IPTV hacked ???



Hi all !

 

I have discovered recently that 2 VMs on my Unraid server were used for an IPTV service. One of my Windows VMs has also been renamed "iptv".

Today, a new docker was also running: "elastic_ishizaka". I think I've been hacked, or a virus maybe. The VMs and this docker are booting by themselves too. I may have a script running somewhere.

 

Does anyone know what is happening and how I can monitor what is going on?

 

Thank you !

Link to comment
25 minutes ago, romainhc said:

I've a proFTPd running also

Was that one internet facing too? Latest version, or is that one vuln to a known exploit? Default credentials or too simple credentials? Anonymous login possible? Did those services run with dedicated users? Otherwise, the attacker might have got a privileged user. Check the ftp directory and /tmp for odd files like reverse shells.

 

You can also check the user accounts and ssh keys etc., because the attacker might have tried to persist his access. Make sure you change all passwords on accounts that may use the exact same password or an alteration of it (password, password123, p@ssword, etc.), because the attacker might have extracted passwords and hashes from that box.

 

I wouldn't trust that box any more and would isolate it from your network. However, in case another host is already compromised, that wouldn't help. It would be nice to find out how the attacker got access to the box. Otherwise, you will be compromised again.

Edited by T0a
Link to comment
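As an added example, not code posted by anyone in this thread: a small POSIX shell triage helper for the checks suggested above (recently modified files in the ftp directory and /tmp, accounts that still have a login shell, and which authorized_keys entries exist). It runs here on constructed sample data in a temp directory; point the functions at the real paths on an isolated copy of the box.

```shell
#!/bin/sh
# Added triage helper (assumption: run from a shell on the suspect box or on a
# mounted copy of its disks; the paths below are constructed sample data).

# Print regular files under $1 modified within the last $2 minutes.
recent_files() {
    find "$1" -type f -mmin "-$2" 2>/dev/null | sort
}

# Print accounts from a passwd-format file ($1) whose shell allows a login.
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ {print $1}' "$1"
}

# For every authorized_keys file under home root $1, print "file: keytype comment".
authorized_keys_summary() {
    find "$1" -path '*/.ssh/authorized_keys' -type f 2>/dev/null | sort |
    while read -r f; do
        awk -v f="$f" 'NF >= 2 && $0 !~ /^#/ {print f ": " $1 " " $3}' "$f"
    done
}

# --- constructed sample data (not real findings) ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/ftp" "$demo_dir/home/bob/.ssh"
printf 'old upload\n' > "$demo_dir/ftp/readme.txt"
touch -t 202001010000 "$demo_dir/ftp/readme.txt"      # old file, should not show up
printf 'constructed sample\n' > "$demo_dir/ftp/upload.php"  # fresh file, should show up
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ftp:x:14:50:FTP User:/srv/ftp:/sbin/nologin
backup:x:1001:1001::/home/backup:/bin/sh
EOF
printf 'ssh-ed25519 AAAAC3constructedkey constructed@example\n' \
    > "$demo_dir/home/bob/.ssh/authorized_keys"

echo "== files modified in the last hour =="; recent_files "$demo_dir/ftp" 60
echo "== accounts with a login shell ==";     login_shell_accounts "$demo_dir/passwd"
echo "== authorized_keys entries ==";         authorized_keys_summary "$demo_dir/home"
```

Run the same three functions against /tmp, the ProFTPd directory, /etc/passwd and /root plus /home on the real system; anything you do not recognise is worth keeping for the investigation rather than deleting.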
3 minutes ago, ChatNoir said:

I see a lot of connections to ProFTP from all over the world, is that expected ? (Seychelles, USA, France, Belgium, UK, Japan, ...)

WOW .... no, I don't think so. It's only for our clients. I'll check the diag, I don't know if I'll be able to analyze it.

Link to comment

Yeah, a lot of suspicious ProFTPd connections !!! I've stopped the service for now, and I'll delete the VMs.

 

I think I've a security issue with the ProFTPd settings.

 

Thanks for your help ! I'll look at the diag first next time.

 

If anyone has a way to make a secure FTP on Unraid, I'll try it.

Link to comment

Be cautious what you delete. From a forensics and threat hunting perspective it might be wise to have that stuff in order to figure out how the attacker got in and what he did to your network.

 

Quote

If anyone has a way to make a secure FTP on Unraid, I'll try it.

 

Don't use FTP. If you really need something like this internet facing, then use SFTP with key-only auth at least, disable anonymous login, etc.

Edited by T0a
Link to comment
49 minutes ago, romainhc said:

Here's a compressed file that I've found in the boot/config/plugins/ProFTPd folder, and it looks very suspicious. The modification date corresponds roughly to the moment it began.

 

It contains php and js files ... what do you think about it ????

 

 

ConfEdit.tar.gz 37.07 kB · 2 downloads

 

Looks fine to me. Did you expose any configuration files from ProFTPd via a web server by any chance?

 

Warning: Do not download random, possibly malicious stuff to your working machine. Always inspect this kind of thing in a safe env.

Link to comment
9 minutes ago, T0a said:

 

Looks fine to me. Did you expose any configuration files from ProFTPd via a web server by any chance?

 

Warning: Do not download random, possibly malicious stuff to your working machine. Always inspect this kind of thing in a safe env.

I haven't exposed anything, no. But obviously someone had access ... I'm investigating, and will keep you informed if I manage to find out what happened.

Link to comment
