Unraid box has been hacked - my websites are now vulnerable


MikeyRaa


Hi community,

 

My Unraid box sits in my LAN and I am using an nginx reverse proxy and an open port on my firewall to self-host a bunch of services. Most of them are running as Docker containers but I have a few VMs too. For example: Bitwarden, Nextcloud, Organizr, Plex, just to name some of them.

 

When using Bitwarden from outside my LAN, Chrome identified my domain as being unsafe with the 'Deceptive Site Ahead' warning.

 

I also had difficulty logging into the Unraid box from inside my LAN. A search online advises me to scan the affected website and clear the vulnerability & malware, but I have no idea how to do this on my Unraid box. Each of the services is accessible via a specific subdomain I've set in nginx and Cloudflare. For example, plex.mydomain.com forwards to the Plex Docker container. However, checking mydomain.com comes up as compromised by Google, so I don't know which site/sites are affected.

 

I've shut down the unit, but I'd like to run a malware and vulnerability scan and removal on the Unraid box and I don't know how to go about this. I'm desperate to get back up and running. Can someone please help and advise me on how to remedy this?

 

Thanks in advance,

Mikey

 


@Comfuzio Thanks for the reply.

 

I do not have a static external IP. I'm using Cloudflare for dynamic DNS.

I was using a port forward to send 443 to the local IP of my Nginx Proxy Manager. I've disabled this for now just in case.

Not sure how to answer the third question. But:

 

When visiting the IP of my Unraid dashboard I get 'This site cannot be reached'.

 

And with the port forward enabled I am not able to reach any of the sites. Something to do with SSL cert(s) on the Unraid box. I really haven't got much of a clue.

 

However, I can SSH to the Unraid box and some of my web services can be accessed via their associated local IP and port number.

 

  • 1 month later...

Following this topic, as I'm encountering the same problem with my sites too. I can't recall when this started for me, but from Oct sounds about right.

I also use NPM. Using Let's Encrypt, with or without a DNS Challenge and/or a scheme of http or https, has the same outcome of a "Deceptive site ahead".

Could it be something to do with Let's Encrypt? Or perhaps DuckDNS?

 

I am not sure how to create the Custom Certificate, so perhaps that's an avenue to explore?

 

Cheers,

gwl

  • 5 months later...

Same here. Just started happening recently. See attached image of Chrome's red warning screen. My first thought was a bad certificate but it's not that (cert is valid). Google has decided the site is unsafe for some reason. It's interesting there are two of us reporting this in one day when the thread has been quiet for almost 6 months. It could be that Chrome/Google rolled out a stronger rule or policy. But I'm also worried that somehow my box has been hacked. For now I've reported it as incorrectly flagging my <domain>.com site at this "Report Incorrect Phishing Warning" page.

 

Does anyone know how secure the "NginxProxyManager" docker is? Forwarding ports 80 and 443 to it certainly exposes it to the open internet where it could be compromised.

 

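A way to check whether Google Safe Browsing currently lists your own hostnames, which is the list behind Chrome's "Deceptive site ahead" screen. This is an added example, not code from any post in this thread; it assumes a Safe Browsing Lookup API v4 key in the SAFE_BROWSING_KEY environment variable for the live query, and the sample response is constructed.

```python
# Added example (not from the thread): ask Google Safe Browsing whether your
# own hostnames are currently listed, via the Lookup API v4 (needs an API key
# in SAFE_BROWSING_KEY for the live query; the sample response is constructed).
import json
import os
import urllib.request

LOOKUP_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"
# Chrome's "Deceptive site ahead" interstitial is the SOCIAL_ENGINEERING category.
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"]


def build_request(hostnames):
    """Build the threatMatches:find body for the http and https form of each host."""
    entries = [{"url": f"{s}://{h}/"} for h in hostnames for s in ("http", "https")]
    return {
        "client": {"clientId": "selfhost-exposure-check", "clientVersion": "1.0"},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": entries,
        },
    }


def parse_matches(response):
    """Map each flagged URL to the sorted threat types reported for it.
    An empty dict means nothing in the batch is currently listed."""
    flagged = {}
    for m in response.get("matches", []):
        flagged.setdefault(m["threat"]["url"], set()).add(m["threatType"])
    return {url: sorted(types) for url, types in flagged.items()}


def check_hostnames(hostnames, api_key=None):
    """Live query; returns parse_matches() of the API response."""
    key = api_key or os.environ.get("SAFE_BROWSING_KEY")
    if not key:
        raise RuntimeError("set SAFE_BROWSING_KEY or pass api_key")
    body = json.dumps(build_request(hostnames)).encode()
    req = urllib.request.Request(f"{LOOKUP_URL}?key={key}", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return parse_matches(json.load(resp))


# Constructed sample: one subdomain listed as deceptive, the rest of the batch clean.
SAMPLE_RESPONSE = {"matches": [{"threatType": "SOCIAL_ENGINEERING", "platformType": "ANY_PLATFORM",
                                "threatEntryType": "URL", "threat": {"url": "https://plex.mydomain.com/"},
                                "cacheDuration": "300s"}]}
```

Running check_hostnames over every subdomain you publish through the proxy tells you which one tripped the listing, which the per-domain Chrome warning alone does not.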
  • 4 months later...
  • 1 month later...

I had this issue a few months ago, reported it, and it cleared eventually. But it made me gun-shy to turn it back on and I used a VPN for a while. I recently turned it back on and haven't yet had problems. One thing that occurs to me is to use more cryptic subdomains. So instead of nzbget.mydomain.com use something much harder to guess (in place of nzbget in that example). Does anyone know enough about what causes the problems to know if that would help?


There are two parts to this issue:

 

1. Google Chrome is really becoming a pain in the ass when it comes to security vs obscurity -> switch to Firefox for more sane defaults, heck even Edge is better nowadays ...

They're (Google) at a point in regards to blocking ad blockers (YouTube), masking search results and blocking various "potential" unwanted subdomains ... yes, it sucks but that's just Google nowadays - prepare for the migration rather sooner than later ...
 

2. I would never advise opening up a port to expose Unraid or its Docker containers / VMs to the Internet. It's just not architected for this. As soon as a port is open you open up a can of worms - there's a shit ton to consider and prevent that the usual clueless home user cannot and will not see ... it's really time consuming and super risky.

 

Using WireGuard VPN or Tailscale to establish a trusted VPN network is literally the only thing you should ever do.

 

Tailscale is a lot simpler to set up, mind you ...
14 hours ago, jit-010101 said:

prepare for the migration rather sooner then later

Thank you.  What kind of "migration" are you referring to?  To get off of Chrome?

 

On your other point about not opening ports, do you think using Cloudflare for their proxying (or even their Argo tunnel, which I don't do) helps? My understanding is that even if someone is hammering your domain name, they don't know your real IP address when you go through Cloudflare. Thanks!
12 hours ago, defcon said:

What kind of "migration" are you referring to?  To get off of Chrome?

 

Yep - towards Firefox or Edge, at least as a second browser to fall back to

 

12 hours ago, defcon said:

do you think using cloudflare for their proxying (or even their argo tunnel, which I don't do) helps?

 

Yea well it could - WireGuard is included with Unraid via Settings -> VPN Manager ... if you want that even easier there is also a Tailscale plugin, which is basically a peer-to-peer WireGuard network spanning across your "tailscaled" devices ... I find the latter one really useful, for example if I have to take care of maintenance of my parents' devices.