Virus/Trojan - 4.3 Update your Xpenology now


Have you tried to do a reboot after your update procedure?

From which version are you trying to update?

I suppose you're trying to apply over the 4.3 build 3810 my offline package of v4 update.

Try again my offline method but without connection to internet.

 

 

I did a fresh install on a new Microserver today

 

Noticed when using the offline update there were a couple of segfaults when the control panel DSM update is selected

 

Might have to install again and see if I can catch them :roll:

 

.

Link to post
How would I go about upgrading to update 4 now that 4.3-3827 is available?

 

I'm switching the update 4 file in but it won't install them as it sees the newer version is available.. quite frustrating!

 

 

I managed to update by disconnecting from the internet and using the manual method. After you go to DSM update, it will say disconnected etc. I clicked manual DSM update then cancel and it somehow refreshed and used the local files. If you have problems updating because you have been infected (like I had), log in via ssh and edit

 

/usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade.cgi

 

then remove pipe '|' and the sed part off the file and save.

 

what local files? and what dafuq does this mean???

then remove pipe '|' and the sed part off the file and save

I opened the upgrade.cgi file in an editor and nothing with sed and pipe | shows up, however a bunch of gibberish and other stuff appears. So far within the DSM GUI I can download the 3827, but installing is another question.. so should I just do the download from the GUI, unplug it and cross my fingers?
Link to post

Read the first post! The local files downloaded to do the update.

"If you have problems updating because you have been infected (like I had)" means exactly that: if you had the same virus as me and couldn't update, then follow my instructions to fix it. If you don't see it, then most likely you're not infected or you don't have the same virus/problem I had etc., in which case you don't need to do anything... simple as that.

btw you can't update to 3827 from the GUI and this has been mentioned a few times in this thread, you can only update to 3810 v4.

Link to post

Ok the seg fault is to do with the cgi script of the update panel

 

Something to do with libstc**

 

Will have another go at trying to catch the actual output later

 

As it only lasts a short time until the box reboots

 

Can see it on console output eg monitor connected, but doesn't show on sash console output.... So copying the error and pasting it is hard.

 

.

Link to post

btw you can't update to 3827 from the GUI and this has been mentioned a few times in this thread, you can only update to 3810 v4.

Oh, sorry then... But can you tell me if 3810 v4 is safe to use now, or does it have the same bug?

I get 3-5 different people that are trying to connect via SSH every day... The log tells me 'login fail' so at least they fail, but I'm still worried about it...

Link to post

Can someone please tell me how to upgrade from 4.2 to 4.3

I have downloaded "XPEnology_3827-pre-v1.1_beta7.7z", does this include the fix?

Just don't know what to do next. HELP

 

keep getting the following msg so might have been hacked

DiskStation> top

ERROR: ld.so: object '/lolz/jynx2.so' from LD_PRELOAD cannot be preloaded: ignored.

top: error while loading shared libraries: libproc-3.2.8.so: cannot open shared object file: No such file or directory

 

cheers

Link to post
unpack the three files inside

 

write synoboot-3827-pre-v1.1_v7.img to a usb stick

boot from this new usb stick

connect either by synologyassistant or try find.synology.com

choose migrate

choose 3rd option and feed it the beta7.pat file

give new passwords and server name

pray

when it reboots, connect again

and you might have to reinstall applications and users / settings etc.

 

good luck

.

Link to post

God, is anyone able to help me

 

So I followed this simple guide a page back:

What I did (for other people having issues, it's already described in parts in this thread, but again:)

- Download the DSM 4.3-3810 v4 package from Trantor (see first post).

- Unzip it (Mac: Stuffit Expander, Windows: WinRAR)

- Make a directory on volume 1, called 'public' (as described)

You can do this with SSH or in the GUI

SSH: mkdir /volume1/public

GUI: >ControlCenter >SharedFolders >Create (name it public, give at least the admin read/write permissions)

- Copy the files 'autoupd@te.info' (<- that's a file) and '@smallupd@te_deb' (<- that's a folder) to /volume1/public by afp (or ftp) (just simply drag and drop it)

Mac: Use AFP, Windows: use FTP

- Move the files to their new location.

cp /volume1/public/autoupd@te.info /

cp -a /volume1/public/@smallupd@te_deb/ /volume1/

 

- DISCONNECT YOUR ROUTER (or switch) FROM THE INTERNET

- REBOOT THE NAS

You can do this with the SSH or in the GUI

SSH: reboot

GUI: >reboot

 

- Use the GUI: go to >ControlPanel >DSMUpdate

- Click 'manual update'

- Click 'cancel'

(Now you need to see the 'update now' button)

- Click that button

 

I even had to sort these files out:

 

Successfully stopped all process called lolzm, lolzb, synolog (killall lolzm lolzb synolog)

Successfully deleted S99p.sh (main script that start 'lolzm' 'lolzb' and 'synolog' when booting)

Successfully located and deleted the /lolz folder and its contents.

Successfully deleted /opt/bin (where some modified versions of ls kill top ps were located)

Successfully deleted /etc/ld.so.preload

 

These steps below didn't seem to help so I had to revert these changes

Successfully moved /usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade2.cgi

Successfully moved /usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor3.cgi

Successfully moved /usr/syno/synoman/webman/modules/ResourceMonitor/top2.cgi

 

 

 

It looks like I got the LOL virus, and now I am struggling to update

I have followed the guide to the T, but when I get to the update screen, I can't for the life of me get the update button.

It's getting to the point where I'm thinking of buying 2x 4tb drives to migrate off, to re-install DSM 4.3 to then migrate back....

Any help, I would be happy to throw some beer tokens your way!

Link to post

I found the tricks to get it to work are

 

Copy files to relevant places

Check for update

Select manual

Cancel

 

Go to your router's interface and disconnect from internet.... But leave router running so it gives out dhcp ip addresses etc

Reboot xpenology box

 

Log back into xpenology box and check for update again....

Wait

It should now appear

Run update and reboot

When it comes back alive, log into router and reconnect to internet

Link to post
Thanks for the reply but I think I may be in a worse state since tinkering...

Still my resource monitor is broken, think that's from the LOL Virus

Now when I click update DSM in control panel, it says no internet connected, you select ok, then the update window goes.

 

BAD TIMES :sad:

Link to post

Hello! Sorry for the english I'm using google translate.

Yesterday I installed DSM 5 beta on DS713 +, this turned into another, much better!

 

But appeared a problem, searching the internet I found that it was a virus, this must have been on DS for long.

 

After the update it started to present an error message every command, to remove the problem I did the following:

 

Login as root, put a # before the export LD_PRELOAD ....

 

 

DiskStation> cd /volume1/homes/admin/

DiskStation> vi .profile

# export LD_PRELOAD=/lolz/jynx2.so

export PATH=/opt/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin

~

Link to post

Hello,

 

I'm running 4.3-3810 on a HP NL36 Microserver.

 

After a power outage, I can't access any service on the station except couchpotato, the default landing page of the webserver and the personal photostation.

 

SSH doesn't work, Management Web on both port 5000 and 5001 don't work, also SMB shares are not accessible.

Is this also the result of the virus ?

 

I also tried to connect to the console with a Logitech S510 wireless keyboard, but no reaction on keyboard strokes.

Is this a compatibility issue with the keyboard or also the virus at work?

Link to post

This virus, at least the one I encountered, was very nice and made me some backups. The original upgrade.cgi was renamed to upgrade2.cgi. So:

 

cd /usr/syno/synoman/webman/modules/ControlPanel/modules/

mv upgrade.cgi upgrade.cgi.bad

mv upgrade2.cgi upgrade.cgi

 

This restored update capability.

Link to post
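
Added example, not part of any post in this thread: an offline check for the files the posters above reported (the /lolz directory, /etc/ld.so.preload, S99p.sh, binaries in /opt/bin, the extra .cgi files and LD_PRELOAD lines in .profile). Because the thread reports modified ls, ps and top on the infected box, the sketch assumes the NAS system partition is mounted on a trusted machine; the function name scan_root and the mount point are hypothetical.

```sh
#!/bin/sh
# Added example, not the posters' code. Usage (mount point is an assumption):
#   scan_root /mnt/nas
# Running processes (lolzm, lolzb, synolog) are not checked: the scan is offline.

WEBMAN=/usr/syno/synoman/webman/modules

scan_root() {
    root=${1%/}
    hits=0

    # Paths posters found and deleted, the extra *.cgi files they listed in
    # the web UI module directories, and tools in /opt/bin, which comes first
    # in the PATH shown in the thread and so shadows the system binaries.
    for p in /lolz /lolz/jynx2.so /etc/ld.so.preload \
             "$WEBMAN/ControlPanel/modules/upgrade2.cgi" \
             "$WEBMAN/ResourceMonitor/rsrcmonitor3.cgi" \
             "$WEBMAN/ResourceMonitor/top2.cgi" \
             /opt/bin/ls /opt/bin/kill /opt/bin/top /opt/bin/ps; do
        if [ -e "$root$p" ]; then
            echo "FOUND path: $p"; hits=$((hits + 1))
        fi
    done

    # Boot script named in the thread; its directory is not given there,
    # so search for the file name.
    boot=$(find "${root:-/}" -xdev -name S99p.sh 2>/dev/null) || true
    if [ -n "$boot" ]; then
        echo "FOUND boot script: $boot"; hits=$((hits + 1))
    fi

    # Active (uncommented) LD_PRELOAD assignments in login profiles.
    for f in "$root/etc/profile" "$root/root/.profile" \
             "$root"/volume1/homes/*/.profile; do
        if [ -f "$f" ] &&
           grep -Eq '^[[:space:]]*(export[[:space:]]+)?LD_PRELOAD=' "$f"; then
            echo "FOUND LD_PRELOAD in: ${f#"$root"}"; hits=$((hits + 1))
        fi
    done

    echo "indicators: $hits"
    [ "$hits" -eq 0 ]   # exit status 0 only when nothing was found
}
```

A non-zero exit status means at least one indicator was found; an /opt/bin hit on a box with Optware installed needs a manual look rather than automatic deletion.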