Someone got in my back door... giggity


iamgadgetman


I was working on containers today when I noticed one that I didn't recognize. A little digging revealed that someone recently created a container on my server without my knowledge, and it was mining bitcoin and sending the data back to the hacker. I have cut off the traffic on my firewall, but I'm really curious as to how the heck they got in. Any ideas? To be fair, I did have a non-standard port opened on the firewall for access to the admin page.

32 minutes ago, iamgadgetman said:

I did have a non-standard port opened on the firewall for access to the admin page.


32 minutes ago, iamgadgetman said:

how the heck they got in.

I believe you answered your own question. Once they have access to the Unraid GUI, they have complete control. You must secure any access with a VPN tunnel or something similar, i.e. TeamViewer or other secure remote access through another machine on the LAN.


@jonathanm I agree. I had honestly forgotten that it was there lol.

@tjb_altf4 the only thing is that I didn't set up anything at that time, that I know of.  It won't even let me look at the console.


It's also oddly set up.


Take a look at the logs. I eventually blocked the outbound TCP port, so I could keep the container without worrying about it getting out.


admiring_noyce.log.txt
