March 12, 20215 yr Hi, I noticed CPU activity at 100% this morning and "xmrig" was running. A quick search and there are a couple of other threads of this happening to others who have opened some of their ports. I've had reverse proxy set up for a good while but I don't think I have any ports open directly to the server. I've attached my diagnosis file if anyone can see anything suspicious that would be much appreciated. ridcully-diagnostics-20210312-0812.zip
March 12, 20215 yr Author Quote 1 HTTP 80 85 192.168.0.5 2 Letsencrypt 443 448 192.168.0.5 3 Usenet 8888 8888 192.168.0.5 4 Wireguard 51820 51820 192.168.0.5 These are the port forwarding rules I have. The miner was running under the user "nobody" which I use for applications.
March 12, 20215 yr Community Expert If you have port 80 open to the internet, you're doing it wrong™️
March 12, 20215 yr Author Is that what that forwarding rule does? I've always had a blindspot for network configuration... I set that 80 > 85 port forward up as letsencrypt runs on port 85 (and 448)
March 12, 20215 yr Community Expert And that's the rule you have set in your firewall/router, too? As in: WAN 80 to LAN 192.168.0.5:85
March 12, 20215 yr Community Expert and you don't have any other ports directly exposed, and you haven't set a reverse proxy to your admin panel?
March 12, 20215 yr Author That's the full list. 1&2 - Letsencrypt 3 - Sabnzbd 4 - Deluge 5 - Another torrent docker I dont use anymore 6 - Wireguard I've since deleted the torrent entries. Does leaving a FWD entry to a port that isnt in use on the internal side create a security risk?
March 12, 20215 yr Author Hmm. So without something dodgy installed I should have been safe? That’s a worry then.
March 14, 20215 yr Author Just to update, I think this has originated from a malicious Deluge plugin. -rw-rw-rw- 1 nobody users 22041 Dec 27 17:45 booster-0.2-py2.7.egg
March 15, 20215 yr Community Expert 20 hours ago, upthetoon said: Just to update, I think this has originated from a malicious Deluge plugin. -rw-rw-rw- 1 nobody users 22041 Dec 27 17:45 booster-0.2-py2.7.egg Did you have webui enabled?
March 15, 20215 yr Author 3 hours ago, Michael_P said: Did you have webui enabled? I think an old port fwd rule I had in exposed it. I was using a weak password on the deluge front end too. I’ve since removed the forwarding rule and changed to a more complex password too.
Archived
This topic is now archived and is closed to further replies.