Corrupted system -- Possible Hacking



I just recently updated to the latest 6.9.1 (from 6.8.something), and after I rebooted, the webGUI was no longer available. Luckily, I am able to ssh into the server. Based on the diagnostics, I was told I may have been hacked. I had Port 22 forwarded for a brief while.

 

At this point, I don't know what to do. How can I figure out what has happened and get my system up and running again? Would greatly appreciate some kind soul helping me out.

diagnostics-20210316-1437.zip


I don't have a monitor. I have always just used the webGUI from a networked machine. At one point I did have a monitor, but after boot, it only displayed a command line. It didn't have a GUI.

 

Can I fix my issues without a monitor (i.e. can I do everything from ssh), or do I need to get a monitor?


Those diags were made after the problems arose. I got those over ssh. I don't think grabbing new diags would yield anything new.

diagnostics-20210320-1408.zip

 

Some questions I have after perusing the filesystem:

1. There is an empty file called /run/xtables.lock. Should that be there?

2. Some files in /etc/rc.d are not executable. Should they all be executable?

3. In order to determine if certain files should not be present, can I look at last modified date for clues?

11 hours ago, huladaddy said:

1. There is an empty file called /run/xtables.lock. Should that be there?

I also have it so yes.

 

If there are doubts about hacking I would backup current flash, recreate it then restore only super.dat (disk assignments) and the key, boot the server and start array and make sure all data is there, then reconfigure the server.


Yeah. That sounds like a good idea. Should I use a new flash drive? Could the stick be compromised? Boot sector, etc.?

 

Geez, it has been so long since I first created the flash boot... I have to read up on everything all over again. I don't remember how it's done.

 

So recreate the boot disk, and restore /boot/config/super.dat and /boot/config/Plus.key? That will get my system booted and array working. What about plugins and dockers? How can I restore those? Are all the config files stored in /boot/config? Would there be any harm in restoring my entire config directory? Or maybe just the .cfgs?

 

I would like to avoid as much manual re-installation and configuring as possible. What are your recommendations?


OK. Got it up and running. But I noticed something strange. After booting with the new image, I was still unable to access the GUI. I tried to access the GUI from a different machine, and this time I was able to, and I noticed that if I tried to connect using https, it was a no go, but http worked just fine. I confirmed this by trying it from first machine, and lo and behold, if I used http instead of https, I was able to load the GUI.

 

So the question is, did something change upon updating to 6.9.1 that prevented me from loading the GUI through http? Was that my only issue?

 

Now that I have it running, I could try using the backup I made of the flash and see if I can access the GUI using http, but I kinda like the fact that I am starting fresh, just in case there is some remnant of being hacked.

 

So, how can I restore all of my plugins, dockers and all other configurations I may have forgotten about?

2 hours ago, trurl said:

Do you have a backup of flash from before you were hacked?

Actually I do (thanks to the Backup app I installed and forgot about). Unfortunately, there is only one backup (maybe that's how it works) and it is a week old. Can't be sure whether or not I was hacked before or after that.

 

What about looking at modification dates? Can I confidently use files that I think are sufficiently old enough as to not have been hacked? If so, which files should I restore?

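An added shell example (not code from this thread or from Unraid itself) covering the two steps discussed above: the minimal restore of super.dat plus the .key file into a freshly created config directory, and the question of using modification dates to decide which other files are safe to carry over. It assumes an unzipped copy of the old /boot/config, a new config directory, and a cutoff timestamp equal to the last backup you trust; all three are passed as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread or from Unraid.
# Assumes: OLD is a copy of the old /boot/config (e.g. the flash backup
# unzipped somewhere), NEW is the config dir of a freshly created flash,
# and CUTOFF is the timestamp of the last backup you trust ("YYYY-MM-DD HH:MM").

# List regular files under a directory whose mtime is later than CUTOFF.
# Anything listed changed after the trusted point and deserves a look before
# being reused. Uses GNU find's -newermt (Unraid ships GNU findutils).
# Note: mtime is set by whoever wrote the file and can be faked, so an empty
# list is not proof of a clean flash; it only narrows what to inspect.
changed_since() {
    find "$1" -type f -newermt "$2" | sort
}

# Compare OLD against NEW file by file: prints files present on only one side
# or differing in content, so you can see exactly what was carried over.
config_diff() {
    diff -rq "$1" "$2" || true
}

# Carry only the disk assignments (super.dat) and the licence key into NEW,
# the minimal restore suggested in the thread; everything else is
# reconfigured by hand or restored selectively after review.
minimal_restore() {
    old="$1"; new="$2"
    mkdir -p "$new"
    cp "$old/super.dat" "$new/super.dat"
    for k in "$old"/*.key; do
        if [ -f "$k" ]; then cp "$k" "$new/"; fi
    done
}

# Usage: sh triage.sh OLD NEW CUTOFF   (triage.sh is a hypothetical file name)
if [ "$#" -eq 3 ]; then
    echo "== files changed after $3 =="
    changed_since "$1" "$3"
    minimal_restore "$1" "$2"
    echo "== differences between old and new config =="
    config_diff "$1" "$2"
fi
```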

OK. Restoring dockers looks simple. I have restored the .xmls from /config/plugins/docker/dockerMan/templates-user. However, after they start, I don't see a way to get to their GUIs. The option that used to be there when clicking their icon on the docker page is no longer there. Does it have something to do with me accessing the unraid webGUI through My Servers? -- The reason the webUI was not accessible had to do with not having the correct network type specified for use with swag. I had not restored that docker yet.

 

Now, how about plugins? What is the best way to restore plugins and keep all of my old settings?
