Jump to content
XPEnology Community

Synology Backdoor


Recommended Posts

Synowedjat is a backdoor from Synology. When checking package updates, it is downloaded from the server and executed, no matter whether you are using a genuine Synology device or not. It is highly recommended to remove it.

1. When the background service checks for updates, "synopkg chkupgradepkg" is invoked
2. "synopkg chkupgradepkg" starts synowedjat-exec
3. synowedjat-exec
   - Uploads hardware info to account.synology.com/wedjat
   - Downloads and extracts synowedjat.sa, a synology archive which contains the backdoor
   - Runs the main binary "synowedjat protection"
4. synowedjat has several modes
   - Debugging modes (controlled by argv[1])
     - "collect" and "collect-enc" uploads a comprehensive set of host info to synology's server, in plain text, or encrypted
     - "punish" resets the login page's background, and sends a piracy notification
   - "protection" is the default mode
     - Runs /run/ai_tool.cpython-38.pyc to twiddle with the "Active Insight" package settings, periodically
     - Uploads a comprehensive set of host info to synology's server
     - Enters the "punish" mode according to the servers' response


1. Stop the processes: killall -KILL synowedjat
2. Remove the package: rm /run/synowedjat*
3. Remove the configuration: rm /usr/syno/etc/wedjat.status
4. Remove the "Active Insight" package
5. Since synowedjat-exec is bundled with the OS, do not remove it. Instead, edit /etc/hosts to disable the access to account.synology.com and dlid.synology.com

  • Like 2
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...