Unraid box has been hacked- My websites are now vulnerable


MikeyRaa


Hi community,

My Unraid box is sat in my LAN and I am using nginx reverse proxy and an open port on my firewall to self-host a bunch of services. Most of them are running as dockers but I have a few VMs too. For example: Bitwarden, Nextcloud, Organizr, Plex, just to name some of them.

When using Bitwarden from outside my LAN, Chrome identified my domain as being unsafe with the 'Deceptive Site Ahead' warning.

I also had difficulty logging into the Unraid box from inside my LAN. A search online advises me to scan the affected website and clear the vulnerability & malware but I have no idea how to do this on my Unraid box. Each of the services is accessible via a specific subdomain I've set in nginx and Cloudflare. For example, plex.mydomain.com forwards to the Plex docker container. However, checking mydomain.com comes up as compromised by Google. So I don't know which site/sites are affected.

I've shut down the unit but I'd like to run a malware and vulnerability scan and removal on the Unraid box, but I don't know how to go about this. I'm desperate to get back up and running. Can someone please help and advise me on how to remedy this?

Thanks in advance,

Mikey

Link to comment

Wait, this seems more like you haven't gotten signed certs for your server/sites than a hack!
Do you have a static external (true) IP?
Have you port forwarded 80 and 443 from your router to your Unraid?
When you try to sign a cert, does it complete successfully or do you get any error?

Link to comment

@Comfuzio Thanks for the reply.

I do not have a static external IP. I'm using Cloudflare for dynamic DNS.

I was using a port forward to send 443 to the local IP of my nginx proxy manager. I've disabled this for now just in case.

Not sure how to answer the third question. But:

When visiting the IP of my Unraid dashboard I get 'This site can not be reached'.

And with the port forward enabled I am not able to reach any of the sites. Something to do with SSL cert(s) on the Unraid box. I really haven't got much of a clue.

However, I can SSH to the Unraid box and some of my web services can be accessed via their associated local IP and port number.

Link to comment
  • 1 month later...

Following this topic, as I'm encountering the same problem with my sites too. I can't recall when this started for me, but from Oct sounds about right.

I also use NPM. Using Let's Encrypt, with or without a DNS Challenge and/or a scheme of http or https, has the same outcome of a "Deceptive site ahead".

Could it be something to do with Let's Encrypt? Or perhaps DuckDNS?

I am not sure how to create the Custom Certificate, so perhaps that's an avenue to explore?

Cheers,

gwl

Link to comment
  • 5 months later...

Same here. Just started happening recently. See attached image of Chrome's red warning screen. My first thought was a bad certificate but it's not that (cert is valid). Google has decided the site is unsafe for some reason. It's interesting there are two of us reporting this in one day when the thread has been quiet for almost 6 months. It could be that Chrome/Google rolled out a stronger rule or policy. But I'm also worried that somehow my box has been hacked. For now I've reported it as incorrectly flagging my <domain>.com site at this "Report Incorrect Phishing Warning" page.

Does anyone know how secure the "NginxProxyManager" docker is? Forwarding ports 80 and 443 to it certainly exposes it to the open internet where it could be compromised.

Link to comment