DSM 4.2-3243

Publish Time: 2013-11-14 00:00:00 UTC+8

Last Updated: UTC+8

Status
Resolved

Description

After installing DSM 4.3-3243, the updating process will repair the system and remove malware caused by one vulnerability:

  • A vulnerability to allow unauthorized access via DSM from HTTP. (CVE-2013-6987)

Common Symptoms

The followings are common symptoms to appear on affected DiskStation and RackStation:

  • Exceptionally high CPU usage detected in Resource Monitor:
    CPU resource occupied by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any processes with PWNED in their names
  • Appearance of non-Synology folder:
    An automatically created shared folder with the name “startup”, or a non-Synology folder appearing under the path of “/root/PWNED”
  • Redirection of the Web Station:
    “Index.php” is redirected to an unexpected page
  • Appearance of non-Synology CGI program:
    When you login to terminal via SSH or telnet, files with meaningless names exist under the path of “/usr/syno/synoman”
  • Appearance of non-Synology script file:
    When you login to terminal via SSH or telnet, Non-Synology script files, such as “S99p.sh”, appear under the path of “/usr/syno/etc/rc.d”

Resolution

If you find any of above situation, please reinstall DSM 4.3-3243 or later versions by following the instruction here.

For others who haven't encountered above symptoms, it is recommended to go to DSM > Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks.