Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Security Breach: How was my Unraid VM controlled even after losing internet? (OSLink / UltraViewer / Remote Desktop)

Featured Replies

Hi everyone,

I’m looking for technical insight into a recent security breach on my Unraid server. I work as an IT technician, but I have limited experience with networking and cybersecurity.

What happened: I had a Windows 10 VM running on Unraid to run BlueStacks. This morning, I found I was locked out of the Windows login (I didn't have a password set originally). I rolled back to a clean snapshot, but an hour later, I saw a hacker actively controlling the screen. They were logged into my Gmail and were trying to reset my Steam, Microsoft, Epic Games, and Bank accounts. Luckily, I have 2FA enabled.

The technical mystery: I forced the VM to power off. To isolate it, I changed the Network Model from 'virtio-net' to 'rtl8139' in the Unraid settings. When I turned it back on, Windows showed the "No Internet" icon (likely missing drivers). However, even with "No Internet" in Windows, the hacker continued to move the mouse and control the screen in real-time.

My Setup:

  • Server: Unraid (Host) and Proxmox (running on a separate node).

  • Router: Standard ISP Router (Skyworth GN630V). No OPNsense yet.

  • Port Forwarding: I only have Port 51820 (WireGuard) and Port 32400 (Plex) enabled.

  • Remote Tools: I had OSLink, UltraViewer installed and Remote Desktop enabled on the VM.

  • VPNs: I use Tailscale and a self-hosted WireGuard VPN on Proxmox.

My questions:

  1. Since the VM OS showed "No Internet" after the driver change, how did the hacker maintain control? Does this mean they were using the Unraid VNC console?

  2. Could this breach have "leaked" out and interrupted or compromised my WireGuard VPN or my Proxmox node? (Proxmox seems fine for now).

  3. How can I verify if my Unraid host/dashboard was actually accessed, or if the hacker was just "trapped" in that VM?

I have since deleted the VM and vdisk and rotated all passwords. I want to understand the entry point before I start a new VM. Thanks for the help!

  • 2 weeks later...
On 3/30/2026 at 8:12 AM, Hafizuddin_Fauzai said:

Hi everyone,

I’m looking for technical insight into a recent security breach on my Unraid server. I work as an IT technician, but I have limited experience with networking and cybersecurity.

What happened: I had a Windows 10 VM running on Unraid to run BlueStacks. This morning, I found I was locked out of the Windows login (I didn't have a password set originally). I rolled back to a clean snapshot, but an hour later, I saw a hacker actively controlling the screen. They were logged into my Gmail and were trying to reset my Steam, Microsoft, Epic Games, and Bank accounts. Luckily, I have 2FA enabled.

The technical mystery: I forced the VM to power off. To isolate it, I changed the Network Model from 'virtio-net' to 'rtl8139' in the Unraid settings. When I turned it back on, Windows showed the "No Internet" icon (likely missing drivers). However, even with "No Internet" in Windows, the hacker continued to move the mouse and control the screen in real-time.

My Setup:

  • Server: Unraid (Host) and Proxmox (running on a separate node).

  • Router: Standard ISP Router (Skyworth GN630V). No OPNsense yet.

  • Port Forwarding: I only have Port 51820 (WireGuard) and Port 32400 (Plex) enabled.

  • Remote Tools: I had OSLink, UltraViewer installed and Remote Desktop enabled on the VM.

  • VPNs: I use Tailscale and a self-hosted WireGuard VPN on Proxmox.

My questions:

  1. Since the VM OS showed "No Internet" after the driver change, how did the hacker maintain control? Does this mean they were using the Unraid VNC console?

  2. Could this breach have "leaked" out and interrupted or compromised my WireGuard VPN or my Proxmox node? (Proxmox seems fine for now).

  3. How can I verify if my Unraid host/dashboard was actually accessed, or if the hacker was just "trapped" in that VM?

I have since deleted the VM and vdisk and rotated all passwords. I want to understand the entry point before I start a new VM. Thanks for the help!

Most likely VNC access via unraid console.

could have used cached cookies after gaining access to hit the web vnc for the VM. Data would be seen in the URaid system log.

Edited by bmartino1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.