radaradam (Posted January 9, 2022)

Hi,

A couple of days ago I discovered that my CPU usage was at 100% on all cores. I started investigating what was wrong but couldn't find anything going on with my dockers or VM. When I ran htop in the terminal I discovered that xmrig was running and using 100% CPU. I understand that this is some kind of software used in mining crypto. And since I'm not doing it, I'm guessing that someone else is doing it on my server. In other words - I have been hacked.

I run the following docker containers: CUPS, Deconz, Deluge, Grafana, Influxdb, NZBget, Plex, Radarr, Shinobipro, Sonarr, Unifi-controller. VM: Homeassistant.

All containers are in bridge mode and have a dedicated static IP on my LAN. The Homeassistant VM is on its own VLAN that can't communicate with my LAN. I'm not a pro, but to my understanding I don't have any ports open directly to my server. My Unraid-server is on 192.168.1.5. And this is all my open ports in my router.

I have looked through all the logs but I can't find anything suspicious. I would like to find out how this hacker got in (my guess: through some docker container). And how do I stop it? I can kill the process, or restart the server. But xmrig automatically starts up again after a couple of hours.

Thanks in advance!

Attachment: tower-diagnostics-20220108-1653.zip
Squid (Posted January 9, 2022)

root 23800 0.0 0.0 113444 13224 ? Sl Jan04 0:09 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 69dc22ffcf880cc58192919a087e663e53b6ad94256650a3439663c6d199ab05 -address /var/run/docker/containerd/containerd.sock
root 23849 0.0 0.0 204 4 ? Ss Jan04 0:00 \_ s6-svscan -t0 /var/run/s6/services
nobody 28495 360 9.8 2872804 2408628 ? Sl 16:30 83:21 \_ xmrig --library-path stak stak/xmrig -o 5.39.217.212:54 -k
root 24209 0.0 0.0 204 4 ? S Jan04 0:00 \_ s6-supervise s6-fdholderd
root 24481 0.0 0.0 204 4 ? S Jan04 0:00 \_ s6-supervise unifi
nobody 24483 0.3 3.8 4714016 950712 ? Ssl Jan04 20:39 | \_ java -Xmx1024M -jar /usr/lib/unifi/lib/ace.jar start
nobody 24863 0.3 13.4 4165376 3295428 ? Sl Jan04 19:56 | \_ bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --unixSocketPrefix /usr/lib/unifi/run --logRotate reopen --logappend --logpath /usr/lib/unifi/logs/mongod.log --pidfilepath /usr/lib/unifi/run/mongod.pid --bind_ip 127.0.0.1
nobody 28356 0.0 0.0 26456 6908 ? S 16:30 0:00 \_ /usr/local/apache/bin/httpd -DSSL

It appears that it's coming via the unifi container. Is this from the Apps tab? Have you installed anything extra into it? Is this container accessible from outside the network? If you stop the container, does xmrig disappear from the process list?
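The attribution Squid did by eye above (xmrig sits under the s6 supervisor that belongs to the containerd shim for one container) can be automated. The script below is an added example, not code from the thread or from Unraid or linuxserver.io. It parses the output of `ps -eo user,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,args --forest`, rebuilds parent links from the forest indentation, walks each process up to its containerd-shim ancestor, and takes the shim's `-id` argument as the container ID (which `docker inspect <id>` resolves to a name). The sample listing is constructed from the lines in the post; the indentation and the miner watch-list are ours.

```python
"""Map a rogue process to the Docker container it runs in, from `ps --forest` output.

Added example, not from the thread. It parses
    ps -eo user,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,args --forest
recovers the process tree from the `\_` indentation, and walks each process up to
its containerd-shim ancestor, whose `-id` argument is the container ID. Binaries
on an (assumed) miner watch-list are reported with their container and the pool
endpoint given on the command line, which is the indicator worth blocking.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Optional

PS_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<pcpu>[\d.]+)\s+(?P<pmem>[\d.]+)\s+"
    r"(?P<vsz>\d+)\s+(?P<rss>\d+)\s+(?P<tty>\S+)\s+(?P<stat>\S+)\s+"
    r"(?P<start>\S+)\s+(?P<time>\S+)\s(?P<cmd>.*)$"  # exactly one space: keep forest indent
)
SHIM_ID = re.compile(r"containerd-shim\S*\s.*?-id\s+([0-9a-f]{12,64})")
MINER_NAMES = {"xmrig", "xmr-stak", "minerd", "cpuminer"}  # assumed watch-list

# Constructed sample modelled on the listing in the thread; indentation is ours.
SAMPLE_PS = r"""
USER       PID %CPU %MEM    VSZ   RSS TTY STAT START   TIME COMMAND
root     23800  0.0  0.0 113444 13224 ?   Sl   Jan04   0:09 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 69dc22ffcf880cc58192919a087e663e53b6ad94256650a3439663c6d199ab05 -address /var/run/docker/containerd/containerd.sock
root     23849  0.0  0.0    204     4 ?   Ss   Jan04   0:00  \_ s6-svscan -t0 /var/run/s6/services
nobody   28495  360  9.8 2872804 2408628 ? Sl   16:30  83:21      \_ xmrig --library-path stak stak/xmrig -o 5.39.217.212:54 -k
root     24481  0.0  0.0    204     4 ?   S    Jan04   0:00      \_ s6-supervise unifi
nobody   24483  0.3  3.8 4714016 950712 ?  Ssl  Jan04  20:39          \_ java -Xmx1024M -jar /usr/lib/unifi/lib/ace.jar start
root         1  0.0  0.0   2345  1234 ?   Ss   Jan04   0:01 /sbin/init
"""


@dataclass
class Proc:
    user: str
    pid: int
    pcpu: float
    depth: int
    cmd: str
    parent: Optional[int]


def parse_ps_forest(text: str) -> dict[int, Proc]:
    """Parse forest output into a pid -> Proc map, with parents recovered from indent."""
    procs: dict[int, Proc] = {}
    stack: list[tuple[int, int]] = []  # (depth, pid) of the current ancestor chain
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue  # header line or blank
        cmd = m.group("cmd")
        depth = 0
        marker = cmd.find("\\_")
        if marker >= 0:
            depth = marker // 4 + 1  # ps --forest indents four columns per level
            cmd = cmd[marker + 2:]
        while stack and stack[-1][0] >= depth:
            stack.pop()
        pid = int(m.group("pid"))
        procs[pid] = Proc(m.group("user"), pid, float(m.group("pcpu")), depth,
                          cmd.strip(), stack[-1][1] if stack else None)
        stack.append((depth, pid))
    return procs


def container_of(pid: int, procs: dict[int, Proc]) -> Optional[str]:
    """Walk up the parent chain to a containerd shim and return its container ID."""
    cur = procs.get(pid)
    while cur is not None:
        m = SHIM_ID.search(cur.cmd)
        if m:
            return m.group(1)
        cur = procs.get(cur.parent) if cur.parent is not None else None
    return None  # not inside a container (or the shim was not in the listing)


def pool_endpoint(cmd: str) -> Optional[str]:
    """Return the host:port passed to a miner's -o/--url option, if present."""
    argv = cmd.split()
    for i, arg in enumerate(argv[:-1]):
        if arg in ("-o", "--url"):
            return argv[i + 1]
    return None


def find_miners(procs: dict[int, Proc]) -> list[dict]:
    """Report every process whose binary name is on the watch-list."""
    hits = []
    for p in procs.values():
        binary = os.path.basename(p.cmd.split()[0]) if p.cmd else ""
        if binary in MINER_NAMES:
            hits.append({"pid": p.pid, "user": p.user, "pcpu": p.pcpu,
                         "container": container_of(p.pid, procs),
                         "pool": pool_endpoint(p.cmd)})
    return hits


if __name__ == "__main__":
    for hit in find_miners(parse_ps_forest(SAMPLE_PS)):
        print(f"pid {hit['pid']} ({hit['user']}, {hit['pcpu']}% CPU) in container "
              f"{hit['container']} -> pool {hit['pool']}")
```

On a live host, feed it `subprocess.check_output(["ps", "-eo", "user,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,args", "--forest"], text=True)` instead of `SAMPLE_PS`. The container ID is the useful output: it tells you which image to stop, inspect and rebuild, and the pool endpoint is what to look for in firewall logs to confirm when the miner first connected.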
radaradam (Posted January 9, 2022, author)

4 minutes ago, Squid said: [quoted process listing from the post above] It appears that it's coming via the unifi container. Is this from the Apps tab? Have you installed anything extra into it? Is this container accessible from outside the network?

Good find! The Unifi-container is from community applications, the Linuxserver.io version. Nothing extra installed into it. Yes, I can access it outside the network. All my containers that I have open ports to are accessible outside the network. I have no need to access them outside the network. So, stupid question - I somehow thought that I had to open those ports for the container to function.
Squid (Posted January 9, 2022)

@Roxedus @saarg Can you guys offer any insight?
itimpi (Posted January 9, 2022)

2 minutes ago, radaradam said: I have no need to access them outside the network. So, stupid question - I somehow thought that I had to open those ports for the container to function.

I would not open ANY ports to a container unless you NEED to access it from outside your network.
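A way to check the rule itimpi states against what is actually configured, as an added example that is not part of the thread: the script reads the JSON that `docker inspect $(docker ps -q)` emits and lists every port a container publishes on the host, flagging bindings on all interfaces versus loopback, and also reports any container that has its own address on a named network (the "dedicated static IP on my LAN" setup from the first post, where every listening port is reachable on the LAN regardless of port bindings). The sample records are constructed; container names, IPs and ports are invented. It only sees the Docker side of exposure; a router port-forward, which is what let the thread's container be reached from the internet, has to be checked on the router.

```python
"""Audit host-published ports and own-IP networks from `docker inspect` JSON.

Added example, not from the thread. Pipe the output of
    docker inspect $(docker ps -q)
into published_ports() / lan_ip_containers(). The sample below is constructed.
"""
import json

# Constructed sample in the shape `docker inspect` emits (names, IPs, ports invented).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/unifi-controller",
     "HostConfig": {"PortBindings": {
         "8443/tcp": [{"HostIp": "", "HostPort": "8443"}],
         "3478/udp": [{"HostIp": "", "HostPort": "3478"}]}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Name": "/plex",
     "HostConfig": {"PortBindings": {
         "32400/tcp": [{"HostIp": "127.0.0.1", "HostPort": "32400"}]}},
     "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}},
    {"Name": "/deconz",
     "HostConfig": {"PortBindings": {}},
     # Container with its own LAN address (macvlan/ipvlan style): no port
     # bindings are needed, every listening port is reachable on the LAN.
     "NetworkSettings": {"Networks": {"br0": {"IPAddress": "192.168.1.21"}}}},
])

WILDCARD_IPS = {"", "0.0.0.0", "::"}
DEFAULT_BRIDGE = "bridge"  # the stock docker0 network; addresses on it stay host-local


def published_ports(inspect_json: str) -> list[dict]:
    """One record per host-published port, noting whether it binds on all interfaces."""
    records = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        bindings = (c.get("HostConfig") or {}).get("PortBindings") or {}
        for cport, hosts in bindings.items():
            for h in hosts or []:
                host_ip = h.get("HostIp", "")
                records.append({
                    "container": name,
                    "container_port": cport,
                    "host": f"{host_ip or '0.0.0.0'}:{h.get('HostPort')}",
                    "all_interfaces": host_ip in WILDCARD_IPS,
                })
    return records


def lan_ip_containers(inspect_json: str) -> dict[str, str]:
    """Containers holding an address on a network other than the default bridge."""
    found = {}
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        nets = (c.get("NetworkSettings") or {}).get("Networks") or {}
        for net_name, net in nets.items():
            if net_name != DEFAULT_BRIDGE and net.get("IPAddress"):
                found[name] = f"{net_name}:{net['IPAddress']}"
    return found


def exposed_containers(inspect_json: str) -> list[str]:
    """Names needing review: wildcard port bindings or an own address on a LAN network."""
    names = {r["container"] for r in published_ports(inspect_json) if r["all_interfaces"]}
    names.update(lan_ip_containers(inspect_json))
    return sorted(names)


if __name__ == "__main__":
    for r in published_ports(SAMPLE_INSPECT):
        flag = "ALL INTERFACES" if r["all_interfaces"] else "loopback only"
        print(f"{r['container']:18} {r['container_port']:10} -> {r['host']:22} {flag}")
    for name, addr in lan_ip_containers(SAMPLE_INSPECT).items():
        print(f"{name:18} own address {addr} (all listening ports LAN-reachable)")
    print("review:", ", ".join(exposed_containers(SAMPLE_INSPECT)))
```

Anything the audit lists and that you do not need to reach remotely should lose its host binding, and anything you do need remotely is a candidate for VPN access rather than a router forward.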
Squid (Posted January 9, 2022)

@radaradam I chatted up the guys at linuxserver and they would like you to talk to them directly on their discord https://discord.gg/YWrKVTn
radaradam (Posted January 9, 2022, author)

1 minute ago, itimpi said: I would not open ANY ports to a container unless you NEED to access it from outside your network.

I'm closing all ports right now. I don't need access to them (and if I'm going that route in the future I'll look into VPN). But I guess the damage has already been done, and that I at least have to reinstall the Unifi-container.
radaradam (Posted January 9, 2022, author)

Just now, Squid said: @radaradam I chatted up the guys at linuxserver and they would like you to talk to them directly on their discord https://discord.gg/YWrKVTn

Thanks, will do!
itimpi (Posted January 9, 2022)

8 minutes ago, radaradam said: But I guess the damage has already been done, and that I at least have to reinstall the Unifi-container.

One good thing about Unraid is that, as it effectively reinstalls itself from the flash drive archives on every boot, it is relatively easy to get back to a clean state.
radaradam (Posted January 9, 2022, author)

26 minutes ago, itimpi said: One good thing about Unraid is that, as it effectively reinstalls itself from the flash drive archives on every boot, it is relatively easy to get back to a clean state.

Good to know! So far I have closed all ports in the router and killed the xmrig process. Sometimes it takes a couple of hours before it starts again after it has been killed. I'll let you know how it goes. Thanks in the meantime!
radaradam (Posted January 11, 2022, author)

Two days later, still all good! From my understanding this was the cause of it all: https://community.ui.com/releases/Security-Advisory-Bulletin-023-023/808a1db0-5f8e-4b91-9097-9822f3f90207

Closed all ports to the container and updated to 6.5.55.

(Edited January 11, 2022 by radaradam)
Squid (Posted January 11, 2022)

Good stuff. Just once I saw "xmrig", and the container it was running in, everything else got dropped for the investigation.
radaradam (Posted January 11, 2022, author)

6 minutes ago, Squid said: Good stuff. Just once I saw "xmrig", and the container it was running in, everything else got dropped for the investigation.

Thanks for the help!