How to know if my Unraid server has been compromised?


Recommended Posts

Please see my IPS logs:

I'm quite worried as I know how severe log4j is, but what concerns me even more is the source of these attempted attacks is coming internally from my network and not the public WAN IP so does that mean I've already been compromised?

I have an Unraid server on with a few docker containers and my only containers that have port forwards on them is Plex and qBittorent. 

My USG is the IP address

My IPS is turned right up to the max and it's the first time I've seen any of these types of threats, I did allow P2P category under threat management for seeding torrents but that's it.

Would appreciate absolutely any advice and I'm hoping that these are false positives but how can I tell if they are or not?

Thanks guys

I've gone through IPS logs over last 2 months and the 15th October is the first time I've started getting these IPS events.

More IPS logs where the source is my USG? The coloured out IPs in blue is my WAN IP -


I did have  Nessus container on but I hadn't played with it for months/can't remember setting a schedule up for it to do vulnerabiltiy scanning, plus these IPS logs say the attacks were spread over a period of 1 hour so I doubt it's that


Since then I've deleted all my port forwards and I've shut down the entire Unraid box, my plan was to isolate it on a separate VLAN and block inbound/outbound traffic and run Clam AV on it maybe? I've got about 32TB of data on it so backing it up somewhere else will be a pain and restoring again.


I'm really praying these are false positives in my USG but can never take a chance, I don't have much linux experience either, so what else should I do guys to make sure my entire Unraid box is not compromised? I have a VM on it but it had a differnt IP which was


I'm a bit scared to turn the box back on again, but I want to at least formulate an action plan and if you guys could assist me I would greatly apppreciate it!


I had the docker auto update applications plugin as well installed every night updating my containers? I just don't understand how Plex and qBittorent were the only containers that had port forwards on it and they are apparently not succeptible to log4j


Should I just keep it offline and plug in a monitor and keyboard into the Unraid and go through the logs that way if I can? Or can I post support logs here?


Sorry guys I was actually sick in my stomach last night after seeing this and shaking so bad.


Hope it's false positives..


Cheers, Xiphos



Link to comment

One thing I can tell you on the IPS UDMPro SE that sometimes the signatures that get updated cause some major false positives.  When they see there is an issue with and entry in a IPS signature file they are fairly quick to fix. 2 weeks at most.  I would check you logs for the last IPS signature update and put it online again to see if the alerts are now suppressed.


Also do a search for one or 2 of those alerts and check for recent posts in the Unify forums.  Thats what I do when something new pops up and all of the times it was a signature issue that was known.


Good luck and I hope your interna network isn't comp.



Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.