Compromised system

[Ritzer]

Due to a firewall misconfiguration unraid System was exposed to the internet for few weeks, meaning no port was filtered/blocked so everything was open wide. 

 

This caused one of my Docker images (qBittorrent) to get a crypto miner (xmrig). I've found it out just because half of my cpu cores were running at 100%. Killed the xmrig process, it lived inside the qBittorrent's docker. Deleted qBittorrent's docker completely and set it up again together with the firewall.

 

Attached the logs as I cannot find how did the attacker do this. 

Another question is... what else could have been compromised?

unraid-diagnostics-20230409-1648.7z

[Ritzer]

I also have to mention that during the time Unraid was exposed to the internet, the router had IP-V6 DHCP enabled and if I reckon correctly I seen IP-V6 in both Unraid and all dockers. Currently routers IP-V6 DHCP is turned off and firewall blocking incoming connections. 

 

I've also seen a lot of these errors in syslog.txt, are these normal?
 

Apr  9 05:00:01 UNRAID  move: move_object: //..c/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..r/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..r/...
Apr  9 05:00:01 UNRAID  move: move_object: //..r/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..f/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..f/...
Apr  9 05:00:01 UNRAID  move: move_object: //..f/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..f/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..f/...
Apr  9 05:00:01 UNRAID  move: move_object: //..f/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..h/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..h/...
Apr  9 05:00:01 UNRAID  move: move_object: //..h/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..h/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..h/...
Apr  9 05:00:01 UNRAID  move: move_object: //..h/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..4/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..4/...
Apr  9 05:00:01 UNRAID  move: move_object: //..4/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..g/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..g/...
Apr  9 05:00:01 UNRAID  move: move_object: //..g/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..t/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..t/...
Apr  9 05:00:01 UNRAID  move: move_object: //..t/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..r/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..r/...
Apr  9 05:00:01 UNRAID  move: move_object: //..r/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..p/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..p/...
Apr  9 05:00:01 UNRAID  move: move_object: //..p/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..d/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..d/...
Apr  9 05:00:01 UNRAID  move: move_object: //..d/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..n/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..n/...
Apr  9 05:00:01 UNRAID  move: move_object: //..n/... No such file or directory
Apr  9 05:00:01 UNRAID root: Specified filename //..p/... does not exist.
Apr  9 05:00:01 UNRAID  move: file: //..p/...

 

[Ritzer]

Attached the log with today's logs.

unraid-diagnostics-20230410-2242.zip

[Ritzer]

Did anyone check it?