Mining Virus? xmr-stack [SOLVED]

Posted: Sun May 13, 2018 9:00 pm
by gee21
Hello

For 1-2 weeks a process named xmr-stack has been running on my Asustor 608T (always using 25-75% of my NAS's CPU).

I killed the process with PuTTY (kill -9 PID), but after some hours it comes back and uses 25-75% CPU again....

What can I do? How can I protect against that? Is it really a "mining CPU virus"?



Hope someone can help me....

Re: Mining Virus? xmr-stack

Posted: Tue May 15, 2018 10:07 pm
by gee21
Hello again

I found the files today.... It really was a miner.... that used my NAS for mining....

The files were saved in SERVER MAINDIR \tmp\

One file was named pools.txt (see attachment) ---> you see the wallet ID and the server address...

Another file was called: xmr-stack

I deleted these files and since then everything is OK on my NAS.... Maybe it helps someone.
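A triage check for the situation in this post (a miner binary and its pools.txt in the temp directory, with the process returning after kill), as an added example that is not part of the original posts. It assumes a Linux /proc layout and that /tmp is the directory meant by \tmp\; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. File names searched for
# (pools.txt, xmr-stack / xmr-stak) are the ones mentioned in the posts.

# procs_running_from PROC_ROOT DIR
# Print "PID PATH" for every process whose executable lives under DIR.
# A binary deleted while it is still running appears as "PATH (deleted)"
# and is still reported: removing the file does not stop the process.
procs_running_from() {
    proc_root=$1
    dir=${2%/}
    for exe in "$proc_root"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        # Unreadable links (other users' processes) are skipped.
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            "$dir"/*)
                pid=${exe%/exe}
                printf '%s %s\n' "${pid##*/}" "$target"
                ;;
        esac
    done
}

# miner_files DIR
# Print regular files under DIR with the names reported in this thread.
miner_files() {
    find "$1" -xdev -type f \( -name 'pools.txt' -o -name 'xmr-sta*' \) 2>/dev/null
}

# scan PROC_ROOT DIR
# Run both checks and print the findings under a heading each.
scan() {
    echo "== processes executing from $2 =="
    procs_running_from "$1" "$2"
    echo "== miner-named files under $2 =="
    miner_files "$2"
    return 0
}

# Defaults are assumptions: the standard /proc mount and /tmp.
scan "${1:-/proc}" "${2:-/tmp}"
```

Run as root so that every process's exe link is readable.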

Re: Mining Virus? xmr-stack [SOLVED]

Posted: Wed May 16, 2018 4:42 pm
by vitosx
You are not the only one infected. I wonder how xmr-stak was installed on your device.

Did you have the ADM web interface (ports 8000/8001) accessible from the Internet on your NAS? What version of ADM do you have running now?

Re: Mining Virus? xmr-stack [SOLVED]

Posted: Thu May 17, 2018 2:28 am
by gee21
vitosx wrote: You are not the only one infected. I wonder how xmr-stak was installed on your device.

Did you have the ADM web interface (ports 8000/8001) accessible from the Internet on your NAS? What version of ADM do you have running now?

Yes, 8000/8001
ADM: 3.1.0.RFQ3

I have now closed the SSH service for admin and root.
Because he uploaded/installed this miner directly in the maindir of the NAS. (I think the maindir is not available in the ADM web interface? Or?)

So maybe he accessed it via PuTTY or similar.

Re: Mining Virus? xmr-stack [SOLVED]

Posted: Thu May 17, 2018 3:06 am
by vitosx
If the ADM web interface was compromised somehow, you can't say "maindir is not available". I don't have it publicly accessible over the Internet, but that's me.

The 3.1.2 ADM update released today fixes an nvradmin account vulnerability, which might be connected to this xmr-stak infection.