繼前陣子群暉NAS被拿來挖礦的問題之後
http://forum.synology.com/enu/viewtopic.php?f=7&t=78993
七月底八月初,群暉的NAS又出包了,這次是被駭客入侵後,把NAS上的檔案加密,
並要求付出比特幣做為贖金(大概台幣 12000左右)
不然資料就會被保留在加密的狀態,無法使用。
詳情請參閱: http://www.pcdiy.com.tw/webroot/article.php?art=544
事情發生之後,群暉也發出了信件通知USER應該怎麼處理,信件內容如下
Dear Synology users,
We would like to inform you that a ransomware called "SynoLocker" is
currently affecting some Synology NAS users. This ransomware locks down
affected servers, encrypts users’ files, and demands a fee to regain
access to the encrypted files.
We have confirmed that the ransomware only affects Synology NAS servers
running older versions of DiskStation Manager by exploiting a security
vulnerability that was fixed and patched in December, 2013.
Affected users may encounter the following symptoms:
When attempting to log in to DSM, a screen appears informing users
that data has been encrypted and a fee is required to unlock data.
Abnormally high CPU usage or a running process called “synosync”
(which can be checked at Main Menu > Resource Monitor).
DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or
earlier; DSM 4.0-2257 or earlier is installed, but the system says
no updates are available at Control Panel > DSM Update.
If you have encountered the above symptoms, please shutdown the system
immediately and contact our technical support here:
https://myds.synology.com/support/support_form.php
If you have not encountered the above symptoms, we strongly recommend
downloading and installing DSM 5.0, or any version below:
DSM 4.3-3827 or later
DSM 4.2-3243 or later
DSM 4.0-2259 or later
DSM 3.x or earlier is not affected
You can manually download the latest version from our Download Center and
install it at Control Panel > DSM Update > Manual DSM Update.
If you notice any strange behavior or suspect your Synology NAS server has
been affected by the above issue, please contact us at
security@synology.com
We sincerely apologize for any problems or inconvenience this issue has
caused our users. We’ll keep you updated with the latest information as
we continue to address this issue.
Thank you for your continued patience and support.
Sincerely,
Synology Development Team
在知道這件事情之後,我從外部連回公司,先把FW上面跟NAS相關、而且有開啟的
port forward policy先關閉。
(5000 我是已經關閉很久了,但是還有開一個 SSH 給群暉遠端連進來檢查)
隔天進公司之後,把NAS叫出來看,本來還以為沒事的,結果檢查到第三條
DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier;
DSM 4.0-2257 or earlier is installed, but the system says no updates are
available at Control Panel > DSM Update.
啊,系! 我的版本還在 4.2 ,而且也的確顯示為已經是最新版本。
跟群暉確認過之後,群暉建議還是依照他們的方法來處理
1.關機
2.把原有的硬碟抽出來
3.裝一顆新的硬碟進去
4.安裝 DSM 4.3-3810之後的版本
5.關機
6.接回原本的硬碟
7.開機
8.重新安裝DSM到 4.3-3810以後的版本
以上是我簡述過的步驟,原文是
1. Shut down the NAS
2. Remove all the hard drives from the NAS
3. Find a spare hard drive that you will not mind wiping and insert it into
the NAS
4. Use Synology Assistant to find the NAS and install the latest DSM onto
this spare hard drive (use the latest DSM_file.pat from Synology)
5. When the DSM is fully running on this spare hard drive, shut down the NAS
from the web management console.
6. Remove the spare drive and insert ALL your original drives.
7. Power up the NAS and wait patiently. If all goes well after about a minute
you will hear a long beep and the NAS will come online.
8. Use Synology Assistant to find the NAS. It should now be visible with the
status "migratable".
9. From Synology Assistant choose to install DSM to the NAS, use the same
file you used in step 4 and specify the same name and IP address as it was
before the crash.
10. Because the NAS is recognized as "migratable", the DSM installation will
NOT wipe out the data on either the system partition nor the data partition.
11. After a few minutes, the installation will finish and you will be able to
log in to your NAS with your original credentials.
在這之前,因為我手邊還有一台退役的 RS810+ ,想說先問問客服,我能不能把資料從
現役的 DS 轉到 RS 上,做個備份比較安心
結果客服居然回說:「那你是不相信我們的作法囉???」
好吧,既然你客服都這樣說了,反正我本來就有備份到USB,頂多就損失一天的資料唄!
依照步驟操作,過程中倒是沒有發生什麼問題,但是,事情絕對不像我想的那麼簡單
在安裝完最新版DSM、系統重開之後,我直接從我的筆電上開啟檔案總管去連NAS ,
可以看到之前設定分享的目錄,但是會跳出詢問帳號密碼的視窗
進到NAS管理界面檢查,發現沒有JOIN DOMAIN ..........
手動加入網域、重開NAS,還是一樣會詢問帳號密碼
再進入管理界面檢查,發現所有目錄設定的權限,包含ACL都不見了..............
這是我第二次在操作群暉NAS升級時,發生這種升級成功、資料順利保留,
但是權限不見的狀況,偏偏敝公司NAS上的權限管制又特別的多、格外的複雜,
想到要重設....靠北啊,整個想哭啊...
這是從BLOG上轉過來的,懶得一一修正排版了。
給大家做個參考,如果還沒進行升級的,
先跟群暉確認一下關於目錄權限還有 ACL 設定的部分要怎麼保留...
我也不知道是我跟群暉犯衝還是怎樣,通常這種重大的更新
我這邊的環境跟著做就是會有問題,所以我前面推文才會說我很少會去更新..
至於port forward的問題,因為我手邊還有幾台群暉的NAS
不過因為都不對外,所以其他幾台沒有這種問題,
有一台還停留在 DSM 2.2 這台也沒問題 XD
只有這台有開過5000 PORT mapping的機器,才有出現1/3的症狀
所以我懷疑之前有開過5000 port但是沒有關起來,駭客用掃的去掃出這些機器
然後去種木馬(前面的挖礦、這次的綁架)
作為以後的借鏡,如果非必要,就不要開PORT了,如果真要開,請愛用port forward轉
開了PORT,記得要去巡一下,沒用的就關一關吧