upthetoon Posted March 12, 2021
Hi, I noticed CPU activity at 100% this morning and "xmrig" was running. A quick search and there are a couple of other threads of this happening to others who have opened some of their ports. I've had a reverse proxy set up for a good while, but I don't think I have any ports open directly to the server. I've attached my diagnosis file; if anyone can see anything suspicious, that would be much appreciated.
Attachment: ridcully-diagnostics-20210312-0812.zip
upthetoon (Author) Posted March 12, 2021
These are the port forwarding rules I have:

  #  Name         WAN port  LAN port  LAN host
  1  HTTP         80        85        192.168.0.5
  2  Letsencrypt  443       448       192.168.0.5
  3  Usenet       8888      8888      192.168.0.5
  4  Wireguard    51820     51820     192.168.0.5

The miner was running under the user "nobody", which I use for applications.
Michael_P Posted March 12, 2021
If you have port 80 open to the internet, you're doing it wrong™️
upthetoon (Author) Posted March 12, 2021
Is that what that forwarding rule does? I've always had a blind spot for network configuration... I set that 80 > 85 port forward up as letsencrypt runs on port 85 (and 448).
Michael_P Posted March 12, 2021
And that's the rule you have set in your firewall/router, too? As in: WAN 80 to LAN 192.168.0.5:85
Michael_P Posted March 12, 2021
And you don't have any other ports directly exposed, and you haven't set a reverse proxy to your admin panel?
upthetoon (Author) Posted March 12, 2021
That's the full list.
1 & 2 - Letsencrypt
3 - Sabnzbd
4 - Deluge
5 - Another torrent docker I don't use anymore
6 - Wireguard
I've since deleted the torrent entries. Does leaving a FWD entry to a port that isn't in use on the internal side create a security risk?
Michael_P Posted March 12, 2021
Only if something is listening on that port
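Michael_P's answer ("only if something is listening") can be turned into a mechanical check that is worth running whenever forwards accumulate. The script below is an added example, not code from this thread or from Unraid: it reconciles the port-forward rules posted above (plus two hypothetical rules, a Deluge web UI forward on 8112 and an old torrent forward on 6881) against a constructed `ss -tulnH` snapshot of the server, and reports which forwards are stale, which reach a service that is meant to be public, and which expose an admin web UI to the WAN. The `ss` output, the admin-UI port mapping (8888 treated as SABnzbd because the poster lists rule 3 as Sabnzbd, 8112 as the Deluge web UI default) and the two extra rules are assumptions.

```python
"""Reconcile router port-forward rules against what actually listens on the
LAN host. Added example, not code from the thread or from Unraid. The four
posted rules are real; the `ss` snapshot and the Deluge/old-torrent rules
are constructed to show a stale forward and an exposed web UI.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    name: str
    wan_port: int
    lan_port: int
    lan_host: str
    proto: str = "tcp"


# The four rules from the post, plus two hypothetical ones.
FORWARDS = [
    Forward("HTTP", 80, 85, "192.168.0.5"),
    Forward("Letsencrypt", 443, 448, "192.168.0.5"),
    Forward("Usenet", 8888, 8888, "192.168.0.5"),
    Forward("Wireguard", 51820, 51820, "192.168.0.5", proto="udp"),
    Forward("Deluge", 8112, 8112, "192.168.0.5"),       # hypothetical
    Forward("Old torrent", 6881, 6881, "192.168.0.5"),  # hypothetical
]

# Constructed snapshot of `ss -tulnH` run on 192.168.0.5 (not real output).
SS_OUTPUT = """\
tcp   LISTEN 0      4096         0.0.0.0:85          0.0.0.0:*
tcp   LISTEN 0      4096            [::]:448            [::]:*
tcp   LISTEN 0      128          0.0.0.0:8888        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8112        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:6881        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:51820       0.0.0.0:*
"""

# Services whose admin/web UI should never face the WAN (assumed mapping).
ADMIN_UI = {("tcp", 8888): "SABnzbd web UI", ("tcp", 8112): "Deluge web UI"}


def parse_ss(text):
    """Return the set of (proto, port) sockets reachable from the LAN.

    Sockets bound only to loopback are skipped: a router forward pointed at
    them reaches nothing, so they are 'stale' from the WAN's point of view.
    """
    reachable = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        host, port = local.rsplit(":", 1)   # also handles "[::]:448"
        if host.startswith("127.") or host == "[::1]":
            continue
        reachable.add((proto, int(port)))
    return reachable


def classify(forwards, reachable, admin_ui):
    """Map each rule name to a verdict a defender can act on."""
    verdicts = {}
    for fw in forwards:
        key = (fw.proto, fw.lan_port)
        if key not in reachable:
            verdicts[fw.name] = "stale"          # nothing answers; delete the rule
        elif key in admin_ui:
            verdicts[fw.name] = "exposed-admin"  # web UI on the internet; close it
        else:
            verdicts[fw.name] = "reachable"      # confirm it is meant to be public
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify(FORWARDS, parse_ss(SS_OUTPUT), ADMIN_UI).items():
        print(f"{name:12s} {verdict}")
```

On a real host, replace `SS_OUTPUT` with the output of `ss -tulnH` taken on the forward target. A stale rule is harmless today but becomes a live exposure the moment a container is started on that port, which is why the script still reports it rather than ignoring it.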
upthetoon (Author) Posted March 12, 2021
Hmm. So without something dodgy installed I should have been safe? That's a worry then.
Michael_P Posted March 12, 2021
Your log is too fresh for me to see anything that jumps out
upthetoon (Author) Posted March 12, 2021
Ok, thanks. I'd only restarted a day or two ago when the .1 came out.
upthetoon (Author) Posted March 14, 2021
Just to update, I think this has originated from a malicious Deluge plugin.

-rw-rw-rw- 1 nobody users 22041 Dec 27 17:45 booster-0.2-py2.7.egg
Michael_P Posted March 15, 2021
> 20 hours ago, upthetoon said:
> Just to update, I think this has originated from a malicious Deluge plugin.
> -rw-rw-rw- 1 nobody users 22041 Dec 27 17:45 booster-0.2-py2.7.egg

Did you have webui enabled?
upthetoon (Author) Posted March 15, 2021
> 3 hours ago, Michael_P said:
> Did you have webui enabled?

I think an old port fwd rule I had in exposed it. I was using a weak password on the deluge front end too. I've since removed the forwarding rule and changed to a more complex password too.
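The root cause here was an exposed Deluge web UI with a weak password, and the artefact that gave it away was an egg file in the plugins directory that nobody had installed. The script below is an added example, not code from this thread or from Deluge: it audits an `ls -l` listing of the plugins directory against an allowlist of plugins the owner remembers installing and flags eggs that are unknown or world-writable (the `-rw-rw-rw-` mode on the posted file is itself unusual for a plugin). The listing is constructed apart from the one line posted above, and the allowlist (`Label`, `AutoAdd`, both bundled Deluge plugins) is an assumption.

```python
"""Audit a Deluge plugins directory listing for plugins nobody installed.
Added example, not code from the thread or from Deluge. Only the
booster-0.2-py2.7.egg line is from the post; the other lines and the
allowlist are constructed assumptions.
"""
import re

# Constructed `ls -l` of the Deluge plugins directory on the affected host.
LISTING = """\
-rw-r--r-- 1 nobody users 31870 Nov  2 09:12 Label-0.3-py2.7.egg
-rw-r--r-- 1 nobody users 14112 Nov  2 09:12 AutoAdd-1.05-py2.7.egg
-rw-rw-rw- 1 nobody users 22041 Dec 27 17:45 booster-0.2-py2.7.egg
"""

# Plugins the owner knowingly installed (assumed).
EXPECTED = {"Label", "AutoAdd"}

# One `ls -l` line: mode, link count, owner, group, size, date, name.
# The date field is "Mon DD HH:MM" for recent files and "Mon DD  YYYY"
# for older ones; [\d:]+ accepts both.
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxstST-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<size>\d+)\s+(?P<date>\w{3}\s+\d{1,2}\s+[\d:]+)\s+(?P<name>.+)$"
)


def plugin_name(filename):
    """'booster-0.2-py2.7.egg' -> 'booster' (setuptools egg naming)."""
    return filename.split("-", 1)[0]


def audit(listing, expected):
    """Return [(filename, [reasons])] for every .egg that deserves a look."""
    findings = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if not m or not m["name"].endswith(".egg"):
            continue
        reasons = []
        if plugin_name(m["name"]) not in expected:
            reasons.append("not in allowlist")
        # Index 8 of the mode string is the 'other' write bit.
        if m["mode"][8] == "w":
            reasons.append("world-writable")
        if reasons:
            findings.append((m["name"], reasons))
    return findings


if __name__ == "__main__":
    for filename, reasons in audit(LISTING, EXPECTED):
        print(f"{filename}: {', '.join(reasons)}")
```

A hit on "not in allowlist" is the signal that matters; a plugin egg you did not add means someone with access to the web UI (or the filesystem) did, and the web UI password and any forward reaching it should be treated as compromised, as the poster did.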
Michael_P Posted March 15, 2021
That'd do it, glad you got it figured out