jmwilsoND

  1. Oh, and BTW, I understand what you are saying about the IPs, but I did not change my router. I simply added another router between my modem and my current router, which forces a new public IP from the modem.
  2. Thanks for the input, y'all, I think that's spot on. Thing is, I only connect to RDP through the VPN on my router that establishes a local connection, so with the VPN running separately on the router, I think I should be able to just delete the port forward that RDP had me open on setup. My main concern was that my system wasn't compromised, since my router logs clearly showed attempts by a remote IP on the one port that was forwarded (not to help my paranoia, tracing the IP leads to a UK security firm that has a huge banner on their website saying "we have been compromised by hackers, please talk to the UK fraud division", etc. ... way to get my heart beating). Since the VM was shut down at the time and the errors you mentioned are totally separate, I think I will do what y'all said and can hopefully be confident nothing was compromised. BTW, the cabling and parity drive issues make a lot of sense. I just swapped the parity drive for SMART errors, and pulling the HD cage out always leaves a mess (cable management not on point). Going back in and securing all that now. Thanks for all your help.
  3. Oh OK, that's even better, that's probably why these showed up. I will do so and post ASAP.
  4. OK, I understand. Unfortunately, since I stopped much of the access to my files that would be backed up automatically by the VM, I did a manual copy to a different share and all the file names that were copied showed in the syslog, so I can say it definitely is not anonymous. I do appreciate your attention and will do my best to get you the entirety that I can by deleting any reference to those files. It should just take me a few minutes. Thanks for your patience.
  5. Yes, I understand it is not the complete log. The complete log had sensitive information displayed because a backup of business files where the customers' names are displayed in the titles occurred. However, I am confident that it was not compromised at the time because my router logs showed no remote access. I'm sorry for not being able to post the entirety, but I can say with certainty that the logs posted include the entirety of the time that there were remote access attempts. I do not want my server to have a public IP. I have one port forwarded to the IP of the Windows 10 VM that was added as a part of the RDP install process. Now, I'm not sure that the port needs to be forwarded since, as I noted, I use a VPN to access it remotely with a local IP. Should I just delete that port forward? It's interesting because those cabling errors only show up at the time that my router logs show remote access attempts. I am thinking it was a brute force attempt at accessing the VM that shouldn't have been successful since the VM was shut down due to the update. Would this be a rational conclusion? The libvirt and docker logs do not have any activity during these times either. Thanks for looking at everything. I do appreciate it.
  6. A little background: I noticed an attempted WHOIS on an IRC chat that revealed my public IP (I know, stupid me; it has since been resolved by routing through Tor), but I immediately went to my router logs and noticed an attempted port scan happening. I disconnected my modem immediately and put another router in between the router that was port scanned, thus giving me a new public IP. There were no more remote attempts for 2 weeks while the intermediary router was in place. Figuring my IP reservation had expired (I have attempted this before and received a new IP in 7 days), I disconnected the intermediary router after the 2 weeks and went back to the original configuration. Immediately, I saw no more port scanning being attempted but instead just a steady remote access attempt on the IP and port for my remote desktop. I put the intermediary router in between again and it all stopped. So I downloaded the syslog and attached it for the time that the remote access attempts were made on the VM. The VM is only used for remote access to files, but that is only done through a VPN run through the router that logs in locally, so it would not show as remote access. The IP used belonged to a UK security firm who has a big banner on the front of their page saying that hackers have used their IP and to contact the UK's fraud division, so ya, ugh. This VM is also used to run a nightly sync between the router's NAS and a versioned backup on Unraid. However, the VM showed no usage because it was shut down due to W10 having initiated an update a few days earlier, and logging in, I was greeted by the update installing. Oh, and I should add that when I put the config back, my internet connection slowed to a crawl due to bandwidth being consumed by whatever happened (back to normal after putting the other router back in between). So what is compromised? What should my next course of action be? I really appreciate anyone spending the time to read through this and give me your input. Thanks. syslog.txt
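The posts above draw a distinction between two things seen in the router logs: a port scan (many different ports probed from one source, all dropped) and a steady stream of connection attempts against the single port that was forwarded to the RDP VM. As an added example, not part of the original posts or of any Unraid or router software, the Python below makes that same distinction over firewall log lines. Everything in it is constructed or assumed: the log line format, the WAN address 198.51.100.20, the remote addresses, and the RDP port 3389 (the thread never names the forwarded port or shows the router's log format). The script flags a source that made a threshold number of accepted connections to the forwarded port inside a time window as a brute-force indicator, and a source dropped on several distinct ports as a scan.

```python
"""Added example (not from the forum thread): separate a port scan from
repeated attempts on one forwarded port in router firewall logs.

Assumptions (not from the page): the line format below is hypothetical,
198.51.100.20 is the router's WAN address, 3389 is the forwarded RDP port.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Hypothetical firewall line: "<date> <time> ACCEPT|DROP src=IP:PORT dst=IP:PORT proto=PROTO"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+):\d+ dst=[\d.]+:(?P<dport>\d+) proto=\w+$"
)

# Constructed sample: one source hammering the forwarded port, one single
# legitimate-looking connection, one source scanning several ports, and a
# non-firewall kernel line that the parser must skip.
SAMPLE_LOG = """\
2023-05-01 03:14:01 ACCEPT src=203.0.113.7:51022 dst=198.51.100.20:3389 proto=TCP
2023-05-01 03:14:09 ACCEPT src=203.0.113.7:51023 dst=198.51.100.20:3389 proto=TCP
2023-05-01 03:14:18 ACCEPT src=203.0.113.7:51024 dst=198.51.100.20:3389 proto=TCP
2023-05-01 03:14:27 ACCEPT src=203.0.113.7:51025 dst=198.51.100.20:3389 proto=TCP
2023-05-01 03:14:35 ACCEPT src=203.0.113.7:51026 dst=198.51.100.20:3389 proto=TCP
2023-05-01 03:14:44 ACCEPT src=203.0.113.7:51027 dst=198.51.100.20:3389 proto=TCP
2023-05-01 09:30:00 ACCEPT src=192.0.2.5:40001 dst=198.51.100.20:3389 proto=TCP
2023-05-01 11:00:01 DROP src=198.51.100.99:60000 dst=198.51.100.20:22 proto=TCP
2023-05-01 11:00:01 DROP src=198.51.100.99:60001 dst=198.51.100.20:23 proto=TCP
2023-05-01 11:00:02 DROP src=198.51.100.99:60002 dst=198.51.100.20:80 proto=TCP
2023-05-01 11:00:02 DROP src=198.51.100.99:60003 dst=198.51.100.20:443 proto=TCP
2023-05-01 11:00:03 DROP src=198.51.100.99:60004 dst=198.51.100.20:8080 proto=TCP
2023-05-01 11:00:05 kernel: eth0 link up
"""


def parse(log_text):
    """Turn matching firewall lines into event dicts; ignore everything else."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a firewall event (e.g. the kernel line above)
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "action": m["action"],
            "src": m["src"],
            "dport": int(m["dport"]),
        })
    return events


def repeated_attempts_on_port(events, port, threshold=5, window=timedelta(minutes=5)):
    """Brute-force indicator on a forwarded port.

    Returns {src: n} for every source that had at least `threshold`
    ACCEPTed connections to `port` within any `window`-long span. ACCEPT is
    what a port forward produces: the router lets the connection through.
    """
    per_src = defaultdict(list)
    for e in events:
        if e["action"] == "ACCEPT" and e["dport"] == port:
            per_src[e["src"]].append(e["ts"])
    findings = {}
    for src, times in per_src.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):          # sliding window over sorted timestamps
            while times[i] - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            findings[src] = best
    return findings


def port_scan_sources(events, min_ports=3):
    """Scan indicator: sources DROPped on at least `min_ports` distinct ports."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DROP":
            ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("repeated attempts on 3389:", repeated_attempts_on_port(evs, 3389))
    print("port scans:", port_scan_sources(evs))
```

On the constructed sample this reports 203.0.113.7 with six accepted connections to 3389 in under a minute and 198.51.100.99 as a scanner of five ports, while the single connection from 192.0.2.5 stays below the threshold. The practical point behind the thread's question follows from the first function: if the only intended path to the VM is the router's VPN, removing the port forward means there are no ACCEPT lines to the RDP port from the WAN side at all, so the brute-force check has nothing to count.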