
ReadyNas422 high latency

jkahn
Aspirant

ReadyNas422 high latency

Hi -

So, after major connectivity issues starting a week ago that were never present before and Cox Business repairing the line (packet loss and high latency) to remove extremely high latency, fix download and upload speed, there still remains very high latency and basically no upload speed when the ReadyNas 422 is plugged into the router or the modem. When we take the Readynas off the system, the internet speed works perfectly. Once Readynas 422 is plugged back in, extreme slow downs, high latency (700+ms) and basically no upload (0.0MBS). (There is also a private server connected and is not showing any latency or upload problems when connected).

 

The system we have is set up for Readynas 422 to be plugged direct onsite into router. The Readynas 422 then backs up to an off-site Readynas 102 (Firmware 6.10.2).

ReadyNas 422 (Firmware 6.10.2)

 

We are on Static IP, which was also just reissued by Cox in an attempt to repair the line as well.  

We changed out Nighthawk twice, changed Arris SB modem and replaced Nighthawk with ASUS and still have same high latency problems whenever the ReadyNas 422 is online. This just started a week ago after we were using this system for quite some time.

 

Really need help trying to figure out what is going on with the Readynas. It basically grinds the internet connection to a halt.

thanks

JK

Model: RN102|ReadyNAS 100 Series 2- Bay, RN4220X|ReadyNAS 4220 10Gbase-T (chassis only)
Message 1 of 4
StephenB
Guru

Re: ReadyNas422 high latency


@jkahn wrote:

 

The system we have is set up for Readynas 422 to be plugged direct onsite into router. The Readynas 422 then backs up to an off-site Readynas 102 (Firmware 6.10.2).

ReadyNas 422 (Firmware 6.10.2)

 


How are you doing this backup?  Rsync over SSH?

If you disable the backup(s) does the problem disappear?

Message 2 of 4
jkahn
Aspirant

Re: ReadyNas422 high latency

Ok - so we were finally able to get into the Readynas and found the following in the logs:

 

System: Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /usr/bin/wmvmaqyhva. Please delete the infected file soon.
System: Antivirus scanner found a threat (Unix.Trojan.DDoS_XOR-1) in the file /lib/libudev.so. Please delete the infected file soon.

 

Antivirus never notified us.  You would assume that an email would be auto generated... Also, the antivirus is green in system overview.

Now, we cannot determine how to delete these files. Can someone please share the commands needed to delete these files?

Also, where do we need to type the commands? 

 

Thank you!

 

 

Model: A6200|802.11ac Dual Band WiFi USB Adapter
Message 3 of 4
StephenB
Guru

Re: ReadyNas422 high latency


@jkahn wrote:

Ok - so we were finally able to get into the Readynas and found the following in the logs:

 

System: Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /usr/bin/wmvmaqyhva. Please delete the infected file soon.


That's a rather strange folder name, and it doesn't exist on my RN526. /lib/libudev.so isn't there either. ClamAV sometimes does yield false positives - you could pursue that possibility on https://www.clamav.net. But that strange folder name makes me think it's a real infection (and libudev.so is part of the signature).

 

What apps do you have installed on the NAS?

Did you forward ports to the ReadyNAS?  If so, which ones?

Did you put the ReadyNAS in the DMZ of the router?

 


@jkahn wrote:

 

Now, we cannot determine how to delete these files. Can someone please share the commands needed to delete these files?

 


 

 

The files are on the OS partition - you'd need to enable ssh, and use the Linux command line to access the folders. Deleting the files isn't enough to clean the system. If you google "Unix.Trojan.DDoS_XOR-1" you'll find some guidance - but you will need to tailor it somewhat, since the trojan does use a random process name that you need to identify. Also, if the system was hacked from outside, there might be other issues that don't trigger ClamAV.

 

I'm not sure if Netgear paid support will clean the system.  @JohnCM_S or @Marc_V?

 

You could also do a factory reset, set up the NAS again, and restore the data from the backup.

 

 

Message 4 of 4
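
Added example (not part of any post in this thread, and not Netgear code): a small triage script that parses the antivirus alert wording quoted above from an exported log and separates hits on the OS partition from hits inside shares, so alerts like these are not missed when no email arrives. The function names, the `/data/` share prefix, and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the alert wording quoted in the thread; tolerates the stray space after "(".
ALERT_RE = re.compile(
    r"Antivirus scanner found a threat \(\s*(?P<sig>[^)\s]+)\s*\) "
    r"in the file (?P<path>/.+?)\. Please delete"
)

# Assumption: user shares are mounted under /data; any other path is treated
# as the OS partition, where a hit means the system itself was modified.
DATA_PREFIXES = ("/data/",)

def parse_alerts(lines):
    """Return (signature, path) for every antivirus alert line."""
    hits = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            hits.append((m.group("sig"), m.group("path")))
    return hits

def triage(lines):
    """Group unique hits by signature, split into OS-partition and share hits."""
    report = defaultdict(lambda: {"os": [], "share": []})
    for sig, path in parse_alerts(lines):
        bucket = "share" if path.startswith(DATA_PREFIXES) else "os"
        if path not in report[sig][bucket]:
            report[sig][bucket].append(path)
    return dict(report)

def os_partition_affected(report):
    """True when any hit lies outside the data shares."""
    return any(entry["os"] for entry in report.values())

# Constructed sample: the two alert lines from the thread, then a hypothetical
# unrelated line and a hypothetical hit inside a share for contrast.
SAMPLE_LOG = [
    "System: Antivirus scanner found a threat ( Unix.Trojan.DDoS_XOR-1) in the file /usr/bin/wmvmaqyhva. Please delete the infected file soon.",
    "System: Antivirus scanner found a threat (Unix.Trojan.DDoS_XOR-1) in the file /lib/libudev.so. Please delete the infected file soon.",
    "System: Backup job finished.",
    "System: Antivirus scanner found a threat (Example.Test.Signature) in the file /data/Documents/sample.bin. Please delete the infected file soon.",
]

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for sig, entry in rep.items():
        print(sig, "| OS partition:", entry["os"], "| shares:", entry["share"])
    print("OS partition affected:", os_partition_affected(rep))
```

A hit on the OS partition is the case the last reply addresses: deleting the flagged file is not enough, whereas a hit confined to a share is a stored file that can be removed on its own.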