       network timeout, in seconds (default: 270)
  -s, --scantime=N      upper bound on time spent scanning current work when
                          long polling is unavailable, in seconds (default: 5)
      --no-longpoll     disable X-Long-Polling support
      --no-stratum      disable X-Stratum support
  -q, --quiet           disable per-thread hashmeter output
  -D, --debug           enable debug output
  -P, --protocol-dump   verbose dump of protocol-level activities
  -S, --syslog          use system log for output messages
  -B, --background      run the miner in the background
      --benchmark       run in offline benchmark mode
  -c, --config=FILE     load a JSON-format configuration file
  -V, --version         display version information and exit
  -h, --help            display this help text and exit

NAS> /usr/syno/bin/synodns -V
cpuminer 2.3.2
libcurl/7.30.0 zlib/1.2.8

I rebooted, wasn't running since.

Couldn't see a way to track them so I logged in as root and deleted it, created a new one, did chmod 000 on it so they should have issues recreating it using the same script.

couldn't see a way

Link to comment
Share on other sites
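
Added example (not written by any poster in this thread): a shell check that recognises a renamed cpuminer binary by its contents instead of its file name, using the strings visible in the --help, -V and log output quoted in the posts above. It assumes those strings are stored unmodified in the binary and that a Linux /proc is available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag renamed cpuminer ("minerd") binaries by content, not name.
# Marker strings come from the --help, -V and log output quoted in this thread.
# Assumption: they are stored as plain literals in the binary; a packed or
# modified build would not match.
MINER_MARKERS='Usage: minerd
--userpass=U:P
miner threads started
json_rpc_call failed
cpuminer'

# Print how many marker strings occur in FILE (0 if it cannot be read).
miner_score() {
    file=$1; score=0
    [ -r "$file" ] || { echo 0; return 0; }
    while IFS= read -r m; do
        # -F: fixed string, -e: marker may start with "--", -q: status only
        if grep -qF -e "$m" "$file" 2>/dev/null; then
            score=$((score + 1))
        fi
    done <<EOF
$MINER_MARKERS
EOF
    echo "$score"
}

# Succeed when at least two markers match (one alone is too weak a signal).
is_renamed_miner() {
    [ "$(miner_score "$1")" -ge 2 ]
}

# Walk PROCROOT (default /proc) and print "PID PATH" for every running
# process whose executable image looks like minerd. Run as root to see
# every process; the image stays readable here even after the file on
# disk has been deleted.
scan_procs() {
    root=${1:-/proc}
    for exe in "$root"/[0-9]*/exe; do
        [ -e "$exe" ] || continue
        if is_renamed_miner "$exe"; then
            pid=${exe%/exe}; pid=${pid##*/}
            echo "$pid $(readlink "$exe")"
        fi
    done
}
```

Calling scan_procs with no argument checks the live process table; is_renamed_miner can also be pointed at files on disk, for example everything under /usr/syno/bin.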
