Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

(Hacked?): avahi-daemon logs, nginx socket open and high array I/O: 'top' reports 'gzip' and 'tar'

Featured Replies

Hi,

 

I have constant, but small I/O on one drive of the array. Unfortunately 'iotop' isn't available in 6.12 because of the missing nerd pack, therefore just made a screenshot with 'top'.

 

As you can see, it seems like gzip and tar are using the CPU heavily. Can I somehow see which apllication/folder they are accessing? I could think of the Appdata-Backup, because I had compression on, but the IO/CPU load is now constant for longer time.

 

gzip.thumb.JPG.e0ad3e09a6add66945a1587dc8e758fd.JPG

 

Any help is really appreciated! :)

 

Edit: In combination with this thread:

 

I now got really worried: 

 

I get those 'nginx open socket alerts' in combination with avahi-daemon entries:

 

nginx.thumb.JPG.5d2f8c29fcd3a95b0d6ca9b0358dd420.JPG

 

 

Really don't know how to start with this one, it seems kind of weird and scary, when you don't really understand what the log is mentioning. 

 

Edit2:

 

It gets even scarier, I wanted to stop the array, but it is refusing to, see the log:

 

error_unmounting.thumb.JPG.040dfcacddd414fd39c75d42ed35092d.JPG

 

 

What to do in the first step now?

 

Edit3: //deleted

 

 

Edit 4: As it seems, some docker what just really miss configured and therfore these entries pop'ed up.  The only thing I am unsure is to why gzip and tar was being used. The only explanmation would be because of Appdata-Backup plugin running with the compress-option=true, will monitor with disabled compress-function

Edited by Kazino43

  • Kazino43 changed the title to HACKED?: avahi-daemon logs and high array I/O: 'top' reports 'gzip' and 'tar'
  • Author

This is the log from the start of Unraid, after ca. 5 minutes some avahi logs appear about open port and then the Unraid server runs crazy, exactly after this two entries:

 

Apr 22 11:32:05 Tower nginx: 2023/04/22 11:32:05 [alert] 19732#19732: *2619 open socket #11 left in connection 7
Apr 22 11:32:05 Tower nginx: 2023/04/22 11:32:05 [alert] 19732#19732: *2621 open socket #17 left in connection 8
Apr 22 11:32:05 Tower nginx: 2023/04/22 11:32:05 [alert] 19732#19732: aborting

 

There is no DNS-service and nginx docker running on this server, so I don't get it.

 

 

 

Edited by Kazino43

The first log lines where docker is creating and bringing down network interfaces in quick succession looks like a badly configured docker instance to me with auto-start. In those logs I would interpret avahi-daemon is normally responding to the creation of removal of network interfaces.

 

If you want to diagnose I would disable autostart on all your docker containers, reboot the box, then go through one at a time and start a container and monitor logs for 3 - 4 mins. Then you can see which is the dodgy docker container

 

There's a plug-in called file activity which monitors the file moving. I am not sure if it can help but worth a try.

  • Author

Docker service and VM Manager are disabled, but I still get this one in frequent manner (every 2-8 minutes):

 

Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137972 open socket #4 left in connection 9
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137976 open socket #13 left in connection 10
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137978 open socket #14 left in connection 11
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137980 open socket #25 left in connection 12
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137982 open socket #26 left in connection 13
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137984 open socket #29 left in connection 14
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: aborting

 

Nginx was never downloaded by myself actively, nor did I run a nginx reverse proxy manager. It is poping up although docker services are disabled as mentioned. 

  • Kazino43 changed the title to (Hacked?): avahi-daemon logs, nginx socket open and high array I/O: 'top' reports 'gzip' and 'tar'

AFAIK, Nginx is what the base web ui uses.

  • Author

That would make sense, since I was watching the log and was connected. When I left, no additional nginx logs were made. Never noticed that one.

 

Next problem that appeared: I cannot stop the array.

 

unmount.thumb.JPG.b36c0118d29bfb8418e3d920f8e9142a.JPG

 

I am already in safe mode.

 

I don't know why this all started from today.

 

I tried:

 

grep.thumb.JPG.7af3761a9c4cd528177b6dab7ab2940f.JPG

 

and:

fsuer.JPG.e2760b72ce89e5149d746ddc70830ef4.JPG

 

 

Why is it now not even unmounting the array? I am not accessing anything. 

 

 

Could please just someone help me. Don't tell my I lost all my Unraid system and don't know if it was "hacked" + eventuall data loss.

 

What is going on today?? :(((

 

Is the current directory for your shell in a user share?   If so this would prevent the user shares from being stopped.

  • Author

It was „mover“. It didn‘t finish gracefully, thats why it has been stuck. 
 

Can someone for the sake of peace post me your result running this first: 

 

ls /etc/passw*

Possibly you should also have a backup.conf which is called „passwd-„

 

Are there any differences running: 

 

diff /etc/passwd{,-}


In mine, all ‚x‘ are substituted with a ‚!‘ instead. Is this normal? Besides this change of one character, everything is the same.

Edited by Kazino43

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.