Shellshock attacks target QNAP's network storage, FireEye says

A backdoor gives hackers full control over the NAS device, according to the security vendor

If a Shellshock attack against a QNAP device is successful, a shell script is downloaded that gives attackers persistent access, FireEye said.

If a Shellshock attack against a QNAP device is successful, a shell script is downloaded that gives attackers persistent access, FireEye said.

FireEye has detected Shellshock attacks against network-attached storage devices made by Taipei-based QNAP and used by universities and research institutes in Korea, Japan and the U.S.

The security vendor said the attacks are some of the first seen using Shellshock targeting embedded Linux, which QNAP's devices run, James T. Bennett and J. Gomez of FireEye wrote in a blog post on Wednesday.

"These attacks result in the hackers having a root level remote shell, gaining full access to the contents of the NAS," they wrote.

QNAP's storage products are used for a variety of applications, including professional video surveillance systems using IP cameras.

Shellshock is a two-decades-old flaw in Bash, a command-line shell processor present in most Unix and Linux systems. Its discovery last week has set off a scramble to assess the potential risk, as it is easy to exploit and gives attackers full control over a vulnerable server.

QNAP warned on Sunday that its Turbo NAS products were vulnerable, advising administrators to disable Web administration, Web server, WebDAV and other applications and services that use a Web-based interface.

FireEye said taking that precaution may not mitigate the threat, as attackers could find another vulnerable entry point into an organization's systems and laterally move in order to find a NAS device.

The attack tries to get NAS devices to download a script from a remote server. That script then uploads an SSH (secure shell) key to the local authorized_keys file, which allows the hackers to log in without a password in the future, FireEye wrote.

Also installed is an ELF executable, which is a Linux backdoor that provides shell access. FireEye said that file is named "term_x86_64" or "term_i686." The servers hosting the malware are in the U.S. and Korea.

In some instances, the backdoor listens for a connection on port 58273. The backdoor serves up a shell if a packet is sent with the text "IAMYOURGOD," FireEye wrote.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags securityFireEyeExploits / vulnerabilitiesmalware

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?