D-Link Forums

The Graveyard - Products No Longer Supported => D-Link Storage => DNS-320 => Topic started by: GreenBay42 on April 11, 2019, 12:46:21 PM

Title: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: GreenBay42 on April 11, 2019, 12:46:21 PM
Firmware has been released. This or any firmware will NOT recover encrypted files.

Rev A1 / A2 - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DNS-320/REVA/DNS-320_REVA_FIRMWARE_v2.06B01.zip

Rev B1 / B2 - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DNS-320/REVB/DNS-320_REVB_FIRMWARE_v1.03B01.zip

It's recommended for users to NOT allow any form of external or remote connections to any NAS on their network.

Users are encouraged to have backups of their files that are important to them.

Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: Carloroma63 on May 12, 2019, 05:50:29 AM
Thanks,
installed without problems. I'd like to know if this release includes only the Cr1pT0r fix or also other features and/or bug fixes?
Thanks

Carlo
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: FurryNutz on May 13, 2019, 06:32:47 AM
The release notes only mention: "1. Fixed Cr1ptT0r ransomware security issue - login_mgr.cgi allows attackers to pipe commands to the user.log".
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: j-marcelo on May 24, 2019, 05:11:35 AM
Hello!
I upgraded my DNS 320 A1 from version 2.00 to 2.06B01.
So far so good!
Thanks!
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: FurryNutz on May 24, 2019, 06:27:44 AM
Enjoy.  ;)
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: yanjian on July 24, 2019, 12:27:09 PM
I finally tried upgrading my DNS-320 A1 from version 2.00 to 2.06B01 but unfortunately, even though the upgrade process appeared to be successful, the NAS was no longer accessible after it rebooted.  Here are the symptoms:

- Web UI admin console no longer accessible
- The NAS never seems to reboot successfully - the power LED stays flashing blue the whole time and no longer changes to solid blue
- The NAS is no longer accessible from Windows Explorer via "\\192.168.1.x"
- The NAS still responds to ping, although it does seem to take a much longer time for it to respond

I'm afraid that I've bricked it :(  Did anyone run into similar issues?  Any help is much appreciated!
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: FurryNutz on July 24, 2019, 12:43:05 PM
Be sure you're accessing the correct IP address for the DNS as it may have changed.

Have you factory reset the DNS and then tried to connect to its web page with a web browser?

> I finally tried upgrading my DNS-320 A1 from version 2.00 to 2.06B01 but unfortunately, even though the upgrade process appeared to be successful, the NAS was no longer accessible after it rebooted.  Here are the symptoms:
>
> - Web UI admin console no longer accessible
> - The NAS never seems to reboot successfully - the power LED stays flashing blue the whole time and no longer changes to solid blue
> - The NAS is no longer accessible from Windows Explorer via "\\192.168.1.x"
> - The NAS still responds to ping, although it does seem to take a much longer time for it to respond
>
> I'm afraid that I've bricked it :(  Did anyone run into similar issues?  Any help is much appreciated!
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: yanjian on July 25, 2019, 10:20:23 AM
Yes, I confirmed that the IP address didn't change.  I tried doing a factory reset but that didn't seem to do anything.  In fact, the NAS wouldn't even shut down when I tried holding down the power button for a few seconds while the power LED was still flashing blue - I had to unplug the power to shut it down.  The power LED would never turn solid blue after bootup like it used to - it almost seems like it's stuck on something at bootup; of course I have absolutely no idea what it's getting stuck on :(
I even tried pulling out the hard drives and booting it up without the drives in - still the same behavior and the web interface is not accessible :(
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: FurryNutz on July 26, 2019, 06:17:34 AM
Try a factory reset without the drives installed. Hold the reset button for 10 seconds then let go...

> Yes, I confirmed that the IP address didn't change.  I tried doing a factory reset but that didn't seem to do anything.  In fact, the NAS wouldn't even shut down when I tried holding down the power button for a few seconds while the power LED was still flashing blue - I had to unplug the power to shut it down.  The power LED would never turn solid blue after bootup like it used to - it almost seems like it's stuck on something at bootup; of course I have absolutely no idea what it's getting stuck on :(
> I even tried pulling out the hard drives and booting it up without the drives in - still the same behavior and the web interface is not accessible :(
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: yanjian on July 26, 2019, 09:30:05 PM
Thanks for the suggestion - doing a factory reset without the drives did work, to the point that the NAS is now able to boot up to a solid blue power LED after ~1 min without the drives (and the web interface is accessible).  However, once I tried putting the drives back in and powering it up, it's the same issue again - I cannot run the setup wizard to reconfigure the NAS because it's still stuck on the flashing blue power LED (with the drives in it) and the admin console is apparently inaccessible when the NAS is in that state  :(

I believe the drives are good though, as I was able to read it via a Linux reading utility and read the data out from the drives (I had RAID 1 set up before).  I'm wondering if I should reformat both drives and try again, although reloading the data would be a very time consuming process.
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: brainwaster on September 26, 2019, 10:21:31 AM
Hi

Does this work on the DNS-320LW? I see on the D-Link site that the L has newer firmware than the LW. I always thought the L and LW were the same NAS but the LW was white and not black.

Cheers

Jason
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: FurryNutz on October 28, 2019, 11:09:38 AM
This is only for the DNS-320. L is a cloud-based DNS model.
W = white case version

> Hi
>
> Does this work on the DNS-320LW? I see on the D-Link site that the L has newer firmware than the LW. I always thought the L and LW were the same NAS but the LW was white and not black.
>
> Cheers
>
> Jason
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix - FIX IS NOT VALID!!!
Post by: Carloroma63 on December 17, 2019, 02:39:33 PM
> Firmware has been released. This or any firmware will NOT recover encrypted files.
>
> Rev A1 / A2 - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DNS-320/REVA/DNS-320_REVA_FIRMWARE_v2.06B01.zip
>
> Rev B1 / B2 - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DNS-320/REVB/DNS-320_REVB_FIRMWARE_v1.03B01.zip

WARNING!!!!!! These fixes DO NOT COVER the bug!  Today I was attacked by Cr1pT0r ransomware and a lot of my files were disrupted, until I powered off the NAS!!! My 320 has v2.06 firmware!!

The big problem is that the ransomware is active in the operating system, loaded from disk! Now my NAS is standalone and the encryption starts again as soon as I power on the NAS. If I remove the disks from it and install a new disk, the virus does not start again; if I put the infected disk back in the NAS, the virus starts again.

How can I stop the infection and save my files?

Thanks

carlo
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: FurryNutz on December 17, 2019, 03:41:33 PM
When was this version of FW applied to your DNS? When it was first released?

How is your DNS connected to the router? Do you have your DNS set up for remote access by chance?

Wondering if your unit had been infected prior to you loading v2.06... Nobody else has reported being infected after this fix was applied.

The FW is supposed to prevent any more infections. Don't know how to decrypt the files. Do you have a backup of your DNS elsewhere, or is the only copy you have on this infected drive?

Did you factory reset the DNS and set up again after v2.06 was applied?

> Firmware has been released. This or any firmware will NOT recover encrypted files.
>
> Rev A1 / A2 - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DNS-320/REVA/DNS-320_REVA_FIRMWARE_v2.06B01.zip
>
> Rev B1 / B2 - ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DNS-320/REVB/DNS-320_REVB_FIRMWARE_v1.03B01.zip
>
> WARNING!!!!!! These fixes DO NOT COVER the bug!  Today I was attacked by Cr1pT0r ransomware and a lot of my files were disrupted, until I powered off the NAS!!! My 320 has v2.06 firmware!!
>
> The big problem is that the ransomware is active in the operating system, loaded from disk! Now my NAS is standalone and the encryption starts again as soon as I power on the NAS. If I remove the disks from it and install a new disk, the virus does not start again; if I put the infected disk back in the NAS, the virus starts again.
>
> How can I stop the infection and save my files?
>
> Thanks
>
> carlo
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: Carloroma63 on December 18, 2019, 12:53:26 PM
Hi,
I've installed the 2.06 version on 12 May (see my post in this discussion) when I noticed it on this forum, so I was confident I was protected against this ransomware, and I never did a factory reset. In August I formatted the volumes because some "disk full" and "power loss" events had damaged the file system structure.

My DNS has been exposed on the Internet for some years and I have a DynDNS service configured. The infection started yesterday.

I've mounted one of the two NAS disks on Windows (using an external USB docking box and the R-Studio utility) and I can see all files on it. In the root, there is a directory called NAS_Prog, with two dirs inside: _install and cr1ptt0r. _install is empty; cr1ptt0r contains the virus code (a lot of .sh files and some other directories).

Since I shut down the NAS as soon as I saw the infection, there are still a lot of unencrypted files on disk, but I cannot access them because R-Studio (in demo mode) doesn't allow me to save files to a Windows disk. I also cannot delete files on the volume (R-Studio never allows deleting files, not even in the registered version), so I don't know how to remove the virus from the system.

Is there a way to boot the NAS without loading the virus, to access the files without buying an R-Studio licence, or do you know another free utility to access the files directly in Windows? My configuration is two 3TB disks in RAID 1 with two volumes (JBOD).


Thanks

Carlo Spigoli
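As an added example (not from this thread and not D-Link tooling), a Python triage pass over a disk mounted read-only on another machine: it inventories the add-on directories under NAS_Prog that Carlo describes, flags the cr1ptt0r one, hashes its .sh files for reporting and records the earliest file modification time to date the implant. The mount point, the sample file names and the sample script body are assumptions constructed in demo().

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SUSPECT_ADDONS = {"cr1ptt0r"}  # add-on directory name reported in the thread
SAMPLE_SCRIPT = b"#!/bin/sh\n# constructed placeholder, not real malware\n"  # demo() only

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_nas_prog(mount_point):
    """Inventory each add-on under <mount>/NAS_Prog: suspect flag, file count,
    (relpath, sha256) of every .sh file, earliest mtime (dates the implant)."""
    nas_prog = os.path.join(mount_point, "NAS_Prog")
    report = {}
    if not os.path.isdir(nas_prog):
        return report
    for addon in sorted(os.listdir(nas_prog)):
        addon_dir = os.path.join(nas_prog, addon)
        if not os.path.isdir(addon_dir):
            continue
        count, scripts, earliest = 0, [], None
        for root, _dirs, names in os.walk(addon_dir):
            for name in names:
                path = os.path.join(root, name)
                count += 1
                mtime = os.stat(path).st_mtime
                earliest = mtime if earliest is None else min(earliest, mtime)
                if name.endswith(".sh"):
                    scripts.append((os.path.relpath(path, addon_dir), sha256_of(path)))
        report[addon] = {
            "suspect": addon.lower() in SUSPECT_ADDONS,
            "files": count,
            "scripts": sorted(scripts),
            "earliest_mtime": None if earliest is None
            else datetime.fromtimestamp(earliest, timezone.utc).isoformat(),
        }
    return report

def suspect_addons(report):
    """Add-ons to move off the disk before it goes back into the NAS."""
    return sorted(name for name, info in report.items() if info["suspect"])

def demo():
    """Constructed sample of the layout Carlo describes, built in a temp dir."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "NAS_Prog", "_install"))
    bad = os.path.join(base, "NAS_Prog", "cr1ptt0r", "bin")
    os.makedirs(bad)
    with open(os.path.join(bad, "run.sh"), "wb") as f:
        f.write(SAMPLE_SCRIPT)
    return {"mount": base, "report": scan_nas_prog(base)}
```

Run it against the real mount point instead of demo() only after mounting the disk read-only, so the scan itself changes nothing on the evidence.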
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: FurryNutz on December 18, 2019, 01:19:02 PM
I would remove the DNS from ANY internet or WAN side access.

I recommend that you phone contact your regional D-Link support office and ask for help and information regarding this.
Link> Tech Support Contact Information: http://forums.dlink.com/index.php?board=635.0
We find that phone contact has better immediate results over using email.
Let us know how it goes please.
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: GreenBay42 on December 18, 2019, 01:45:24 PM
Ransomware can sit on your drive(s) and not infect your data, even after firmware updates. It can launch whenever the hacker wants it to. The firmware is to prevent it getting on your drives, but if it was already on your drives before the firmware update there is nothing you can do unfortunately.

You will need to reformat the hard drives if you cannot restore any of your files.
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: Carloroma63 on December 19, 2019, 06:35:58 AM

@FurryNutz: Pls note this:

from https://www.dlink.com/en/security-bulletin/nas-ransomware

Model   H/W Version   Latest F/W Version   Actions to take
DNS-320   Ax   2.06   Disable the Internet connection to NAS

On this page, dated 11/11/19, D-Link declares that FW 2.06 is not secured against this vulnerability.
If D-Link had sent an email to all its clients instead of publishing a brief page on its site, my data wouldn't have been destroyed..... I'm really unhappy about this.

I'll try to call local support...

p.s. the virus directory has 13/12/2019 as its creation date; the attack was 4 days later.

@GreenBay42: the virus is on the disk and the NAS loads and executes it at boot. I've seen the virus log grow before my eyes after a reboot... :( :( :(

Carlo

p.s. now I will buy a new DNS, but for SURE not a D-Link....
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: FurryNutz on December 19, 2019, 10:48:14 AM
This was posted back in February or was made known by then:
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10110

> Firmware updates are often directed to addressing security vulnerabilities in the devices that may be exploited by Internet attacks such as a ransomware attack.  However, once the device is infected by the virus, firmware updates will not restore your data. Antivirus companies have created new tools to address past ransomware attacks and may develop decrypting tools to address the Cr1ptT0r Ransomware in the future. Until that time, to better protect your devices from Internet viruses, malware and ransomware:
>
> 1. Do not connect these devices directly to the Internet and/or port-forward services directly from the Internet.
> 2. Keep device firmware up-to-date.
> 3. Any computer accessing information on these devices should have appropriate antivirus protection and malware protection enabled.
> 4. Regular back-ups of stored information on these devices should occur in case a disaster recovery is needed.

And FYI, D-Link doesn't produce NAS anymore. So good luck on your next NAS. Be sure it's safe as well.


Title: Cr1pT0r ransomware vuln *NOT* fixed!!
Post by: richgordon on January 03, 2020, 06:17:09 AM
Jumping in to unfortunately confirm that I have also just fallen victim to Cr1pT0r ransomware attack on my DNS 320. I had updated to 2.06 roughly three months ago. I had DNS setup for remote access using FTPS and STRONG passwords.

I will note that while the log shows many files are encrypted, I'm still able to stream video library without issue, sadly however I'm not able to do the same for my MP3 library. It seems that some files are too large to be encrypted this way.

I hope someone from D-Link will contact me about this but I'm not holding my breath.

Falling victim to a well known vulnerability *after* said vuln was expressly advised by D-Link as *fixed* according to this forum post is simply unacceptable in today's world. I will use my wallet to express this sentiment when I purchase my next upgrade as I'm sure you will too.
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: FurryNutz on January 03, 2020, 02:50:54 PM
I'll have D-Link review this.

It's recommended for users to NOT allow any form of external or remote connections to any NAS on their network.

Users are encouraged to have backups of their files that are important to them.

And FYI, D-Link doesn't produce NAS anymore. So good luck on your next NAS. Be sure it's safe as well.
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: richgordon on January 04, 2020, 05:44:10 AM
> I'll have D-Link review this.

A reputable company would have been proactive on such an important issue. Not D-Link though, clearly.

> It's recommended for users to NOT allow any form of external or remote connections to any NAS on their network.

Yes, of course I know that *now*, just saying it would have been nice to see a stickied post in all caps warning of the same thing.

> Users are encouraged to have backups of their files that are important to them.

Well this goes without saying. Can't have too many backups - but this doesn't excuse D-Link's failures on their part.

> And FYI, D-Link doesn't produce NAS anymore. So good luck on your next NAS. Be sure it's safe as well.

Yes, I was aware already. My next NAS, in fact my next *anything*, will NOT be a D-Link, that is for sure.
Title: Re: DNS-320 Rev Ax/Bx - Cr1pT0r ransomware firmware fix
Post by: FurryNutz on January 04, 2020, 12:25:53 PM
These were posted back in Feb of 2019, almost a year ago.
http://forums.dlink.com/index.php?topic=74596.0
http://forums.dlink.com/index.php?topic=74600.0

I should have posted this in all locations in the forums and apologize for that. However, I was one of the first to make D-Link aware of it back then and they did take action, so I would not say that D-Link hasn't been proactive on this. I would also think that it would be hard to test the fix without actually knowing someone with the nefarious code to attack a test unit to see if D-Link's fix actually worked. A wise user would probably not have their NAS on the internet with high priority or sensitive data for external users to try and attack anyway.

I just bought my last DNS-345. Love this model. Wish D-Link hadn't stopped making them.

At any rate, D-Link is looking into this. For now, keep your NAS OFF the internet and BLOCK ALL connections to your NAS from the WAN side!!!