PerformCPU, posted February 5, 2021

So today I noticed 4 of the 8 threads on my UnRaid server were running pinned at 100%. At first I thought it was one of my VMs running screwy, but instead I found a docker container I'd never seen before. It was named gallant_snyder and it was running xmrig, which appears to be a crypto-miner. The really odd thing is that I haven't installed any new docker containers or community apps in years, just updated the ones I started with. So I'm really worried now, wondering how it got installed in the first place.

Docker Containers:
- NoIp
- iPXE-buildweb

Apps:
- Community Apps
- CA Fix Common Problems
- Dynamix Local Master
- Dynamix SSD Trim
- Disable Security Mitigations
- Dynamix System Info
- Preclear Disk
- Wake On Lan

Any ideas how this may have happened? Any steps I should take to prevent this?
trurl, posted February 5, 2021

Do you allow access to your server from the internet? Go to Tools - Diagnostics and attach the complete Diagnostics ZIP file to your NEXT post in this thread.
PerformCPU (author), posted February 5, 2021

Hmm, I do have a random high port number forwarded through my firewall for remote access to the web admin. Requested diagnostics attached: server-diagnostics-20210205-1558.zip
itimpi, posted February 5, 2021

Quoting PerformCPU (1 hour earlier): "Hmm, I do have a random high port number forwarded through my firewall for remote access to the web admin."

That is not normally a good idea: robots are good at scanning for ports. The only secure way to access unRaid from the internet is to use a VPN, and since unRAID has the WireGuard VPN software built in, it is the recommended way to set up secure access to your server for remote admin.
trurl, posted February 6, 2021

HACKED!!!

Dec 30 09:05:20 SERVER nginx: 2020/12/30 09:05:20 [error] 8506#8506: *8967102 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 178.128.163.10, server: , request: "GET /system_api.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "107.179.228.5:8006"
...
Jan 20 07:26:44 SERVER nginx: 2021/01/20 07:26:44 [error] 8506#8506: *12742830 open() "/usr/local/emhttp/c/version.js" failed (2: No such file or directory), client: 167.99.241.151, server: , request: "GET /c/version.js HTTP/1.1", host: "107.179.228.5:8006"
...
Jan 27 12:34:37 SERVER nginx: 2021/01/27 12:34:37 [error] 8506#8506: *13851431 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 64.227.97.101, server: , request: "GET /system_api.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "107.179.228.5:8006"
...

https://www.abuseipdb.com/check/178.128.163.10 (UK)
https://www.abuseipdb.com/check/167.99.241.151 (Germany)
https://www.abuseipdb.com/check/64.227.97.101 (USA)

Also looks like you have a problem with the cache disk:

Feb 4 09:03:08 SERVER kernel: sd 1:0:5:0: [sdg] tag#537 UNKNOWN(0x2003) Result: hostbyte=0x00 driverbyte=0x08
Feb 4 09:03:08 SERVER kernel: sd 1:0:5:0: [sdg] tag#537 Sense Key : 0x5 [current]
Feb 4 09:03:08 SERVER kernel: sd 1:0:5:0: [sdg] tag#537 ASC=0x21 ASCQ=0x0
Feb 4 09:03:08 SERVER kernel: sd 1:0:5:0: [sdg] tag#537 CDB: opcode=0x42 42 00 00 00 00 00 00 00 18 00
Feb 4 09:03:08 SERVER kernel: print_req_error: critical target error, dev sdg, sector 1953277894
Feb 4 09:03:08 SERVER kernel: BTRFS warning (device sdg1): failed to trim 1 device(s), last error -121
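The nginx lines trurl pulled from the diagnostics are the evidence that matters in this thread: the webgui answered on a public address (the host: field is the WAN IP and forwarded port) and internet clients were probing it for PHP scripts. The script below is an added example, not code from the thread or from Unraid, that automates that triage over a syslog file: it parses the client:, request: and host: fields out of nginx error entries, keeps only clients whose address is not private, loopback or link-local, and summarises per source IP with first/last seen, the paths requested and the Host header they used. The three log entries in SAMPLE_LOG are the ones quoted in the post above; the 192.168.1.50 entry is constructed to show that LAN traffic is filtered out. The log format assumed is the syslog-wrapped nginx error line exactly as shown in the post.

```python
"""Triage syslog-wrapped nginx error lines for internet clients probing the Unraid webgui.

Added example, not from the thread. Assumes lines in the format quoted in the post:
'<syslog stamp> SERVER nginx: YYYY/MM/DD HH:MM:SS [error] ... client: <ip>, server: ,
request: "<METHOD> <path> HTTP/x", ..., host: "<host>"'.
"""
import ipaddress
import re
from datetime import datetime

# Fields we need from one nginx error entry. The nginx timestamp carries the year,
# which the syslog prefix does not, so we use that one.
LINE_RE = re.compile(
    r"nginx: (?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] .*?"
    r"client: (?P<client>[0-9A-Fa-f.:]+), server: (?P<server>[^,]*), "
    r'request: "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*".*?host: "(?P<host>[^"]+)"'
)

# Sample input: the three entries quoted in the post above plus one CONSTRUCTED LAN entry
# (192.168.1.50 asking for a missing favicon) that a correct triage must ignore.
SAMPLE_LOG = [
    'Dec 30 09:05:20 SERVER nginx: 2020/12/30 09:05:20 [error] 8506#8506: *8967102 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 178.128.163.10, server: , request: "GET /system_api.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "107.179.228.5:8006"',
    'Jan 20 07:26:44 SERVER nginx: 2021/01/20 07:26:44 [error] 8506#8506: *12742830 open() "/usr/local/emhttp/c/version.js" failed (2: No such file or directory), client: 167.99.241.151, server: , request: "GET /c/version.js HTTP/1.1", host: "107.179.228.5:8006"',
    'Jan 27 12:34:37 SERVER nginx: 2021/01/27 12:34:37 [error] 8506#8506: *13851431 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 64.227.97.101, server: , request: "GET /system_api.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "107.179.228.5:8006"',
    # constructed, not from the thread:
    'Feb  4 10:00:00 SERVER nginx: 2021/02/04 10:00:00 [error] 8506#8506: *1 open() "/usr/local/emhttp/favicon.ico" failed (2: No such file or directory), client: 192.168.1.50, server: , request: "GET /favicon.ico HTTP/1.1", host: "192.168.1.10"',
]


def parse_line(line):
    """Return a dict of the fields in one nginx error line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec.pop("stamp"), "%Y/%m/%d %H:%M:%S")
    return rec


def is_external(address):
    """True when the client address is routable from the internet (not RFC1918, loopback, link-local)."""
    ip = ipaddress.ip_address(address)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage(lines):
    """Summarise external clients that produced webgui errors, keyed by client IP.

    Each entry records hit count, the distinct paths requested, the Host headers used
    (which reveal the public address:port the GUI answered on) and first/last timestamps.
    Lines that do not parse, and hits from internal addresses, are skipped.
    """
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_external(rec["client"]):
            continue
        entry = summary.setdefault(rec["client"], {
            "hits": 0, "paths": set(), "hosts": set(),
            "first_seen": rec["when"], "last_seen": rec["when"],
        })
        entry["hits"] += 1
        entry["paths"].add(rec["path"])
        entry["hosts"].add(rec["host"])
        entry["first_seen"] = min(entry["first_seen"], rec["when"])
        entry["last_seen"] = max(entry["last_seen"], rec["when"])
    # Freeze the sets into sorted lists so output is deterministic.
    for entry in summary.values():
        entry["paths"] = sorted(entry["paths"])
        entry["hosts"] = sorted(entry["hosts"])
    return summary


def exposed_listeners(summary):
    """Host headers seen from external clients: the public address:port the GUI is reachable on."""
    return sorted({h for e in summary.values() for h in e["hosts"]})


if __name__ == "__main__":
    import sys
    # Pass the syslog from the diagnostics zip as argv[1]; otherwise run on the sample lines.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(lines)
    for client, e in sorted(result.items(), key=lambda kv: kv[1]["hits"], reverse=True):
        print(f"{client:16} hits={e['hits']} first={e['first_seen']:%Y-%m-%d} "
              f"last={e['last_seen']:%Y-%m-%d} paths={e['paths']}")
    print("webgui answered on:", exposed_listeners(result))
```

Run it against the syslog inside the diagnostics zip; any external IP in the output means the GUI was reachable from the internet, and the first_seen date is the earliest point from which container and share changes should be treated as untrusted. Requests for scripts that do not exist on the box (the "Primary script unknown" and "No such file or directory" errors) are the typical footprint of automated scanners, which is why the error log rather than the access log is the quickest place to look.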