January 10, 20215 yr Hi all ! I have discovered recently that 2 VMs on my Unraid server were used for IPTV service. One of my windows VM has also been renamed "iptv". Today, a new docker was also running : "elastic_ishizaka". I think I've been hacked or a virus maybe. The VM's and this docker are booting by themselves too. I may have a script running somewhere. Does anyone knows what is happening and how I can monitor what is going on ? Thank you !
January 10, 20215 yr Hi, the best way to have some details would be to attach your diagnostics to your next post (Tools / Diagnostics). Also, since you think that something is not right, I would make sure that this server is OFF the internet.
January 10, 20215 yr Author Yeah, I'm taking some security options for the moment. I'll post the diag, thanx !
January 10, 20215 yr Author Here's the diag. The server was running Krusader, qbittorrent, duckdns, zerotier and Filezilla dockers only. I've a proFTPd running also. No VM's were running while diagnosis. nasl42-diagnostics-20210110-1405.zip
January 10, 20215 yr I see a lot of connections to ProFTP from all over the world, is that expected ? (Seychelles, USA, France, Belgium, UK, Japan, ...)
January 10, 20215 yr 25 minutes ago, romainhc said: I've a proFTPd running also Was that one internet facing too? Latest version or is that one vuln to a known exploit? Default credentials or too simple credentials? Anonymous login possible? Did those services run with dedicated users? Otherwise, the attacker might got a privileged user. Check the ftp directory and /tmp for odd files like reverse shells. You can also check the user accounts and ssh keys etc. because the attacker might tried to persist his access. Make sure you change all passwords on accounts that may use an exact password or an alternation (password, password123, p@ssword, etc. ) of it, because the attacker might extracted passwords and hashes from that box. I wouldn't trust that box any more and isolate it from your network. However, in case another host is already compromised that wouldn't help. It would be nice to find out how the attacker got access to the box. Otherwise, you will be compromised again. Edited January 10, 20215 yr by T0a
January 10, 20215 yr Author 3 minutes ago, ChatNoir said: I see a lot of connections to ProFTP from all over the world, is that expected ? (Seychelles, USA, France, Belgium, UK, Japan, ...) WOW .... no, I dont think so. It's only for our clients. I'll check the diag, I dont know if I'll be able to analyze it.
January 10, 20215 yr just search for proftp and check the ip location with maxmind or other services.
January 10, 20215 yr 1 minute ago, romainhc said: I see a lot of connections to ProFTP from all over the world, is that expected ? (Seychelles, USA, France, Belgium, UK, Japan, ...) What you see there might be bots scanning for vuln ProFTP services.
January 10, 20215 yr Author Yeah, a lot suspicious ProFTPd connections !!! I stop the service for now, and I'll delete the VM's. I think I've a security issues with the ProFTPd settings. Thanx for your help ! I'll look to the diag first next time. If anyone has a way to make a secure FTP on Unraid, I'll try it.
January 10, 20215 yr Be cautious what you delete. From a forensics and threat hunting perspective it might be wise to have that stuff in order to figure out how the attacker got in and what he did to your network. Quote If anyone has a way to make a secure FTP on Unraid, I'll try it. Don't use FTP. If you really need something like this internet facing then use sFTP with key only auth at least, disable anonymous login, etc. Edited January 10, 20215 yr by T0a
January 10, 20215 yr Author Here's a compressed file that I've found on the boot/config/plugins/ProFTPd folder, and it looks very suspicious. The modification date correspond roughly to the moment it began. It contains php and js files ... what do you think about it ???? ConfEdit.tar.gz Edited January 10, 20215 yr by romainhc
January 10, 20215 yr 49 minutes ago, romainhc said: Here's a compressed file that I've found on the boot/config/plugins/ProFTPd folder, and it looks very suspicious. The modification date correspond roughly to the moment it began. It contains php and js files ... what do you think about it ???? ConfEdit.tar.gz 37.07 kB · 2 downloads Looks fine to me. Did you expose any configuration files from ProFTPd via a web server by any chance? Warning: Do not download random possibly malicious stuff to your working machine. Always inspect these kind of things in a safe env.
January 10, 20215 yr Author 9 minutes ago, T0a said: Looks fine to me. Did you expose any configuration files from ProFTPd via a web server by any chance? Warning: Do not download random possibly malicious stuff to your working machine. Always inspect these kind of things in a safe env. I dont have exposed anything no. But obviously someone had an access ... i'm investigating, and will keep inform if I managed to know what happened.
Archived
This topic is now archived and is closed to further replies.