How to check linux integrity

bezbota
bezbota Posts: 7  Freshman Member
edited October 2019 in Personal Cloud Storage
My NAS326 was hacked. I did a factory settings and then one more again. Is it enough? Is possible that something left in linux file system? How can I know that nothing harmful is still running as a process? 

I used factory settings and I haven't downloaded any extra applications. I have just changed user settings a bit and changed folder sharing (I mean sharing via SMB protocol vith local computers only).

#NAS_Oct_2019

Accepted Solution

  • Mijzelf
    Mijzelf Posts: 2,788  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary
    Answer ✓
    Hm. That's not clear to me.

    To get back to your original question, if a sufficiently skilled person hacked your NAS, then in theory there is no way to remove the infection, as you depend on the firmware to update/overwrite it, and the firmware cannot be trusted.

    In practice it's not that hard. Most hackers are script kiddies, which are searching for some general vulnerabilities, and maybe find a 326, which gets some easy script to do some work for the hacker. But it's not deeply embedded in the firmware. So in most cases a factory reset is enough to remove the scripts.

    My actions would be:
    Remove all packages, if any.
    Enable the ssh server, login over ssh, and execute
    <div>cd /i-data/sysvol/.system/zy-pkgs/</div><div><br></div><div>pwd<br></div><div></div>
    The output of pwd should read '/i-data/sysvol/.system/zy-pkgs'. If so, execute
    <div>rm -rf *<br></div><div></div>
    Remove the disk(s)
    Perform a factory reset.
    Downgrade the firmware and upgrade again.
    Start the ssh server on the NAS.
    Login over ssh and execute 'ps', to see a list of running processes. Store that list somewhere.
    Put back the disks, and run ps again. Compare it to the old list. Find out what the unique processes in the second list are. If they are a normal part of the firmware, you're done.

    Rationale:
    The easiest way for a script to get started on boot is to hide in an installable package, so these have to be removed all.
    The directory /i-data/sysvol/.system/zy-pkgs/ contains a package cache, plus possibly a list of scripts which have to be started on boot, so that directory has to be cleared up.
    By down- and upgrading without harddisk inserted, there is nowhere the hostile script can hide. So I assume the box to be clear after that. By comparing the list of running processes without a with disks, the hostile script should show up, if it somehow survived on the disk.




All Replies

  • Mijzelf
    Mijzelf Posts: 2,788  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary
    Why do you think your nas was hacked?
  • bezbota
    bezbota Posts: 7  Freshman Member
    edited October 2019
    It seems that all firmware directories are deleted first and then new firmware is uploaded there from backup location. Integrity check of backup location is done before starting reset to factory settings. So any malicious changes should disapper.
  • Mijzelf
    Mijzelf Posts: 2,788  Guru Member
    250 Answers 2500 Comments Friend Collector Seventh Anniversary
    Answer ✓
    Hm. That's not clear to me.

    To get back to your original question, if a sufficiently skilled person hacked your NAS, then in theory there is no way to remove the infection, as you depend on the firmware to update/overwrite it, and the firmware cannot be trusted.

    In practice it's not that hard. Most hackers are script kiddies, which are searching for some general vulnerabilities, and maybe find a 326, which gets some easy script to do some work for the hacker. But it's not deeply embedded in the firmware. So in most cases a factory reset is enough to remove the scripts.

    My actions would be:
    Remove all packages, if any.
    Enable the ssh server, login over ssh, and execute
    <div>cd /i-data/sysvol/.system/zy-pkgs/</div><div><br></div><div>pwd<br></div><div></div>
    The output of pwd should read '/i-data/sysvol/.system/zy-pkgs'. If so, execute
    <div>rm -rf *<br></div><div></div>
    Remove the disk(s)
    Perform a factory reset.
    Downgrade the firmware and upgrade again.
    Start the ssh server on the NAS.
    Login over ssh and execute 'ps', to see a list of running processes. Store that list somewhere.
    Put back the disks, and run ps again. Compare it to the old list. Find out what the unique processes in the second list are. If they are a normal part of the firmware, you're done.

    Rationale:
    The easiest way for a script to get started on boot is to hide in an installable package, so these have to be removed all.
    The directory /i-data/sysvol/.system/zy-pkgs/ contains a package cache, plus possibly a list of scripts which have to be started on boot, so that directory has to be cleared up.
    By down- and upgrading without harddisk inserted, there is nowhere the hostile script can hide. So I assume the box to be clear after that. By comparing the list of running processes without a with disks, the hostile script should show up, if it somehow survived on the disk.




Consumer Product Help Center