kodyorris Posted March 16, 2021

Hello everyone, I am in desperate need of help. The permissions on my folders keep changing so I can't access them. My log is filled with the network activity below. The more I read about the activity I am seeing, the more sure I am someone is sniffing my NIC. Any solutions to stop this? I need this server for work. All Dockers have been off and I do have a Windows VM that backs up online.

Unraid version: 6.8.3

F3nris Posted March 16, 2021

Not much to go on with the screenshots. NICs going into promiscuous is normal behavior with Docker/VMs. Do you have any Dockers running, scripts, VMs or machines that are connected to your shares? Maybe get a diagnostics log uploaded?

kodyorris (Author) Posted March 16, 2021

Hello, I didn't have any Dockers running at the time. I just installed ClamAV this morning to see if that catches anything. I do run a Windows VM to back up online. I turned the VM off before making this diagnostic file. I have two Mac computers and one Windows computer hooked to this server.

jarvis-diagnostics-20210316-0811.zip

jonp Posted March 22, 2021

1. Does your server have a root password set?
2. Is your server directly exposed to the internet (is your server in the DMZ or do you have port 80/443 forwarded to your server's IP)?

If the answer to question 1 is yes and the answer to question 2 is no, then I doubt someone has hacked your server. Without the root password or network access to the server, there is just no way someone can "sniff a NIC" (whatever that means) and gain access to your system. I also don't see any events in your logs that point to a hacker. Atypically we would see a lot of SSH connection attempts which all get flagged and I don't see any in your logs.

That being said, if you don't use usernames/passwords for share security (meaning anyone on your network can browse the files on the server), then ANOTHER machine on your network could have been compromised and used to attack the Unraid box.

What I would suggest is to slowly re-enable docker containers one by one. Maybe one per day if you can afford to wait that long. Start with the server running with no containers and see if permissions change again randomly. If not, move on to the next container and start that one. Perhaps one of those containers is doing something to the permissions causing the issue. In addition, I would also suggest booting into safe mode so you can eliminate any plugins from the equation.

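The one-container-at-a-time test suggested above is easier to judge with a permissions baseline to compare against. The following shell script is an added example, not part of the original posts: it assumes GNU find/stat (as on Linux), and DIR and the snapshot file names are placeholders you choose.

```shell
#!/bin/sh
# Added example: baseline share permissions, then compare after each
# container or plugin is re-enabled. Assumes GNU find/stat (Linux).

# snapshot DIR OUTFILE
# One line per entry under DIR: octal mode, numeric uid:gid, path.
snapshot() {
    find "$1" -exec stat -c '%a %u:%g %n' {} + > "$2"
}

# changed OLD NEW
# Report entries whose mode or ownership differs between two snapshots,
# plus entries that appeared or disappeared.
changed() {
    awk '
        {
            meta = $1 " " $2                     # mode and uid:gid
            path = $0
            sub(/^[^ ]+ [^ ]+ /, "", path)       # rest of line, spaces kept
        }
        NR == FNR { old[path] = meta; next }     # first file: the baseline
        { seen[path] = 1 }
        !(path in old)    { print "NEW     " meta " " path; next }
        old[path] != meta { print "CHANGED " old[path] " -> " meta " " path }
        END {
            for (p in old)
                if (!(p in seen)) print "REMOVED " old[p] " " p
        }
    ' "$1" "$2"
}

# Command-line entry point; DIR and the snapshot file names are placeholders:
#   sh script snapshot DIR before.txt
#   (start one container, wait)
#   sh script snapshot DIR after.txt
#   sh script changed before.txt after.txt
case "${1:-}" in
    snapshot) snapshot "$2" "$3" ;;
    changed)  changed "$2" "$3" ;;
esac
```

A CHANGED line that first appears after a particular container or plugin is started narrows the cause to that component.
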
97WaterPolo Posted April 6, 2023

@kodyorris Did you ever figure out what happened with your UnraidOS box? I just started having those logs in console today and I have no clue what's happening.