Synology Backdoor

Synowedjat is a backdoor from Synology. When checking package updates, it is downloaded from the server and executed, no matter whether you are using a genuine Synology device or not. It is highly recommended to remove it. Specifically: 1. When the background service checks for updates, "synopkg chkupgradepkg" is invoked 2. "synopkg chkupgradepkg" starts synowedjat-exec 3. synowedjat-exec - Uploads hardware info to account.synology.com/wedjat - Downloads and extracts synowed

By wedjat, March 17, 2023
24 replies

So for 7.2RC : /usr/bin/cat << EOF > /etc/apparmor/usr.syno.bin.dlid /usr/syno/bin/dlid { deny network, deny capability net_raw, deny capability net_admin, } EOF /usr/bin/sleep 2 /sbin/apparmor_parser -r /etc/apparmor/usr.syno.bin.dlid /bin/rm -f /usr/syno/etc/dlid.status