Puppet Master
Posted July 25, 2023

Attachments: frontierstwo-diagnostics-20230725-1551.zip, message.txt

I'm having an issue where even in safe mode a process called XMRIG is starting itself from root. I have included the diagnostics and a list of services running; these were collected from a fresh safe mode reboot before I killed the XMRIG process. Unfortunately, I 'think' the process is set to restart itself. Any and all help salvaging this system would be appreciated, thank you.

itimpi (Solution)
Posted July 25, 2023

It is being started by an amended config/go file on the flash drive. Yours reads:

```
#!/bin/bash
# Start the Management Utility
tor
/usr/local/sbin/emhttp &
/bin/bash /boot/config/wireguard/go
```

while the standard default one issued with Unraid only contains:

```
#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
```

If there are any files in the ‘extras’ folder on the flash drive they should also be removed.

More concerning is how a bad actor gained access to your server in the first place to make these changes. Do you have your server exposed to the internet?

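The comparison described in the answer above, as an added example that is not part of the original posts: a shell function that reports every line of config/go absent from the stock file quoted there, plus any files in the extras folder. The function name, its FLASH_ROOT argument and the additional `extra` folder name are assumptions of this example, and the sample go file is constructed from the one quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread: audit an Unraid flash drive for
# boot-time persistence by comparing config/go against the stock file.

# Stock config/go exactly as quoted in the answer above.
DEFAULT_GO='#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &'

# audit_flash FLASH_ROOT  (hypothetical helper; on a live server pass the
# flash mount point, /boot in the paths quoted above).
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if
# config/go is missing.
audit_flash() {
    flash=$1
    go="$flash/config/go"
    if [ ! -f "$go" ]; then
        echo "MISSING: $go"
        return 2
    fi
    findings=$(
        # Strip trailing whitespace (tolerates CRLF from edits made on
        # Windows), drop blank lines, keep lines absent from the stock file.
        sed 's/[[:space:]]*$//' "$go" | grep -v '^$' \
            | grep -Fxv -e "$DEFAULT_GO" | sed 's/^/GO: /'
        # The answer names an 'extras' folder; 'extra' is checked too as
        # an assumption about the folder name.
        for dir in "$flash/extras" "$flash/extra"; do
            if [ -d "$dir" ]; then
                find "$dir" -type f | sort | sed 's/^/EXTRA: /'
            fi
        done
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the amended go file from the thread, in a temp dir.
demo=$(mktemp -d)
mkdir -p "$demo/config"
printf '%s\n' '#!/bin/bash' '# Start the Management Utility' 'tor' \
    '/usr/local/sbin/emhttp &' '/bin/bash /boot/config/wireguard/go' \
    > "$demo/config/go"
audit_flash "$demo" || echo "unexpected boot entries found"
rm -rf "$demo"
```

Each `GO:` line is something that runs at every boot; a line that launches a further script, like the second one here, means that script needs the same review before the flash drive is trusted again.
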
Puppet Master (Author)
Posted July 25, 2023

I have DuckDNS set up for easy access to Jellyfin. Since this happened I have disabled any forwarded ports on my router as that is likely how access was gained. (I think, I'm a novice at servers like this.)