How to know if my Unraid server has been compromised?


Xiphos


Please see my IPS logs: https://ibb.co/6RD2wXV

I'm quite worried as I know how severe log4j is, but what concerns me even more is the source of these attempted attacks is coming internally from my network and not the public WAN IP so does that mean I've already been compromised?

I have an Unraid server on 192.168.1.20 with a few docker containers, and the only containers that have port forwards on them are Plex and qBittorrent.

My USG is the 192.168.1.1 IP address.

My IPS is turned right up to the max and it's the first time I've seen any of these types of threats. I did allow the P2P category under threat management for seeding torrents, but that's it.

Would appreciate absolutely any advice. I'm hoping that these are false positives, but how can I tell if they are or not?

Thanks guys

I've gone through the IPS logs over the last 2 months, and the 15th of October is the first time I started getting these IPS events.

More IPS logs where the source is my USG? The IPs coloured out in blue are my WAN IP - https://ibb.co/LC6JdkF

 

I did have a Nessus container on, but I hadn't played with it for months and can't remember setting a schedule up for it to do vulnerability scanning. Plus these IPS logs say the attacks were spread over a period of 1 hour, so I doubt it's that.

 

Since then I've deleted all my port forwards and I've shut down the entire Unraid box. My plan was to isolate it on a separate VLAN, block inbound/outbound traffic and run ClamAV on it, maybe? I've got about 32TB of data on it, so backing it up somewhere else and restoring again will be a pain.

 

I'm really praying these are false positives in my USG, but I can never take a chance. I don't have much Linux experience either, so what else should I do, guys, to make sure my entire Unraid box is not compromised? I have a VM on it, but it had a different IP, which was 192.168.1.170.

 

I'm a bit scared to turn the box back on again, but I want to at least formulate an action plan, and if you guys could assist me I would greatly appreciate it!

 

I also had the docker auto-update applications plugin installed, updating my containers every night. I just don't understand how, when Plex and qBittorrent were the only containers that had port forwards on them, and they are apparently not susceptible to log4j.

 

Should I just keep it offline, plug a monitor and keyboard into the Unraid box and go through the logs that way if I can? Or can I post support logs here?

 

Sorry guys, I was actually sick to my stomach last night after seeing this, and shaking so badly.

 

Hope it's false positives..

 

Cheers, Xiphos


One thing I can tell you on the IPS of the UDM Pro SE is that sometimes the signatures that get updated cause some major false positives. When they see there is an issue with an entry in an IPS signature file they are fairly quick to fix it, 2 weeks at most. I would check your logs for the last IPS signature update and put it online again to see if the alerts are now suppressed.

 

Also do a search for one or 2 of those alerts and check for recent posts in the UniFi forums. That's what I do when something new pops up, and every time it was a signature issue that was known.

 

Good luck, and I hope your internal network isn't comp.

 

CD
