jkahn
Jan 13, 2020 Aspirant
ReadyNas422 high latency
Hi - So, after major connectivity issues starting a week ago that were never present before and Cox Business repairing the line (packet loss and high latency) to remove extremely high latency, fix d...
StephenB
Jan 14, 2020 Guru - Experienced User
jkahn wrote:
The system we have is setup for Readynas 422 to be plugged direct onsite into router. The Readynas 422 then backups to an off-site Readynas 102 (Firmware 6.10.2).
ReadyNas 422 (Firmware 6.10.2)
How are you doing this backup? Rsync over SSH?
If you disable the backup(s) does the problem disappear?
jkahn
Jan 15, 2020 Aspirant
Ok - so we were finally able to get into the Readynas and found the following in the logs:
System: Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /usr/bin/wmvmaqyhva. Please delete the infected file soon.
System: Antivirus scanner found a threat (Unix.Trojan.DDoS_XOR-1) in the file /lib/libudev.so. Please delete the infected file soon.
Antivirus never notified us. You would assume that an email would be auto generated... Also, the antivirus is green in system overview.
Now, we cannot determine how to delete these files. Can someone please share the commands needed to delete these files?
Also, where do we need to type the commands?
Thank you!
StephenB
Jan 16, 2020 Guru - Experienced User
jkahn wrote:
Ok - so we were finally able to get into the Readynas and found the following in the logs:
System: Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /usr/bin/wmvmaqyhva. Please delete the infected file soon.
That's a rather strange folder name, and it doesn't exist on my RN526. /lib/libudev.so isn't there either. ClamAV sometimes does yield false positives - you could pursue that possibility on https://www.clamav.net But that strange folder name makes me think it's a real infection (and libudev.so is part of the signature).
What apps do you have installed on the NAS?
Did you forward ports to the ReadyNAS? If so, which ones?
Did you put the ReadyNAS in the DMZ of the router?
jkahn wrote:
Now, we cannot determine how to delete these files. Can someone please share the commands needed to delete these files?
The files are on the OS partition - you'd need to enable ssh, and use the linux command line to access the folders. Deleting the files isn't enough to clean the system. If you google "Unix.Trojan.DDoS_XOR-1" you'll find some guidance - but you will need to tailor it somewhat, since the trojan does use a random process name that you need to identify. Also, if the system was hacked from outside, there might be other issues that don't trigger ClamAV.
I'm not sure if Netgear paid support will clean the system. JohnCM_S or Marc_V?
You could also do a factory reset, set up the NAS again, and restore the data from the backup.
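As an added example (not code from the thread, from NETGEAR, or from ClamAV), a small Python triage helper that parses the ReadyNAS antivirus log lines quoted above and, when run on the NAS over SSH, maps each flagged file to the running processes whose executable resolves to it, which is how you find the random process name StephenB mentions without guessing at it. The `/proc` layout is the standard Linux one; the `proc_root` parameter is an assumption added only so the function can be exercised against a constructed tree.

```python
"""Triage helper for ReadyNAS antivirus alerts (constructed example, not NETGEAR code)."""
import os
import re
from pathlib import Path

# Matches the log format quoted in the thread, e.g.
# "System: Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /usr/bin/wmvmaqyhva. Please ..."
ALERT_RE = re.compile(
    r"Antivirus scanner found a threat \(\s*(?P<sig>[^)]+?)\s*\) in the file "
    r"(?P<path>\S+?)\.?(?=\s|$)"
)


def parse_alerts(log_lines):
    """Return (signature, path) tuples for every antivirus alert line."""
    found = []
    for line in log_lines:
        m = ALERT_RE.search(line)
        if m:
            found.append((m.group("sig"), m.group("path")))
    return found


def processes_running(paths, proc_root="/proc"):
    """Map each flagged path to the PIDs whose /proc/<pid>/exe resolves to it.

    The trojan discussed in the thread runs under a random name, so matching on
    the executable path rather than the process name is the reliable check.
    """
    wanted = {os.path.normpath(p) for p in paths}
    hits = {}
    root = Path(proc_root)
    if not root.is_dir():
        return hits
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue  # skip /proc/self, /proc/sys, etc.
        try:
            exe = os.readlink(entry / "exe")
        except OSError:
            continue  # kernel thread, permission denied, or process already exited
        exe = os.path.normpath(exe.replace(" (deleted)", ""))  # unlinked binaries still show here
        if exe in wanted:
            hits.setdefault(exe, []).append(int(entry.name))
    return hits


def triage_report(log_lines, proc_root="/proc"):
    """Combine alert parsing, on-disk presence and live-process lookup into one report."""
    alerts = parse_alerts(log_lines)
    running = processes_running([p for _, p in alerts], proc_root)
    return {path: {"signature": sig, "present": os.path.lexists(path),
                   "pids": sorted(running.get(path, []))} for sig, path in alerts}
```

Run it with `python3 triage.py < /var/log/...` style input on the NAS itself; a non-empty `pids` list tells you which PID to stop before removing the file, and a file that is absent on disk but still has PIDs is the "(deleted)" case the check handles.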