wedjat Posted Friday at 05:16 AM Share #1 Posted Friday at 05:16 AM Synowedjat is a backdoor from Synology. When checking package updates, it is downloaded from the server and executed, no matter whether you are using a genuine Synology device or not. It is highly recommended to remove it. Specifically: 1. When the background service checks for updates, "synopkg chkupgradepkg" is invoked 2. "synopkg chkupgradepkg" starts synowedjat-exec 3. synowedjat-exec - Uploads hardware info to account.synology.com/wedjat - Downloads and extracts synowedjat.sa, a synology archive which contains the backdoor - Runs the main binary "synowedjat protection" 4. synowedjat has several modes - Debugging modes (controlled by argv) - "collect" and "collect-enc" uploads a comprehensive set of host info to synology's server, in plain text, or encrypted - "punish" resets the login page's background, and sends a piracy notification - "protection" is the default mode - Runs /run/ai_tool.cpython-38.pyc to twiddle with the "Active Insight" package settings, periodically - Uploads a comprehensive set of host info to synology's server - Enters the "punish" mode according to the servers' response Recommendations: 1. Stop the processes: killall -KILL synowedjat 2. Remove the package: rm /run/synowedjat* 3. Remove the configuration: rm /usr/syno/etc/wedjat.status 4. Remove the "Active Insight" package 5. Since synowedjat-exec is bundled with the OS, do not remove it. Instead, edit /etc/hosts to disable the access to account.synology.com and dlid.synology.com 2 Quote Link to comment Share on other sites More sharing options...
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.