kcejo
Mar 15, 2019 (Tutor)
OD_stub.exe Trojan Detected but Unable to Delete
I have a ReadyNAS 212 device with 2 6TB disks, for a total of 12TB of data. I just upgraded firmware to 6.9.5. I have a Windows 7 machine.
I was just looking at the Logs and noticed 1 Trojan...
kcejo
Mar 15, 2019 (Tutor)
I installed the Plex Media Server (for RN2xx) and VPN Server, but could easily delete those. The VPN Server isn't even enabled, and has never worked, anyway, so I think I'll just delete that.
I don't have Linux on my machine, can you give me more details on how to delete these files? Sorry, but I'm really new to the server area.
Thanks for the reply.
kcejo
Mar 15, 2019 (Tutor)
I just checked SSH and it is enabled, so if you could tell me how to delete the file, that would be great. Thanks.
- OOM-9, Mar 15, 2019 (NETGEAR Expert)
Based on your logs, the file's name/path is `/root/.42/MITMf/libs/bdfactory/onionduke/OD_stub.exe`.
The directory paths show that it could be related to a `backdoor-factory` and `man-in-the-middle-framework`. If these files are not something that you installed, you should be advised to remove the `/root/.42/MITMf` directory (or maybe the whole `/root/.42`, depending on what other content is in there), since these are not files that are part of the OS.
- kcejo, Mar 15, 2019 (Tutor)
OOM-9, could you possibly send me something that tells me exactly how to delete these files or directories, since I am unable to see them at all. I tried typing /root/... into my header field and am getting nowhere with trying to blindly bring up the file or folders.
Like I said before, I am really new to servers and can't seem to get the "root" directory to show up when I log into the ReadyNAS server. Believe me, if I could see it, I would delete it. Thanks for any help you can provide.
- OOM-9, Mar 15, 2019 (NETGEAR Expert)
A few things for a new user to the CLI.
`~` typically shows you are in your home folder. Since you are logged in as root, you are probably at `~`, which defaults to `/root/`.
To list the directories (to help be safe/see what is happening), you can use the `ls` cmd. Since this directory is hidden with the `.` at the beginning of the folder (or file), you will need to have a flag `-a`, and if you want to see the list `-l`.
In one line to see what you have in the `.42` would look like this: `ls -la /root/.42`.
The contents from what you have listed in that folder do not sound good, so I would suggest deleting everything in there if you are sure that you do not need to keep the contents: `rm -r /root/.42/` (`rm` is remove, and `-r` is recursive for everything in the directory.)
If you have questions about some of the commands and their options, you can check their `man` pages. We do not provide those in the unit, so if you search for `man ls`, you typically land on the public facing `man` pages. (`man` is short for manual, and is available on most Linux based systems.)
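An added example, not from this thread and not part of ReadyNAS firmware, that wraps the inspect-then-remove steps from the post above in shell functions: list the hidden entries that plain `ls` hides, list every file a `rm -r` would delete, and keep a compressed copy of the directory before removing it so the contents can still be examined later. All paths are parameters, and the demo tree (mirroring the logged path, with a placeholder file instead of the real binary) is constructed under a temporary directory, so nothing here touches the real `/root` unless you pass it.

```shell
#!/bin/sh
# Added example (assumed helper names, not ReadyNAS tooling). Demonstrates the
# inspect-then-remove workflow on a caller-supplied directory and keeps a
# compressed copy of what was removed for later review.

# Print hidden entries (names starting with '.') directly under $1:
# the entries `ls -la` reveals and plain `ls` hides.
list_hidden() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' | sed 's#.*/##' | sort
}

# Print every regular file below $1, so you can see exactly what
# `rm -r` would delete before running it.
list_files() {
    find "$1" -type f | sort
}

# Archive directory $1 into quarantine directory $2 as a .tar.gz,
# then remove the original with `rm -r`. Prints the archive path.
quarantine_dir() {
    target="$1"
    qdir="$2"
    mkdir -p "$qdir"
    parent=$(dirname "$target")
    name=$(basename "$target")
    archive="$qdir/$name.$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$archive" -C "$parent" "$name"
    rm -r "$target"
    printf '%s\n' "$archive"
}

# Build a constructed directory tree under a temporary root that mirrors the
# path reported in the thread's ClamAV log, plus two ordinary hidden entries
# for contrast. The "binary" is a text placeholder, not real malware.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/.42/MITMf/libs/bdfactory/onionduke"
    printf 'placeholder, not a real binary\n' \
        > "$root/.42/MITMf/libs/bdfactory/onionduke/OD_stub.exe"
    mkdir -p "$root/.ssh"      # legitimate hidden directory, keep
    touch "$root/.bashrc"      # legitimate hidden file, keep
    printf '%s\n' "$root"
}

# Usage (stand-alone demo):
#   DEMO=$(make_demo_tree)
#   list_hidden "$DEMO"                 # .42  .bashrc  .ssh
#   list_files "$DEMO/.42"              # what rm -r would remove
#   quarantine_dir "$DEMO/.42" "$DEMO/quarantine"
```

The point of `list_files` before `quarantine_dir` is that `rm -r` on a hidden directory gives no second chance; listing first, and archiving rather than deleting outright, costs a few seconds and leaves evidence of what was actually on the box for whoever reviews the incident.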
- StephenB, Mar 16, 2019 (Guru - Experienced User)
Is the NAS admin password still set to the default password? If so, try changing it to something else.
Circling back to this:
OOM-9 wrote: The directory paths show that it could be related to a `backdoor-factory` and `man-in-the-middle-framework`.
In other words, your NAS might have been hacked. That could also explain why you are struggling to get into the NAS (though it could of course just be something else).
Whatever the cause of the ssh issues - if there's a good chance your ReadyNAS was hacked, then I suggest backing up all your data files, doing a factory reset (which reformats the disks), reconfiguring/rebuilding the NAS, and restoring your data from the backup. There could be more issues than the couple of ClamAV alerts.
Have you forwarded any ports to the NAS in your router?
- kcejo, Mar 16, 2019 (Tutor)
OMG, I just tried "admin" as my Login ID and the default password and I was able to connect through Putty. I can't believe that the password is still set to default. I had tried to set up the ability to recover the administrator password over 2 years ago and nobody at Support could get it work, so I finally just gave up. This thing has been nothing but problems for me. It even installed an app on its own called BOGO, which I could never see to delete and, again, nobody at Support had a clue what to do.
I'm going to try some of the commands that were recommended earlier and I'll report back with results soon. If nothing else, then I was already looking at just pulling the data off, reformatting and starting over, as suggested. Thanks for suggesting the defaults.