DSM 4.0-2259

Description

After installing DSM 4.0-2259, the updating process will repair the system and remove malware caused by the vulnerability:

• A vulnerability to allow unauthorized access via DSM from HTTP. (CVE-2013-6955)

Common Symptoms

The followings are common symptoms to appear on affected DiskStation and RackStation:

• Exceptionally high CPU usage detected in Resource Monitor:
  CPU resource occupied by processes such as dhcp.pid, minerd, synodns, PWNED, PWNEDb, PWNEDg, PWNEDm, or any processes with PWNED in their names
• Appearance of non-Synology folder:
  An automatically created shared folder with the name “startup”, or a non-Synology folder appearing under the path of “/root/PWNED”
• Redirection of the Web Station:
  “Index.php” is redirected to an unexpected page
• Appearance of non-Synology CGI program:
  When you login to terminal via SSH or telnet, files with meaningless names exist under the path of “/usr/syno/synoman”
• Appearance of non-Synology script file:
  When you login to terminal via SSH or telnet, Non-Synology script files, such as “S99p.sh”, appear under the path of “/usr/syno/etc/rc.d”

Resolution

If you find any of above situation, please reinstall DSM 4.0-2259 or later by following the instruction here.

For others who haven't encountered above symptoms, it is recommended to go to DSM > Control Panel > DSM Update page, install the latest updates to protect DiskStation from malicious attacks.