Touchy, posted March 31, 2021:
Yesterday I noticed my CPU was maxed out and found a docker that I had not added was running: "zealous_wu". I stopped and removed it and everything returned to normal. This morning I have another docker that appeared 2 hours ago called "fervent_roentgen". Is my system infected, and what should I do?
trurl, posted March 31, 2021:
Have you allowed access to your server from outside your LAN? Go to Tools - Diagnostics and attach the complete Diagnostics ZIP file to your NEXT post in this thread.
Squid, posted March 31, 2021:
Review this: https://forums.unraid.net/topic/104669-warning-unraid-servers-exposed-to-the-internet-are-being-hacked/
Touchy (author), posted March 31, 2021:
Thank you. tower-diagnostics-20210331-1111.zip
trurl, posted March 31, 2021:
Not much to see in syslog since immediately after reboot.
Quoting trurl (1 hour ago): Have you allowed access to your server from outside your LAN?
kizer, posted March 31, 2021:
@Touchy Have you put your server in the DMZ, or have you allowed outside access to your machine?
sparklyballs, posted March 31, 2021:
Docker containers are titled with an adjective followed by a scientist by default if they are unnamed locally.
trurl, posted March 31, 2021:
Quoting sparklyballs (2 minutes ago): Docker containers are titled with an adjective followed by a scientist by default if they are unnamed locally.
I know docker created those names. We suspect someone has hacked the user and created a docker on their machine, likely crypto mining or some such. Other cases of that and even worse happening to new users lately, hence the link Squid posted above.
sparklyballs, posted March 31, 2021 (edited):
Quoting trurl (12 minutes ago): I know docker created those names. We suspect someone has hacked the user and created a docker on their machine, likely crypto mining or some such. Other cases of that and even worse happening to new users lately, hence the link Squid posted above.
Need to run

docker ps -a

to get the image name that the container is using and find out where the image is coming from and what it is.
Edited March 31, 2021 by sparklyballs
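A small triage script, added here as an example and not posted by anyone in the thread, that applies sparklyballs' suggestion: it takes the listing produced by `docker ps -a --format '{{.Names}}\t{{.Image}}\t{{.Status}}'` and flags containers that are not on the admin's own allowlist or that carry a Docker auto-generated adjective_surname name, printing the image so its origin can be checked. The container listing and the allowlist below are constructed sample data, not output from the poster's server.

```shell
#!/bin/sh
# Triage a `docker ps -a` listing (added example, not from the thread).
# Expected input format, one container per line, tab-separated:
#   docker ps -a --format '{{.Names}}\t{{.Image}}\t{{.Status}}'

# Constructed sample listing (assumed names/images for illustration only)
SAMPLE_PS=$(printf 'plex\tlinuxserver/plex:latest\tUp 3 days\n%s\n%s\n%s' \
    "$(printf 'zealous_wu\talpine:latest\tUp 2 hours')" \
    "$(printf 'nextcloud\tnextcloud:21\tUp 3 days')" \
    "$(printf 'fervent_roentgen\tbusybox:latest\tExited (0) 5 minutes ago')")

# Containers the admin knows they created (assumed allowlist).
# On Unraid, containers made through the template UI always get an explicit name.
KNOWN_CONTAINERS='plex nextcloud'

is_known() {
    for k in $KNOWN_CONTAINERS; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# Print "<name> <image> <reasons>" for each container worth a closer look.
# Reasons: not-in-allowlist, auto-generated-name (Docker's adjective_surname
# default, e.g. zealous_wu, which no template-created container should have).
triage_containers() {
    printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r name image status; do
        reason=""
        if ! is_known "$name"; then
            reason="not-in-allowlist"
        fi
        case "$name" in
            [a-z]*_[a-z]*) reason="${reason:+$reason,}auto-generated-name" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s %s %s\n' "$name" "$image" "$reason"
        fi
    done
}

# Number of flagged containers, e.g. for a cron job that alerts when non-zero.
count_suspicious() {
    triage_containers "$1" | wc -l | tr -d ' '
}

triage_containers "$SAMPLE_PS"
```

On a live box, replace SAMPLE_PS with the real `docker ps -a --format` output and KNOWN_CONTAINERS with the names from your Docker tab; an unexplained image is the thing to pull the logs for before removing the container.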
Touchy (author), posted March 31, 2021:
Thank you guys. I had ports 8080 and 80 open since I was making some adjustments remotely. I've now removed those port forwards, so we'll see how that goes.