February 5, 2021 So today I noticed 4 of the 8 threads on my UnRaid server were running pinned at 100%. At first I thought it was one of my VMs running screwy, but instead I found a docker container I'd never seen before. It was named gallant_snyder and it was running xmrig which appears to be a crypto-miner. The really odd thing is that I haven't installed any new docker containers or community apps in years, just updated the ones I started with. So I'm really worried now wondering how it got installed in the first place.

Docker Containers:
NoIp
iPXE-buildweb

Apps:
Community Apps
CA Fix Common Problems
Dynamix Local Master
Dynamix SSD Trim
Disable Security Mitigations
Dynamix System Info
Preclear Disk
Wake On Lan

Any ideas how this may have happened? Any steps I should take to prevent this?
February 5, 2021 Community Expert Do you allow access to your server from the internet? Go to Tools - Diagnostics and attach the complete Diagnostics ZIP file to your NEXT post in this thread.
February 5, 2021 Author Hmm, I do have a random high port number forwarded through my firewall for remote access to the web admin. Requested diagnostic attached. server-diagnostics-20210205-1558.zip
February 5, 2021 1 hour ago, PerformCPU said: Hmm, I do have a random high port number forwarded through my firewall for remote access to the web admin. That is not normally a good idea - robots are good for scanning for ports. The only secure way to access unRAID from the internet is to use a VPN, and since unRAID has the WireGuard VPN software built in, it is the recommended way to set up secure access to your server for remote admin.
February 6, 2021 Community Expert HACKED!!!

Dec 30 09:05:20 SERVER nginx: 2020/12/30 09:05:20 [error] 8506#8506: *8967102 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 178.128.163.10, server: , request: "GET /system_api.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "107.179.228.5:8006"
...
Jan 20 07:26:44 SERVER nginx: 2021/01/20 07:26:44 [error] 8506#8506: *12742830 open() "/usr/local/emhttp/c/version.js" failed (2: No such file or directory), client: 167.99.241.151, server: , request: "GET /c/version.js HTTP/1.1", host: "107.179.228.5:8006"
...
Jan 27 12:34:37 SERVER nginx: 2021/01/27 12:34:37 [error] 8506#8506: *13851431 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 64.227.97.101, server: , request: "GET /system_api.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "107.179.228.5:8006"
...

https://www.abuseipdb.com/check/178.128.163.10 UK
https://www.abuseipdb.com/check/167.99.241.151 Germany
https://www.abuseipdb.com/check/64.227.97.101 USA

Also looks like you have a problem with cache disk.

Feb 4 09:03:08 SERVER kernel: sd 1:0:5:0: [sdg] tag#537 UNKNOWN(0x2003) Result: hostbyte=0x00 driverbyte=0x08
Feb 4 09:03:08 SERVER kernel: sd 1:0:5:0: [sdg] tag#537 Sense Key : 0x5 [current]
Feb 4 09:03:08 SERVER kernel: sd 1:0:5:0: [sdg] tag#537 ASC=0x21 ASCQ=0x0
Feb 4 09:03:08 SERVER kernel: sd 1:0:5:0: [sdg] tag#537 CDB: opcode=0x42 42 00 00 00 00 00 00 00 18 00
Feb 4 09:03:08 SERVER kernel: print_req_error: critical target error, dev sdg, sector 1953277894
Feb 4 09:03:08 SERVER kernel: BTRFS warning (device sdg1): failed to trim 1 device(s), last error -121
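The check the Community Expert did by eye above (scanning the nginx error log in the diagnostics for clients outside the LAN reaching the webGUI port) can be automated. The script below is an added example, not code from the thread or from Unraid: it parses nginx error-log lines in the format shown in the post, pulls out the client IP and requested path, and reports every public (non-private) client that reached the GUI. The three sample lines are the ones quoted in the post; the fourth line, from a LAN address requesting /Main, is constructed to show that local traffic is ignored.

```python
import ipaddress
import re
from collections import defaultdict

# Field patterns for an nginx error-log line such as the ones quoted in the post.
CLIENT_RE = re.compile(r'client: (?P<ip>[0-9a-fA-F.:]+)')
REQUEST_RE = re.compile(r'request: "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[0-9.]+"')

# Sample input: three lines quoted from the forum post plus one constructed LAN line.
SAMPLE_LOG = [
    'Dec 30 09:05:20 SERVER nginx: 2020/12/30 09:05:20 [error] 8506#8506: *8967102 FastCGI sent in stderr: '
    '"Primary script unknown" while reading response header from upstream, client: 178.128.163.10, server: , '
    'request: "GET /system_api.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "107.179.228.5:8006"',
    'Jan 20 07:26:44 SERVER nginx: 2021/01/20 07:26:44 [error] 8506#8506: *12742830 open() "/usr/local/emhttp/c/version.js" '
    'failed (2: No such file or directory), client: 167.99.241.151, server: , request: "GET /c/version.js HTTP/1.1", host: "107.179.228.5:8006"',
    'Jan 27 12:34:37 SERVER nginx: 2021/01/27 12:34:37 [error] 8506#8506: *13851431 FastCGI sent in stderr: '
    '"Primary script unknown" while reading response header from upstream, client: 64.227.97.101, server: , '
    'request: "GET /system_api.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "107.179.228.5:8006"',
    # Constructed line: a LAN client fetching the dashboard; should not be reported.
    'Feb 01 10:00:00 SERVER nginx: 2021/02/01 10:00:00 [error] 8506#8506: *1 open() "/usr/local/emhttp/Main" '
    'failed (2: No such file or directory), client: 192.168.1.20, server: , request: "GET /Main HTTP/1.1", host: "192.168.1.5"',
]


def parse_line(line):
    """Return (client_ip, request_path) for a line, or None if either field is missing."""
    m_client = CLIENT_RE.search(line)
    m_req = REQUEST_RE.search(line)
    if not m_client or not m_req:
        return None
    return m_client.group("ip"), m_req.group("path")


def is_external(ip_text):
    """True when the address is a globally routable one (not RFC1918, loopback, link-local, etc.)."""
    try:
        return ipaddress.ip_address(ip_text).is_global
    except ValueError:
        return False


def external_gui_clients(lines):
    """Map every external client IP to the list of paths it requested on the GUI.

    Any entry at all means the webGUI was reachable from the internet; the
    paths show what was probed.
    """
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path = parsed
        if is_external(ip):
            hits[ip].append(path)
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in external_gui_clients(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} request(s): {', '.join(paths)}")
```

On a real diagnostics bundle, feed it the nginx error log from the `logs` directory instead of SAMPLE_LOG. Any external client in the output confirms the GUI is exposed, which is the condition the thread says to close by removing the port forward and using the built-in WireGuard VPN instead.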