Publish Time: 2014-02-14 00:00:00 UTC+8
Last Updated: UTC+8
By installing DSM 4.3-3827, you can repair the DSM operating system and remove malware caused by two vulnerabilities below:
- A vulnerability to allow unauthorized access via File Station; fixed in DSM 4.3-3810 Update 1 and released in November 2013. (CVE-2013-6955)
- A vulnerability to allow unauthorized access via DSM from HTTP; fixed in DSM 4.3-3810 and released in December 2013. (CVE-2013-6987)
The followings are common symptoms to appear on affected DiskStation and RackStation:
- Exceptionally high CPU usage detected in Resource Monitor:
CPU resource occupied by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any processes with PWNED in their names
- Appearance of non-Synology folder:An automatically created shared folder with the name “startup”, or a non-Synology folder appearing under the path of “/root/PWNED”
- Redirection of the Web Station:“Index.php” is redirected to an unexpected page
- Appearance of non-Synology CGI program:When you login to terminal via SSH or telnet, files with meaningless names exist under the path of “/usr/syno/synoman”
- Appearance of non-Synology script file:When you login to terminal via SSH or telnet, Non-Synology script files, such as “S99p.sh”, appear under the path of “/usr/syno/etc/rc.d”
If you find any of above situation, please reinstall DSM 4.3-3827 by following the instruction here.
For others who haven't encountered above symptoms, it is recommended to go to DSM > Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks.
Resolution of Update Failure
If your DiskStation/RackStation shows either or all of the symptoms below, it’s probably infected by malwares:
- Power LED light blinks blue
- Cannot log in DSM. Error message: "System is getting ready..."
- Synology Assistant shows "Starting Services..."
- Status LED light blinks orange and Synology Assistant shows “Migratable” status
Please note, damaged motherboard can also cause blue LED blinking, you could confirm the main board status with the following guide: http://www.synology.com/en-global/support/faq/366
You need to upgrade to DSM 4.3-3827 (or the latest version of DSM for your model) to patch this security vulnerability. If you’re unsure how to execute the steps, please contact Synology support for further assistance.
There are three solutions to this issue:
Note: If you have ever encountered a message prompting you about the data is to be deleted, please stop proceeding further and contact Synology Support.
[Solution 1] Use a spare disk - the settings and volume will stay intact
- Remove all disks when power is off.
- Insert a spare disk to your DiskStation/RackStation, boot up and install DSM 4.3-3827(or the latest version of DSM for your model), then power off.
- Remove the spare disk, and insert the original disks back.
- Synology Assistant will show "Migratable". Please right click DiskStation in Assistant > Install. Install DSM 4.3 3827 (or the latest version of DSM for your model) on the original disks.
[Solution 2] Reinstall DSM - some settings will be lost, but the volume will stay intact
- Please follow the Sec. 3 of the tutorial below to reinstall DSM: http://www.synology.com/support/tutorials/493#t3
- Please ensure you Install DSM 4.3 3827 (or the latest version of DSM for your model)
[Solution 3] Boot up without disks and contact us
Please perform the following actions:
- Remove all disks and try to install DSM with Synology Assistant. The process will stop at a point where telnet port 23 is enabled.
- Insert all disks back to DiskStation/RackStation while the power is still on.
- Make sure port 23 of your DiskStation is accessible from Internet. (Port forwarding for port 23 must be set up properly.)
- Provide your Internet IP address or DDNS name.
- Once the DiskStation/RackStation boots up properly, please manually Install DSM 4.3 3827 (or the latest version of DSM for your model) ASAP.
After installing the latest DSM with security fix through the three solutions above, please go to the shared folder "Homes" > "admin" to remove the file named ".profile " if any.
Upgrading to DSM 4.3 3827 (or the latest version of DSM for your model) is required to fix this issue. DiskStation/RackStation can stay vulnerable if the upgrades are not done properly.