
XMRIG Running - Hacked?



Hi,

 

A couple of days ago I discovered that my CPU usage was at 100% on all cores. I started investigating what was wrong but couldn't find anything going on with my dockers or VM.

 

When I ran htop in the terminal I discovered that xmrig was running and using 100% CPU. I understand that this is some kind of software used in mining crypto. And since I'm not doing it, I'm guessing that someone else is doing it on my server. In other words - I have been hacked.

 


 

I run the following docker containers:

CUPS

Deconz

Deluge

Grafana

Influxdb

NZBget

Plex

Radarr

Shinobipro

Sonarr

Unifi-controller

 

VM:

Homeassistant

 

All containers are in bridge mode and have a dedicated static IP on my LAN. The Homeassistant VM is on its own VLAN that can't communicate with my LAN. I'm not a pro, but to my understanding I don't have any ports open directly to my server. My Unraid server is on 192.168.1.5. And these are all my open ports in my router.


 

I have looked through all the logs but I can't find anything suspicious.

I would like to find out how this hacker got in (my guess is through some docker container). And how do I stop it?

 

I can kill the process, or restart the server. But xmrig automatically starts up after a couple hours. 

 

Thanks in advance!

 

tower-diagnostics-20220108-1653.zip

root     23800  0.0  0.0 113444 13224 ?        Sl   Jan04   0:09 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 69dc22ffcf880cc58192919a087e663e53b6ad94256650a3439663c6d199ab05 -address /var/run/docker/containerd/containerd.sock
root     23849  0.0  0.0    204     4 ?        Ss   Jan04   0:00  \_ s6-svscan -t0 /var/run/s6/services
nobody   28495  360  9.8 2872804 2408628 ?     Sl   16:30  83:21      \_ xmrig                                                                                                                                                                                                                                                           --library-path stak stak/xmrig -o 5.39.217.212:54 -k
root     24209  0.0  0.0    204     4 ?        S    Jan04   0:00      \_ s6-supervise s6-fdholderd
root     24481  0.0  0.0    204     4 ?        S    Jan04   0:00      \_ s6-supervise unifi
nobody   24483  0.3  3.8 4714016 950712 ?      Ssl  Jan04  20:39      |   \_ java -Xmx1024M -jar /usr/lib/unifi/lib/ace.jar start
nobody   24863  0.3 13.4 4165376 3295428 ?     Sl   Jan04  19:56      |       \_ bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --unixSocketPrefix /usr/lib/unifi/run --logRotate reopen --logappend --logpath /usr/lib/unifi/logs/mongod.log --pidfilepath /usr/lib/unifi/run/mongod.pid --bind_ip 127.0.0.1
nobody   28356  0.0  0.0  26456  6908 ?        S    16:30   0:00      \_ /usr/local/apache/bin/httpd -DSSL

It appears that it's coming via the unifi container.  Is this from the Apps tab?  Have you installed anything extra into it?  Is this container accessible from outside the network?  If you stop the container does xmrig disappear in the processes.....

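Squid's attribution above (miner under s6-svscan under a containerd shim) can be automated. The following is an added example, not code from the thread, from Unraid or from linuxserver.io; it assumes `ps -eo pid,ppid,user,args` style input, and the sample tree is constructed to mirror the one posted.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed `ps -eo pid,ppid,user,args` output mirroring the tree in the thread:
# a containerd shim, the s6 supervisor inside the container, and the miner.
SAMPLE_PS = """\
23800     1 root   /usr/bin/containerd-shim-runc-v2 -namespace moby -id 69dc22ffcf880cc58192919a087e663e53b6ad94256650a3439663c6d199ab05 -address /var/run/docker/containerd/containerd.sock
23849 23800 root   s6-svscan -t0 /var/run/s6/services
28495 23849 nobody xmrig --library-path stak stak/xmrig -o 5.39.217.212:54 -k
24481 23849 root   s6-supervise unifi
24483 24481 nobody java -Xmx1024M -jar /usr/lib/unifi/lib/ace.jar start
 4242     1 root   /usr/sbin/sshd -D
"""

MINER_NAME = re.compile(r"\b(xmrig|minerd|cpuminer|xmr-stak)\b", re.IGNORECASE)
POOL_ARG = re.compile(r"(?:^|\s)-o\s+(\S+)")   # xmrig's `-o host:port` pool argument
SHIM_ID = re.compile(r"-id\s+([0-9a-f]{12,64})")  # container ID on the shim's command line

def parse_ps(text: str) -> Dict[int, Tuple[int, str, str]]:
    """Map pid -> (ppid, user, args) from `ps -eo pid,ppid,user,args` lines."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2], parts[3])
    return procs

def container_of(pid: int, procs) -> Optional[str]:
    """Walk up the parent chain; the containerd shim's -id is the container ID."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, _, args = procs[pid]
        if "containerd-shim" in args:
            m = SHIM_ID.search(args)
            return m.group(1) if m else None
        pid = ppid
    return None  # reached init without crossing a shim: not a container process

def find_miners(procs) -> List[dict]:
    """Report each miner-looking process with its user, pool argument and container."""
    hits = []
    for pid, (_, user, args) in procs.items():
        if MINER_NAME.search(args):
            pool = POOL_ARG.search(args)
            hits.append({"pid": pid, "user": user,
                         "pool": pool.group(1) if pool else None,
                         "container": container_of(pid, procs)})
    return hits
```

On a live host, pipe in `ps -eo pid,ppid,user,args --no-headers`; the container ID returned is what to match against `docker ps --no-trunc`.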
4 minutes ago, Squid said:
root     23800  0.0  0.0 113444 13224 ?        Sl   Jan04   0:09 /usr/bin/containerd-shim-runc-v2 -namespace moby -id 69dc22ffcf880cc58192919a087e663e53b6ad94256650a3439663c6d199ab05 -address /var/run/docker/containerd/containerd.sock
root     23849  0.0  0.0    204     4 ?        Ss   Jan04   0:00  \_ s6-svscan -t0 /var/run/s6/services
nobody   28495  360  9.8 2872804 2408628 ?     Sl   16:30  83:21      \_ xmrig                                                                                                                                                                                                                                                           --library-path stak stak/xmrig -o 5.39.217.212:54 -k
root     24209  0.0  0.0    204     4 ?        S    Jan04   0:00      \_ s6-supervise s6-fdholderd
root     24481  0.0  0.0    204     4 ?        S    Jan04   0:00      \_ s6-supervise unifi
nobody   24483  0.3  3.8 4714016 950712 ?      Ssl  Jan04  20:39      |   \_ java -Xmx1024M -jar /usr/lib/unifi/lib/ace.jar start
nobody   24863  0.3 13.4 4165376 3295428 ?     Sl   Jan04  19:56      |       \_ bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --unixSocketPrefix /usr/lib/unifi/run --logRotate reopen --logappend --logpath /usr/lib/unifi/logs/mongod.log --pidfilepath /usr/lib/unifi/run/mongod.pid --bind_ip 127.0.0.1
nobody   28356  0.0  0.0  26456  6908 ?        S    16:30   0:00      \_ /usr/local/apache/bin/httpd -DSSL

It appears that it's coming via the unifi container.  Is this from the Apps tab?  Have you installed anything extra into it?  Is this container accessible from outside the network?

Good find! The Unifi container is from Community Applications. The Linuxserver.io version. Nothing extra in it.

 

Yes, I can access it from outside the network. All my containers that I have open ports to are accessible outside the network.

I have no need to access them from outside the network. So, stupid question - I somehow thought that I had to open those ports for the container to function.

1 minute ago, itimpi said:

I would not open ANY ports to a container unless you NEED to access it from outside your network. 

I'm closing all ports right now. I don't need access to them (and if I'm going that route in the future I'll look into VPN). 

 

But I guess the damage has already been done, and I at least have to reinstall the Unifi container.

8 minutes ago, radaradam said:

But I guess the damage has already been done, and I at least have to reinstall the Unifi container.

One good thing about Unraid is that as it effectively reinstalls itself from the flash drive archives on every boot it is relatively easy to get back to a clean state.

26 minutes ago, itimpi said:

One good thing about Unraid is that as it effectively reinstalls itself from the flash drive archives on every boot it is relatively easy to get back to a clean state.

Good to know!

 

So far I have closed all ports in the router and killed the xmrig process. Sometimes it takes a couple of hours before it starts again after it has been killed.

I'll let you know how it goes. 

 

Thanks in the meantime! 

