Missing files and device full of info.zip

Andrew Wright
Apr 5, 2016, 12:40:11 PM
to Alt-F
Got a weird issue on my hands. My NAS has a bunch of missing files (so far only found Win7/8/10 ISOs deleted) and had a huge folder moved into a RECYCLED folder. No idea how any of this happened.

Also the drive is littered with info.zip files everywhere that contain a VB script file.

It's like the device has been infected, but I don't get how.

João Cardoso
Apr 5, 2016, 1:12:03 PM
to Alt-F
Yes, it looks like it. How long ago did that happen?

Was the Alt-F webUI exposed to the internet? It was not designed with that purpose in mind and it is prone to CGI injection attacks; such an attack has already been reported in this forum.

Can you ssh or telnet the box? Remove the box from the internet, save all logs for further examination, including the output of the 'ps' command.
In principle a reboot will remove the infection, but it will also prevent further diagnosing. If you have no expertise on doing that, rebooting is probably the only thing you can do.
After the reboot you should examine the 'ps' command output again, to see if only expected processes are running.
Do you have Alt-F packages installed? Was lighttpd/PHP running?
The only way for most infections to survive a reboot will be to install themselves on disk, overriding Alt-F programs, so you might want to examine the /Alt-F/bin, /Alt-F/sbin, /Alt-F/usr/bin and /Alt-F/usr/sbin directories for unusual files. You can get a listing by executing 'ls -lR /Alt-F/' and saving its output.
Removing all Alt-F installed packages may be the wisest thing to do if you don't know what to do next.


Andrew Wright
Apr 6, 2016, 10:50:57 PM
to Alt-F
I forgot that port 21 was open to it, but that's it. Though I wasn't actively blocking it from the internet either. I think I can do that (Asus RT-N66U with Tomato on it).

I have full access to the box. This has been happening for a while, just for some reason I didn't think anything of it until my ISOs were missing. Which is weird, that's all that's missing... thankfully there is nothing critical on the drive. Just bulk music/TV storage.

I don't think lighttpd/PHP are/were running.

Which logs should I grab? And I should just ps > text file?

I have an old drive I think I can unformat to get most of my data back (partitions were only deleted, nothing further written to it). Best way to do this is delete everything Alt-F related? I have rebooted since I noticed the info.zip files and now I see photo.scr on the drive...

Thanks for the help!

Andrew Wright
Apr 7, 2016, 3:23:37 AM
to Alt-F
No, lighttpd/PHP are not on there.

I saved ps to a file, and copied /var/log to another location.

I have an RPi with an NFS connection to the D-Link NAS. I had this to the root of it. The RPi is externally facing. Though I see no signs of it being compromised. I have now moved the folders it needs to access to a sub folder and changed the NFS mount to that folder instead of root.

João Cardoso
Apr 8, 2016, 10:20:28 AM
to Alt-F
On Thursday, 7 April 2016 08:23:37 UTC+1, Andrew Wright wrote:
> No, lighttpd/PHP are not on there.

So, if an infection exists, it was not PHP driven.

> I saved ps to a file, and copied /var/log to another location.

The system log doesn't appear there. You have to use the command line or use System->Utilities->View Logs, then select the relevant log and download it to another computer (browse to the log end, you will see a Download button).

But that should be done early, as soon as a possible attack is detected; after a while, the system log starts overwriting old entries. And after a reboot all logs vanish.

> I have an RPi with an NFS connection to the D-Link NAS. I had this to the root of it. The RPi is externally facing. Though I see no signs of it being compromised. I have now moved the folders it needs to access to a sub folder and changed the NFS mount to that folder instead of root.

On Wednesday, April 6, 2016 at 8:50:57 PM UTC-6, Andrew Wright wrote:
> I forgot that port 21 was open to it, but that's it.

What only really matters regarding webUI CGI injection is whether port 80/8080 or 443/8443 (http and https) were/are forwarded in your router to the box.
Or if port 21 (telnet) is/was forwarded to the box and you have a weak (dictionary-based) password.

If that was not the case you might have to consider whether another computer in your home network has been infected.
If you have some box MS-Windows shares mounted on such a computer, the box shares would be affected by the computer infection.

> Though I wasn't actively blocking it from the internet either. I think I can do that (Asus RT-N66U with Tomato on it).

By *default* most routers' firewall settings forbid incoming network connections, so the only way in is if you port-forward some ports to the box (or other computer) or put the box (or other computer) on the DMZ (Demilitarized, not monitored, Zone).

> I have full access to the box. This has been happening for a while, just for some reason I didn't think anything of it until my ISOs were missing. Which is weird, that's all that's missing... thankfully there is nothing critical on the drive. Just bulk music/TV storage.

> I don't think lighttpd/PHP are/were running.

> Which logs should I grab? And I should just ps > text file?

System->Utilities->View Logs, Running Processes (and others).

> I have an old drive I think I can unformat to get most of my data back (partitions were only deleted, nothing further written to it). Best way to do this is delete everything Alt-F related? I have rebooted since I noticed the info.zip files and now I see photo.scr on the drive...

There are only a few automated linux-arm (the box CPU) attackers; it is thus very improbable that such generic attacks do succeed. And action must be immediate.

Have you rebooted the box? Do you have the 'ps' (Running Processes log) available before and after the reboot? Are you sure that no other computer is infected and the mounted NAS shares affected that way?
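An added triage helper for the advice in this thread (example code, not Alt-F's own): snapshot the volatile state before rebooting, compare the 'ps' output across the reboot by command name rather than PID, and list the dropped info.zip/photo.scr files with their timestamps. It assumes busybox's ps column layout and its logread syslog reader; the snapshots and share tree at the bottom are constructed sample data, not the poster's attachments.

```shell
# Triage helpers for a suspected compromise of an Alt-F (busybox) NAS.
# Added example, not Alt-F project code. Assumes busybox ps columns
# ("PID USER VSZ STAT COMMAND") and the /Alt-F tree named in the thread.
set -u
WORK=$(mktemp -d)

# Capture volatile state BEFORE rebooting: on this box the logs vanish on reboot.
snapshot_box() {
    mkdir -p "$1"
    ps > "$1/ps.txt"
    logread > "$1/syslog.txt" 2>/dev/null || cp /var/log/messages "$1/syslog.txt"
    ls -lR /Alt-F/ > "$1/alt-f-listing.txt" 2>/dev/null
}

# Command names only (PIDs change across reboots), one per line, sorted.
ps_commands() {
    awk 'NR > 1 { $1 = $2 = $3 = $4 = ""; sub(/^ +/, ""); print }' "$1" | sort -u
}

# Commands present in snapshot $2 but absent from snapshot $1. Called as
# (after, before) it lists what only lived in RAM and died with the reboot.
ps_new_commands() {
    ps_commands "$1" > "$WORK/a.txt"
    ps_commands "$2" > "$WORK/b.txt"
    comm -13 "$WORK/a.txt" "$WORK/b.txt"
}

# Dropped files by name with their mtime, so the timestamps can be matched
# against who had access to the shares at the time.
find_dropped_files() {
    find "$1" -type f \( -name info.zip -o -name photo.scr \) -exec ls -l {} \;
}
count_dropped_files() { find_dropped_files "$1" | wc -l | tr -d ' '; }

# Constructed sample data (not the poster's attachments) so this runs offline.
cat > "$WORK/ps-before.txt" <<'EOF'
  PID USER       VSZ STAT COMMAND
    1 root      2144 S    init
  512 root      3120 S    /usr/sbin/smbd -D
  640 root      1980 S    /tmp/.hidden/update -d
EOF
cat > "$WORK/ps-after.txt" <<'EOF'
  PID USER       VSZ STAT COMMAND
    1 root      2144 S    init
  530 root      3120 S    /usr/sbin/smbd -D
EOF
mkdir -p "$WORK/share/tv" && : > "$WORK/share/tv/info.zip" && : > "$WORK/share/photo.scr"

ps_new_commands "$WORK/ps-after.txt" "$WORK/ps-before.txt"   # prints /tmp/.hidden/update -d
count_dropped_files "$WORK/share"                             # prints 2
```

Run snapshot_box on the box itself before any reboot and again after it, then feed the two ps.txt files to ps_new_commands in both argument orders.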

Andrew Wright
Apr 8, 2016, 5:30:45 PM
to Alt-F
Oh, ok, well then the logs from before the reboot are gone then.

I have attached the ps results from before the reboot and after. Everything looks the same. But what is crypto?

I don't see any Alt-F directories on the drive. Only the ffp directory that I should probably delete.

I have checked all my Windows boxes. They are clean. But that said, I had a roommate a few months ago. I didn't even check the timestamps on those stupid info.zip and photo.scr files. I wonder if this all came from his computer.

Attachments: alt-f.log, ps-after.txt, ps.txt

João Cardoso
Apr 10, 2016, 11:09:15 AM
to Alt-F
On Friday, 8 April 2016 22:30:45 UTC+1, Andrew Wright wrote:
> Oh, ok, well then the logs from before the reboot are gone then.

Yes, that's why I answered your initial question as soon as I saw it, half an hour after you posted it.
On "real" computers, logs are persistent files, so you can make a live analysis after removing the PC from the network or a "post mortem" analysis after rebooting it. For the same reason, on "real" computers infections usually don't disappear after a reboot, but that is harder to do for automated attacks on embedded devices.

> I have attached the ps results from before the reboot and after. Everything looks the same.

Yes, nothing suspicious at first. Although an infected program might take the place (and name) of a legitimate program.

> But what is crypto?

A legitimate Linux cryptographic kernel module, shipped with Alt-F; it is needed for things like secure mail, secure http, etc.

> I don't see any Alt-F directories on the drive.

Then you have not used Packages->Alt-F, Install.

> Only the ffp directory that I should probably delete.

Use Packages->ffp, Uninstall.

> I have checked all my Windows boxes. They are clean. But that said, I had a roommate a few months ago. I didn't even check the timestamps on those stupid info.zip and photo.scr files. I wonder if this all came from his computer.

That's the most likely reason.
You probably should create users, restricting them to their own folders, and secure your own files.