nobatko Posted March 28
Hi guys. I've been trying to figure out since this morning if anyone has gotten into Unraid. I looked at the log at night and saw a lot of IPv6 entries similar to this post. I started stressing about what it was and whether someone had hacked me. I almost didn't sleep until morning. I woke up in the morning and immediately went to dig into the server. I found out that there was an update for Unraid, so I updated it. I started going through the files with MC and found some files that worried me. I found a folder /usr/X11R6/share/cracklib which contained a file with several million passwords. I don't know how it got there. I'm not very advanced in Linux and I don't know which files are typical for it. So I'm sitting at my computer, going through various forums and googling what I'm stressing about and what I should do about it. At the moment I have the server up, but I don't have the array mounted. Any help is welcome.
itimpi Posted March 28
18 minutes ago, nobatko said:
Hi guys. I've been trying to figure out since this morning if anyone has gotten into Unraid. I looked at the log at night and saw a lot of IPv6 entries similar to this post. I started stressing about what it was and whether someone had hacked me. I almost didn't sleep until morning. I woke up in the morning and immediately went to dig into the server. I found out that there was an update for Unraid, so I updated it. I started going through the files with MC and found some files that worried me. I found a folder /usr/X11R6/share/cracklib which contained a file with several million passwords. I don't know how it got there. I'm not very advanced in Linux and I don't know which files are typical for it. So I'm sitting at my computer, going through various forums and googling what I'm stressing about and what I should do about it. At the moment I have the server up, but I don't have the array mounted. Any help is welcome.

Good chance rebooting will clear that, as the location is in RAM, but you should post your diagnostics to let us give more informed feedback. Is your server exposed to the internet? Unraid is not hardened enough to be directly exposed to the internet.
nobatko (Author) Posted March 28
55 minutes ago, itimpi said:
Good chance rebooting will clear that, as the location is in RAM, but you should post your diagnostics to let us give more informed feedback. Is your server exposed to the internet? Unraid is not hardened enough to be directly exposed to the internet.

In ifconfig I found tunl0. I have got no idea what it is; I definitely didn't create that. I have a few ports forwarded to the server: Plex, Minecraft servers and Unraid itself. I don't use UPnP; it's turned off in the router settings. DMZ is turned off as well.
Attachment: whonnock-diagnostics-20240328-1106.zip
Kilrah Posted March 28 (edited)
29 minutes ago, nobatko said:
and Unraid itself

Unraid itself should never be exposed.

29 minutes ago, nobatko said:
In ifconfig I found tunl0. I have got no idea what it is; I definitely didn't create that.

Are you using WireGuard? If not, check that there isn't anything set there / remove what's in the /config/wireguard folder on the flash drive.
Edited March 28 by Kilrah
itimpi Posted March 28
28 minutes ago, nobatko said:
and Unraid itself,

You must never forward the Unraid GUI directly, as you will almost certainly get hacked. You should only do it either via Unraid Connect or using the built-in WireGuard VPN server.
nobatko (Author) Posted March 28
11 minutes ago, Kilrah said:
Unraid itself should never be exposed. Are you using WireGuard? If not, check that there isn't anything set there / remove what's in the /config/wireguard folder on the flash drive.

I am not using WireGuard; there are no files in the directory, and yet in the GUI there seems to be a tunnel that I cannot delete. Only Plex is now forwarded; I removed all the others.
itimpi Posted March 28
Have you rebooted yet? That should be the first step. I would recommend posting a copy of your diagnostics after doing that to see if we can spot anything.
nobatko (Author) Posted March 28 (edited)
45 minutes ago, itimpi said:
Have you rebooted yet? That should be the first step. I would recommend posting a copy of your diagnostics after doing that to see if we can spot anything.

I did; these are the diagnostics after rebooting: whonnock-diagnostics-20240328-1301.zip
Edit: I added diagnostics after starting the array: whonnock-diagnostics-20240328-1314.zip
Edited March 28 by nobatko (more info)
ljm42 Posted March 28
8 hours ago, nobatko said:
I found a folder /usr/X11R6/share/cracklib which contained a file with several million passwords. I don't know how it got there.

This is included in the standard Unraid distribution and is not an indicator of a hack.
nobatko (Author) Posted March 28
31 minutes ago, ljm42 said:
This is included in the standard Unraid distribution and is not an indicator of a hack.

Okay, that makes me slightly less worried. Thanks for clearing that up. The last thing I would like someone to look at are these two screenshots, in case there is anything out of the ordinary.
ljm42 Posted March 28
/tmp/emhttp/smb.service is fine.

The user "nobatko" is not included in Unraid by default; I'm guessing that is a user you added? It is not configured like a normal Unraid user in the current release of Unraid. Did you follow a guide to do something special with it? Or perhaps an older version of Unraid used this format, not sure.

I'd recommend going to Settings -> FTP Server, disabling the service and removing any users listed there. Then go to the Users page and delete and recreate the nobatko user. When you are done I would expect the entry to look like this:
nobatko:x:1000:100::/:/bin/false
nobatko (Author) Posted March 28
12 minutes ago, ljm42 said:
The user "nobatko" is not included in Unraid by default; I'm guessing that is a user you added? It is not configured like a normal Unraid user in the current release of Unraid. Did you follow a guide to do something special with it? Or perhaps an older version of Unraid used this format, not sure. I'd recommend going to Settings -> FTP Server, disabling the service and removing any users listed there. Then go to the Users page and delete and recreate the nobatko user. When you are done I would expect the entry to look like this: nobatko:x:1000:100::/:/bin/false

Ok, I did that; it fixed it. Thank you. One more screenshot: is this normal? Should Avahi be used in the config?
ljm42 Posted March 28
2 minutes ago, nobatko said:
One more screenshot: is this normal? Should Avahi be used in the config?

Yep, that is all good.

The diagnostics do show that you have an interface named tunl0@NONE which is currently down. I don't have that on my systems, but Google suggests it is related to Docker. Do you have any Docker containers that provide VPN services or otherwise mess with the network?
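The two checks ljm42 walks through above (the shape of the user's /etc/passwd entry, and the unexpected tunl0@NONE interface) can be scripted so the same triage is repeatable after a reboot or a container removal. The following is an added example written for this thread, not Unraid's code or anything posted by the participants. The /etc/passwd excerpt and the `ip -o link` output are constructed sample input (the tunl0 line is shaped like the interface described in the thread); the assumption that UIDs at or above 1000 are user-added accounts is mine, consistent with the `nobatko:x:1000:100` entry ljm42 quoted.

```python
"""Repeatable triage for two checks from the thread: passwd entry shape and
tunnel-type network interfaces. Sample inputs below are constructed."""
import re
import subprocess

# Constructed /etc/passwd excerpt. The nobatko line is the shape ljm42 said
# to expect; the "suspect" line is a made-up counter-example with a real shell.
PASSWD_SAMPLE = """\
root:x:0:0:Console and webGui login account:/root:/bin/bash
nobody:x:99:100:nobody:/:/bin/false
nobatko:x:1000:100::/:/bin/false
suspect:x:1001:100::/home/suspect:/bin/bash
"""

# Constructed `ip -o link` output (one interface per line, as -o prints it).
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
5: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000\\    link/ipip 0.0.0.0 brd 0.0.0.0
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
FIRST_USER_UID = 1000  # assumption: UIDs >= 1000 are accounts the admin added


def parse_passwd(text):
    """Return one dict per well-formed passwd line (exactly 7 colon fields)."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at its meaning
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def is_expected_unraid_user(entry):
    """The shape ljm42 expects: users group (gid 100), home '/', no login shell."""
    return (entry["uid"] >= FIRST_USER_UID and entry["gid"] == 100
            and entry["home"] == "/" and entry["shell"] in NOLOGIN_SHELLS)


def users_with_login_shell(entries):
    """Admin-added accounts that can actually log in; on Unraid there should be none."""
    return [e["name"] for e in entries
            if e["uid"] >= FIRST_USER_UID and e["shell"] not in NOLOGIN_SHELLS]


# "<idx>: <name>[@<parent>]: <flags> ... state <STATE> ... link/<kind> ..."
LINK_RE = re.compile(
    r"^\d+: (?P<name>[^:@\s]+)(?:@(?P<parent>[^:\s]+))?: <[^>]*>"
    r".*?\bstate (?P<state>\S+).*?\blink/(?P<kind>\S+)")
TUNNEL_KINDS = {"ipip", "gre", "sit", "none"}  # link/none is typical for tun/wg


def tunnel_interfaces(text):
    """(name, link kind, state) for every tunnel-like interface in `ip -o link` output."""
    found = []
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        if m["kind"] in TUNNEL_KINDS or m["name"].startswith(("tun", "wg")):
            found.append((m["name"], m["kind"], m["state"]))
    return found


def triage(passwd_text, ip_link_text):
    """Summarise both checks so the output can be compared before/after a change."""
    entries = parse_passwd(passwd_text)
    return {
        "login_shell_users": users_with_login_shell(entries),
        "unexpected_user_entries": [e["name"] for e in entries
                                    if e["uid"] >= FIRST_USER_UID
                                    and not is_expected_unraid_user(e)],
        "tunnel_interfaces": tunnel_interfaces(ip_link_text),
    }


if __name__ == "__main__":
    # Run against the constructed samples; swap in the live system when present.
    passwd_text, ip_text = PASSWD_SAMPLE, IP_LINK_SAMPLE
    try:
        with open("/etc/passwd") as fh:
            passwd_text = fh.read()
        ip_text = subprocess.run(["ip", "-o", "link"], capture_output=True,
                                 text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        pass  # not on a Linux host with iproute2: stay with the samples
    for key, value in triage(passwd_text, ip_text).items():
        print(f"{key}: {value}")
```

Run it once, note the tunnel list, then remove the suspect container and reboot as ljm42 suggests; if `tunnel_interfaces` still reports tunl0 afterwards, the interface is not coming from that container. An empty `login_shell_users` list is the expected state for Unraid's own user accounts.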
nobatko (Author) Posted March 28
23 minutes ago, ljm42 said:
The diagnostics do show that you have an interface named tunl0@NONE which is currently down. I don't have that on my systems, but Google suggests it is related to Docker. Do you have any Docker containers that provide VPN services or otherwise mess with the network?

I use Deluge connected through NordVPN, but I have never before noticed the tunl0@none.
ljm42 Posted March 28 (marked as Solution)
11 minutes ago, nobatko said:
I use Deluge connected through NordVPN, but I have never before noticed the tunl0@none.

That is probably it. If you are concerned, you could fully delete that container and reboot, and see if tunl0@none comes back.

I don't see any proof of a hack in the comments in this thread or in the diagnostics. Not saying it is impossible, just saying I don't see anything that would lead me to that conclusion. Although I do see that your previous release was 6.11.5, which is about 1.5 years old, an eternity in Internet security terms. Even so, if the system is not exposed to the Internet the risks are minimal.

Unraid is different from most operating systems in that it is loaded fresh into RAM with every reboot. A hacker would need to take special steps for the hack to persist, and those should be visible in diagnostics. So in general, once you reboot you are good. Although IF a hack did occur you should take steps to prevent it from happening again; I'd suggest reviewing our Security Best Practices: https://unraid.net/blog/unraid-server-security-best-practices and resetting your root password and user passwords to be safe.

(Note that if a Docker container was hacked, that would not be resolved by a reboot. To clean that up you would want to fully delete the affected container.)
nobatko (Author) Posted March 28
18 minutes ago, ljm42 said:
I'd suggest reviewing our Security Best Practices: https://unraid.net/blog/unraid-server-security-best-practices and resetting your root password and user passwords to be safe.

Will do!

18 minutes ago, ljm42 said:
(Note that if a Docker container was hacked, that would not be resolved by a reboot. To clean that up you would want to fully delete the affected container.)

I will delete the Deluge docker and reinstall it just to be sure. Thanks for the help and your time. I feel relief knowing that there was probably no hack. I'm trying to keep educating myself on Linux, but it's so vast that I'm still at the very beginning. I am glad for the help and willingness.