costib Posted February 18, 2014 #76

Have you tried to do a reboot after your update procedure? From which version are you trying to update? I suppose you're trying to apply over the 4.3 build 3810 my offline package of v4 update. Try again my offline method but without connection to internet.

kaho Posted February 18, 2014 #78

> Have you tried to do a reboot after your update procedure? From which version are you trying to update? I suppose you're trying to apply over the 4.3 build 3810 my offline package of v4 update. Try again my offline method but without connection to internet.

Thanks for the reminder! I disconnected my machine from the Internet and the update was successful.

costib Posted February 18, 2014 #80

You're welcome and welcome aboard.

@stanza: can you update the procedure from first post with this hint?

fabjan Posted February 18, 2014 #82

Thanks, update done.

mackevin11 Posted February 18, 2014 #84

I'm also infected by the virus. I've got the problem that when it slowed down, I thought about restarting the NAS. Now, when I want to login by web (port 5000, 5001), I can't... 'System is starting services, please wait.'. After 8 hours still the same message.

I've read threads on the internet about it, it seems to be a mining-virus. It is not the 'PWNED' virus, but, similar, the 'lolz' virus. Got three different processes (or maybe even more): synolog, lolzm, lolzb

I've tried to trace & delete the virus, but I can't even trace it :(

    Appelboom> pidof lolzm
    11073 11072 11071 11070 11069 11068
    Appelboom> ls -lha /proc/11073 | grep exe
    lrwxrwxrwx 1 root root 0 Feb 18 12:03 exe -> /lolz/lolzm
    Appelboom> ls -lha /proc/11073/exe/
    ls: cannot access /proc/11073/exe/: Not a directory

Well, I'm trying to reinstall my NAS (and keep my data (such as movies, music, documents, etc.!)) but since I can not login by web, I don't know how. The Synology solution for this problem is reinstall it after pressing the 'reset button'. But my custom-made NAS doesn't have a reset button. What can I do now? Or is there a simple command for resetting the NAS? Are there other things I may have to try?

cqoute Posted February 18, 2014 #86

I had the lolz virus as well (but I never restarted on that one, so I'm unsure if the startup is related). I also had the httpd-pid, dhcp virus but never the PWNED one. Are you able to ssh into the box?

EDIT: sorry, just re-read your post and it seems as though you do. I would suggest killall lolz that you can find running, also delete the /lolz folder. Next I would look at /usr/syno/etc/rc.d/S97apache-sys.sh and see if you can find anything abnormal. Also, after a quick check, I found lolz was being started up from /usr/syno/etc/rc.d/S99p.sh

EDIT: What you can also try is running

    /usr/syno/etc/rc.d/S97apache-sys.sh start

then see if you can login after that.

stanza (Author) Posted February 19, 2014 #88

> You're welcome and welcome aboard. @stanza: can you update the procedure from first post with this hint?

Done, please check.

mackevin11 Posted February 19, 2014 #90

@cqoute I can not find the lolz folder. It seems like there is no lolz folder.

    Appelboom> ls /
    bin   etc.defaults  lib64       opt   sbin     tmp  var.defaults  volumeUSB1
    dev   initrd        lost+found  proc  scripts  usr  volume1
    etc   lib           mnt         root  sys      var  volume2
    Appelboom> ls -lha /proc/11073 | grep exe
    lrwxrwxrwx 1 root root 0 Feb 18 12:03 exe -> /lolz/lolzm
    Appelboom> ls -lha /proc/11073/exe/
    ls: cannot access /proc/11073/exe/: Not a directory
    Appelboom> whereis lolzm
    -ash: whereis: not found

The process is coming from a folder that doesn't exist.

I tried to start the S97, as you suggested, but with no results :(

    Appelboom> /usr/syno/etc/rc.d/S97apache-sys.sh start
    Start System Apache Server ..... -f /usr/syno/apache/conf/httpd.conf-sys
    (98)Address already in use: make_sock: could not bind to address [::]:5000
    (98)Address already in use: make_sock: could not bind to address 0.0.0.0:5000
    no listening sockets available, shutting down
    Unable to open logs
    (98)Address already in use: make_sock: could not bind to address [::]:5000
    (98)Address already in use: make_sock: could not bind to address 0.0.0.0:5000
    no listening sockets available, shutting down
    Unable to open logs
    (98)Address already in use: make_sock: could not bind to address [::]:5000
    (98)Address already in use: make_sock: could not bind to address 0.0.0.0:5000
    no listening sockets available, shutting down
    Unable to open logs
    Recover to default setting
    (98)Address already in use: make_sock: could not bind to address [::]:5000
    (98)Address already in use: make_sock: could not bind to address 0.0.0.0:5000
    no listening sockets available, shutting down
    Unable to open logs
    /usr/syno/etc/rc.d/S97apache-sys.sh: system httpd could not be started

By the way, it seems like the ps-command is also blocked.

    Appelboom> ps
    ps: error while loading shared libraries: libproc-3.2.8.so: cannot open shared object file: No such file or directory
    Appelboom> readelf /bin/ps
    -ash: readelf: not found
    Appelboom> readelf /usr/bin/ps
    -ash: readelf: not found

It just seems to me that I've got a much worse virus than the 'PWNED' virus that everyone is talking about.

cqoute Posted February 19, 2014 #92

I had the same virus because I had to also physically delete the lolz folder and process, but I think I never rebooted while I had that virus, which may be the reason I didn't get the results that you have.

Unfortunately, with the amount that's going on with your system, I would suggest doing a clean install then updating immediately, because there is just too much digging around to find out what has been changed and where, and even after fixing bits and pieces, there's no guarantee that it's all quarantined.

Also, reinstalling will not delete your data, only the system files. But you will need to reconfigure everything again, e.g. user names, apps, services etc.

mackevin11 Posted February 19, 2014 #94

- Successfully stopped all processes called lolzm, lolzb, synolog (killall lolzm lolzb synolog)
- Successfully deleted S99p.sh (main script that starts 'lolzm', 'lolzb' and 'synolog' when booting)
- Successfully located and deleted the /lolz folder and its contents.
- Successfully deleted /opt/bin (where some modified versions of ls kill top ps were located)
- Successfully deleted /etc/ld.so.preload
- Successfully moved /usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade2.cgi
- Successfully moved /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor3.cgi
- Successfully moved /usr/syno/synoman/webman/modules/ResourceMonitor/top2.cgi

Now trying to update, but I don't know how to? I can't just use the Synology software, can I? (downloaded with 'DSM update' in the menu) I downloaded it, but I'm not sure to install it. I'm still running 4.3-3810 (v3?)

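A read-only check for the indicators listed in the post above, as an added example that is not part of the original thread: it looks for the reported paths and process names through the shell's own tests and /proc instead of ls or ps, which the post says had been replaced. The ROOT and PROC variables and the function names are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: read-only triage for the indicators named in this thread.
# ROOT and PROC are assumptions of this sketch. Point ROOT at the mounted
# system partition to inspect it from a clean machine; on the live box a
# library listed in /etc/ld.so.preload can change what tools report.
ROOT="${ROOT:-}"
PROC="${PROC:-/proc}"

# Paths and process names reported in the posts above.
IOC_PATHS="/lolz /etc/ld.so.preload /usr/syno/etc/rc.d/S99p.sh
/opt/bin/ls /opt/bin/ps /opt/bin/top /opt/bin/kill"
IOC_NAMES="lolzm lolzb synolog"

# One "PATH <path>" line per indicator that exists under ROOT.
# Uses the shell's own test builtin rather than ls.
check_paths() {
    for p in $IOC_PATHS; do
        if [ -e "$ROOT$p" ] || [ -L "$ROOT$p" ]; then
            echo "PATH $p"
        fi
    done
}

# Libraries that ld.so.preload forces into every dynamically linked process.
preload_entries() {
    if [ -f "$ROOT/etc/ld.so.preload" ]; then
        cat "$ROOT/etc/ld.so.preload"
    fi
}

# One "PROC <pid> <name> <exe>" line per process whose name is an indicator
# or whose exe link points under /lolz/. Walks $PROC directly instead of ps.
check_procs() {
    for d in "$PROC"/[0-9]*; do
        [ -d "$d" ] || continue
        name=""
        if [ -r "$d/status" ]; then
            name=$(sed -n 's/^Name:[[:space:]]*//p' "$d/status" | head -n 1)
        fi
        # exe is a symlink to a file: read it with readlink, no trailing slash.
        exe=$(readlink "$d/exe" 2>/dev/null) || exe=""
        hit=0
        for n in $IOC_NAMES; do
            if [ "$name" = "$n" ]; then hit=1; fi
        done
        case "$exe" in /lolz/*) hit=1 ;; esac
        if [ "$hit" -eq 1 ]; then
            echo "PROC ${d##*/} $name ${exe:-unknown}"
        fi
    done
}

# Run all checks: sh triage.sh run
if [ "${1:-}" = "run" ]; then
    check_paths
    preload_entries | sed 's/^/PRELOAD /'
    check_procs
fi
```
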
cqoute Posted February 20, 2014 #96

It's my understanding now that you can access the GUI from the browser, is this correct? If so, you will need to download those files in the first post and follow those instructions on where to place them.

Next, disconnect from the internet, then in the GUI, go to Control Panel -> DSM Update. The status may say disconnected; if so, click manual DSM update below, then click cancel and it should refresh (this is what worked for me) and hopefully find the local files.

You may also need to double check /usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade.cgi just to make sure it's there and not modified (you mentioned you moved it, so I'm guessing it should be ok, but just double check inside the file).

TheDean Posted February 20, 2014 #98

Thanks very much all for help. I am now on DSM 4.3 3810 Update 4, but DSM 4.3-3827 is available, but I (similar to another poster in the thread) just get a black 'ok screen' when I attempt to update, as shown on this youtube vid: http://www.youtube.com/watch?v=VC3_Gam9 ... e=youtu.be

Is there any way to get to DSM 4.3-3827, or is it safe to stay on Update 4 for now?

mackevin11 Posted February 20, 2014 #99

I finally succeeded in updating to 4.3-3810 v4. Is this version safe or do I need to update to 4.3-3827? I do not want that virus again on my NAS!

What I did (for other people having issues; it's already described in parts in this thread, but again):

- Download the DSM 4.3-3810 v4 package from Trantor (see first post).
- Unzip it (Mac: Stuffit Expander, Windows: WinRAR)
- Make a directory on volume 1, called 'public' (as described). You can do this with SSH or in the GUI.
  SSH: mkdir /volume1/public
  GUI: >ControlCenter >SharedFolders >Create (name it public, give at least the admin read/write permissions)
- Copy the files 'autoupd@te.info' (<- that's a file) and '@smallupd@te.deb' (<- that's a folder) to /volume1/public by afp (or ftp) (just simply drag and drop it). Mac: use AFP, Windows: use FTP
- Move the files to their new location.
    cp /volume1/public/autoupd@te.info /
    cp -a /volume1/public/@smallupd@te_deb/ /volume1/
- DISCONNECT YOUR ROUTER (or switch) FROM THE INTERNET
- REBOOT THE NAS. You can do this with SSH or in the GUI.
  SSH: reboot
  GUI: >reboot
- Use the GUI: go to >ControlPanel >DSMUpdate
- Click 'manual update'
- Click 'cancel' (Now you need to see the 'update now' button)
- Click that button

It tells you the update would take 10 - 20 minutes; well, mine was finished in 2 minutes... Just click 'ok' and wait a few minutes. When the update is finished the GUI will automatically refresh and your NAS is ready to use again. (You can check what version you have on the systeminfo page.)

Do not forget to reconnect your router again :D

cqoute Posted February 20, 2014 #100

Thanks for the write up, but I skipped the creating public folders etc. as it was kinda unnecessary, as I unzipped from my PC then transferred over to any share then moved to the appropriate locations.

But so far update 4 seems stable for me, and for the last 4 days I have not seen any unusual activity and I have been checking frequently, so in the meantime we can assume it's safe and taken care of... for now.