XPEnology Community

Hacked! Failing resource monitor widget, CPU usage ?


bearcat


I'm currently running DSM 4.2-3211 on my HP N54L. It has been working great until a power outage today. After the server came back up my resource monitor widget keeps saying "loading", and when I try to open the resource monitor itself the error "connection failed. please check your network connection" appears.

 

So this is seriously bugging me. I don't know how to fix this while making sure that all data on my 3 disks remains intact. How can I reinstall?

I tried to upgrade to this 4.3 version from within DSM itself through manual update, selecting the .pat file, but after 30 seconds or so I get the error "unknown error occurs (Error no:21)".

 

How can I solve the resource monitor issue? I don't care about the fix, even if it is by upgrading to a newer DSM version (5.0?), just as long as all data on my 3 disks remains intact!

 

The very same thing happened to me a few days ago, running the same HP N54L and DSM 4.2-3211 Repack v1.2.

I'm running 5x4TB (WD-RED) in SHR mode, so it took "a while" until the system completed the raid/parity checks.

Using the external monitor program from Synology Assistant, I saw 100% CPU usage during the disk check, so I thought that was the reason.

 

When Volume1 was declared "healthy", I did a controlled reboot, hoping the problem would go away, but no such luck...

Googled and read some posts, referring to the SNMP service, which was disabled.

Tried to enable and reboot, no change, tried to disable again and a new reboot, no change.

 

Using PuTTY, I connected and ran "top", and was only seeing some 2-3% CPU being used by fileindexd (if I remember correctly).

But still the external monitor shows me 100% CPU being used.

(I have tried to look for the virus/backdoor files that are currently "running around", but have found no trace of them.)

 

Question:

Has anyone else experienced this, and found a way to solve the problem ?

 

 

 

 

disclaimer: Yes, I know I should have used a UPS, it's on top of my what-to-buy-next list :oops:

 

 

 

Edit:

Topic was "Failing resource monitor widget, CPU usage ?", changed to

Edited by Guest

OK,

I see that I'm the only one here with this problem :?:

 

But I was lucky enough to do some googling, and I found out one thing I had overlooked... :roll:

When looking for virus/hacker attacks, it is better to log in with PuTTY as root, not as admin :oops:

 

I was hacked, and one of the things that had been hacked was "top", fooling me into thinking there was not so much CPU usage.

 

The solution to _my_ problem, I found here:

http://blog.jandorsman.com/blog/synolog ... -preloaded

thanks to the "error ldpreload cannot be preloaded" clue I found.

 

I hope no one else will see this problem, but if you happen to do, then try to follow the steps posted by Jan. :idea:


Yes, it seems like there are still some problems left;

when I use the resource manager "live" it seems to work OK.

(screenshot)

 

But if I try to see historic info, it fails:

(screenshot)

 

So I guess I have to do a backup, and reinstall to make it really clean :sad:


My box is behind a router (with openwrt),

and I had forwarded port 5001 (https) to my box, where I had not bothered to activate the firewall,

trusting that username/password would be enough to keep it "safe".

 

Now, both my router and box have been locked down to only allow a few known IP addresses to connect,

learning from mistakes, it's called :oops:

 

btw:

FTP (port 21) is also forwarded, and is now restricted to the same IP addresses as 5001.

 

 

 

Edit:

I have disabled UPnP on my router, to make sure none of my boxes tries to create an unknown port-mapping.


Bearcat: thanks for the update! I don't use http or ftp and port forward a very narrow range for Plex and Transmission (and non-standard ones at that). Good idea on the UPnP - I don't need it either but had it on by default. But your post also makes me wonder how the hacker gets in: brute force U/P attack?


According to what I read at http://packetstormsecurity.com/files/cve/CVE-2013-6955:

there have been at least 2 major security problems:

 

Dec-2013

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1

allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

 

Mar-2014

This Metasploit module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions 4.x, which allows the execution of arbitrary commands under root privileges. The vulnerability is located in /webman/imageSelector.cgi, which allows to append arbitrary data to a given file using a so called SLICEUPLOAD functionality, which can be triggered by an unauthenticated user with a specially crafted HTTP request. This is exploited by this module to append the given commands to /redirect.cgi, which is a regular shell script file, and can be invoked with another HTTP request. Synology reported that the vulnerability has been fixed with versions 4.0-2259, 4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.

 

 

 

So, it is not just 4.3 that is vulnerable, as you might think after reading some posts on this subject.

 

Keep it secure, keep it tight and updated (if possible).

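An added example, not posted by anyone in this thread and not a Synology tool: a small POSIX shell helper that takes a DSM version string such as "4.2-3211" and tells you whether it is below the fixed builds quoted above for the imageSelector.cgi issue (4.0-2259, 4.2-3243, 4.3-3810 Update 1, with the 4.1 branch having no fix). It is meant for checking your own box before forwarding port 5001 to it. The `dsm_version_from_file` helper assumes that the DSM version file is a shell-style key=value file with `majorversion`, `minorversion`, `buildnumber` and `smallfixnumber` keys; that layout is an assumption, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): classify a DSM 4.x version string
# against the fixed builds named in CVE-2013-6955.

# _kv FILE KEY: print the value of KEY=value (surrounding quotes stripped).
# Returns 1 when KEY is not present.
_kv() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$2="*)
                val="${line#*=}"; val="${val#\"}"; val="${val%\"}"
                printf '%s\n' "$val"
                return 0 ;;
        esac
    done < "$1"
    return 1
}

# dsm_version_from_file FILE: build "MAJOR.MINOR-BUILD[ Update N]" from a
# key=value file. Key names are an ASSUMPTION about /etc.defaults/VERSION.
dsm_version_from_file() {
    major=$(_kv "$1" majorversion) || return 1
    minor=$(_kv "$1" minorversion) || return 1
    build=$(_kv "$1" buildnumber)  || return 1
    fix=$(_kv "$1" smallfixnumber) || fix=0
    case "$fix" in ''|*[!0-9]*) fix=0 ;; esac
    if [ "$fix" -gt 0 ]; then
        printf '%s.%s-%s Update %s\n' "$major" "$minor" "$build" "$fix"
    else
        printf '%s.%s-%s\n' "$major" "$minor" "$build"
    fi
}

# dsm_imageselector_status VERSION: print "vulnerable", "patched" or "unknown".
# Fixed builds are the ones quoted from the CVE text in the thread.
dsm_imageselector_status() {
    ver="$1"
    case "$ver" in *-*) ;; *) echo unknown; return 0 ;; esac
    branch="${ver%%-*}"          # e.g. 4.2
    rest="${ver#*-}"             # e.g. "3810 Update 1"
    build="${rest%% *}"          # e.g. 3810
    update=0
    case "$rest" in *"Update "*) update="${rest##*Update }" ;; esac
    case "$build"  in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$update" in ''|*[!0-9]*) update=0 ;; esac
    case "$branch" in
        4.0) fixed=2259; fixed_update=0 ;;
        4.2) fixed=3243; fixed_update=0 ;;
        4.3) fixed=3810; fixed_update=1 ;;   # only "Update 1" of 3810 is fixed
        4.1) echo vulnerable; return 0 ;;    # no fixed build exists for 4.1
        *)   echo unknown; return 0 ;;       # outside the 4.x range the CVE covers
    esac
    if [ "$build" -lt "$fixed" ] || { [ "$build" -eq "$fixed" ] && [ "$update" -lt "$fixed_update" ]; }; then
        echo vulnerable
    else
        echo patched
    fi
}

# Usage on a box (path is the assumed location of the version file):
#   . ./dsm_check.sh
#   dsm_imageselector_status "$(dsm_version_from_file /etc.defaults/VERSION)"
```

The original poster's 4.2-3211 and the 4.2-3211 Repack come out as "vulnerable", which matches the conclusion in the post above that it is not only 4.3 that is affected.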

Found a few more bad files, using:

"find / -xdev -user 502"

/usr/syno/synoman/webman/modules/ControlPanel/modules/.upgrade.cgi

/usr/syno/synoman/webman/modules/ResourceMonitor/.top.cgi

/usr/syno/synoman/webman/modules/ResourceMonitor/.rsrcmonitor2.cgi

 

Deleted those, and restored the original files, which had been renamed to

/usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade2.cgi

/usr/syno/synoman/webman/modules/ResourceMonitor/top2.cgi

/usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor3.cgi

 

This enabled me to load the historic CPU data that was blocked in one of my earlier posts.

(screenshot)

As you can see, it shows you when I started fresh with this box, and when I was infected...

 

 

 

Some more info can be found here:

http://forum.synology.com/enu/viewtopic ... 32#p303732


update:

 

It seems like I was able to clean up the mess, but just to make sure, I will reinstall DSM.

 

For now, my "backup" server, another N54L, that was supposed to run Windows 2012R,

is currently running DSM 4.3 - 3827 beta 7, thanks to Trantor.

 

It will take some time to transfer a 14TB backup, even though it's on a 1GB network; maybe I need to find 2x 10GB NICs for later use :wink:
