
OD_stub.exe Trojan Detected but Unable to Delete

kcejo
Tutor

OD_stub.exe Trojan Detected but Unable to Delete

I have a ReadyNAS 212 device with two 6TB disks, for a total of 12TB of data.  I just upgraded firmware to 6.9.5.  I have a Windows 7 machine. 

 

I was just looking at the Logs and noticed 1 Trojan and 2 other infected files, but don't see how to delete the files.  Here is what the Log says:

Mar 15, 2019 11:34:42 AM
 
System: Antivirus scanner found a threat ( Win.Trojan.Agent-1124515) in the file /root/.42/MITMf/libs/bdfactory/onionduke/OD_stub.exe. Please delete the infected file soon.
Mar 15, 2019 11:15:59 AM
 
System: Antivirus scanner found a threat ( Win.Exploit.CVE_2015_0005-1) in the file /usr/local/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/clients/smbrelayclient.py. Please delete the infected file soon.
Mar 15, 2019 11:12:16 AM
 
System: Antivirus scanner found a threat ( Win.Exploit.CVE_2015_0005-1) in the file /usr/local/bin/smbrelayx.py. Please delete the infected file soon.

I cannot find how to get to the Root file to delete the Trojan, nor can I find my way to the other infected files.  Any help would be much appreciated.

Ericka

Model: RN21200|ReadyNAS 212 Series 2- Bay (Diskless)
Message 1 of 26
StephenB
Guru

Re: OD_stub.exe Trojan Detected but Unable to Delete

These are on the OS partition, so you would need to enable ssh, and delete them from the linux CLI.

 

These aren't part of the normal NAS install, so you probably have installed some apps.  Which ones?

 

Message 2 of 26
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

I installed the Plex Media Server (for RN2xx) and VPN Server, but could easily delete those.  The VPN Server isn't even enabled, and has never worked, anyway, so I think I'll just delete that. 

 

I don't have Linux on my machine, can you give me more details on how to delete these files?  Sorry, but I'm really new to the server area.

 

Thanks for the reply.

Message 3 of 26
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

 I just checked SSH and it is enabled, so if you could tell me how to delete the file, that would be great.  Thanks.

Message 4 of 26
OOM-9
NETGEAR Expert

Re: OD_stub.exe Trojan Detected but Unable to Delete

Based on your logs, the file's name/path is `/root/.42/MITMf/libs/bdfactory/onionduke/OD_stub.exe`.

The directory paths show that it could be related to a `backdoor-factory` and `man-in-the-middle-framework`. If these files are not something that you installed, you are advised to remove the `/root/.42/MITMf` directory (or maybe the whole `/root/.42`, depending on what other content is in there), since these are not files that are part of the OS.

Message 5 of 26
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

OOM-9, could you possibly send me something that tells me exactly how to delete these files or directories, since I am unable to see them at all.  I tried typing /root/... into my header field and am getting nowhere with trying to blindly bring up the file or folders.

 

Like I said before, I am really new to servers and can't seem to get the "root" directory to show up when I log into the ReadyNAS server.  Believe me, if I could see it, I would delete it.  Thanks for any help you can provide.

Message 6 of 26
OOM-9
NETGEAR Expert

Re: OD_stub.exe Trojan Detected but Unable to Delete

A few things for a new user to the CLI.

`~` typically indicates your home folder. Since you are logged in as root, you are probably at `~`, which defaults to `/root/`.

 

To list the directories (to be safe and see what is happening), you can use the `ls` cmd. Since this directory is hidden with the `.` at the beginning of the folder (or file), you will need the `-a` flag, and `-l` if you want to see the list.

In one line to see what you have in the `.42` would look like this: `ls -la /root/.42`.

 

The contents you have listed in that folder do not sound good, so I would suggest deleting everything in there if you are sure that you do not need to keep the contents: `rm -r /root/.42/` (`rm` is remove, and `-r` is recursive for everything in the directory.)

 

 

If you have questions about some of the commands and their options, you can check their `man` pages. We do not provide those in the unit, so if you search for `man ls`, you typically land on the public facing `man` pages. (`man` is short for manual, and is available on most linux based systems.)

Message 7 of 26
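To tie the log lines from the first post to the `ls -la` / `rm -r` advice above, here is an added example (not code from the thread, from NETGEAR, or from ReadyNAS OS). It pulls the flagged paths out of the antivirus log text, reports for each one whether it is on the OS partition or a data share, whether it sits inside a hidden dot-directory, whether the package manager knows the file, and what would be removed as one unit; deletion only happens when the operator passes a literal `yes`. Two assumptions are labelled in the comments: that ReadyNAS OS 6 keeps user shares under `/data`, and that `dpkg` is the package manager (the check is skipped where `dpkg` is absent).

```shell
#!/bin/sh
# Added example, not code from the thread or from NETGEAR.
# Triage the files flagged by the ReadyNAS antivirus log before deleting them:
# extract the paths, work out where they live and what would be removed, and
# only then let the operator run `rm -r` deliberately.

# The three log lines quoted in the original post (timestamps dropped).
LOG_LINES='System: Antivirus scanner found a threat ( Win.Trojan.Agent-1124515) in the file /root/.42/MITMf/libs/bdfactory/onionduke/OD_stub.exe. Please delete the infected file soon.
System: Antivirus scanner found a threat ( Win.Exploit.CVE_2015_0005-1) in the file /usr/local/lib/python2.7/dist-packages/impacket/examples/ntlmrelayx/clients/smbrelayclient.py. Please delete the infected file soon.
System: Antivirus scanner found a threat ( Win.Exploit.CVE_2015_0005-1) in the file /usr/local/bin/smbrelayx.py. Please delete the infected file soon.'

# flagged_paths: one flagged file path per line.  The path is the text between
# "in the file " and the trailing ". Please delete".
flagged_paths() {
    printf '%s\n' "$LOG_LINES" |
        sed -n 's/.*in the file \(.*\)\. Please delete.*/\1/p'
}

# on_os_partition PATH: succeeds unless PATH is under /data.  Assumption about
# the ReadyNAS OS 6 layout: user shares live under /data and are reachable from
# Windows; everything else is the OS partition, which is why SSH is needed.
on_os_partition() {
    case "$1" in
        /data/*) return 1 ;;
        *)       return 0 ;;
    esac
}

# removal_candidate PATH: what to remove as one unit.  Walk the path and stop
# at the first dot-directory (hidden from plain `ls`, shown by `ls -la`); if
# there is none, the candidate is the flagged file itself.
removal_candidate() {
    rest=${1#/}
    acc=''
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        acc="$acc/$comp"
        case "$comp" in
            .?*) printf '%s\n' "$acc"; return 0 ;;
        esac
        case "$rest" in
            */*) rest=${rest#*/} ;;
            *)   rest='' ;;
        esac
    done
    printf '%s\n' "$1"
}

# package_owner PATH: "packaged" if dpkg knows the file, "unpackaged" if not,
# "unknown" where dpkg is absent (assumption: Debian-style package manager).
# A flagged file owned by no package is the suspicious case.
package_owner() {
    if ! command -v dpkg >/dev/null 2>&1; then echo unknown; return; fi
    if dpkg -S "$1" >/dev/null 2>&1; then echo packaged; else echo unpackaged; fi
}

# inventory ROOT: one tab-separated report line per flagged path, followed by
# the `ls -la` listing of its removal candidate.  ROOT is "" on the NAS itself;
# the tests point it at a scratch directory so nothing real is touched.
inventory() {
    root=$1
    flagged_paths | while IFS= read -r f; do
        if on_os_partition "$f"; then where=os-partition; else where=data-volume; fi
        if [ -e "$root$f" ]; then state=present; else state=missing; fi
        owner=$(package_owner "$root$f")
        c=$(removal_candidate "$f")
        printf '%s\t%s\t%s\t%s\tcandidate=%s\n' "$f" "$where" "$state" "$owner" "$c"
        ls -la "$root$c" 2>/dev/null || true
    done
}

# remove_candidates ROOT CONFIRM: delete each removal candidate under ROOT only
# when CONFIRM is literally "yes"; otherwise just say what would be removed.
remove_candidates() {
    root=$1; confirm=$2
    flagged_paths | while IFS= read -r f; do
        c=$(removal_candidate "$f")
        if [ "$confirm" = yes ]; then
            rm -r -- "$root$c" || printf 'not removed: %s\n' "$root$c" >&2
        else
            printf 'would remove %s\n' "$root$c"
        fi
    done
}

inventory ""
```

Run it as root over SSH to see the report for the live system; `remove_candidates "" yes` is the only call that deletes anything, and for the OD_stub.exe path it removes `/root/.42` as a whole, matching the advice above, while the two `/usr/local` paths are removed individually.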
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

Okay, so it's obvious that you guys are lightyears ahead of me on this, but I've tried going to the DOS command line from my computer and typing in the command you gave me to list the contents of the .42 folder and that doesn't work.  When I go to the ReadyNAS admin page from Google Chrome, the header line has "IP address/admin/" in the header (I didn't type in the actual IP address).  There is no `~` symbol anywhere that I can see.  What am I doing wrong???  I'm really sorry that I'm not getting it here.

Message 8 of 26
OOM-9
NETGEAR Expert

Re: OD_stub.exe Trojan Detected but Unable to Delete

It looks like I missed the step of being able to SSH into the ReadyNAS to run those commands.

There are PuTTY or the Windows SSH options as an SSH client to log into the ReadyNAS over SSH.

 

(I think once you get connected over SSH, some of my steps might make more sense.)

Message 9 of 26
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

Does the Putty program run on Windows 7?  I'm having trouble getting it to work.  I think I've finally logged in with it, but I can't type a damn thing in what looks like the Command Window.  Looks like the Windows program link that you gave me is for Windows 10 machines, so I haven't tried downloading it.  I'm about ready to just give up on this whole mess and just toss the thing off my deck.

Message 10 of 26
Hopchen
Prodigy

Re: OD_stub.exe Trojan Detected but Unable to Delete

Hey @kcejo 

 

It can always be a bit frustrating when diving into something new. When you get the hang of it, it will be a breeze. Stick with it 🙂

 

Firstly, make sure that SSH is enabled on the NAS and that password authentication is enabled as well. Login to the ReadyNAS admin web page and head to "System" --> "Settings". Here you click on the SSH icon under the "Services" section. A pop-up will appear. Please ensure that you tick both check-boxes here and hit "Apply".

 

Next, you need to know the IP address of the NAS. It sounds like you already know it, but just in case... You can find this in multiple ways. One way would be to open the RAIDar application if you have that installed. It should show the IP address. Alternatively, you can again go to the ReadyNAS admin web page and navigate to the "Network" section. Here you can see the "IP Address" on the network card that is green. Note: It is not the IPv6 address you are after, just the one called "IP Address". Take note of this address.

 

Now, for actually logging into the terminal of the NAS. There is a great step-by-step guide here on how to use Putty:

https://mediatemple.net/community/products/dv/204404604/using-ssh-in-putty-

That guide also contains a link to the direct download for Putty (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). When you get to the download section for Putty, I suggest that you take the 32-bit version of "putty.exe" (Windows 7 is 32-bit). Look for the section "Alternative binary files" and you will find it there.

 

Once Putty is downloaded, simply locate it in your "Downloads" folder on the PC. Hereafter double-click on it to launch it and follow the guide above.

 

Note: when you get to step 9 in the guide it is time to login to the NAS terminal. User name will be root and password will be whatever password you also use when accessing the ReadyNAS admin web page.

 

You should now be logged in and ready to go. Follow the steps given by @OOM-9 

Bear in mind that the commands given to you had little quotation marks around them ' '. Such as: `ls -la /root/.42`

When you run the commands, you need to run without those quotes. As in, just: ls -la /root/.42

And so on.

 

I hope that makes sense.

 

Cheers

 

 

Message 11 of 26
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

Hey, @Hopchen 

Well, I've gotten a little further along now, but am still being stumped by this thing.  In the link you provided, it mentions something about logging into PLESK, which I don't have, and I don't know if that's part of my problem or not.  Anyway, I am finally able to launch Putty, but it does not seem to like my Login as: user id or maybe my password.  I have tried user IDs of "admin" , "root", and the actual name that I have named the ReadyNAS, no luck.  I have also tried typing "ssh user id" without the quotes, of course, using all of those IDs again, and still no joy.  I am using the same password as I use when I log into the ReadyNAS admin page using Google Chrome, so unless there is a different SSH password or user id, I'm stuck again. 

 

FYI, when I'm logged into the ReadyNAS admin page, my header is "IP address/admin/"

 

I have enabled SSH under the Services section and ticked both boxes.  I have also enabled FTP under the Services section.  And, under the Accounts section, I have checked the Settings on the user "admin" and under SSH I have ticked the "Allow Shell Access" box.  Do I need to change something with the Title, Comment or Fingerprint info or Import a Public Key?

 

Still scratching my head....

Message 12 of 26
Hopchen
Prodigy

Re: OD_stub.exe Trojan Detected but Unable to Delete

Hi again

 

Thanks for sticking with it. You confused me for a second with referring to "plesk" 🙂 Then I went back to the article and realised that they linked to some sub-article under the "Requirements" section. You can totally ignore that sub-article. It is not relevant for your needs. It would have been awfully confusing if you are new to this - my bad! I should have examined the article more carefully as that would surely have sent you down a rabbit hole.

 

Anyhow, now that you can actually open Putty, all you have to do is follow the steps (1-10) in the main article (under section "Instructions"). It seems that you did that and you get to the login prompt?

 

You should only use the user name: root

Password is again the same as the password used for the ReadyNAS admin web page.

 

Try it a few times and make 110% sure you are using the correct password here. Note, as the article states as well, you will not see your cursor moving, or any characters typed (such as ******), when typing your password. This is a standard PuTTY security feature. Once you have finished typing your password, hit Enter.

 

Let us know how it goes.

 

 

Message 13 of 26
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

Hi, Hopchen

 

Well, since nothing was working to get me signed in, I uninstalled Putty and re-installed it just in case.  I'm still unable to access my ReadyNAS through it.  I'm following all the steps 1-10 in the main article, just like I did yesterday.  When Putty opens, I put the IP address in, as xxx.xxx.x.xxx, leave everything else as the default, and click on Open.  I go to the login window, where it asks "login as:" and I type "root", without the quotes.  It then replies with "root@xxx.xxx.x.xxx's password:" and I type my password, very carefully, hit enter and it replies with "Access denied".  I have logged out of the ReadyNAS admin webpage and logged back in to make sure that I have the correct password, but I still cannot get access.  I've also tried typing "admin" as the login userid and get the same access denied message.

 

Do I need to add "root" as a User?  And, if I can whine for just a moment, why, oh why do I need a separate piece of software to be able to delete a single file off my server?  Why can't I just use the ReadyNAS software or get to it through Windows???  Sorry, don't really expect an answer here, just venting  🙂

 

I'm guessing there's something that's not set up on my ReadyNAS to allow SSH connection, but have no clue where to go from here.  Help!

 

Message 14 of 26
bedlam1
Prodigy

Re: OD_stub.exe Trojan Detected but Unable to Delete

When enabling SSH using the NAS UI have you:

  • Enabled SSH
  • Enabled password authentication
  • Downloaded SSH key file

Message 15 of 26
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

I have gone to SSH Settings, clicked Enable SSH, clicked Enable Password Authentication, and clicked Download SSH Key File, but what do I do with the SSH Key file????  It still tells me Access denied on Putty.

 

Thanks for the reply.

Message 16 of 26
StephenB
Guru

Re: OD_stub.exe Trojan Detected but Unable to Delete

Is the NAS admin password still set to the default password?  If so, try changing it to something else.

 

Circling back to this:

 


@OOM-9 wrote:

The directory paths show that it could be related to a `backdoor-factory` and `man-in-the-middle-framework`.


In other words, your NAS might have been hacked.  That could also explain why you are struggling to get into the NAS (though it could of course just be something else).

 

Whatever the cause of the ssh issues - if there's a good chance your ReadyNAS was hacked, then I suggest backing up all your data files, doing a factory reset (which reformats the disks), reconfiguring/rebuilding the NAS, and restoring your data from the backup.  There could be more issues than the couple of ClamAV alerts.

 

Have you forwarded any ports to the NAS in your router?

 

 

 

 

Message 17 of 26
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

OMG, I just tried "admin" as my Login ID and the default password and I was able to connect through Putty.  I can't believe that the password is still set to default.  I had tried to set up the ability to recover the administrator password over 2 years ago and nobody at Support could get it to work, so I finally just gave up.  This thing has been nothing but problems for me.  It even installed an app on its own called BOGO, which I could never see to delete and, again, nobody at Support had a clue what to do. 

 

I'm going to try some of the commands that were recommended earlier and I'll report back with results soon.  If nothing else, then I was already looking at just pulling the data off, reformatting and starting over, as suggested.  Thanks for suggesting the defaults.

Message 18 of 26
bedlam1
Prodigy

Re: OD_stub.exe Trojan Detected but Unable to Delete

Now try root with the default password and proceed from there

Message 19 of 26
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

Well, logging in as "admin" isn't helping much.  I'm unable to run the commands that were suggested.  I tried entering ls -la /root/.42 and got a reply of "ls: cannot access '/root/.42': Permission denied".  I tried logging in as "root" with the default password and that didn't work, so I don't know, maybe I am looking at backing up the data on here and reformatting.  Unless somebody else has any other ideas.

Message 20 of 26
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

I think our replies got crossed in the ether.  When I try to login as "root" with the default password, it denies access.

 

And I forgot to answer an earlier question about ports.  I logged into my router yesterday and was trying to see if there was a port assigned to the ReadyNAS.  I couldn't find any port assigned to it, so I think my answer to that question is no.

Message 21 of 26
StephenB
Guru

Re: OD_stub.exe Trojan Detected but Unable to Delete


@kcejo wrote:

I tried logging in as "root" with the default password and that didn't work, 


First, changing stuff on the OS partition requires root access.  Using admin can leave you with an unbootable NAS.

 

The solution to this bit is easy.  Log into the web ui, and change the admin password to something else.

 

But given the history

  • nas using default credentials for an extended period of time
  • suspicious files on the NAS for no known reason

then factory reset might be the best option.

 

But did you uninstall the vpn server app?  If not, I'd suggest doing that next, and see if any of these folders disappear. 

 

Message 22 of 26
Hopchen
Prodigy

Re: OD_stub.exe Trojan Detected but Unable to Delete


@StephenB wrote:

@kcejo wrote:

I tried logging in as "root" with the default password and that didn't work, 


First, changing stuff on the OS partition requires root access.  Using admin can leave you with an unbootable NAS.

 

The solution to this bit is easy.  Log into the web ui, and change the admin password to something else.

 

But given the history

  • nas using default credentials for an extended period of time
  • suspicious files on the NAS for no known reason

then factory reset might be the best option.

 

But did you uninstall the vpn server app?  If not, I'd suggest doing that next, and see if any of these folders disappear. 

 


I would tend to agree at this stage. Also given that no password seemingly works for the CLI anymore... Who knows what lurks in the depths? 🙂 An option could also be paid support from NETGEAR but a reset might be a better route to ensure a clean NAS.

Message 23 of 26
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

Thanks for all your replies and help.  Yes, I deleted the VPN app and also the Plex app first thing, a couple days ago now, I think 🙂 And I'm still seeing the same infected files showing up on the antivirus scan logs one day and two days later.  So, I spent some time yesterday copying files from the ReadyNAS to an external drive and will be reformatting it, then returning the files afterward.  Hopefully, without the malware.  I also backed up my PC, in case it got infected and may do a reformat there, as well, although antivirus scans don't show any issues on the PC.  We'll see how far I get 😕

 

I agree that this is the best option at this point.  I've tried getting some other, lesser issues resolved through Support when I first bought the server and they were zero help in resolving any of those problems, so I don't see the point in trying to get them to resolve this issue.  I think it would be a waste of time and I'd still be reformatting, anyway.

 

Thank you all so much for your time, expertise and patience in helping me out and trying to make the fix easier than reformatting!  I really do appreciate everything you've contributed.

Message 24 of 26
kcejo
Tutor

Re: OD_stub.exe Trojan Detected but Unable to Delete

Thought you all might like an update after doing the factory reset.  I'm happy to report that all went pretty well.  I was able to set up remote password changes, I also changed the admin password and I noticed something about SSH when I was going through the setup that I don't remember from the original installation.  There is a notice that pops up, asking if you want to enable SSH, but it also says that you might not get support from Netgear if you do enable this - something to that effect.  I did enable SSH this time, but might not have last time.  And, while I went through the steps before all of this to enable SSH, it might have still denied access.  Who knows.

 

Anyway, I am now able to log in as "root" using Putty and I tried the command to list the folder that contained the trojan malware.  It came back and told me that it couldn't find that folder, so it appears to be gone.  For some reason, the antivirus software does not appear to have performed a scan and I can't find a way to tell it to scan now.  Why that's the case is beyond me - I've never seen antivirus software that doesn't allow a user to perform a scan at will, but whatever.  Even though it's been over 24 hours since I did the reformatting and I do have the antivirus software set to Enable real-time antivirus scanning and Protect ReadyNAS OS, it still hasn't run.  When it does eventually decide to run, though, I expect it to find nothing this time.  If that's not the case, I'll be back.....

 

Message 25 of 26