Karunaji
Aspirant
Dec 19, 2020

Lots of virus detection after 6.10.4 update

Hi,

I upgraded yesterday evening to 6.10.4 and I immediately got the following alerts after the reboot:

Antivirus scanner found a threat ( Unix.Trojan.Xorddos-7650646-0) in the file /bin/bkitbvdn. Please delete the infected file soon.

Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /usr/bin/sjkylbzdsf. Please delete the infected file soon.

Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /usr/bin/zzqdjmrmsn. Please delete the infected file soon.

Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /usr/bin/bcvwdjnsin. Please delete the infected file soon.

Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /lib/libudev.so. Please delete the infected file soon.

Antivirus scanner found a threat ( Unix.Trojan.Xorddos-7650646-0) in the file /bin/bdguhkqrekq. Please delete the infected file soon.

Antivirus scanner found a threat ( Unix.Trojan.Xorddos-7650646-0) in the file /bin/qkerqkhugdb. Please delete the infected file soon.

Yesterday evening I got 5 alerts, today it's 7. (The NAS powers down during the night.)

Should I be worried? I've already seen similar topics about firmware updates that trigger such events.

My biggest problem is how to access that file structure. Probably using SSH?

Thanks for the feedback.
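As an added triage helper for readers of this thread (not code from the poster or from NETGEAR): the script below parses alert lines in exactly the format quoted above, deduplicates repeats across scans, counts unique hits per signature, and separates random-looking binary names in system bin directories from legitimate-looking paths such as /lib/libudev.so that need to be compared against a clean firmware image rather than judged by name. The random-name heuristic and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: alert lines in the format this NAS emitted (paths copied
# from the post above; the last line repeats one path to show deduplication).
ALERTS = """\
Antivirus scanner found a threat ( Unix.Trojan.Xorddos-7650646-0) in the file /bin/bkitbvdn. Please delete the infected file soon.
Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /usr/bin/sjkylbzdsf. Please delete the infected file soon.
Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /usr/bin/zzqdjmrmsn. Please delete the infected file soon.
Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /lib/libudev.so. Please delete the infected file soon.
Antivirus scanner found a threat ( Unix.Trojan.Xorddos-7650646-0) in the file /bin/bdguhkqrekq. Please delete the infected file soon.
Antivirus scanner found a threat ( Unix.Trojan.Xorddos-7650646-0) in the file /bin/bkitbvdn. Please delete the infected file soon.
"""

# Matches the scanner's message; the path ends at the full stop before "Please".
ALERT_RE = re.compile(
    r"Antivirus scanner found a threat \(\s*(?P<sig>[^)]+?)\s*\) in the file "
    r"(?P<path>\S+?)\.(?:\s|$)"
)
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

def parse_alerts(text):
    """Return (signature, path) for every line that matches the alert format."""
    return [(m["sig"], m["path"]) for m in map(ALERT_RE.search, text.splitlines()) if m]

def looks_random(name):
    """Assumed heuristic for generated filenames: 8+ lowercase letters that are
    vowel-poor or contain a long consonant run (true for the names in this thread)."""
    if not (name.isalpha() and name.islower() and len(name) >= 8):
        return False
    vowels = sum(c in "aeiou" for c in name)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", name)), default=0)
    return vowels / len(name) < 0.3 or longest_run >= 4

def triage(text):
    """Deduplicate alerts, count unique paths per signature, and split random-named
    files in system bin dirs from legitimate-looking paths that need manual review."""
    by_path = {path: sig for sig, path in parse_alerts(text)}
    random_named, needs_review = [], []
    for path in sorted(by_path):
        directory, _, base = path.rpartition("/")
        if directory + "/" in SYSTEM_BIN_DIRS and looks_random(base):
            random_named.append(path)
        else:
            needs_review.append(path)
    return {"unique": len(by_path), "by_signature": dict(Counter(by_path.values())),
            "random_named": random_named, "needs_review": needs_review}

if __name__ == "__main__":
    print(triage(ALERTS))
```

A file that lands in needs_review is not cleared by this script; it only means the name alone does not tell you anything, so its hash must be checked against the same file from a known-clean firmware image.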


2 Replies


  • Karunaji wrote:

    Should I be worried?


    Yes.  None of those files should be on your NAS.  So it has been hacked somewhere along the line.  That likely didn't happen when you updated it - it's more likely that the problem was there before.  The new alerts could be due to an AV definitions update, or possibly a settings change in the AV (maybe it wasn't scanning these folders before).

    I'd first change the network configuration to prevent the NAS from reaching the internet.  One way to do that is to temporarily enter a static IP address (which can match the address the NAS is using now), but to set the wrong gateway address in the NAS network configuration.

    You could then try to fix it with ssh, but I'd consider copying off the files in the shares, doing a factory default, reconfiguring the NAS, and then restoring the files from your backup.  Otherwise it is very likely you will miss something, and the virus/malware could come back.  Make sure you do a virus/malware scan of the backup (and that the PC that you use for this has real-time protection).

    Are you forwarding ports to the NAS?  Or putting it in the DMZ of your router?  If you are, then stop doing that altogether for now, and then try to sort out exactly how this happened.

    • Karunaji
      Aspirant

      Thanks for the feedback, I was afraid of that.

      Port forwarding & DMZ is now off & I'll do the steps you advise as well.