XPEnology Community

Virus/Trojan - 4.3 Update your Xpenology now


stanza


Have you tried to do a reboot after your update procedure?

From which version are you trying to update?

I suppose you're trying to apply over the 4.3 build 3810 my offline package of v4 update.

Try again my offline method but without connection to internet.

 

Thanks for the reminder! I disconnected my machine from the Internet and the update was successful :mrgreen::mrgreen:


I'm also infected by the virus.

 

I've got the problem that when it slowed down, I thought about restarting the NAS. Now, when I want to log in by web (port 5000, 5001), I can't: 'System is starting services, please wait.'

After 8 hours still the same message. I've read threads on the internet about it, it seems to be a mining-virus.

It is not the 'PWNED' virus, but, similar, the 'lolz' virus.

 

Got three different processes (or maybe even more); synolog, lolzm, lolzb

I've tried to trace & delete the virus, but I can't even trace it :(

 

Appelboom> pidof lolzm
11073 11072 11071 11070 11069 11068

Appelboom> ls -lha /proc/11073 | grep exe
lrwxrwxrwx   1 root root 0 Feb 18 12:03 exe -> /lolz/lolzm

Appelboom> ls -lha /proc/11073/exe/
ls: cannot access /proc/11073/exe/: Not a directory

 

Well, I'm trying to reinstall my NAS (and keep my data (such as movies, music, documents, etc.!)) but since I cannot log in by web, I don't know how.

The Synology solution for this problem is reinstall it after pressing the 'reset button'. But my custom-made NAS doesn't have a reset button :!:

What can I do now? Or is there a simple command for resetting the NAS? Are there other things I may have to try?


I had the lolz virus as well (but I never restarted on that one, so I'm unsure if the startup is related). I also had the httpd-pid, dhcp virus but never the PWNED one. Are you able to ssh into the box?

 

EDIT: sorry, just re-read your post and it seems as though you do. I would suggest killall lolz that you can find running, also delete the /lolz folder. Next I would look at

 

/usr/syno/etc/rc.d/S97apache-sys.sh

 

and see if you can find anything abnormal.

 

Also, after a quick check, I found lolz was being started up from /usr/syno/etc/rc.d/S99p.sh

 

EDIT: What you can also try is running

 

/usr/syno/etc/rc.d/S97apache-sys.sh start

 

then see if you can log in after that


@cquote

I cannot find the lolz folder. It seems like there is no lolz folder.

 

Appelboom> ls /    
bin  etc.defaults  lib64       opt   sbin     tmp  var.defaults  volumeUSB1
dev  initrd	   lost+found  proc  scripts  usr  volume1
etc  lib	   mnt	       root  sys      var  volume2

 

Appelboom> ls -lha /proc/11073 | grep exe
lrwxrwxrwx   1 root root 0 Feb 18 12:03 exe -> /lolz/lolzm

Appelboom> ls -lha /proc/11073/exe/
ls: cannot access /proc/11073/exe/: Not a directory

Appelboom> whereis lolzm
-ash: whereis: not found

 

The process is coming from a folder that doesn't exist.

 

 

I tried to start the S97, as you suggested, but with no results :(

Appelboom> /usr/syno/etc/rc.d/S97apache-sys.sh start
Start System Apache Server .....  -f /usr/syno/apache/conf/httpd.conf-sys
(98)Address already in use: make_sock: could not bind to address [::]:5000
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:5000
no listening sockets available, shutting down
Unable to open logs
(98)Address already in use: make_sock: could not bind to address [::]:5000
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:5000
no listening sockets available, shutting down
Unable to open logs
(98)Address already in use: make_sock: could not bind to address [::]:5000
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:5000
no listening sockets available, shutting down
Unable to open logs
Recover to default setting
(98)Address already in use: make_sock: could not bind to address [::]:5000
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:5000
no listening sockets available, shutting down
Unable to open logs
/usr/syno/etc/rc.d/S97apache-sys.sh: system httpd could not be started 

 

 

By the way, it seems like the ps-command is also blocked.

Appelboom> ps
ps: error while loading shared libraries: libproc-3.2.8.so: cannot open shared object file: No such file or directory

 

Appelboom> readelf /bin/ps
-ash: readelf: not found
Appelboom> readelf /usr/bin/ps
-ash: readelf: not found

 

 

It just seems to me that I've got a much worse virus than the 'PWNED' virus that everyone is talking about.


I had the same virus because I had to also physically delete the lolz folder and process, but I think I never rebooted while I had that virus, which may be the reason I didn't get the results that you have. Unfortunately, with the amount that's going on with your system, I would suggest doing a clean install then updating immediately, because there is just too much digging around to find out what has been changed and where, and even after fixing bits and pieces, there's no guarantee that it's all quarantined.

 

Also, reinstalling will not delete your data, only the system files. But you will need to reconfigure everything again, e.g. user names, apps, services etc.


Successfully stopped all processes called lolzm, lolzb, synolog (killall lolzm lolzb synolog)

Successfully deleted S99p.sh (main script that starts 'lolzm', 'lolzb' and 'synolog' when booting)

Successfully located and deleted the /lolz folder and its contents.

Successfully deleted /opt/bin (where some modified versions of ls, kill, top, ps were located)

Successfully deleted /etc/ld.so.preload

Successfully moved /usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade2.cgi

Successfully moved /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor3.cgi

Successfully moved /usr/syno/synoman/webman/modules/ResourceMonitor/top2.cgi

 

Now trying to update, but I don't know how to?

I can't just use the Synology software can I? (downloaded with 'DSM update' in the menu)

I downloaded it, but I'm not sure whether to install it.

 

I'm still running 4.3-3810 (v3?)
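An added defender-side audit script (not from the thread or the XPEnology project) that checks the four indicators the cleanup above names: a planted /etc/ld.so.preload, replacement ls/ps/top/kill under /opt/bin, a running process whose /proc/PID/exe points at a path that is "not there", and an rc.d script that launches the miner. The function names, the optional path arguments and the idea of defaulting to the DSM locations named in this thread are my own assumptions; it uses only shell builtins plus readlink, cat and grep, since the thread shows the usual tools could not be trusted.

```shell
#!/bin/sh
# Added example, not from the thread: audit checks for the indicators the
# cleanup post lists. Every path argument is optional (assumption) so each
# check can be pointed at a mounted copy of the filesystem or a test tree.

# 1. Anything listed in ld.so.preload is injected into every dynamically
#    linked program, which is how a trojaned ls/ps can hide things.
check_preload() {
    f="${1:-/etc/ld.so.preload}"
    [ -s "$f" ] || return 0                 # absent or empty: nothing injected
    echo "ld.so.preload is non-empty:"; cat "$f"
    return 1
}

# 2. Processes whose executable is gone from disk: readlink reads the kernel's
#    own symlink, so it still works when ls hides the /lolz directory.
hidden_exe_procs() {
    root="${1:-/proc}"
    for p in "$root"/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        [ -e "${exe% (deleted)}" ] || echo "${p##*/} $exe"
    done
}

# 3. Tools that PATH resolves somewhere other than the stock DSM directories.
shadowed_tools() {
    path="${1:-$PATH}"; oldifs=$IFS; IFS=:
    for t in ls ps top kill; do
        for d in $path; do
            [ -x "$d/$t" ] || continue
            case "$d" in /bin|/usr/bin|/sbin|/usr/sbin) ;;
                         *) echo "$t -> $d/$t (shadowed)";; esac
            break
        done
    done
    IFS=$oldifs
}

# 4. Startup scripts referencing the paths the cleanup in this thread found.
suspicious_rc_scripts() {
    dir="${1:-/usr/syno/etc/rc.d}"
    grep -l -e '/lolz' -e '/opt/bin' "$dir"/S*.sh 2>/dev/null
}

audit_all() {
    check_preload; hidden_exe_procs; shadowed_tools; suspicious_rc_scripts
}
```

Source the file and call audit_all on the live box, or pass paths to a mounted copy of the volume to inspect it from a clean system.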


It's my understanding now that you can access the GUI from the browser, is this correct? If so, you will need to download those files in the first post and follow those instructions on where to place them. Next, disconnect from the internet, then in the GUI go to Control Panel -> DSM Update. The status may say disconnected; if so, click manual DSM update below, then click cancel and it should refresh (this is what worked for me) and hopefully find the local files. You may also need to double check

 

/usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade.cgi

 

just to make sure it's there and not modified (you mentioned you moved it, so I'm guessing it should be ok, but just double check inside the file).


Thanks very much all for help.

 

I am now on DSM 4.3 3810 Update 4, but DSM 4.3-3827 is available, but I (similar to another poster in the thread) just get a black 'ok screen' when I attempt to update as shown on this youtube vid: http://www.youtube.com/watch?v=VC3_Gam9 ... e=youtu.be

 

Is there any way to get to DSM 4.3-3827, or is it safe to stay on Update 4 for now?


I finally succeeded in updating to 4.3-3810 v4. Is this version safe or do I need to update to 4.3-3827?

I do not want that virus again on my NAS!

 

What I did (for other people having issues; it's already described in parts in this thread, but again):

- Download the DSM 4.3-3810 v4 package from Trantor (see first post).

- Unzip it (Mac: Stuffit Expander, Windows: WinRAR)

- Make a directory on volume 1, called 'public' (as described)

You can do this with SSH or in the GUI

SSH: mkdir /volume1/public

GUI: >ControlCenter >SharedFolders >Create (name it public, give at least the admin read/write permissions)

- Copy the files 'autoupd@te.info' (<- that's a file) and '@smallupd@te.deb' (<- that's a folder) to /volume1/public by AFP (or FTP) (just simply drag and drop it)

Mac: Use AFP, Windows: use FTP

- Move the files to their new location.

cp /volume1/public/autoupd@te.info /
cp -a /volume1/public/@smallupd@te_deb/ /volume1/

- DISCONNECT YOUR ROUTER (or switch) FROM THE INTERNET

- REBOOT THE NAS

You can do this with the SSH or in the GUI

SSH: reboot

GUI: >reboot

 

- Use the GUI: go to >ControlPanel >DSMUpdate

- Click 'manual update'

- Click 'cancel'

(Now you need to see the 'update now' button)

- Click that button

 

It tells you the update would take 10 - 20 minutes; well, mine was finished in 2 minutes... Just click 'ok' and wait a few minutes. When the update is finished the GUI will automatically refresh and your NAS is ready to use again. (You can check what version you have on the system info page.)

Do not forget to reconnect your router again:D


Thanks for the write-up, but I skipped the creating public folders etc. as it was kinda unnecessary: I unzipped from my PC, then transferred over to any share, then moved to the appropriate locations. But so far update 4 seems stable for me, and for the last 4 days I have not seen any unusual activity and I have been checking frequently, so in the meantime we can assume it's safe and taken care of... for now.
