[Experience] Dealing with a Synology NAS held to ransom

Original poster: chang0206 (Eric Chang)   2014-08-08 11:37:00
Following the recent problem of Synology NAS units being used for crypto-mining
http://forum.synology.com/enu/viewtopic.php?f=7&t=78993
Synology's NAS had another incident at the end of July / start of August. This time attackers broke in, encrypted the files on the NAS,
and demanded a ransom in Bitcoin (roughly NT$12,000);
otherwise the data stays encrypted and unusable.
For details see: http://www.pcdiy.com.tw/webroot/article.php?art=544
After it happened, Synology sent out an email telling users what to do. The email reads as follows:
Dear Synology users,
We would like to inform you that a ransomware called "SynoLocker" is
currently affecting some Synology NAS users. This ransomware locks down
affected servers, encrypts users’ files, and demands a fee to regain
access to the encrypted files.
We have confirmed that the ransomware only affects Synology NAS servers
running older versions of DiskStation Manager by exploiting a security
vulnerability that was fixed and patched in December, 2013.
Affected users may encounter the following symptoms:
- When attempting to log in to DSM, a screen appears informing users
that data has been encrypted and a fee is required to unlock data.
- Abnormally high CPU usage or a running process called "synosync"
(which can be checked at Main Menu > Resource Monitor).
- DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or
earlier; DSM 4.0-2257 or earlier is installed, but the system says
no updates are available at Control Panel > DSM Update.
If you have encountered the above symptoms, please shut down the system
immediately and contact our technical support here:
https://myds.synology.com/support/support_form.php
If you have not encountered the above symptoms, we strongly recommend
downloading and installing DSM 5.0, or any version below:
- DSM 4.3-3827 or later
- DSM 4.2-3243 or later
- DSM 4.0-2259 or later
- DSM 3.x or earlier is not affected
You can manually download the latest version from our Download Center and
install it at Control Panel > DSM Update > Manual DSM Update.
If you notice any strange behavior or suspect your Synology NAS server has
been affected by the above issue, please contact us at
security@synology.com
We sincerely apologize for any problems or inconvenience this issue has
caused our users. We’ll keep you updated with the latest information as
we continue to address this issue.
Thank you for your continued patience and support.
Sincerely,
Synology Development Team
After learning about this, I connected back to the company from outside and first disabled the
port-forward policies on the firewall that related to the NAS and were still enabled.
(I had closed 5000 a long time ago, but there was still an SSH forward open so Synology could connect in remotely to check.)
The next day at the office I pulled up the NAS to have a look. I thought it was fine, until I got to the third item:
DSM 4.3-3810 or earlier; DSM 4.2-3236 or earlier; DSM 4.1-2851 or earlier;
DSM 4.0-2257 or earlier is installed, but the system says no updates are
available at Control Panel > DSM Update.
Argh, damn! My version was still 4.2, and it really did report that it was already the latest version.
After confirming with Synology, they recommended following their procedure anyway:
1. Shut down
2. Pull out the existing drives
3. Put in a new drive
4. Install a DSM version later than 4.3-3810
5. Shut down
6. Reconnect the original drives
7. Power on
8. Reinstall DSM to a version later than 4.3-3810
Those are my abbreviated steps; the original text is:
1. Shut down the NAS
2. Remove all the hard drives from the NAS
3. Find a spare hard drive that you will not mind wiping and insert it into
the NAS
4. Use Synology Assistant to find the NAS and install the latest DSM onto
this spare hard drive (use the latest DSM_file.pat from Synology)
5. When the DSM is fully running on this spare hard drive, shut down the NAS
from the web management console.
6. Remove the spare drive and insert ALL your original drives.
7. Power up the NAS and wait patiently. If all goes well after about a minute
you will hear a long beep and the NAS will come online.
8. Use Synology Assistant to find the NAS. It should now be visible with the
status "migratable".
9. From Synology Assistant choose to install DSM to the NAS, use the same
file you used in step 4 and specify the same name and IP address as it was
before the crash.
10. Because the NAS is recognized as "migratable", the DSM installation will
NOT wipe out the data on either the system partition nor the data partition.
11. After a few minutes, the installation will finish and you will be able to
log in to your NAS with your original credentials.
Before doing that, since I still had a retired RS810+ on hand, I wanted to ask support whether I could move the data
from the active DS over to the RS as a backup, to be on the safe side.
Support actually replied: "So you don't trust our approach???"
Fine, since support says so, and I had a backup to USB anyway, at most I'd lose one day of data!
Following the steps, nothing went wrong during the process. But things are never as simple as I think.
After installing the latest DSM and rebooting, I opened File Explorer on my laptop to connect to the NAS.
I could see the previously configured shared folders, but a window popped up asking for a username and password.
Checking in the NAS management interface, I found it was not joined to the domain..........
Joined the domain manually and rebooted the NAS; it still asked for credentials.
Went back into the management interface and found that all the folder permission settings, including ACLs, were gone..............
This is the second time a Synology NAS upgrade has gone like this for me: the upgrade succeeds, the data is preserved,
but the permissions are gone. And our company's NAS has an especially large number of especially complex permission controls;
the thought of resetting them all.... damn, I just want to cry...
This was copied over from my blog; I couldn't be bothered to fix the formatting line by line.
For everyone's reference: if you haven't upgraded yet,
first confirm with Synology how to preserve the folder permissions and ACL settings...
I don't know whether it's just me and Synology being at odds, but with major updates like this,
following along in my environment always causes problems, which is why I said in an earlier comment that I rarely update..
As for the port-forward issue: I have several other Synology NAS units on hand,
but since none of them are exposed externally, the others didn't have this problem.
One is still on DSM 2.2 and it's fine too XD
Only this one machine, which had port 5000 mapped at some point, showed symptom 3.
So I suspect port 5000 had been opened earlier but never closed, the attackers scanned for these machines
and then planted malware (the earlier mining, this time the ransomware).
As a lesson for the future: if it isn't necessary, don't open ports; if you really must, use port forwarding to a different port.
And if you do open a port, remember to go back and check it; close the ones that aren't in use.
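The version check from Synology's notice, as an added example (not from the original post and not Synology's own tooling). It uses the affected/patched build thresholds the email lists, and assumes DSM keeps its version in /etc.defaults/VERSION with majorversion/minorversion/buildnumber keys:

```shell
#!/bin/sh
# Classify a DSM version string ("major.minor-build") against the thresholds
# in Synology's SynoLocker notice. Prints affected / patched / unaffected;
# exit status 0 only when the build is in the affected range.
dsm_status() {
    ver="$1"
    branch="${ver%-*}"       # "4.2-3236" -> "4.2"
    build="${ver##*-}"       # "4.2-3236" -> "3236"
    case "$branch" in
        4.3) limit=3810 ;;   # 4.3-3810 or earlier affected; 3827+ patched
        4.2) limit=3236 ;;   # 3243+ patched
        4.1) limit=2851 ;;   # notice lists no fixed 4.1 build: upgrade branch
        4.0) limit=2257 ;;   # 2259+ patched
        *)   echo unaffected; return 1 ;;   # DSM 3.x or earlier, DSM 5.0+
    esac
    case "$build" in
        ''|*[!0-9]*) echo "unparseable build in '$ver'" >&2; return 2 ;;
    esac
    if [ "$build" -le "$limit" ]; then
        echo affected; return 0
    fi
    echo patched; return 1
}

# Check the host this runs on: read the installed version (file path is an
# assumption) and look for the "synosync" process named in the notice.
check_host() {
    vfile=/etc.defaults/VERSION
    if [ -r "$vfile" ]; then
        maj=$(sed -n 's/^majorversion="\(.*\)"/\1/p' "$vfile")
        min=$(sed -n 's/^minorversion="\(.*\)"/\1/p' "$vfile")
        bld=$(sed -n 's/^buildnumber="\(.*\)"/\1/p' "$vfile")
        echo "DSM $maj.$min-$bld: $(dsm_status "$maj.$min-$bld")"
    else
        echo "$vfile not found: not running on DSM?"
    fi
    # ps ax on GNU, plain ps on busybox; [s] keeps grep from matching itself
    if { ps ax 2>/dev/null || ps 2>/dev/null; } | grep -q '[s]ynosync'; then
        echo "synosync process present: shut down and contact support"
    fi
}
```

Run `check_host` over SSH on the NAS, or call `dsm_status` with the version shown in Control Panel > DSM Update.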
Author: filiaslayers (司马云)   2014-08-08 12:01:00
Basically, it's best not to use the default port.