Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

IPTV hacked ???

Featured Replies

Hi all !

 

I have discovered recently that 2 VMs on my Unraid server were used for IPTV service. One of my windows VM has also been renamed "iptv".

Today, a new docker was also running : "elastic_ishizaka". I think I've been hacked or a virus maybe. The VM's and this docker are booting by themselves too. I may have a script running somewhere.

 

Does anyone knows what is happening and how I can monitor what is going on ?

 

Thank you !

Hi, the best way to have some details would be to attach your diagnostics to your next post (Tools / Diagnostics).

 

Also, since you think that something is not right, I would make sure that this server is OFF the internet.

  • Author

Yeah, I'm taking some security options for the moment. I'll post the diag, thanx !

  • Author

Here's the diag.

The server was running  Krusader, qbittorrent, duckdns, zerotier and Filezilla dockers only. I've a proFTPd running also. No VM's were running while diagnosis.

 

 

nasl42-diagnostics-20210110-1405.zip

I see a lot of connections to ProFTP from all over the world, is that expected ? (Seychelles, USA, France, Belgium, UK, Japan, ...)

25 minutes ago, romainhc said:

I've a proFTPd running also

Was that one internet facing too? Latest version or is that one vuln to a known exploit? Default credentials or too simple credentials? Anonymous login possible? Did those services run with dedicated users? Otherwise, the attacker might got a privileged user.  Check the ftp directory and /tmp for odd files like reverse shells.

 

You can also check the user accounts and ssh keys etc. because the attacker might tried to persist his access. Make sure you change all passwords on accounts that may use an exact password or an alternation (password, password123, p@ssword, etc. ) of it, because the attacker might extracted passwords and hashes from that box.

 

I wouldn't trust that box any more and isolate it from your network. However, in case another host is already compromised that wouldn't help.  It would be nice to find out how the attacker got access to the box. Otherwise, you will be compromised again.

Edited by T0a

  • Author
3 minutes ago, ChatNoir said:

I see a lot of connections to ProFTP from all over the world, is that expected ? (Seychelles, USA, France, Belgium, UK, Japan, ...)

WOW .... no, I dont think so. It's only for our clients. I'll check the diag, I dont know if I'll be able to analyze it.

just search for proftp and check the ip location with maxmind or other services.

1 minute ago, romainhc said:

I see a lot of connections to ProFTP from all over the world, is that expected ? (Seychelles, USA, France, Belgium, UK, Japan, ...)

What you see there might be bots scanning for vuln ProFTP services.

  • Author

Yeah, a lot suspicious ProFTPd connections !!! I stop the service for now, and I'll delete the VM's.

 

I think I've a security issues with the ProFTPd settings.

 

Thanx for your help ! I'll look to the diag first next time.

 

If anyone has a way to make a secure FTP on Unraid,  I'll try it.

Be cautious what you delete. From a forensics and threat hunting perspective it might be wise to have that stuff in order to figure out how the attacker got in and what he did to your network.

 

Quote

If anyone has a way to make a secure FTP on Unraid,  I'll try it.

 

Don't use FTP. If you really need something like this internet facing then use sFTP with key only auth at least, disable anonymous login, etc.

Edited by T0a

  • Author

Here's a compressed file that I've found on the boot/config/plugins/ProFTPd folder, and it looks very suspicious. The modification date correspond roughly to the moment it began.

 

It contains php and js files ... what do you think about it ????

 

 

ConfEdit.tar.gz

Edited by romainhc

49 minutes ago, romainhc said:

Here's a compressed file that I've found on the boot/config/plugins/ProFTPd folder, and it looks very suspicious. The modification date correspond roughly to the moment it began.

 

It contains php and js files ... what do you think about it ????

 

 

ConfEdit.tar.gz 37.07 kB · 2 downloads

 

Looks fine to me. Did you expose any configuration files from ProFTPd via a web server by any chance?

 

Warning: Do not download random possibly malicious stuff to your working machine. Always inspect these kind of things in a safe env.

  • Author
9 minutes ago, T0a said:

 

Looks fine to me. Did you expose any configuration files from ProFTPd via a web server by any chance?

 

Warning: Do not download random possibly malicious stuff to your working machine. Always inspect these kind of things in a safe env.

I dont have exposed anything no. But obviously someone had an access ... i'm investigating, and will keep inform if I managed to know what happened.

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.