(Hacked?): avahi-daemon logs, nginx socket open and high array I/O: 'top' reports 'gzip' and 'tar'

[Kazino43]

Hi,

 

I have constant, but small I/O on one drive of the array. Unfortunately 'iotop' isn't available in 6.12 because of the missing nerd pack, therefore just made a screenshot with 'top'.

 

As you can see, it seems like gzip and tar are using the CPU heavily. Can I somehow see which apllication/folder they are accessing? I could think of the Appdata-Backup, because I had compression on, but the IO/CPU load is now constant for longer time.

 

 

Any help is really appreciated!

 

Edit: In combination with this thread:

 

I now got really worried: 

 

I get those 'nginx open socket alerts' in combination with avahi-daemon entries:

 

 

 

Really don't know how to start with this one, it seems kind of weird and scary, when you don't really understand what the log is mentioning. 

 

Edit2:

 

It gets even scarier, I wanted to stop the array, but it is refusing to, see the log:

 

 

 

What to do in the first step now?

 

Edit3: //deleted

 

 

Edit 4: As it seems, some docker what just really miss configured and therfore these entries pop'ed up.  The only thing I am unsure is to why gzip and tar was being used. The only explanmation would be because of Appdata-Backup plugin running with the compress-option=true, will monitor with disabled compress-function

Edited April 22, 2023 by Kazino43

[Kazino43]

This is the log from the start of Unraid, after ca. 5 minutes some avahi logs appear about open port and then the Unraid server runs crazy, exactly after this two entries:

 

Apr 22 11:32:05 Tower nginx: 2023/04/22 11:32:05 [alert] 19732#19732: *2619 open socket #11 left in connection 7
Apr 22 11:32:05 Tower nginx: 2023/04/22 11:32:05 [alert] 19732#19732: *2621 open socket #17 left in connection 8
Apr 22 11:32:05 Tower nginx: 2023/04/22 11:32:05 [alert] 19732#19732: aborting

 

There is no DNS-service and nginx docker running on this server, so I don't get it.

 

 

 

Edited April 22, 2023 by Kazino43

[giveitago]

The first log lines where docker is creating and bringing down network interfaces in quick succession looks like a badly configured docker instance to me with auto-start. In those logs I would interpret avahi-daemon is normally responding to the creation of removal of network interfaces.

 

If you want to diagnose I would disable autostart on all your docker containers, reboot the box, then go through one at a time and start a container and monitor logs for 3 - 4 mins. Then you can see which is the dodgy docker container

 

[marco_yang]

There's a plug-in called file activity which monitors the file moving. I am not sure if it can help but worth a try.

[Kazino43]

Docker service and VM Manager are disabled, but I still get this one in frequent manner (every 2-8 minutes):

 

Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137972 open socket #4 left in connection 9
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137976 open socket #13 left in connection 10
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137978 open socket #14 left in connection 11
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137980 open socket #25 left in connection 12
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137982 open socket #26 left in connection 13
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: *137984 open socket #29 left in connection 14
Apr 22 18:01:26 Tower nginx: 2023/04/22 18:01:26 [alert] 29181#29181: aborting

 

Nginx was never downloaded by myself actively, nor did I run a nginx reverse proxy manager. It is poping up although docker services are disabled as mentioned. 

[BRiT]

AFAIK, Nginx is what the base web ui uses.

[Kazino43]

That would make sense, since I was watching the log and was connected. When I left, no additional nginx logs were made. Never noticed that one.

 

Next problem that appeared: I cannot stop the array.

 

 

I am already in safe mode.

 

I don't know why this all started from today.

 

I tried:

 

 

and:

 

 

Why is it now not even unmounting the array? I am not accessing anything. 

 

 

Could please just someone help me. Don't tell my I lost all my Unraid system and don't know if it was "hacked" + eventuall data loss.

 

What is going on today?? :(((

 

[remotevisitor]

Is the current directory for your shell in a user share?   If so this would prevent the user shares from being stopped.

[Kazino43]

It was „mover“. It didn‘t finish gracefully, thats why it has been stuck. 
 

Can someone for the sake of peace post me your result running this first: 

 

ls /etc/passw*

Possibly you should also have a backup.conf which is called „passwd-„

 

Are there any differences running: 

 

diff /etc/passwd{,-}

In mine, all ‚x‘ are substituted with a ‚!‘ instead. Is this normal? Besides this change of one character, everything is the same.

Edited April 23, 2023 by Kazino43