Xiphos Posted October 16, 2022

Please see my IPS logs: https://ibb.co/6RD2wXV

I'm quite worried as I know how severe log4j is, but what concerns me even more is that the source of these attempted attacks is coming internally from my network and not the public WAN IP, so does that mean I've already been compromised?

I have an Unraid server on 192.168.1.20 with a few docker containers, and my only containers that have port forwards on them are Plex and qBittorrent. My USG is the 192.168.1.1 IP address.

My IPS is turned right up to the max and it's the first time I've seen any of these types of threats. I did allow the P2P category under threat management for seeding torrents, but that's it.

Would appreciate absolutely any advice. I'm hoping that these are false positives, but how can I tell if they are or not? Thanks guys.

I've gone through IPS logs over the last 2 months and the 15th of October is the first time I've started getting these IPS events.

More IPS logs where the source is my USG? The coloured out IPs in blue are my WAN IP - https://ibb.co/LC6JdkF

I did have a Nessus container on, but I hadn't played with it for months / can't remember setting a schedule up for it to do vulnerability scanning; plus these IPS logs say the attacks were spread over a period of 1 hour, so I doubt it's that.

Since then I've deleted all my port forwards and I've shut down the entire Unraid box. My plan was to isolate it on a separate VLAN and block inbound/outbound traffic and run ClamAV on it maybe? I've got about 32TB of data on it, so backing it up somewhere else will be a pain, and restoring again.

I'm really praying these are false positives in my USG but can never take a chance. I don't have much Linux experience either, so what else should I do guys to make sure my entire Unraid box is not compromised?

I have a VM on it but it had a different IP, which was 192.168.1.170.

I'm a bit scared to turn the box back on again, but I want to at least formulate an action plan, and if you guys could assist me I would greatly appreciate it!

I had the docker auto update applications plugin installed as well, updating my containers every night? I just don't understand how Plex and qBittorrent were the only containers that had port forwards on them and they are apparently not susceptible to log4j.

Should I just keep it offline and plug a monitor and keyboard into the Unraid and go through the logs that way if I can? Or can I post support logs here?

Sorry guys, I was actually sick in my stomach last night after seeing this and shaking so bad. Hope it's false positives..

Cheers, Xiphos
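One concrete check a defender can run before deciding whether IPS hits like these matter is to find out whether any container on the box actually ships a Log4j 2 core with the `JndiLookup` class, and which version. The script below is an added example, not code from the original post, from Unraid, or from Ubiquiti. It walks a directory tree (an assumed location such as a container filesystem written out with `docker export` and untarred, or an appdata share mounted read-only), opens every `.jar`/`.war`/`.ear`/`.zip` it finds, recurses into nested archives (fat jars bundle log4j-core inside `BOOT-INF/lib/` or `WEB-INF/lib/`), and reports the bundled log4j-core version and whether `JndiLookup.class` is present. The "fixed at 2.17.1" threshold is a heuristic for the Log4j 2.x line; the sample jars the `demo()` function builds are constructed for the example and contain placeholder bytes, not real class files.

```python
"""Scan a directory tree for Java archives that bundle log4j-core with JndiLookup.

Added example (not the forum poster's or Unraid's code). Paths are assumptions;
the jars built by build_sample_jar() are constructed test fixtures.
"""
import io
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Heuristic threshold: 2.17.1 closed the late-2021 JNDI-related Log4j 2 advisories.
FIXED_VERSION = (2, 17, 1)


def parse_version(version):
    """Turn '2.14.1' or '2.14.1-SNAPSHOT' into a comparable (major, minor, patch)."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version, has_jndi):
    """JndiLookup present and version unknown or below the fixed release."""
    if not has_jndi:
        return False
    if version is None:
        return True  # cannot prove it is patched; treat as needing attention
    return parse_version(version) < FIXED_VERSION


def _version_from_pom(zf):
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(data, name, depth=0, max_depth=3):
    """Return [(location, version, has_jndi)] for this archive and nested ones."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to report
    with zf:
        names = set(zf.namelist())
        version = _version_from_pom(zf)
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            findings.append((name, version, has_jndi))
        if depth < max_depth:  # fat jars / wars carry log4j-core as an inner jar
            for inner in names:
                if inner.lower().endswith(ARCHIVE_EXT):
                    findings.extend(inspect_archive(zf.read(inner), f"{name}!{inner}",
                                                    depth + 1, max_depth))
    return findings


def scan_tree(root):
    """Walk root and inspect every archive file found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def build_sample_jar(version=None, include_jndi=False, nested=None):
    """Constructed fixture: a zip shaped like a jar, with placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version is not None:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                        f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
        for inner_name, inner_bytes in (nested or {}).items():
            zf.writestr(inner_name, inner_bytes)
    return buf.getvalue()


def demo():
    """Build a small constructed tree and return sorted (location, version, vulnerable)."""
    root = tempfile.mkdtemp(prefix="log4jscan_")
    old_core = build_sample_jar("2.14.1", include_jndi=True)
    with open(os.path.join(root, "app-fat.jar"), "wb") as fh:
        fh.write(build_sample_jar(nested={"BOOT-INF/lib/log4j-core-2.14.1.jar": old_core}))
    with open(os.path.join(root, "patched.jar"), "wb") as fh:
        fh.write(build_sample_jar("2.17.1", include_jndi=True))
    with open(os.path.join(root, "clean.jar"), "wb") as fh:
        fh.write(build_sample_jar())
    return sorted((loc, ver, is_vulnerable(ver, jndi)) for loc, ver, jndi in scan_tree(root))


if __name__ == "__main__":
    for location, version, vulnerable in demo():
        print(f"{'VULNERABLE' if vulnerable else 'ok':10} log4j-core {version} in {location}")
```

Run it against a real export with `scan_tree("/path/to/exported/container")`; anything reported with `is_vulnerable(...)` true is a container worth stopping until its image is rebuilt on a current base. A clean scan does not by itself clear the box (the IPS may be matching traffic rather than a vulnerable library), but it answers the narrower question of whether the containers with port forwards could have been hit at all.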