[CronRAT and NginRAT malware]

I'm really appreciating all the replies here.  My main goal was to bring attention to this issue and have people check their servers to ensure they haven't been compromised.  I doubt I'm the only one who has this problem.  It's possible it started with the CRON file and when that event fired it infected NGINX.

[CronRAT and NginRAT malware]

I don't know.  I've been running jlesage/nginx-proxy-manager for years and haven't touched it since the initial configuration.  It may not even be related to that.  I've only noticed issues with the CRON files but dismissed them as being potentially file corruption and didn't think anything of it at that time.

 

I run the sudo grep -al LD_L1BRARY_PATH /proc/*/environ | grep -v self/ command on the host directly and not from within a container.  Every time I run it I receive a new process ID.  I don't know if the process is restarting itself or if every instance is a new attack on my server.  There is never more than one process returned by this command.

 

There's supposed to exist /dev/shm/php-shared but my /dev/shm folder is empty.  Not sure if this is normal for Unraid or not.

 

 

[CronRAT and NginRAT malware]

I don't post much but I feel this is important to those using NGINX on their servers.

 

Technical details are here:

https://www.bleepingcomputer.com/news/security/new-malware-hides-as-legit-nginx-process-on-e-commerce-servers/

or, more directly:

https://sansec.io/research/cronrat

https://sansec.io/research/nginrat

 

Summary:

A vulnerability in NGINX allows a threat actor to install a RAT running virtually undetectable on your server.  One of the options is for it to also hide in CRON with a date of Feb 31.

 

I mention this because I believe my server got hit and it's very likely others could be vulnerable as well.  In the past I have noticed what I thought was a corrupt cron.d/root file and I've manually cleaned that file in the past.  Where I'm stumped is on how to clean the NGINX infestation.  I can identify the malicious processes and their solution is to just terminate them, however, every time I check, the process ID is different.

 

If anyone else has detected this activity on their server, I would really like to find a way to permanently eradicate NginRAT from my server.  All I've done so far is block the payload IP address on my router.  I only discovered this issue today.

[File Naming Error]

I can confirm this issue, however, I can rename it using MC.  I can't rename it from Windows and when I browse the folder in Windows it shows a completely different name for the file.

 

I did find this: https://serverfault.com/questions/242110/which-common-charecters-are-illegal-in-unix-and-windows-filesystems

[Help Take the Fight to COVID-19 with BOINC and Folding@home]

Does anyone know if there's a way to download (cache) extra GPU work units to keep my video card busy?  Most of the time all my GPUs are idle.

[[Support] Linuxserver.io - Folding@home]

22 hours ago, J89eu said:

Can this run on AMD GPUs? I have a Vega 56 and it seems the Windows app does work with GPU but perhaps not on Linux?

I have 2 older AMD GPUs (5xxx, 6xxx) and neither of them has ever received a work unit which is disappointing because they would certainly be faster than any CPU I own.  My systems are running Windows.

[3x Slower transfer speeds over 5GHz WiFi compared to Gigabit ethernet]

Don't confuse GHz with Gbit.  The speeds you show look normal to me.

If you look at your network properties on the laptop you will see the "Link speed" showing the true speed of your WiFi connection.

[Recommended CPU and MB for my new build]

I built a server for someone with this board and a Ryzen 3600 w/32GB ECC.  Works great.  Best thing about this board, if you work with servers, is the BMC.  The AST2500 is much improved over the AST2300 in my current server.

[Disk Shelf with UNRAID]

Don't forget the trays for each drive

[PERC H700 Direct Replacment in Dell R510]

Dell servers are usually picky about 3rd party hardware.  Why do you want to replace it?  Do you just want an HBA card to replace the RAID card?

[Added new Ethernet, how do I make it work?]

41 minutes ago, NLS said:

(as 8139too)

8139 is only 100mbit.  Did you mean to say 8169?

[Gigabit connection connects @100 (only in unRAID)]

I have a similar board, not for Unraid, and every once in a while the onboard nic would stop working.  I had to shut down, unplug power, hold power button for good measure, then power back up.  Could be worth a shot.

[Windows issues with unRAID]

Something also happened to my server after upgrading to 6.6.

 

Server was named storage but was renamed to storagemain for testing.

Added DNS record so both storage and storagemain both point to the same IP.

 

"ping storage" - works fine

"ping storagemain" - works fine

\\storagemain - works fine

\\storage - FAILS

http://storage/ - works fine

http://storagemain/ - works fine

[Areca Contoller Configuration for unRAID]

It's exciting watching this thread progress.  I love these Areca cards and appreciate the support they are now getting in unRAID.

[Turn regular case into a JBOD/DAS case w/ SFF-8088 connection]

You ground the green wire.  There are plenty of instructions out there.  You just use the rocker switch on the power supply to control power.

[Turn regular case into a JBOD/DAS case w/ SFF-8088 connection]

I went the cheap route and modified a power supply to be always on.  The power supply powers all my drives and drive cooling fans separate from my server.

 

I can still see where there could be a use for this product though.

[unRAID® by country]

Does a customer who buys 2 keys count as one or two?