Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

xmrig running - hacked or open?

Featured Replies

Hi,

 

I noticed CPU activity at 100% this morning and "xmrig" was running.  A quick search and there are a couple of other threads of this happening to others who have opened some of their ports.

 

I've had reverse proxy set up for a good while but I don't think I have any ports open directly to the server.

 

I've attached my diagnosis file if anyone can see anything suspicious that would be much appreciated.

 

 

ridcully-diagnostics-20210312-0812.zip

  • Author
Quote

    1    HTTP               80        85        192.168.0.5
    2    Letsencrypt    443        448        192.168.0.5
    3    Usenet            8888    8888    192.168.0.5
    4    Wireguard        51820    51820    192.168.0.5

 

These are the port forwarding rules I have.

 

The miner was running under the user "nobody" which I use for applications.

  • Community Expert

If you have port 80 open to the internet, you're doing it wrong™️

  • Author

Is that what that forwarding rule does?  I've always had a blindspot for network configuration...

 

I set that 80 > 85 port forward up as letsencrypt runs on port 85 (and 448)

  • Community Expert

And that's the rule you have set in your firewall/router, too?

 

As in:

WAN 80 to LAN 192.168.0.5:85

  • Author

image.thumb.png.eb099a8676b8fd1355a8239dace2a5ea.png

 

I think so?

  • Community Expert

and you don't have any other ports directly exposed, and you haven't set a reverse proxy to your admin panel?

  • Author

image.thumb.png.6765569db3af60fd897d64711b084041.png

 

That's the full list. 

 

1&2 - Letsencrypt

3 - Sabnzbd

4 - Deluge

5 - Another torrent docker I dont use anymore

6 - Wireguard

 

I've since deleted the torrent entries.  Does leaving a FWD entry to a port that isnt in use on the internal side create a security risk?

  • Community Expert

Only if something is listening on that port

  • Author

Hmm. So without something dodgy installed I should have been safe? That’s a worry then. 

  • Community Expert

Your log is too fresh for me to see anything that jumps out

  • Author

Ok, thanks. 
 

I’d only restarted a day or two ago when the .1 came out. 

  • Author

Just to update, I think this has originated from a malicious Deluge plugin.

 

-rw-rw-rw- 1 nobody users 22041 Dec 27 17:45 booster-0.2-py2.7.egg
 

  • Community Expert
20 hours ago, upthetoon said:

Just to update, I think this has originated from a malicious Deluge plugin.

 

-rw-rw-rw- 1 nobody users 22041 Dec 27 17:45 booster-0.2-py2.7.egg
 

 

Did you have webui enabled?

  • Author
3 hours ago, Michael_P said:

 

Did you have webui enabled?


I think an old port fwd rule I had in exposed it. I was using a weak password on the deluge front end too. 
 

I’ve since removed the forwarding rule and changed to a more complex password too. 

  • Community Expert

That'd do it, glad you got it figured out

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.