Fix common problems: "Possible Hack Attempt on Oct. 15" - PLEASE HELP



FML. So I could REALLY use some help from the forum here with this one. I received the following as part of the 'Fix common problems' plugin last night at about 11pm ET. Shortly after, at about 11:30pm ET, I grabbed a diagnostic report and shut the whole server down. I could use some help making heads or tails of where to look in the report for future reference and what the group sees in terms of concerns.

 

Additional details:

I only have 3 ports open (32400, 443, 80) and even then, all traffic is being fed through NGINX. Not sure what is technically meant by placing a server within the router's DMZ (so I could use some confirmation here), but as I've configured everything by following both SpaceInvaders and Ibracorp, and I have some basic networking and intermediate technical experience, I don't believe this is what I did.

 

One thing I do want to point out... Maybe within 1-2 hours before this error, I did follow this guide because my unraid server wouldn't appear on my new laptop I'm setting up. Perhaps this triggered it?
https://mediaserver8.blogspot.com/2019/06/unraid-not-accessible-from-windows-10.html

Unraid_error.PNG

t-800-diagnostics-20211015-2339.zip


It looks like you have exposed the Unraid GUI to the internet (on ports 80 and 443)?  This is not a good idea as Unraid is not hardened enough against access.  It is recommended that if you want secure remote access from the internet you use a VPN (such as the WireGuard VPN that is built into Unraid) or alternatively the Remote Access features of the My Servers plugin.

 

Your syslog shows lots of attempts to connect from address 192.168.87.104 which is on your local LAN which is probably what triggered the warning.  Is that your PC?

27 minutes ago, itimpi said:

It looks like you have exposed the Unraid GUI to the internet (on ports 80 and 443)?  This is not a good idea as Unraid is not hardened enough against access.  It is recommended that if you want secure remote access from the internet you use a VPN (such as the WireGuard VPN that is built into Unraid) or alternatively the Remote Access features of the My Servers plugin.

 

Your syslog shows lots of attempts to connect from address 192.168.87.104 which is on your local LAN which is probably what triggered the warning.  Is that your PC?

 

Yes, that's my PC's IP address that I was setting up yesterday. When I checked this morning after 12am ET, AVG Antivirus and Wireless Network Watcher weren't coming back with anything abnormal. I didn't configure 'My Servers' to expose the Unraid GUI. In fact, I remember double checking within the last couple of months to ensure I wasn't.

 

Edit 2:21pm ET. 

Attached MyServers screenshot.

 

I also just tried to access my unraid login screen from my phone while on my mobile network. As expected, it timed out and was unable to load. The second attachment is of the login screen while only connected to Wifi. As you can see, I only use the My Servers plugin to save a backup of my flash drive.

 

Any other thoughts on what may be going on?

Unraid_MyServers.PNG

Unraid_Login.PNG

On 10/16/2021 at 4:23 PM, ThatTallGuy21 said:

Extended test completed and found nothing. I'll wait a bit to see if something happens and then close this thread out. 

 

HELP STILL NEEDED!!! I'm not sure what's going on still.

 

  • I logged into my server a little bit ago this morning and saw there were still possible hacking attempts being made this past Saturday.
  • I've attached my diagnostic report and then restarted my server again.
  • To date, another user mentioned I may have my server available externally, which I don't see how it could be the case.
    • I've attempted to access my server from my mobile device and it does not load. The 'My Server' plugin is set up but not configured to allow for remote access.

 

The only parts of my server accessed externally are:

  • Via Plex (which is routed through Cloudflare/NGINX/port 32400)
  • Overseerr 
  • Home Assistant (this is set up through an always-on VM -- I use the Nabu Casa configuration though)

 

Please help!

Screenshot_20211018-095310.png

t-800-diagnostics-20211018-0953.zip

1 minute ago, Michael_P said:

If the "attacks" are still coming from your LAN PC (as it appears from your log), then you may have a network scanner installed (antivirus probably)

 

For the first time ever I actually just purchased a sub for AVG antivirus. Any idea why/when it would do this and how I could confirm it? 

32 minutes ago, Michael_P said:

Looks like they call it "Network Inspector". Run another scan and see if it shows up in your logs again

 

I ran a "deep scan" using AVG anti-virus on my PC and then went to the unraid GUI on the same machine, refreshed the browser, and did a rescan within "Fix common problems" and I DID NOT see the same message appear of a hacking attempt. Nothing has appeared since my recent restart earlier today.  

 

I've attached the most recent diagnostic report.

 

See any difference in the logs? My struggle is that since I'm newer to this, I don't feel comfortable reading them. 

 

t-800-diagnostics-20211018-1425.zip


Looks like you rebooted - but entries like this are what you're looking for in the future

 

Oct 16 19:49:42 T-800 sshd[31255]: Invalid user 666666 from 192.168.87.104 port 54106
Oct 16 19:49:42 T-800 sshd[31255]: pam_unix(sshd:auth): check pass; user unknown
Oct 16 19:49:42 T-800 sshd[31255]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.87.104 
Oct 16 19:49:44 T-800 sshd[31255]: Failed password for invalid user 666666 from 192.168.87.104 port 54106 ssh2
Oct 16 19:49:44 T-800 sshd[31255]: Received disconnect from 192.168.87.104 port 54106:11:  [preauth]
Oct 16 19:49:44 T-800 sshd[31255]: Disconnected from invalid user 666666 192.168.87.104 port 54106 [preauth]
Oct 16 19:49:44 T-800 sshd[31340]: Connection from 192.168.87.104 port 59203 on 192.168.87.26 port 22 rdomain ""
Oct 16 19:49:44 T-800 sshd[31340]: Invalid user 888888 from 192.168.87.104 port 59203
Oct 16 19:49:44 T-800 sshd[31340]: pam_unix(sshd:auth): check pass; user unknown
Oct 16 19:49:44 T-800 sshd[31340]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.87.104 
Oct 16 19:49:47 T-800 sshd[31340]: Failed password for invalid user 888888 from 192.168.87.104 port 59203 ssh2
Oct 16 19:49:47 T-800 sshd[31340]: Received disconnect from 192.168.87.104 port 59203:11:  [preauth]
Oct 16 19:49:47 T-800 sshd[31340]: Disconnected from invalid user 888888 192.168.87.104 port 59203 [preauth]

 

It's pretty common to get these "security" scans from antivirus and other security software like Bitdefender (commonly found in Netgear routers these days, too). 
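As an added example (not part of the thread or of any Unraid tool), here is a small Python script that parses sshd "Failed password" lines like the ones quoted above, groups them by source address, and marks RFC 1918 sources as LAN so a reader can tell a local scanner apart from an internet-facing attempt. The log lines are constructed to match the excerpt; the 203.0.113.45 address is a documentation-range placeholder standing in for an external source.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines modelled on the excerpt above (host T-800,
# LAN scanner 192.168.87.104); 203.0.113.45 is a documentation-range placeholder.
SAMPLE_LOG = """\
Oct 16 19:49:42 T-800 sshd[31255]: Invalid user 666666 from 192.168.87.104 port 54106
Oct 16 19:49:44 T-800 sshd[31255]: Failed password for invalid user 666666 from 192.168.87.104 port 54106 ssh2
Oct 16 19:49:44 T-800 sshd[31340]: Invalid user 888888 from 192.168.87.104 port 59203
Oct 16 19:49:47 T-800 sshd[31340]: Failed password for invalid user 888888 from 192.168.87.104 port 59203 ssh2
Oct 16 19:50:01 T-800 sshd[31402]: Failed password for root from 203.0.113.45 port 41022 ssh2
Oct 16 19:50:03 T-800 sshd[31402]: Failed password for root from 203.0.113.45 port 41022 ssh2
Oct 16 19:51:10 T-800 sshd[31510]: Accepted publickey for root from 192.168.87.50 port 50211 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Failed password for X from IP".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# RFC 1918 private ranges plus link-local and loopback: anything here is "on your LAN".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]

def is_lan(ip: str) -> bool:
    """True if the address belongs to one of the local-network ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def summarize_failed_logins(log_text: str) -> dict:
    """Group sshd failed-password events by source IP.
    Returns {ip: {"count": n, "users": [tried usernames], "scope": "lan" | "internet"}}."""
    summary = defaultdict(lambda: {"count": 0, "users": Counter()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and pam_unix chatter are not failures
        entry = summary[m["ip"]]
        entry["count"] += 1
        entry["users"][m["user"]] += 1
    return {ip: {"count": e["count"],
                 "users": sorted(e["users"]),
                 "scope": "lan" if is_lan(ip) else "internet"}
            for ip, e in summary.items()}

if __name__ == "__main__":
    for ip, info in summarize_failed_logins(SAMPLE_LOG).items():
        print(f"{ip:16} {info['scope']:8} {info['count']} failures, users={info['users']}")
```

Run it against a syslog saved from Tools > Diagnostics: a source in the "lan" scope with many junk usernames in a few seconds is the signature of a network-inspector scan from a local PC, while an "internet" scope entry means the SSH port really is reachable from outside.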
