xmrig running - hacked or open?

16 posts in this topic Last Reply

Recommended Posts



I noticed CPU activity at 100% this morning and "xmrig" was running.  A quick search and there are a couple of other threads of this happening to others who have opened some of their ports.


I've had reverse proxy set up for a good while but I don't think I have any ports open directly to the server.


I've attached my diagnosis file if anyone can see anything suspicious that would be much appreciated.




Link to post

    1    HTTP               80        85
    2    Letsencrypt    443        448
    3    Usenet            8888    8888
    4    Wireguard        51820    51820


These are the port forwarding rules I have.


The miner was running under the user "nobody" which I use for applications.

Link to post



That's the full list. 


1&2 - Letsencrypt

3 - Sabnzbd

4 - Deluge

5 - Another torrent docker I dont use anymore

6 - Wireguard


I've since deleted the torrent entries.  Does leaving a FWD entry to a port that isnt in use on the internal side create a security risk?

Link to post
20 hours ago, upthetoon said:

Just to update, I think this has originated from a malicious Deluge plugin.


-rw-rw-rw- 1 nobody users 22041 Dec 27 17:45 booster-0.2-py2.7.egg


Did you have webui enabled?

Link to post
3 hours ago, Michael_P said:


Did you have webui enabled?

I think an old port fwd rule I had in exposed it. I was using a weak password on the deluge front end too. 

I’ve since removed the forwarding rule and changed to a more complex password too. 

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.