Solution: Synology NAS fails to upgrade DSM after being hijacked as a bitcoin miner

Synology is one of the best and most reliable NAS devices I have ever used so far -- OK, mostly because of its user experience and gorgeous UI. However, 2014 was an embarrassing year for Synology because of its security vulnerabilities. One of them was exploited by hackers to hijack the system as a Bitcoin miner. The symptoms of an infected system include (not an exhaustive list):
  • Slow response and occasional disconnections.
  • Unable to upgrade DSM. You always read "Your DSM version is up-to-date." when checking the system version, even when you know a new one is already out, and you can't upgrade it manually either.
  • Unable to log in to the admin interface from time to time.
  • When connecting via SSH, the shell greets you with an error message like: "ERROR: ld.so: object '/lolz/jynx2.so' from LD_PRELOAD cannot be preloaded: ignored." Similar error messages may appear whenever you type a Linux command -- evidence of having been hijacked.
There are several ways to solve the problem. One thing for sure: it's nearly impossible to remove the malware by hand because of its complexity. Most of the solutions bypass the prying eyes of the malware and re-install DSM, such as: replacing the HDDs with clean new ones to force a re-install of the latest DSM, then putting the original HDDs back (if you forget the order of the HDDs... ouch!), or resetting the NAS to factory configuration to re-install DSM, at the cost of most of your settings (enjoy the feeling of owning a new machine... ouch! Your data would be safe, though). Desperate cures for desperate diseases.

Fortunately I've found a thread (http://forum.synology.com/enu/viewtopic.php?f=7&t=83325) with tons of valuable information and a relatively simple solution. We need the glorious command line interface (CLI) to save your NAS.

Sign in to your Synology NAS via SSH as root (root uses the same password as admin):

$ ssh root@xxx.xxx.xxx.xxx

You may still see the error message. Don't worry about it. Now make sure you are in root's home directory:

$ cd

Rename .profile, adjust its permissions, then log out:

$ mv .profile .profile_bak
$ chmod a+w .profile_bak
$ exit

Log back in to the NAS via SSH. The error message should be gone:

$ ssh root@xxx.xxx.xxx.xxx

Edit the renamed .profile using vi. If you're not familiar with vi, check the basic commands in the "Linux vi editor" post on the Synology Forum:

$ vi .profile_bak

Remove all lines containing jynx2.so (the export LD_PRELOAD lines, shown in red in the original post), and clean up the PATH setting. For example:

export LD_PRELOAD=/PWNED/jynx2.so
export PATH=/opt/bin:/opt/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin
export LD_PRELOAD=/PWNED/jynx2.so
export PATH=/opt/bin:/opt/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin
export LD_PRELOAD=/lolz/jynx2.so
export PATH=/opt/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin

After cleaning, it looks like this:

export PATH=/opt/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin

Save the file. Rename it back to .profile, restore its permissions, and log out:

$ mv .profile_bak .profile
$ chmod go-w .profile
$ exit
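As an added example (not from the original post or the forum thread), here is a small POSIX shell helper that does the same .profile cleanup non-interactively: it lists every LD_PRELOAD line in the renamed profile and writes a cleaned copy with the duplicated PATH entries collapsed, so you can verify the result before renaming it back. The function names and the embedded sample profile are constructed for this example; run it against a copy, as the post does, never against the live .profile directly.

```shell
# Added example, not from the post: list LD_PRELOAD injections in a shell
# profile and write a cleaned copy. Function names are hypothetical.

# Constructed sample that mirrors the infected .profile shown above.
make_sample_profile() {
    cat > "$1" <<'EOF'
export LD_PRELOAD=/PWNED/jynx2.so
export PATH=/opt/bin:/opt/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin
export LD_PRELOAD=/lolz/jynx2.so
export PATH=/opt/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin
EOF
}

# Print (with line numbers) every LD_PRELOAD assignment in the file.
# Any preload in a login profile is suspicious on DSM, not only jynx2.so.
find_preloads() {
    grep -n 'LD_PRELOAD' "$1"
}

# Number of LD_PRELOAD lines; 0 means the profile is clean.
count_preloads() {
    grep -c 'LD_PRELOAD' "$1" || true
}

# Write a cleaned copy of $1 to $2: drop LD_PRELOAD lines, keep a single
# PATH line with duplicate entries removed, pass every other line through.
clean_profile() {
    awk '
        /LD_PRELOAD/ { next }
        /^export PATH=/ {
            if (seen_path) next
            seen_path = 1
            sub(/^export PATH=/, "")
            n = split($0, parts, ":"); out = ""
            for (i = 1; i <= n; i++)
                if (!(parts[i] in seen)) {
                    seen[parts[i]] = 1
                    out = out (out == "" ? "" : ":") parts[i]
                }
            print "export PATH=" out
            next
        }
        { print }
    ' "$1" > "$2"
}

# On the NAS, after the rename step above:
#   find_preloads /root/.profile_bak
#   clean_profile /root/.profile_bak /root/.profile.clean
```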

Log back in to your NAS via SSH. Now everything should be back to normal, and you're ready to upgrade your DSM manually -- in real manual style.

$ ssh root@xxx.xxx.xxx.xxx

Download the latest DSM system file for this particular NAS model (it is saved in the directory /volume1/@autoupdate):

$ synoupgrade --fetch-all

You may confirm that the downloaded file is in the right place:

$ ls /volume1/@autoupdate

Start upgrading the system:

$ synoupgrade --patch /volume1/@autoupdate/DSM_DSxxxx_xxxx.pat

The system will reboot after the upgrade is completed. You may enjoy the beautiful GUI of DSM 5.x now.

Wait! Let's make sure everything is happy and safe. Follow the instructions in the Security Advisor wizard (a new feature in DSM 5.1) to tweak your system for better security (Main menu > Security Advisor). Recommended settings:
  • Enforce stronger passwords for all users, especially admin (Control Panel > User > Advanced tab > Apply password strength rules).
  • Change the default port numbers for SSH, Telnet (Control Panel > Terminal & SNMP > Terminal tab) and FTP (Control Panel > File services > FTP tab) if you use them.
  • Change the default port number for DSM interface (Control Panel > Network > DSM Settings).
  • Enable automatic update for DSM (Control Panel > Update & Restore > DSM Update > Update Settings).
Live long and prosper.
