waspsoton | Posted August 2, 2014 | #1

EDIT by Trantor:

Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0.

For users who have not encountered any of the symptoms stated above, we highly recommend downloading and installing DSM 5.0, or any version below:

- For DSM 4.3, please install DSM 4.3-3827 or later
- For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
- For DSM 4.0, please install DSM 4.0-2259 or later

Source: Synology forum

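An added example, not part of the original thread or of Synology's tooling: a shell check that compares a box's DSM build against the patched builds listed in the advisory above. It assumes DSM records its version in `/etc.defaults/VERSION` as `key="value"` lines (`majorversion`, `minorversion`, `buildnumber`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: is this DSM build at or above the patched build for its branch?
# Assumption: version file uses key="value" lines as in /etc.defaults/VERSION.

# min_patched_build MAJOR MINOR -> first patched build per the advisory.
# 5.x prints 0 because the advisory reports the issue was not observed in 5.0.
min_patched_build() {
    case "$1.$2" in
        4.3)     echo 3827 ;;
        4.1|4.2) echo 3243 ;;
        4.0)     echo 2259 ;;
        5.*)     echo 0 ;;
        *)       return 1 ;;   # branch not covered by the advisory
    esac
}

# read_key FILE KEY -> value of KEY, surrounding quotes stripped.
# The file is parsed with sed rather than sourced, so its content never runs.
read_key() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" 2>/dev/null | head -n 1
}

# dsm_patch_status FILE -> prints PATCHED, VULNERABLE or UNKNOWN
dsm_patch_status() {
    major=$(read_key "$1" majorversion)
    minor=$(read_key "$1" minorversion)
    build=$(read_key "$1" buildnumber)
    # Refuse to compare anything that is missing or not a plain number.
    case "$major$minor$build" in
        ''|*[!0-9]*) echo UNKNOWN; return 0 ;;
    esac
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$build" ] || { echo UNKNOWN; return 0; }
    need=$(min_patched_build "$major" "$minor") || { echo UNKNOWN; return 0; }
    if [ "$build" -ge "$need" ]; then echo PATCHED; else echo VULNERABLE; fi
}

# Default to the on-box version file; pass another path to check a copy.
dsm_patch_status "${1:-/etc.defaults/VERSION}"
```

UNKNOWN means the branch is outside the advisory or the file could not be parsed, not that the box is safe.
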
wallacefung | Posted August 3, 2014 | #2

Yes, it also happened in Hong Kong. I come from the HKEPC forum and read a post at http://www.hkepc.com/forum/viewthread.p ... ra=&page=1

A user posted a photo to show his friend's genuine Syno NAS was infected by the same ransomware, Synolocker.

waspsoton (Author) | Posted August 3, 2014 | #3

Thanks for the reply, looks like it is very new. I am going to try something this evening. But I won't be paying for the ransom.

Schnapps | Posted August 3, 2014 | #4

Try to update to nanoboot and latest DSM or keep your machine off the internet by deleting all port forwarding.

If this is true, it's pretty big shit!

sl0n | Posted August 3, 2014 | #5

> I just tried to log into my server and this came up (see attachment). Any ideas??? I can't be the first person this has ever happened to.

Is your DSM "visible" from the Internet? If it's not, then it's worrying.

waspsoton (Author) | Posted August 3, 2014 | #6

> > I just tried to log into my server and this came up (see attachment). Any ideas??? I can't be the first person this has ever happened to.
>
> Is your DSM "visible" from the Internet? If it's not, then it's worrying.

Yes, I use remote access on it. I think this could be the start of a very big problem. I am going to try a restore of the OS in a bit. Will report back when I know more.

toshas | Posted August 3, 2014 | #7

Which version of xpenology do you have (4.2/4.3/5.0, any updates)?

waspsoton (Author) | Posted August 3, 2014 | #8

> Which version of xpenology do you have (4.2/4.3/5.0, any updates)?

I am on 4.3 with no updates.

toshas | Posted August 3, 2014 | #9

Do you know anything about the recent OpenSSL bug? The vulnerability is described here: http://heartbleed.com/ . You can test your NAS here: https://filippo.io/Heartbleed/ . It was fixed in updates for 4.3 and 5.0.

waspsoton (Author) | Posted August 3, 2014 | #10

> Do you know anything about the recent OpenSSL bug? The vulnerability is described here: http://heartbleed.com/ . You can test your NAS here: https://filippo.io/Heartbleed/ . It was fixed in updates for 4.3 and 5.0.

Yes, I heard of it, but didn't apply the update. What version is safe and has the update already done?

Schnapps | Posted August 3, 2014 | #11

No offense but if you're not on the latest version and you keep your box on the internet, hacking like this is gonna happen all the time and you're kinda' asking for it.

waspsoton (Author) | Posted August 3, 2014 | #12

> No offense but if you're not on the latest version and you keep your box on the internet, hacking like this is gonna happen all the time and you're kinda' asking for it.

No offence taken mate, I know it's pretty much my own fault for not updating, just pissed off more than anything and the fact when I first posted this no one on the internet had posted anything.

Schnapps | Posted August 3, 2014 | #13

It sucks to be 1st (in this case).

But tell us more. Is all your data encrypted?

waspsoton (Author) | Posted August 3, 2014 | #14

I have a way to get my data back and get my server working, will post in a few days a full walk through. The short version is pull all the hard drives out apart from one u are happy to wipe, reinstall the os so the server will boot fully. Then use Linux to get ur data back and put onto the hd u pulled out of ur server.

thenexus7 | Posted August 4, 2014 | #15

Hi everyone,

It seems there's a workaround for this problem for "legacy" Synology NAS:

1. Shut down the NAS
2. Remove all the hard drives from the NAS
3. Find a spare hard drive that you will not mind wiping and insert it into the NAS
4. Use Synology Assistant to find the NAS and install the latest DSM onto this spare hard drive (use the latest DSM_file.pat from Synology)
5. When the DSM is fully running on this spare hard drive, shut down the NAS from the web management console.
6. Remove the spare drive and insert ALL your original drives.
7. Power up the NAS and wait patiently. If all goes well after about a minute you will hear a long beep and the NAS will come online.
8. Use Synology Assistant to find the NAS. It should now be visible with the status "migratable".
9. From Synology Assistant choose to install DSM to the NAS, use the same file you used in step 4 and specify the same name and IP address as it was before the crash.
10. Because the NAS is recognized as "migratable", the DSM installation will NOT wipe out the data on either the system partition or the data partition.
11. After a few minutes, the installation will finish and you will be able to log in to your NAS with your original credentials.

That means, in your case where you're running a non upgraded 4.3 version, that you can definitely move to Trantor's Beta 8 version, and then use local upgrades to go up to the latest version (update 5 I think) ... just by flashing your USB startup key with the latest you'll obtain the "migratable" state and be able to "reinstall" DSM without losing data.

- Link to Trantor's (thanks again Trantor) DSM 4.3 Beta 8: viewtopic.php?f=2&t=1361&p=17406#p17406
- Tutorial to use DSM internal update to go to the latest DSM update version (tested myself, it's working great, thanks Stanza): viewtopic.php?f=15&t=2999&hilit=3827

Hope this helps you, waspsoton, in taking back control of your NAS...

sadycus | Posted August 4, 2014 | #16

Hello, I know this is my first post around here but I'm a little concerned.

http://www.guru3d.com/news-story/synology-nas-servers-plagued-by-ransomware.html

nsfw | Posted August 4, 2014 | #17

I just powered down. Synology will not bail out xpenology of course.

ad911 | Posted August 4, 2014 | #18

For a real Synology product, I would suggest that you don't use their free DDNS services. It just lets the hacker know that you are using Synology DSM.

Besides that, the hackers may be mass scanning IP address ports 5000, 5001 to test whether it is a Synology product. Using a free Synology domain name (such as synology.me) is very dangerous and vulnerable to attack.

I think it is very stupid to use such manufacturer-specific DDNS services; it just draws the hackers' attention.

Schnapps | Posted August 4, 2014 | #19

If you're using either v5 or v4 updated to the latest version, you're safe. You could just isolate it from the internet and you'll be safe.

nsfw | Posted August 4, 2014 | #20

what daemon was compromised and what versions? how do you know this?

manfriday | Posted August 4, 2014 | #21

Hands up those who work in IT?

Keep your hand up if you have pinged your Network guru guys and inquired about opening ports on your one and only retail ready router.

Keep your hands up if after they made you a VISIO, drew a picture on a white board or explained in some detail what happens when you do that?

Keep your hands up if you ignored every piece of advice and said, "this will not happen to me".

Sorry but it's been a tough day at the coal face.

MF

lev400 | Posted August 5, 2014 | #22

New ransomware that is affecting Synology DSM NAS's

Have a Synology NAS? Is it accessible to the internet? If it is, you might want to take it offline for a while. Synolocker is a 0-day ransomware that, once installed, will encrypt all of the NAS's files and hold them for ransom just like Cryptolocker does for Windows PC's. The virus is currently exploiting an unknown vulnerability to spread. Synology is investigating the issue.

We'd like to give you an update regarding SynoLocker, a ransomware affecting certain Synology servers. When trying to access DSM, it displays the message below, in addition to instructions for paying a fee to unlock your data:

"All important files on this NAS have been encrypted using strong crypotgraphy"

What should you do? If you are seeing this message when trying to log in to DSM, please:

1. Power off your DiskStation immediately to avoid more files being encrypted
2. Contact our Support team so we can investigate further

Source: http://hardware.slashdot.org/story/14/08/05/0344244/synolocker-0-day-ransomware-puts-nas-files-at-risk

More info on forums: http://forum.synology.com/enu/viewtopic.php?f=108&t=88770

lev400 | Posted August 5, 2014 | #23

More info: http://www.guru3d.com/news-story/synology-nas-servers-plagued-by-ransomware.html

elmuziko | Posted August 5, 2014 | #24

Further info here: http://www.theregister.co.uk/2014/08/05 ... y_attacks/

Although according to the comments it's been patched?

I'll ask the same questions on here as I have on theregister:

- I disabled the admin account and created a new one.
- I have SSH turned off.
- I have SSL turned on and auto-redirected.
- I have auto-block IP on 2 password fuck-ups.

Am I doing everything I should to keep safe?

ad911 | Posted August 5, 2014 | #25

> Further info here: http://www.theregister.co.uk/2014/08/05 ... y_attacks/
>
> Although according to the comments it's been patched?
>
> I'll ask the same questions on here as I have on theregister:
>
> - I disabled the admin account and created a new one.
> - I have SSH turned off.
> - I have SSL turned on and auto-redirected.
> - I have auto-block IP on 2 password fuck-ups.
>
> Am I doing everything I should to keep safe?

Hackers do not necessarily need to try your admin password. Once the hackers have identified that your device is a Synology NAS and that it has some security vulnerabilities that haven't been fixed, it is possible the hackers can remotely access your NAS as the root user.

- disable port forwards 5000, 50001 ... ports
- stop using Synology free DDNS, the Synology domain is unsafe
