g*******t posts: 7704 | 1 [The following is reposted from the Hardware board]
From: subzero8080 (Chilling), Board: Hardware
Subject: [Urgent warning] Synology box hacked! Check yours now
Site: BBS 未名空间站 (Thu Feb 13 01:42:55 2014, US Eastern)
My 212j has felt off for the past couple of days, always at 100% CPU. I searched today and found that countless people have discovered they were hacked;
apparently a DSM vulnerability is being exploited. There is no fix yet; I have powered mine off.
The symptom is that a process gets installed that connects to an external IP to do coin mining. So far I have found two
kinds:
1. Creates a /PWNED folder; some people found it also creates a fake resource monitor so you
don't think the CPU is at 100%. See:
http://www.facebook.com/synology/posts/10152007533142897
http://forum.synology.com/enu/viewtopic.php?f=19&t=80857
http://www.reddit.com/r/Bitcoin/comments/1xm01l/synology_nas_sy
2. Mine is this one (I run DSM 4.3-3810), more covert: it creates a dhcp.pid process that takes 100%
CPU, and someone pointed out that DSM does not have dhcp. See:
http://forum.synology.com/enu/viewtopic.php?f=19&t=81026
If you suspect infection, telnet or ssh in and run the following to confirm:
ps | grep PWNED
ps | grep dhcp
Update: found more info at http://thesbsguy.com/?p=244
Update: There seem to be two versions.
The one I found (user 'smmsp' with multiple PWNEDm processes running –
actually a program called mined that's been renamed, no other apparent
damage besides tampering with some Synology web-interface files to hide its
CPU activity. Seems to all be started from a user called smmsp (Sendmail
user – listed in the /etc/passwd file)
There also seems to be another variant that actively looks for usernames/
passwords in places such as /etc/ddns.conf, adds a folder called /volume1/
startup with a Perl script to activate itself. This one also seems to
tamper with some rudimentary command line tools such as ls, cat and top to
prevent removal. |
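A defender-side check for the indicators named in this post, as an added example that is not part of the original thread or of Synology's own tooling. It assumes a BusyBox-style `ps` on the NAS, the paths and names quoted above, and (assumption) that /bin/ls, /bin/cat and /bin/top are normally BusyBox applet symlinks on DSM; the process listing it scans in the dry run is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): scan for the indicators reported above.
# scan_ps reads a `ps` listing on stdin so a captured listing can be reviewed
# offline; scan_fs takes a root prefix so it can be run against a copy.

# Process indicators from the thread: PWNED* names, the fake dhcp.pid,
# and anything running as smmsp (the sendmail user the miner ran under).
scan_ps() {
    hits=$(grep -E 'PWNED|dhcp\.pid|(^|[[:space:]])smmsp([[:space:]]|$)' \
           | grep -v 'grep' || true)
    [ -z "$hits" ] && return 0
    printf 'suspicious process:\n%s\n' "$hits"
    return 1
}

# Filesystem indicators from the thread, checked under prefix $1 ("" = live /).
scan_fs() {
    root=$1
    found=0
    for p in /PWNED /volume1/startup; do
        if [ -e "$root$p" ]; then
            echo "indicator present: $p"
            found=1
        fi
    done
    # The second variant replaced ls/cat/top. Assumption: on DSM these are
    # BusyBox applet symlinks, so a regular file in their place is suspect.
    for t in ls cat top; do
        f="$root/bin/$t"
        if [ -e "$f" ] && [ ! -L "$f" ]; then
            echo "$t is a regular file, not a BusyBox symlink: $f"
            found=1
        fi
    done
    return $found
}

# Constructed sample listing (BusyBox ps layout) for an offline dry run.
SAMPLE_PS='  PID USER       VSZ STAT COMMAND
    1 root      2340 S    init
 4521 smmsp    12880 R    /tmp/PWNEDm
 4530 root      9920 R    dhcp.pid'

if [ "$1" = "--live" ]; then        # run on the NAS over ssh/telnet
    ps | scan_ps; scan_fs ""
elif printf '%s\n' "$SAMPLE_PS" | scan_ps; then
    echo "dry run: constructed sample looks clean (unexpected)"
else
    echo "dry run: constructed sample was flagged, as expected"
fi
```

Run it with `--live` over ssh or telnet on the NAS; without arguments it only exercises the checks against the constructed sample.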
g*******t posts: 7704 | 2 Synology is way too ridiculous; even hidden behind a router on the LAN it gets hacked. American companies have no bottom line when it comes to snooping, |
t*********u posts: 26311 | 3 This one is 4v (Taiwanese).
[Quoting g*******t's post] : Synology is way too ridiculous; even hidden behind a router on the LAN it gets hacked. American companies have no bottom line when it comes to snooping,
|
o**o posts: 3964 | 4 3810 has at least four security patches; v4 was the upgrade last month.
Are the ones getting hacked on the new version? |
e*****r posts: 700 | 5 Would blocking the Synology from connecting to the internet at the router make it safe? |
t*********a posts: 366 | 6 Damn, mine got hacked too. But the 4.1 黑群辉 (DSM on non-Synology hardware) on an N54L wasn't hacked; the 4.3 211j got hit.
[Quoting o**o's post] : 3810 has at least four security patches; v4 was the upgrade last month. : Are the ones getting hacked on the new version?
|