romainhc Posted January 10, 2021
Hi all! I have discovered recently that 2 VMs on my Unraid server were being used for an IPTV service. One of my Windows VMs has also been renamed "iptv". Today, a new docker was also running: "elastic_ishizaka". I think I've been hacked, or maybe it's a virus. The VMs and this docker are booting by themselves too. I may have a script running somewhere. Does anyone know what is happening and how I can monitor what is going on? Thank you!
ChatNoir Posted January 10, 2021
Hi, the best way to get some details would be to attach your diagnostics to your next post (Tools / Diagnostics). Also, since you think that something is not right, I would make sure that this server is OFF the internet.
romainhc Posted January 10, 2021 (Author)
Yeah, I'm taking some security precautions for the moment. I'll post the diag, thanks!
romainhc Posted January 10, 2021 (Author)
Here's the diag. The server was running only the Krusader, qbittorrent, duckdns, zerotier and Filezilla dockers. I also have ProFTPd running. No VMs were running during the diagnosis.
nasl42-diagnostics-20210110-1405.zip
ChatNoir Posted January 10, 2021
I see a lot of connections to ProFTP from all over the world; is that expected? (Seychelles, USA, France, Belgium, UK, Japan, ...)
T0a Posted January 10, 2021
25 minutes ago, romainhc said: "I've a proFTPd running also"
Was that one internet facing too? Latest version, or is that one vulnerable to a known exploit? Default credentials or too simple credentials? Anonymous login possible? Did those services run with dedicated users? Otherwise, the attacker might have got a privileged user. Check the FTP directory and /tmp for odd files like reverse shells. You can also check the user accounts and SSH keys etc., because the attacker might have tried to persist his access. Make sure you change all passwords on accounts that may use the exact same password or a variation of it (password, password123, p@ssword, etc.), because the attacker might have extracted passwords and hashes from that box. I wouldn't trust that box any more and would isolate it from your network. However, in case another host is already compromised, that wouldn't help. It would be nice to find out how the attacker got access to the box. Otherwise, you will be compromised again.
romainhc Posted January 10, 2021 (Author)
3 minutes ago, ChatNoir said: "I see a lot of connections to ProFTP from all over the world, is that expected? (Seychelles, USA, France, Belgium, UK, Japan, ...)"
WOW ... no, I don't think so. It's only for our clients. I'll check the diag; I don't know if I'll be able to analyze it.
ChatNoir Posted January 10, 2021
Just search for proftp and check the IP location with MaxMind or other services.
T0a Posted January 10, 2021
1 minute ago, romainhc said: "I see a lot of connections to ProFTP from all over the world, is that expected? (Seychelles, USA, France, Belgium, UK, Japan, ...)"
What you see there might be bots scanning for vulnerable ProFTP services.
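As an added example (not code from this thread, from Unraid or from ProFTPD), a small Python triage script for the kind of review suggested above: it groups proftpd.log-style lines by client IP, separates LAN (RFC1918) sources from outside ones, and flags repeated failed logins and anonymous logins. The log lines are constructed in the shape of proftpd.log ("timestamp host proftpd[pid] server (client[ip]): message") and are not taken from the poster's diagnostics.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of proftpd.log; not lines from the poster's diagnostics.
SAMPLE_LOG = """\
2021-01-10 13:01:03,002 nasl42 proftpd[2211] 192.168.1.10 (203.0.113.7[203.0.113.7]): USER admin (Login failed): Incorrect password.
2021-01-10 13:01:04,003 nasl42 proftpd[2211] 192.168.1.10 (203.0.113.7[203.0.113.7]): USER root (Login failed): Incorrect password.
2021-01-10 13:01:05,004 nasl42 proftpd[2211] 192.168.1.10 (203.0.113.7[203.0.113.7]): USER ftp (Login failed): Incorrect password.
2021-01-10 13:01:06,005 nasl42 proftpd[2211] 192.168.1.10 (203.0.113.7[203.0.113.7]): USER anonymous: Login successful.
2021-01-10 13:02:11,007 nasl42 proftpd[2230] 192.168.1.10 (198.51.100.9[198.51.100.9]): USER client1: Login successful.
2021-01-10 13:03:01,009 nasl42 proftpd[2240] 192.168.1.10 (192.168.1.50[192.168.1.50]): USER client2: Login successful.
"""
# Only the "(clienthost[clientip]): message" tail of each line matters here.
LINE_RE = re.compile(r"\((?P<host>[^\[\]]+)\[(?P<ip>[^\]]+)\]\): (?P<msg>.*)$")
FAIL_RE = re.compile(r"USER (\S+) \(Login failed\)")
OK_RE = re.compile(r"USER (\S+): Login successful")
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse(log_text):
    """Per client IP: total events, failed logins, users tried, successful users."""
    stats = defaultdict(lambda: {"events": 0, "failed": 0,
                                 "users_tried": set(), "success": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s, msg = stats[m.group("ip")], m.group("msg")
        s["events"] += 1
        fail, ok = FAIL_RE.search(msg), OK_RE.search(msg)
        if fail:
            s["failed"] += 1
            s["users_tried"].add(fail.group(1))
        elif ok:
            s["success"].append(ok.group(1))
    return stats

def triage(log_text, failure_threshold=3):
    """Flag non-RFC1918 sources, password guessing and anonymous logins."""
    findings = []
    for ip, s in parse(log_text).items():
        if not any(ipaddress.ip_address(ip) in net for net in LAN_NETS):
            findings.append(("external_source", ip, s["events"]))
        if s["failed"] >= failure_threshold:
            findings.append(("password_guessing", ip, sorted(s["users_tried"])))
        if "anonymous" in s["success"]:
            findings.append(("anonymous_login", ip, None))
    return findings
```

Feed it the real proftpd.log from the diagnostics archive and look up the flagged external IPs with a geolocation service, as ChatNoir suggests.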
romainhc Posted January 10, 2021 (Author)
Yeah, a lot of suspicious ProFTPd connections!!! I'll stop the service for now, and I'll delete the VMs. I think I have a security issue with the ProFTPd settings. Thanks for your help! I'll look at the diag first next time. If anyone has a way to set up a secure FTP on Unraid, I'll try it.
T0a Posted January 10, 2021
Be cautious about what you delete. From a forensics and threat hunting perspective it might be wise to keep that stuff in order to figure out how the attacker got in and what he did to your network.
Quote: "If anyone has a way to make a secure FTP on Unraid, I'll try it."
Don't use FTP. If you really need something like this internet facing, then use SFTP with key-only auth at least, disable anonymous login, etc.
romainhc Posted January 10, 2021 (Author)
Here's a compressed file that I found in the boot/config/plugins/ProFTPd folder, and it looks very suspicious. The modification date corresponds roughly to the moment it began. It contains php and js files ... what do you think about it?
ConfEdit.tar.gz
T0a Posted January 10, 2021
49 minutes ago, romainhc said: "Here's a compressed file that I found in the boot/config/plugins/ProFTPd folder, and it looks very suspicious. The modification date corresponds roughly to the moment it began. It contains php and js files ... what do you think about it? ConfEdit.tar.gz"
Looks fine to me. Did you expose any configuration files from ProFTPd via a web server by any chance? Warning: Do not download random, possibly malicious stuff to your working machine. Always inspect these kinds of things in a safe environment.
romainhc Posted January 10, 2021 (Author)
9 minutes ago, T0a said: "Looks fine to me. Did you expose any configuration files from ProFTPd via a web server by any chance? Warning: Do not download random, possibly malicious stuff to your working machine. Always inspect these kinds of things in a safe environment."
I haven't exposed anything, no. But obviously someone had access ... I'm investigating, and will keep you informed if I manage to find out what happened.