February 21, 20251 yr I don't know when it started but recently my server randomly spins up to 100% cpu usage and just runs and runs and runs. it stops when i turn a handful of dockers off. I don't know which one though because it is such a delayed response from the server, so i can turn some off and like 10 minutes later the server comes back to normal. Anyways i have a diagnostics report downloaded to show my logs and everything, im assuming the malware is in my "homeassistant in a box", my firefox, or maybe my immich docker. i deleted home assistant in a box, and firefox just now. Then i turned off immich docker. The server is calm as could be right now. What is the best way to remove the malware on an unraid server? and if i remove the dockers will it go away? also i do not want to get rid of my immich docker (backup photos docker). tower-diagnostics-20250221-0744.zip
February 21, 20251 yr Community Expert Bit hard to find out where it could be stuck (from our point of view), but if its a docker, you can enable "Advanced View" in the top right and it will display the cpu usage by the containers. alternatively you could look where that file is located (if its not stored in a docker image itself) "find /mnt/user/appdata -iname kdevtmpfsi" to search from inside docker containers, just use "find / -iname kdevtmpfsi" Edited February 21, 20251 yr by Mainfrezzer
February 21, 20251 yr Author Thanks. when I get home from work today I'm gonna turn back on immich, and toggle advanced view (i don't know why this wasn't toggled on already). Thanks for the advice, I'll try to give an update with possibly more logs. I'm assuming something on my server is open to the internet via home assistant, (i hope its not one of my IOT devices in my house >< )
February 21, 20251 yr Community Expert After reading it a bit up, i suspect either immich or the PostgreSQL_Immich container to be the culprit(i never ran any of them, so i have no clue how they work). It seems to be attracted to redis, from what i read ( a case for postgresql is also to be found https://github.com/docker-library/postgres/issues/1054) Edited February 21, 20251 yr by Mainfrezzer
February 21, 20251 yr Author all i know about them is that immich is for photo backups, and im using the spaceinvader one version, which has the postgresssql container attached to it. Then i run immich through a cloudflare tunnel from my couldflare site, and its protected by a password that is 12 characters long, so i dont know how that would be hacked. I may just get rid of immich/post gres altogether, and then just go download the normal immich docker from unraid. I dont know.
February 21, 20251 yr Community Expert 16 minutes ago, cushman3742 said: all i know about them is that immich is for photo backups, and im using the spaceinvader one version, which has the postgresssql container attached to it. Then i run immich through a cloudflare tunnel from my couldflare site, and its protected by a password that is 12 characters long, so i dont know how that would be hacked. I may just get rid of immich/post gres altogether, and then just go download the normal immich docker from unraid. I dont know. When it's running, try this from the command prompt then post the ps.txt file (sanitize any usernames or passwords) ps auxf > ps.txt
February 22, 20251 yr Author thankyou so much for responding. i may not be able to get around to doing this until later in the weekend. but i will for sure get back to you @Michael_P and also thanks @Mainfrezzer
March 4, 20251 yr Author i ended up not figuring out how to do the ps stuff.. so i just deleted both apps, and removed every file with it. hopefully that's enough to get rid of the malware. Might go with seafile as a backup system. really all i wanted to do is backup my pictures and anything else to my server
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.