Anyone recognize these Dockers?


runamuk


Didn't really see your small screenshot earlier since I was on my phone and not wearing my glasses.

If you didn't install those dockers yourself then it seems possible you have been hacked. Is your server on the internet? Have you opened ports on your router?

If possible, before rebooting and preferably with the array started, go to Tools - Diagnostics and attach the complete Diagnostics ZIP file to your NEXT post in this thread.


It appears the watchtower and psclient AutoStart every time the array is started even with it off.

If I click on them there is no information such as support.


I did locate "watchtower" on the Apps page; however, it is not installed through Apps.

Still cannot locate anything with "psclient".

My firewall is active. This Unraid is part of my main network.

I have attached the requested diagnostics.

I have attached a screenshot of all my installed apps.


tower-diagnostics-20210111-1715.zip

33 minutes ago, runamuk said:

No ports forwarded.

In that case, I believe you have a compromised device on your network. It appears someone logged in to your unraid and using the command line installed the packetstream container along with watchtower to automatically keep the packetstream container updated and running.

If not you, somebody else is apparently making money from your bandwidth.

21 minutes ago, jonathanm said:

In that case, I believe you have a compromised device on your network. It appears someone logged in to your unraid and using the command line installed the packetstream container along with watchtower to automatically keep the packetstream container updated and running.

If not you, somebody else is apparently making money from your bandwidth.

Is that all they did? I noticed that the docker under /mnt/user/system/docker, the docker.img, is like 20 gigs.

49 minutes ago, runamuk said:

I noticed that the docker under /mnt/user/system/docker, the docker.img, is like 20 gigs.

That is normal and you can see that setting in Settings - Docker.

These are not normal:

Jan  7 09:42:30 Tower nginx: 2021/01/07 09:42:30 [error] 5184#5184: *52523 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 89.248.162.235, server: , request: "GET /pma/scripts/setup.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "50.88.226.86"

Jan  8 00:31:21 Tower nginx: 2021/01/08 00:31:21 [error] 5184#5184: *131246 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 45.155.205.108, server: , request: "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "50.88.226.86:80"

Jan  8 12:36:41 Tower nginx: 2021/01/08 12:36:41 [error] 5184#5184: *219010 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 81.71.120.65, server: , request: "GET /TP/public/index.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "50.88.226.86"

Jan  8 13:31:36 Tower nginx: 2021/01/08 13:31:36 [error] 5184#5184: *223356 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 185.128.41.50, server: , request: "GET /public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo() HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "50.88.226.86"

Jan  8 23:41:44 Tower nginx: 2021/01/08 23:41:44 [error] 5184#5184: *269577 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 41.175.155.78, server: , request: "POST /Admin56e25832/Login.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "50.88.226.86"

Jan  9 03:14:54 Tower nginx: 2021/01/09 03:14:54 [error] 5184#5184: *283323 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 36.27.208.157, server: , request: "GET /TP/public/index.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "50.88.226.86"

https://www.abuseipdb.com/check/89.248.162.235  Netherlands

https://www.abuseipdb.com/check/45.155.205.108  Germany

https://www.abuseipdb.com/check/81.71.120.65  China

https://www.abuseipdb.com/check/185.128.41.50 Switzerland

https://www.abuseipdb.com/check/41.175.155.78 South Africa

https://www.abuseipdb.com/check/36.27.208.157 China

and more like that

Definitely being hacked.

I also notice you have an SSD in the parity array. These are not recommended because they can't be trimmed, can't be written faster than parity, and there is some question whether some models might invalidate parity.
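As an added example (my own script, not something trurl or runamuk posted), here is a small Python triage tool for exactly the kind of syslog lines quoted above. Every one of those lines is nginx saying the PHP backend of the Unraid webGUI was asked for a script that does not exist, and the client addresses are all public internet addresses, which is the real finding: the webGUI is reachable from the internet. The script parses the lines, separates public clients from LAN clients, and summarises which paths were probed. The sample input is constructed: three of the lines quoted in this thread plus one made-up LAN request for contrast.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: three of the nginx error lines quoted in the thread, plus
# one made-up request from a LAN address (192.168.1.20) for contrast.
SAMPLE_SYSLOG = """\
Jan  7 09:42:30 Tower nginx: 2021/01/07 09:42:30 [error] 5184#5184: *52523 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 89.248.162.235, server: , request: "GET /pma/scripts/setup.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "50.88.226.86"
Jan  8 00:31:21 Tower nginx: 2021/01/08 00:31:21 [error] 5184#5184: *131246 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 45.155.205.108, server: , request: "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "50.88.226.86:80"
Jan  8 13:31:36 Tower nginx: 2021/01/08 13:31:36 [error] 5184#5184: *223356 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 185.128.41.50, server: , request: "GET /public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo() HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "50.88.226.86"
Jan  9 10:00:00 Tower nginx: 2021/01/09 10:00:00 [error] 5184#5184: *300000 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 192.168.1.20, server: , request: "GET /Dashboard/typo.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "192.168.1.10"
"""

# One nginx FastCGI error line as it appears in the Unraid syslog.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) nginx: .*?'
    r'FastCGI sent in stderr: "(?P<stderr>[^"]*)".*?'
    r'client: (?P<client>[0-9a-fA-F.:]+), server: (?P<server>[^,]*), '
    r'request: "(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)", '
    r'upstream: "(?P<upstream>[^"]*)", host: "(?P<host>[^"]+)"'
)


def parse_line(line):
    """Return the fields of one nginx FastCGI error line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["path"] = ev["target"].split("?", 1)[0]  # drop the query string
    # is_global is False for RFC 1918, loopback, link-local and other reserved ranges
    ev["client_is_public"] = ipaddress.ip_address(ev["client"]).is_global
    return ev


def triage(syslog_text):
    """Summarise who is asking the webGUI's PHP backend for scripts that do not exist."""
    events = [ev for ev in map(parse_line, syslog_text.splitlines()) if ev]
    public = [ev for ev in events if ev["client_is_public"]]
    return {
        "events": len(events),
        "public_clients": Counter(ev["client"] for ev in public),
        "probed_paths": Counter(ev["path"] for ev in public),
        # any hit from a public address means the webGUI is reachable from the internet
        "webgui_reachable_from_internet": bool(public),
    }


if __name__ == "__main__":
    import sys

    # Feed a real syslog on stdin (e.g. `python3 triage.py < syslog`), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SYSLOG
    summary = triage(text)
    print("nginx 'script unknown' events:", summary["events"])
    print("webGUI reachable from internet:", summary["webgui_reachable_from_internet"])
    for ip, n in summary["public_clients"].most_common():
        print(f"  public client {ip}: {n} request(s)")
    for path, n in summary["probed_paths"].most_common():
        print(f"  probed path {path}: {n}")
```

Note that the `host:` field in each quoted line is the public WAN address, so the requests arrived on the router's outside interface and were passed through to the Unraid box; that is what the router change needs to stop. The AbuseIPDB links trurl gave are the manual version of the `public_clients` list.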

Just now, trurl said:

Definitely being hacked.

I also notice you have an SSD in the parity array. These are not recommended because they can't be trimmed, can't be written faster than parity, and there is some question whether some models might invalidate parity.

I have attached below how the array is currently set up. Let me know if this is correct (the SSD was more of a test).

I attempted to reinstall Unraid; however, the dockers were still there after a fresh install. I manually removed them.

I have added an admin password for the Unraid and updated my router. Let me know if you have any other recommendations.


Edited by runamuk
8 hours ago, runamuk said:

I attempted to reinstall Unraid

Not sure what you mean by that.

The only things on the Unraid flash are the archives of the OS and the settings you make in the Unraid webUI. Unraid reinstalls itself fresh from those archives into RAM each time it boots and the OS runs completely in RAM.

8 hours ago, runamuk said:

the dockers were still there after a fresh install

Because the docker.img, which contains the executables of all your dockers, was still on other disks in your system.

8 hours ago, runamuk said:

I have added an admin password for the unraid  and updated my router. Let me know if you have any other recommendations.

Since I don't know what you did to allow this to happen I can't know how to fix it for sure.

I assume by "admin password" you mean you set a password for the "root" account. That is important of course and may help if the password is good enough.

What did you change with your router? That is going to be the most important thing to keep this from happening again.

All the things I posted I found in your syslog. Post new diagnostics if you want us to take another look.
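Since the OS is rebuilt from the flash on every boot but docker.img lives on the array, a quick way to tell CLI-installed containers from ones installed through Apps is to compare the running containers against the user templates Apps/dockerMan writes to the flash. Here is an added example script of mine (not from anyone in this thread) that does that comparison. It assumes the template directory is /boot/config/plugins/dockerMan/templates-user with files named my-<ContainerName>.xml; the container list and image names below are constructed sample data in the shape of `docker ps -a --format '{{json .}}'` output.

```python
import json
import os
import subprocess

# Assumed location of the per-container templates that Apps (dockerMan) writes to the flash.
TEMPLATES_DIR = "/boot/config/plugins/dockerMan/templates-user"

# Constructed sample of `docker ps -a --format '{{json .}}'` output (one JSON object
# per line). Image names are made up for the example.
SAMPLE_DOCKER_PS = """\
{"Names":"binhex-plex","Image":"example/arch-plex","Status":"Up 2 hours"}
{"Names":"watchtower","Image":"example/watchtower","Status":"Up 2 hours"}
{"Names":"psclient","Image":"example/psclient","Status":"Up 2 hours"}
{"Names":"old-test","Image":"example/alpine","Status":"Exited (0) 3 days ago"}
"""

# Constructed sample listing of TEMPLATES_DIR: only two containers were installed via Apps.
SAMPLE_TEMPLATE_FILES = ["my-binhex-plex.xml", "my-old-test.xml"]


def parse_docker_ps(text):
    """Parse the JSON-lines form of `docker ps` into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def template_container_names(filenames):
    """Map template file names (my-<Name>.xml) back to container names."""
    names = set()
    for f in filenames:
        if f.startswith("my-") and f.endswith(".xml"):
            names.add(f[len("my-"):-len(".xml")])
    return names


def find_unmanaged(containers, template_names):
    """Containers with no matching user template: candidates for CLI-installed ones."""
    return [c for c in containers if c["Names"] not in template_names]


def report(ps_text, template_files):
    containers = parse_docker_ps(ps_text)
    managed = template_container_names(template_files)
    unmanaged = find_unmanaged(containers, managed)
    return {
        "total": len(containers),
        "unmanaged": [c["Names"] for c in unmanaged],
        # running ones matter most: they came back after every array start in this thread
        "unmanaged_running": [c["Names"] for c in unmanaged if c["Status"].startswith("Up")],
    }


def report_live():
    """Same check against the real docker daemon and flash (run on the Unraid box)."""
    ps_text = subprocess.run(
        ["docker", "ps", "-a", "--format", "{{json .}}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return report(ps_text, os.listdir(TEMPLATES_DIR))


if __name__ == "__main__":
    summary = report(SAMPLE_DOCKER_PS, SAMPLE_TEMPLATE_FILES)
    print("containers:", summary["total"])
    print("no Apps template:", summary["unmanaged"])
    print("no Apps template and running:", summary["unmanaged_running"])
```

A container in the "no template" list is not automatically malicious (anything you created by hand with `docker run` will show up there too), but in a setup where everything was installed through Apps, as runamuk describes, the list should be empty.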


trurl, first and foremost I want to thank you for taking time to respond to these. You are a life saver.

8 hours ago, trurl said:

The only things on the Unraid flash are the archives of the OS and the settings you make in the Unraid webUI. Unraid reinstalls itself fresh from those archives into RAM each time it boots and the OS runs completely in RAM.

I realized this after I re-flashed my unraid usb drive thinking it would give me a "clean" install. 

8 hours ago, trurl said:

Because the docker.img, which contains the executables of all your dockers was still on other disks in your system.

Should I completely delete my docker.img to attempt to get a fresh start, or was deleting these rogue items under the Dockers tab good enough?

8 hours ago, trurl said:

Since I don't know what you did to allow this to happen I can't know how to fix it for sure.

I did not do anything special, only installed a few apps through Community Applications.

8 hours ago, trurl said:

I assume by "admin password" you mean you set a password for the "root" account. That is important of course and may help if the password is good enough.

Yes the root password.

8 hours ago, trurl said:

What did you change with your router? That is going to be the most important thing to keep this from happening again.

Updated the firmware, changed all logins to something more complicated, and ensured DDoS and the firewall were running.

I uploaded a new diagnostic. I will say when I first started up this unraid those dockers were still on the system and I removed them approx. 5 minutes into setting everything up.


tower-diagnostics-20210112-1801.zip


That seems OK but I still wonder how this happened in the first place.

52 minutes ago, runamuk said:

changed all logins to something more complicated

Are you talking about logins to your router? Why do you even have more than one login to your router?

Are you allowing any remote access to your LAN?

2 hours ago, trurl said:

That seems OK but I still wonder how this happened in the first place.

Are you talking about logins to your router? Why do you even have more than one login to your router?

Are you allowing any remote access to your LAN?

One login for router, however I also changed wifi and any other passwords that were on my local network just in case.

I do not allow any remote access to my LAN and do not have anything set up to do that.

I'm not sure how this happened either. I had Unraid installed for around a week, and the only apps I installed were through Community Applications (the same ones shown above). Is it possible one of the community apps I downloaded had something in it?

I just find it amazing that this happened in such a short period of time.

Edited by runamuk
