March 30Mar 30 Hi everyone,I’m looking for technical insight into a recent security breach on my Unraid server. I work as an IT technician, but I have limited experience with networking and cybersecurity.What happened: I had a Windows 10 VM running on Unraid to run BlueStacks. This morning, I found I was locked out of the Windows login (I didn't have a password set originally). I rolled back to a clean snapshot, but an hour later, I saw a hacker actively controlling the screen. They were logged into my Gmail and were trying to reset my Steam, Microsoft, Epic Games, and Bank accounts. Luckily, I have 2FA enabled.The technical mystery: I forced the VM to power off. To isolate it, I changed the Network Model from 'virtio-net' to 'rtl8139' in the Unraid settings. When I turned it back on, Windows showed the "No Internet" icon (likely missing drivers). However, even with "No Internet" in Windows, the hacker continued to move the mouse and control the screen in real-time.My Setup:Server: Unraid (Host) and Proxmox (running on a separate node).Router: Standard ISP Router (Skyworth GN630V). No OPNsense yet.Port Forwarding: I only have Port 51820 (WireGuard) and Port 32400 (Plex) enabled.Remote Tools: I had OSLink, UltraViewer installed and Remote Desktop enabled on the VM.VPNs: I use Tailscale and a self-hosted WireGuard VPN on Proxmox.My questions:Since the VM OS showed "No Internet" after the driver change, how did the hacker maintain control? Does this mean they were using the Unraid VNC console?Could this breach have "leaked" out and interrupted or compromised my WireGuard VPN or my Proxmox node? (Proxmox seems fine for now).How can I verify if my Unraid host/dashboard was actually accessed, or if the hacker was just "trapped" in that VM?I have since deleted the VM and vdisk and rotated all passwords. I want to understand the entry point before I start a new VM. Thanks for the help!
April 7Apr 7 On 3/30/2026 at 8:12 AM, Hafizuddin_Fauzai said:Hi everyone,I’m looking for technical insight into a recent security breach on my Unraid server. I work as an IT technician, but I have limited experience with networking and cybersecurity.What happened: I had a Windows 10 VM running on Unraid to run BlueStacks. This morning, I found I was locked out of the Windows login (I didn't have a password set originally). I rolled back to a clean snapshot, but an hour later, I saw a hacker actively controlling the screen. They were logged into my Gmail and were trying to reset my Steam, Microsoft, Epic Games, and Bank accounts. Luckily, I have 2FA enabled.The technical mystery: I forced the VM to power off. To isolate it, I changed the Network Model from 'virtio-net' to 'rtl8139' in the Unraid settings. When I turned it back on, Windows showed the "No Internet" icon (likely missing drivers). However, even with "No Internet" in Windows, the hacker continued to move the mouse and control the screen in real-time.My Setup:Server: Unraid (Host) and Proxmox (running on a separate node).Router: Standard ISP Router (Skyworth GN630V). No OPNsense yet.Port Forwarding: I only have Port 51820 (WireGuard) and Port 32400 (Plex) enabled.Remote Tools: I had OSLink, UltraViewer installed and Remote Desktop enabled on the VM.VPNs: I use Tailscale and a self-hosted WireGuard VPN on Proxmox.My questions:Since the VM OS showed "No Internet" after the driver change, how did the hacker maintain control? Does this mean they were using the Unraid VNC console?Could this breach have "leaked" out and interrupted or compromised my WireGuard VPN or my Proxmox node? (Proxmox seems fine for now).How can I verify if my Unraid host/dashboard was actually accessed, or if the hacker was just "trapped" in that VM?I have since deleted the VM and vdisk and rotated all passwords. I want to understand the entry point before I start a new VM. Thanks for the help!Most likely VNC access via unraid console.could have used cached cookies after gaining access to hit the web vnc for the VM. Data would be seen in the URaid system log. Edited April 7Apr 7 by bmartino1
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.