bearcat Posted March 28, 2014 (edited) #1

I'm currently running dsm 4.2-3211 on my hp n54l. It has been working great until a power outage today. After the server came back up my resource monitor widget keeps saying "loading" and when I try to open the resource monitor itself the error "connection failed. please check your network connection" appears. So this is seriously bugging me. I don't know how to fix this and make sure that all data on my 3 disks remains intact. How can I reinstall? I tried to upgrade to this 4.3 version out of the dsm itself through manual update and selecting the pat file but after 30 seconds or so I get the error "unknown error occurs (Error no:21)". How can I solve the resource monitor issue? Don't care about the fix, even if it is by upgrading to a newer dsm version (5.0?), just as long as all data on my 3 disks remains intact!

The very same thing happened to me a few days ago, running the same HP N54L and DSM4.2-3211 Repack v1.2. I'm running 5x4TB (WD-RED) in SHR mode, so it took "a while" until the system completed the raid/parity checks. Using the external monitor program, from Synology Assistant, I saw 100% CPU usage during the diskcheck, so I thought that was the reason. When Volume1 was declared "healthy", I did a controlled reboot, hoping the problem would go away, but no such luck....

Googled and read some posts, referring to the SNMP service, which was disabled. Tried to enable and reboot, no change, tried to disable again and a new reboot, no change. Using putty, I connected and ran "TOP", and was only seeing some 2-3% CPU being used by fileindexd (if I remember correctly). But still the external monitor shows me 100% CPU being used. (I have tried to look for the Virus/backdoor files that are currently "running around", but have found no trace of them.)

Question: Has anyone else experienced this, and found a way to solve the problem?

Disclaimer: Yes, I know I should have used a UPS, it's on top of my what-to-buy-next list.

Edit: Topic was "Failing resource monitor widget, CPU usage ?", changed to

Edited April 5, 2014 by Guest
bearcat Posted April 3, 2014 Author #2

OK, I see that I'm the only one here with this problem. But I was lucky enough to do some googling, and I found out one thing I had overlooked... When looking for virus/hacker attacks, better to log in with putty as root, not as admin. I was hacked, and one of the things hacked was "top", fooling me into thinking there was not so much CPU usage.

The solution to _my_ problem, I found here: http://blog.jandorsman.com/blog/synolog ... -preloaded thanks to the "error ldpreload cannot be preloaded" clue I found. I hope no one else will see this problem, but if you happen to, then try to follow the steps posted by Jan.
generious Posted April 4, 2014 #3

Nope, you aren't the only one with this problem, I have had this problem week and I used the exact same link. But I'm still seeing a pile of leftover junk which I'm not happy about, thus re-installing later this evening.
bearcat Posted April 6, 2014 Author #4

Yes, it seems like there are still some problems left; when I use the resource manager "live" it seems to work OK. But if I try to see historic info, it fails:

So I guess I have to do a backup, and reinstall to make it really clean.
nick w Posted April 7, 2014 #5

I had exactly the same thing, 8TB of data I backed up... then did a fresh build of 4.3.... I was on the same version as you as well before I got the virus.
toshas Posted April 7, 2014 #6

Hi! Do you use a router or firewall? What kind of ports are open to the internet (web/ftp/smb)?
bearcat Posted April 7, 2014 Author #7

My box is behind a router (with openwrt), and I had forwarded port 5001 (https) to my box, where I had not bothered to activate the firewall, trusting that username/password would be enough to keep it "safe". Now, both my router and box have been locked down to only allow a few known IP addresses to connect; learning by mistakes, it's called.

btw: FTP (port 21) is also forwarded, and is now restricted to the same IP addresses as 5001.

Edit: I have disabled UPnP on my router, to make sure none of my boxes tries to create an unknown port-mapping.
HDMann Posted April 7, 2014 #8

Bearcat: thanks for the update! I don't use http or ftp and port forward a very narrow range for Plex and Transmission (and non-standard ones at that). Good idea on the UPnP; I don't need it either but had it on by default. But your post also makes me wonder how the hacker gets in: brute force U/P attack?
bearcat Posted April 7, 2014 Author #9

According to what I read at http://packetstormsecurity.com/files/cve/CVE-2013-6955 there have been at least 2 major security problems:

Dec-2013: webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

March-2014: This Metasploit module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions 4.x, which allows the execution of arbitrary commands under root privileges. The vulnerability is located in /webman/imageSelector.cgi, which allows to append arbitrary data to a given file using a so called SLICEUPLOAD functionality, which can be triggered by an unauthenticated user with a specially crafted HTTP request. This is exploited by this module to append the given commands to /redirect.cgi, which is a regular shell script file, and can be invoked with another HTTP request. Synology reported that the vulnerability has been fixed with versions 4.0-2259, 4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.

So, it is not just 4.3 that is vulnerable, as you might think after reading some posts on this subject. Keep it secure, keep it tight and updated (if possible).
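Added example (not part of the post above and not Synology tooling): a shell check that classifies a DSM version string against the fixed builds quoted in the advisory text. The function name and the separate "update" argument are assumptions of this sketch; branches the advisory does not list are reported as not covered instead of guessed.

```shell
#!/bin/sh
# Added example: classify a DSM 4.x build against the fixed versions quoted in
# the post (4.0-2259, 4.2-3243, 4.3-3810 Update 1; 4.1 has no fixed build).
# $1 = version as DSM shows it, e.g. 4.2-3211; $2 = update number (default 0).
# Prints fixed | vulnerable | not-covered | invalid.
dsm_imageselector_status() {
    ver=$1
    update=${2:-0}
    branch=${ver%%-*}   # text before the first dash, e.g. 4.2
    build=${ver#*-}     # text after the first dash, e.g. 3211
    case $build in ''|*[!0-9]*) echo invalid; return 2 ;; esac
    case $update in ''|*[!0-9]*) echo invalid; return 2 ;; esac
    case $branch in
        4.0) fixed_build=2259; fixed_update=0 ;;
        4.2) fixed_build=3243; fixed_update=0 ;;
        4.3) fixed_build=3810; fixed_update=1 ;;
        4.1) echo vulnerable; return 1 ;;   # advisory: branch remains vulnerable
        *)   echo not-covered; return 3 ;;  # outside what the advisory lists
    esac
    # Fixed when the build is newer than the fixed build, or is the fixed
    # build with at least the required update level installed.
    if [ "$build" -gt "$fixed_build" ] ||
       { [ "$build" -eq "$fixed_build" ] && [ "$update" -ge "$fixed_update" ]; }
    then
        echo fixed
    else
        echo vulnerable
        return 1
    fi
}
```

Called as dsm_imageselector_status 4.2-3211 it reports the build discussed in this thread as vulnerable; 4.3-3810 needs the second argument set to 1 to count as fixed.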
bearcat Posted April 8, 2014 Author #10

Found a few more bad files, using: " find / -xdev -user 502 "

/usr/syno/synoman/webman/modules/ControlPanel/modules/.upgrade.cgi
/usr/syno/synoman/webman/modules/ResourceMonitor/.top.cgi
/usr/syno/synoman/webman/modules/ResourceMonitor/.rsrcmonitor2.cgi

Deleted those, and restored the original files, that had been renamed to

/usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade2.cgi
/usr/syno/synoman/webman/modules/ResourceMonitor/top2.cgi
/usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor3.cgi

This made me able to load the historic CPU data, that was blocked in one of my earlier posts. As you can see, it shows you when I started fresh with this box, and when I was infected....

Some more info can be found here: http://forum.synology.com/enu/viewtopic ... 32#p303732
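Added example (not from the thread): a read-only shell triage for the pattern in the post above, hidden .cgi files sitting beside renamed originals. The function names are hypothetical, the sibling-matching rule is a heuristic assumed from the three pairs listed in the post, and uid 502 is the value from the post's find command.

```shell
#!/bin/sh
# Added example: read-only triage, nothing is deleted or renamed.

# Files under $1 owned by numeric uid $2 (the post searched for uid 502).
files_owned_by_uid() {
    find "$1" -xdev -type f -user "$2" 2>/dev/null | sort
}

# Hidden CGI scripts under $1, i.e. names shaped like .top.cgi
hidden_cgi_files() {
    find "$1" -xdev -type f -name '.*.cgi' 2>/dev/null | sort
}

# For each hidden CGI print "hidden<TAB>sibling" for every visible .cgi in the
# same directory that shares its stem (name without leading dot, trailing
# digits and .cgi). Heuristic assumed from the three pairs in the post.
renamed_sibling_candidates() {
    hidden_cgi_files "$1" | while IFS= read -r hidden; do
        dir=$(dirname "$hidden")
        base=$(basename "$hidden" .cgi)
        stem=$(printf '%s' "${base#.}" | sed 's/[0-9]*$//')
        [ -n "$stem" ] || continue
        for sib in "$dir/$stem"*.cgi; do
            if [ -f "$sib" ]; then printf '%s\t%s\n' "$hidden" "$sib"; fi
        done
    done
}

# Print findings for tree $1 and uid $2; exit status 0 means nothing was found.
triage_report() {
    owned=$(files_owned_by_uid "$1" "$2")
    hidden=$(hidden_cgi_files "$1")
    pairs=$(renamed_sibling_candidates "$1")
    if [ -n "$owned" ]; then printf 'Owned by uid %s:\n%s\n' "$2" "$owned"; fi
    if [ -n "$hidden" ]; then printf 'Hidden CGI files:\n%s\n' "$hidden"; fi
    if [ -n "$pairs" ]; then printf 'Possible renamed originals:\n%s\n' "$pairs"; fi
    [ -z "$owned$hidden" ]
}
```

Run as root, for example triage_report /usr/syno/synoman/webman/modules 502, and compare anything reported against a known-good install before restoring files.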
bearcat Posted April 8, 2014 Author #11

This seems to follow the CPU usage, have not seen this mentioned anywhere
bearcat Posted April 12, 2014 Author #12

Update: It seems like I was able to clean up the mess, but just to make sure, I will reinstall DSM. For now, my "backup" server, another N54L, that was supposed to run Windows 2012R, is currently running DSM 4.3 - 3827 beta 7, thanks to Trantor. It will take some time to transfer and back up 14TB, even though it's on a 1GB network; maybe I need to find 2x 10GB NIC's for later use.