Loumeer Posted February 2, 2014 #1

Hello everybody,

For the past couple of days I have been noticing some weird behavior of my xpenology install. Today I did some digging and realized there was a process called synodns making my CPU clock at 100% constantly. I am not sure how it was done and what methods were used, but apparently my synology install was compromised and "synodns" was installed. From what I can tell "synodns" is a renamed CPU miner:

"Running /usr/syno/bin/synodns --help does indeed show it is a miner.

    Usage: minerd [OPTIONS]
    Options:
      -a, --algo=ALGO       specify the algorithm to use
                              scrypt    scrypt(1024, 1, 1) (default)
                              sha256d   SHA-256d
      -o, --url=URL         URL of mining server (default: http://127.0.0.1:9332/)
      -O, --userpass=U:P    username:password pair for mining server
      -u, --user=USERNAME   username for mining server
      -p, --pass=PASSWORD   password for mining server
      ... snip ...
      -V, --version         display version information and exit
      -h, --help            display this help text and exit
"

See also:
http://www.reddit.com/r/synology/commen ... edsynodns/
http://forum.synology.com/enu/viewtopic ... ns#p301696

I am not the most advanced in internet security, so if one of you guys could let me know what I can do to better protect myself from stuff like this in the future, I would appreciate it.
stanza Posted February 2, 2014 #2

Cough http://xpenology.com/forum/viewtopic.php?f=2&t=2049
Loumeer (Author) Posted February 3, 2014 #3

Thanks for the link, but I would like to add to your post. I was running version 4.2, so it seems that both DSM 4.2 and 4.3 (pre-update 4) are vulnerable to this sort of attack.
anthonyuk Posted February 3, 2014 #4

I was also affected on 4.2. I've removed the entry from crontab and the affected program, and closed all external ports except VPN for the time being.
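The posts above identify the miner by running it with --help and clean up by removing the binary and its crontab entry. Below is an added example (not code from this thread or from Synology) of doing the same sweep without executing the suspect file: it flags files that carry cpuminer's own marker strings (taken from the --help and -V output quoted in the thread), lists the crontab lines that respawn them, and preserves a hashed copy before neutralising the binary with chmod 000. It assumes DSM's BusyBox userland and the /etc/crontab location; the two-marker threshold, the helper names and the sample tree it builds are assumptions/constructed data.

```shell
#!/bin/sh
# Hunt for a renamed cpuminer/minerd binary and the cron entry that respawns it.
# Added example, not code from this thread or from Synology. DSM has a BusyBox
# userland, so only find/tr/grep/sort/wc/md5sum/cp/chmod are used (no strings,
# no pkill). The /etc/crontab location and the two-marker threshold are
# assumptions; the marker strings come from the --help and -V output above.

MINER_MARKERS='Usage: minerd|json_rpc_call|cpuminer|miner threads started|--no-stratum'

# find_miner_binaries DIR: print every regular file under DIR containing at least
# two distinct marker strings. Purely static: unlike running "synodns --help",
# this never executes the suspect file. tr turns the binary into printable runs
# so grep behaves the same on BusyBox and GNU.
find_miner_binaries() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        hits=$(tr -c '[:print:]' '\n' < "$f" 2>/dev/null \
               | grep -oE "$MINER_MARKERS" | sort -u | wc -l | tr -d ' ')
        if [ "${hits:-0}" -ge 2 ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# find_cron_entries CRONFILE PATTERN: print non-comment crontab lines whose
# command mentions PATTERN (normally the path of a flagged binary). DSM keeps
# system jobs in /etc/crontab with a "who" field before the command.
find_cron_entries() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep -F -e "$2" || true
}

# quarantine_binary FILE EVIDENCE_DIR: hash and copy the sample before making it
# unusable. Plain deletion (as in the thread) destroys the evidence; chmod 000
# keeps the file in place but stops cron from re-launching it. Killing the
# running process and removing the cron line are left to the caller.
quarantine_binary() {
    mkdir -p "$2"
    md5sum "$1" >> "$2/hashes.txt"
    ls -l "$1" >> "$2/listing.txt"
    cp "$1" "$2/$(basename "$1").bin"
    chmod 000 "$1"
}

# build_sample ROOT: constructed test tree (not real captured data): a fake
# renamed miner with NULs and marker strings, a benign binary, and a crontab
# holding one unrelated job plus a respawn line using the miner's default pool
# URL from the --help output.
build_sample() {
    mkdir -p "$1/usr/syno/bin" "$1/etc"
    printf 'ELF\0\0junk Usage: minerd [OPTIONS]\0 json_rpc_call failed\0 cpuminer 2.3.2\0' \
        > "$1/usr/syno/bin/synodns"
    printf 'ELF\0\0 Usage: synoservice [start|stop]\0 nothing suspicious here\0' \
        > "$1/usr/syno/bin/synoservice"
    cat > "$1/etc/crontab" <<'EOF'
# minute hour mday month wday who command
0 3 * * 0 root /usr/syno/bin/synoschedtask --run
*/5 * * * * root /usr/syno/bin/synodns -B -o http://127.0.0.1:9332/ -u x -p x
EOF
}

# Stand-alone demo on the constructed tree. A real sweep would pass / and
# /etc/crontab instead of the temp root and skip the prefix stripping.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    build_sample "$root"
    for bin in $(find_miner_binaries "$root/usr/syno/bin"); do
        echo "flagged: $bin"
        find_cron_entries "$root/etc/crontab" "${bin#"$root"}"
        quarantine_binary "$bin" "$root/evidence"
    done
fi
```

Run it with `--demo` to see the constructed tree flagged; on a live box, check the process list and kill the running miner before the chmod, or the already-loaded copy keeps burning CPU until the next reboot, and remove the cron line rather than only the binary, since an attacker script that still has its cron entry simply gets re-run.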
loderunner Posted February 3, 2014 #5

I've got one on my xpenology 4.2 right now and googled this post.
loderunner Posted February 3, 2014 #6

Can you help me to safely upgrade from 4.2 to 4.3? Any links? It was the second miner on my NAS. The first was minerd two months ago.
Diverge Posted February 3, 2014 #7

Kinda crazy that somehow people are hacking miners into other people's NASes. I personally don't leave any ports open on my LAN but SSH on a non-standard port, and tunnel anything I need to do through SSH. The times when I did have FTP open on my NAS, the logs were pretty crazy with the amount of bots trying to brute-force in.
ZeroQI Posted February 3, 2014 #8

Was on 4.1, synodns using 100%. Used gateone:

    NAS> /usr/syno/bin/synodns
    #[2014-02-03 21:57:39] 2 miner threads started, using 'scrypt' algorithm.
    [2014-02-03 21:57:39] Binding thread 1 to cpu 1
    [2014-02-03 21:57:39] Binding thread 0 to cpu 0
    [2014-02-03 21:57:39] HTTP request failed: Failed connect to 127.0.0.1:9332; Connection refused
    [2014-02-03 21:57:39] json_rpc_call failed, retry after 30 seconds

    NAS> /usr/syno/bin/synodns --help
    Usage: minerd [OPTIONS]
    Options:
      -a, --algo=ALGO       specify the algorithm to use
                              scrypt    scrypt(1024, 1, 1) (default)
                              sha256d   SHA-256d
      -o, --url=URL         URL of mining server (default: http://127.0.0.1:9332/)
      -O, --userpass=U:P    username:password pair for mining server
      -u, --user=USERNAME   username for mining server
      -p, --pass=PASSWORD   password for mining server
          --cert=FILE       certificate for mining server using SSL
      -x, --proxy=[PROTOCOL://]HOST[:PORT]  connect through a proxy
      -t, --threads=N       number of miner threads (default: number of processors)
      -r, --retries=N       number of times to retry if a network call fails
                              (default: retry indefinitely)
      -R, --retry-pause=N   time to pause between retries, in seconds (default: 30)
      -T, --timeout=N       network timeout, in seconds (default: 270)
      -s, --scantime=N      upper bound on time spent scanning current work when
                              long polling is unavailable, in seconds (default: 5)
          --no-longpoll     disable X-Long-Polling support
          --no-stratum      disable X-Stratum support
      -q, --quiet           disable per-thread hashmeter output
      -D, --debug           enable debug output
      -P, --protocol-dump   verbose dump of protocol-level activities
      -S, --syslog          use system log for output messages
      -B, --background      run the miner in the background
          --benchmark       run in offline benchmark mode
      -c, --config=FILE     load a JSON-format configuration file
      -V, --version         display version information and exit
      -h, --help            display this help text and exit

    NAS> /usr/syno/bin/synodns -V
    cpuminer 2.3.2 libcurl/7.30.0 zlib/1.2.8

I rebooted; it wasn't running since. Couldn't see a way to track them, so I logged in as root and deleted it, created a new one, and did chmod 000 on it so they should have issues recreating it using the same script.. couldn't see a way