Sunday, November 02, 2014

Synology hacked by bitcoin miners?

More Fun with the Diskstation

After I'd made several posts in the past about my adventures hacking the Synology Diskstation, I got away from messing with the device due to several factors. First, I've been dealing with family issues that were more urgent and important than the device. Second, the client I was working with developed a different method for backing up their files so I didn't need to perform the remote backups anymore. 

A year later, I logged into the Diskstation to check on updates, as I'd not run any in a while. Synology updates the DSM software frequently and the update option in the control panel usually finds a new version. This time, there was no indication there was a new version available. This was very strange since I left my version, 4.2-3211, out of date on purpose due to bugs encountered in subsequent releases.

I then went to the Synology website and found that I was indeed several versions behind and that the DSM software was up to version 5. I figured that perhaps my tinkering with the Diskstation caused a problem with the update. Or perhaps the Synology guys had read some of my posts and said, "Ok, we'll make sure your device is dropped from notifications. No updates for you!"

Not a problem! The Synology site has a download page where you can get the update file and then manually update your device. But when I tried to perform the manual update I got an error saying "Field value is invalid". Those Synology guys must have really hated my posts, right?

The reality is much worse. The Internet is filled with pinheads. Crafty tech-savvy pinheads. There was an exploit from some hackers that found Diskstations and put processes on them to turn the servers into zombies doing mining/farming work for bitcoins. Older versions of the DSM software are vulnerable, and one of the signs of this is that it breaks the automatic update capability. 

Thank goodness the Internet is also filled with crafty good people. I found a post at Arinium Blog that discussed the same issue I had. The fellow there had the same version of the DSM and was having trouble upgrading. He did not identify the hack as being the issue, but he successfully identified there was a problem with 4.2-3211 and that upgrading manually to 5 wasn't working. His solution was to tinker a bit and go to 4.3 before going to 5.

The bitcoin hack is referenced in the comments section of the post. One of the responses references a dialog with Synology where the exploit is noted. The Synology support team suggests two options:

  1. Shut down the Diskstation. Pull out the hard drive, replace with a single spare hard drive, and then update the DSM. When finished, shut down the Diskstation again, reinstall the original hard drives, then start up. 
  2. The other way is to reinstall the DSM software. There is a link in the post to instructions on how to do this.

I didn't like Option 1 since it was a bit of a hassle, getting a spare hard drive and messing with taking the existing drives out. Option 2 involves a mildly arcane exercise of pressing the reset button on the back of the Diskstation, then doing it again within 10 seconds and then doing some checks after logging into the station.

I instead did something else:
  • Download the oldest version of the DSM 4.3 (in my case 4.3-3776)
  • Download the latest version of DSM 5 
  • Manually update to 4.3
  • In my case, the Diskstation behaved a little oddly, like it wasn't taking the update, but then it rebooted on its own and came back with DSM 4.3 so it must have worked
  • I then manually updated the Diskstation to DSM 5

This all seemed to work at successfully updating the DSM software, but it did reset a number of settings. I had to reinstall several of the applications like Audio Station and I had to reapply DDNS settings. I'm still working to configure some things. And I'm noticing so far that my old nemesis, the Diskstation's refusal to sleep, has returned. But reviewing the process monitor shows the new version of Audio Station is running the indexing process on the media files, so perhaps this will pass when it is done.

Your mileage may vary depending on how badly your system was compromised. Some of the posts indicate people had to do more tinkering to get things straight again, but I'm glad I was able to fix it without having to fiddle with hard drives.

In any event, a big "thank you" goes out to Ari, of the Arinium Blog, for his post.