
(Hacked?): avahi-daemon logs, nginx socket open and high array I/O: 'top' reports 'gzip' and 'tar'



Hi,

 

I have constant, but small, I/O on one drive of the array. Unfortunately 'iotop' isn't available in 6.12 because of the missing Nerd Pack, therefore I just made a screenshot with 'top'.

 

As you can see, it seems like gzip and tar are using the CPU heavily. Can I somehow see which application/folder they are accessing? I could think of the Appdata-Backup, because I had compression on, but the I/O/CPU load has now been constant for a longer time.

 

[screenshot: 'top' output showing gzip and tar]

 

Any help is really appreciated! :)

 

Edit: In combination with this thread:

 

I now got really worried: 

 

I get those 'nginx open socket alerts' in combination with avahi-daemon entries:

 

[screenshot: nginx 'open socket' alerts and avahi-daemon log entries]

 

 

Really don't know how to start with this one, it seems kind of weird and scary, when you don't really understand what the log is mentioning. 

 

Edit2:

 

It gets even scarier, I wanted to stop the array, but it is refusing to, see the log:

 

[screenshot: log of the failed array unmount]

 

 

What to do in the first step now?

 

Edit3: //deleted

 

 

Edit 4: As it seems, some Docker container was just really misconfigured and therefore these entries popped up. The only thing I am unsure about is why gzip and tar were being used. The only explanation would be the Appdata-Backup plugin running with the compress option set to true; I will monitor with the compress function disabled.

Edited by Kazino43
  • Kazino43 changed the title to HACKED?: avahi-daemon logs and high array I/O: 'top' reports 'gzip' and 'tar'

This is the log from the start of Unraid; after ca. 5 minutes some avahi logs appear about an open port and then the Unraid server runs crazy, exactly after these two entries:

 

Apr 22 11:32:05 Tower nginx: 2023/04/22 11:32:05 [alert] 19732#19732: *2619 open socket #11 left in connection 7
Apr 22 11:32:05 Tower nginx: 2023/04/22 11:32:05 [alert] 19732#19732: *2621 open socket #17 left in connection 8
Apr 22 11:32:05 Tower nginx: 2023/04/22 11:32:05 [alert] 19732#19732: aborting

 

There is no DNS service or nginx Docker container running on this server, so I don't get it.

 

 

 

Edited by Kazino43

The first log lines, where Docker is creating and bringing down network interfaces in quick succession, look to me like a badly configured Docker instance with auto-start. In those logs I would interpret avahi-daemon as normally responding to the creation or removal of network interfaces.

 

If you want to diagnose, I would disable autostart on all your Docker containers, reboot the box, then go through them one at a time: start a container and monitor the logs for 3 - 4 minutes. Then you can see which is the dodgy Docker container.

 


Docker service and VM Manager are disabled, but I still get this one in a frequent manner (every 2-8 minutes):

 

Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137972 open socket #4 left in connection 9
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137976 open socket #13 left in connection 10
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137978 open socket #14 left in connection 11
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137980 open socket #25 left in connection 12
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137982 open socket #26 left in connection 13
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137984 open socket #29 left in connection 14
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: aborting

 

Nginx was never downloaded by myself actively, nor did I run an nginx reverse proxy manager. It is popping up although Docker services are disabled, as mentioned.

  • Kazino43 changed the title to (Hacked?): avahi-daemon logs, nginx socket open and high array I/O: 'top' reports 'gzip' and 'tar'
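The nginx lines quoted in the two posts above are worth reading structurally. The nginx here is the web server behind Unraid's own web GUI, which runs on the host rather than in a container, so disabling the Docker service does not make it go away. The pair "open socket #N left in connection M" followed by "aborting" from the same worker PID is what an nginx worker logs when it exits while client connections are still open, which is consistent with the later observation that the entries stopped once the browser session on the GUI was closed. The following Python is an added example, not code from the thread or from Unraid, that parses the quoted lines (plus one constructed line with no matching "aborting", to show the other outcome), groups the alerts by worker PID and classifies each group so the benign exit pattern can be told apart from anything else:

```python
import re

# Syslog-prefixed nginx alert lines as they appear in the Unraid log.
# "PID#TID" is the nginx worker process, "*N" is nginx's connection serial.
_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
_HDR = _TS + r" \S+ nginx: \S+ \S+ \[alert\] (?P<pid>\d+)#\d+: "
OPEN_SOCKET = re.compile(
    _HDR + r"\*(?P<conn>\d+) open socket #(?P<fd>\d+) left in connection (?P<slot>\d+)$"
)
ABORTING = re.compile(_HDR + r"aborting$")

# Lines 1-3 and 4-10 are the ones quoted in the thread; the last line is a
# constructed example of an alert burst with no "aborting" line after it.
THREAD_LOG = """\
Apr 22 11:32:05 Tower nginx: 2023/04/22 11:32:05 [alert] 19732#19732: *2619 open socket #11 left in connection 7
Apr 22 11:32:05 Tower nginx: 2023/04/22 11:32:05 [alert] 19732#19732: *2621 open socket #17 left in connection 8
Apr 22 11:32:05 Tower nginx: 2023/04/22 11:32:05 [alert] 19732#19732: aborting
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137972 open socket #4 left in connection 9
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137976 open socket #13 left in connection 10
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137978 open socket #14 left in connection 11
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137980 open socket #25 left in connection 12
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137982 open socket #26 left in connection 13
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137984 open socket #29 left in connection 14
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: aborting
Apr 22 18:03:00 Tower nginx: 2023/04/22 18:03:00 [alert] 31000#31000: *1 open socket #7 left in connection 2
""".splitlines()


def _new_group(pid, ts):
    return {"pid": int(pid), "first_seen": ts, "open_fds": [], "aborting": False}


def group_worker_exits(lines):
    """Group the alerts by worker PID, in order of first appearance.

    Each group records the file descriptors nginx reported as still open and
    whether that worker's own "aborting" line followed."""
    groups = {}  # dict keeps insertion order, so groups come out chronologically
    for line in lines:
        m = OPEN_SOCKET.match(line.strip())
        if m:
            g = groups.setdefault(m["pid"], _new_group(m["pid"], m["ts"]))
            g["open_fds"].append(int(m["fd"]))
            continue
        m = ABORTING.match(line.strip())
        if m:
            g = groups.setdefault(m["pid"], _new_group(m["pid"], m["ts"]))
            g["aborting"] = True
    return list(groups.values())


def classify(group):
    """Open-socket alerts followed by "aborting" from the same PID are the
    shape of a worker exiting with client connections still open. Other
    combinations do not match that pattern and deserve a closer look."""
    if group["aborting"] and group["open_fds"]:
        return "worker-exit-with-open-connections"
    if group["aborting"]:
        return "worker-abort-without-open-sockets"
    return "open-sockets-without-worker-exit"


def summarize(lines):
    """One (first_seen, pid, open-socket count, classification) per worker."""
    return [
        (g["first_seen"], g["pid"], len(g["open_fds"]), classify(g))
        for g in group_worker_exits(lines)
    ]


if __name__ == "__main__":
    for row in summarize(THREAD_LOG):
        print(*row)
```

Run against the thread's lines, the two quoted bursts come out as separate worker PIDs (19732 and 29181), each closing with its own "aborting" line; that a fresh PID appears each time is also consistent with a worker being replaced rather than one process misbehaving. The constructed third burst is the one the script would actually flag.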

That would make sense, since I was watching the log and was connected. When I left, no additional nginx logs were made. Never noticed that one.

 

Next problem that appeared: I cannot stop the array.

 

[screenshot: array stop failing with an unmount error]

 

I am already in safe mode.

 

I don't know why this all started from today.

 

I tried:

 

[screenshot: grep output]

 

and:

[screenshot: fuser output]

 

 

Why is it now not even unmounting the array? I am not accessing anything. 

 

 

Could someone please just help me. Don't tell me I lost my whole Unraid system; I don't know if it was "hacked", plus eventual data loss.

 

What is going on today?? :(((

 


It was 'mover'. It didn't finish gracefully, that's why it was stuck.
 

Can someone for the sake of peace post me your result running this first: 

 

ls /etc/passw*

Possibly you should also have a backup file which is called 'passwd-'.

 

Are there any differences running: 

 

diff /etc/passwd{,-}


In mine, all 'x' are substituted with a '!' instead. Is this normal? Besides this change of one character, everything is the same.

Edited by Kazino43
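A plain `diff /etc/passwd{,-}` as suggested above shows every changed line, but it does not tell you which field changed, and on a box you suspect is compromised the interesting differences are not in the second (password) field at all: an account that was added, an existing account whose UID became 0, or a shell or home directory that changed. The following Python is an added example, not code from the thread or from Unraid, that parses both files field by field and reports exactly that. The two file contents are constructed to mimic the situation described in the post (only the password field differs), and a third, also constructed, adds an extra UID-0 account to show what a real finding looks like:

```python
FIELD_NAMES = ["name", "password", "uid", "gid", "gecos", "home", "shell"]

# Constructed sample contents. PASSWD_BACKUP stands in for /etc/passwd-,
# PASSWD_NOW for /etc/passwd with only the password field differing, and
# PASSWD_SUSPECT for a copy with an added UID-0 account and a changed shell.
PASSWD_BACKUP = """\
root:!:0:0:Console and webGui login account:/root:/bin/bash
nobody:!:99:99:nobody:/:/bin/false
"""
PASSWD_NOW = """\
root:x:0:0:Console and webGui login account:/root:/bin/bash
nobody:x:99:99:nobody:/:/bin/false
"""
PASSWD_SUSPECT = """\
root:x:0:0:Console and webGui login account:/root:/bin/bash
nobody:x:99:99:nobody:/:/bin/sh
svc:x:0:0::/tmp:/bin/sh
"""


def parse_passwd(text):
    """Parse passwd(5)-style content into {username: [7 fields]}.

    Malformed lines are returned separately instead of being skipped, since a
    line that does not parse is itself something to look at."""
    users, malformed = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(FIELD_NAMES):
            malformed.append((lineno, line))
            continue
        users[fields[0]] = fields
    return users, malformed


def compare_passwd(current_text, backup_text):
    """Field-level comparison of the current file against its backup.

    Returns added/removed account names, per-account changed fields as
    {field: (backup_value, current_value)}, every UID-0 account in the current
    file, and any malformed lines in either file."""
    cur, cur_bad = parse_passwd(current_text)
    bak, bak_bad = parse_passwd(backup_text)
    report = {
        "added": sorted(set(cur) - set(bak)),
        "removed": sorted(set(bak) - set(cur)),
        "changed": {},
        "uid0": sorted(name for name, f in cur.items() if f[2] == "0"),
        "malformed": {"current": cur_bad, "backup": bak_bad},
    }
    for name in sorted(set(cur) & set(bak)):
        diffs = {
            FIELD_NAMES[i]: (bak[name][i], cur[name][i])
            for i in range(len(FIELD_NAMES))
            if bak[name][i] != cur[name][i]
        }
        if diffs:
            report["changed"][name] = diffs
    return report


def only_password_field_differs(report):
    """True when no account was added or removed, nothing is malformed, and
    every change is confined to the password field. That is the benign
    outcome; anything else needs to be explained before moving on."""
    return (
        not report["added"]
        and not report["removed"]
        and not report["malformed"]["current"]
        and not report["malformed"]["backup"]
        and all(set(d) == {"password"} for d in report["changed"].values())
    )


def compare_files(current_path="/etc/passwd", backup_path="/etc/passwd-"):
    """Convenience wrapper to run the comparison against real files."""
    with open(current_path) as cur, open(backup_path) as bak:
        return compare_passwd(cur.read(), bak.read())


if __name__ == "__main__":
    for label, text in (("now", PASSWD_NOW), ("suspect", PASSWD_SUSPECT)):
        r = compare_passwd(text, PASSWD_BACKUP)
        print(label, "benign" if only_password_field_differs(r) else "REVIEW", r)
```

On the real box, `compare_files()` with the default paths does the same comparison against `/etc/passwd` and `/etc/passwd-`. The UID-0 list is worth checking on its own even when the two files agree, because a backup taken after a modification would make a field-by-field diff look clean.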
