Strange user and error while deleting the file "there was a problem with the network"

Options
Recently noticed that when deleting any file from any directory I get an error (no number) There was a problem with the network. Used android application solid explorer. At first I dropped everything on the application itself, but then I checked it on another ftp and everything is fine there. The error is reproduced both from the local network (inside) as well as from the cloud.

Then i went over ssh and looked at users and found "zK9UKHeN6BOT-9hAvh*****" (the last five characters are replaced by * for security reasons) what kind of user is this? has anyone encountered such problems?
«1

All Replies

  • Derweis
    Options

    I also consulted with a friend, he said to look at the logs in the var / log directory, but there is nothing there, except for two files
  • Mijzelf
    Mijzelf Posts: 2,645  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Did you use solid explorer as ftp client? If yes, does samba show the same problems?
    Then i went over ssh and looked at users and found "zK9UKHeN6BOT-9hAvh*****"
    Where did you find that user?
    look at the logs in the var / log directory, but there is nothing there, except for two files
    That is normal. The NAS isn't a full featured Linux box. The log directory is in ram, so ZyXEL tuned the system to log as little is possible (and that logdir isn't accessible for 'ordinary users' anyway)
  • Derweis
    Options
    Mijzelf said:
    Did you use solid explorer as ftp client? If yes, does samba show the same problems?
    Then i went over ssh and looked at users and found "zK9UKHeN6BOT-9hAvh*****"
    Where did you find that user?
    look at the logs in the var / log directory, but there is nothing there, except for two files
    That is normal. The NAS isn't a full featured Linux box. The log directory is in ram, so ZyXEL tuned the system to log as little is possible (and that logdir isn't accessible for 'ordinary users' anyway)
    yes, as a customer, samba is fine. There is such a user in the / home / folder.

    also looked at the list of users through the cat / etc / passwd command
  • Mijzelf
    Mijzelf Posts: 2,645  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    It's a bit hard to read your response. Do you mean the user has an own homedirectory, and can also be found in /etc/passwd, or is it not in /etc/passwd?
    I checked my NAS520, and it doesn't have such a user. It /might/ be an internal user of some package, and I think about dropbox or googledrive, or something like that. Can you see any process running in that users context when running 'top'? If it is in /etc/passwd, can you share the line and position (is it the last one?)
    Does the directory in /home survive a reboot? (/home is in a ramdrive, so it has to be repopulated on reboot)

    If samba doesn't have this problem, then I would have a look at the file permissions.
    ls -l /i-data/sysvol/<sharename>

    AFAIK samba runs as root, but pure-tftpd spawns a subprocess in the logged in users context, so that could cause the difference, if the permissions aren't right.
  • Derweis
    Options
    ВMijzelf said:
    It's a bit hard to read your response. Do you mean the user has an own homedirectory, and can also be found in /etc/passwd, or is it not in /etc/passwd?
    I checked my NAS520, and it doesn't have such a user. It /might/ be an internal user of some package, and I think about dropbox or googledrive, or something like that. Can you see any process running in that users context when running 'top'? If it is in /etc/passwd, can you share the line and position (is it the last one?)
    Does the directory in /home survive a reboot? (/home is in a ramdrive, so it has to be repopulated on reboot)

    If samba doesn't have this problem, then I would have a look at the file permissions.
    ls -l /i-data/sysvol/<sharename>

    AFAIK samba runs as root, but pure-tftpd spawns a subprocess in the logged in users context, so that could cause the difference, if the permissions aren't right.

     This user (zK9UKHeN6BOT-9hAvh *****) is in / etc / passwd. I looked at the process manager (command "top") and there is nothing with this user, there is only root, admin, mysql, nobody. User (zK9UKHeN6BOT-9hAvh *****) occupies the last line in the etc / passwd list. sorry for my English, I don't know it at all (((
  • Mijzelf
    Mijzelf Posts: 2,645  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Can you post that line? Assuming it's a rogue user, I have a hard time to think why this user is added to passwd. To change passwd you need to be root. If some malware runs as root, why would it add a user? The only reason I can think of is that it adds a second root user (in which case the user and group id both are 0), with an own password (in which case the password field is either 'x' (the password is in /etc/shadow) or some hash), or an own homedirectory containing an ssh certificate in .ssh/.
    This way an injected 'adduser' in some init script could open the box for root shell access from outside.
    If this user doesn't have a login password, nor a homedirectory containing .ssh/ with a certificate, and there is no process running within it's context, I don't get the purpose.
  • Derweis
    Options
    Mijzelf said:
    Can you post that line? Assuming it's a rogue user, I have a hard time to think why this user is added to passwd. To change passwd you need to be root. If some malware runs as root, why would it add a user? The only reason I can think of is that it adds a second root user (in which case the user and group id both are 0), with an own password (in which case the password field is either 'x' (the password is in /etc/shadow) or some hash), or an own homedirectory containing an ssh certificate in .ssh/.
    This way an injected 'adduser' in some init script could open the box for root shell access from outside.
    If this user doesn't have a login password, nor a homedirectory containing .ssh/ with a certificate, and there is no process running within it's context, I don't get the purpose.
    zK9UKHeN6BOT-9hAvh*****:x:5001:500:type&portal_dev_owner:/home/zK9UKHeN6BOT-9hAvh*****:/bin/sh

    here is the complete line, and in etc/shadow, only root has a character set. All other users have a similar data set. The problematic user has this - zK9UKHeN6BOT-9hAvh*****:!:19004:0:99999:7:::
    (for example, here is a user created by me personally - home:!:19004:0:99999:7:::
    ). He has nothing in his home directory /home/



  • Derweis
    Options

  • Derweis
    Derweis Posts: 8
    Zyxel Certified Network Administrator - WLAN Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Security
    edited January 2022
    Options
    I found pairs of files in etc that differ by "-" (group and passwd and shadow) Should this be?
  • Mijzelf
    Mijzelf Posts: 2,645  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    That user doesn't have shell access. No password, and no certificate.

    You can try to find the package causing this:

    cd /i-data/sysvol/.PKG/
    grep -r "zK9UKHeN6" *

    I found pairs of files in etc that differ by "-" (group and passwd and shadow) Should this be?
    Yes, that is normal. It is the backup of the previous version created by adduser & friends.


Consumer Product Help Center