Steps taken after finding crypto miner on your server

Yesterday when I logged into my dashboard I saw my CPU running at 100% on all cores.

I checked running processes and found xmrig running.

So I shut down the server, pulled the USB and checked the config/go file and looked for the extras folder that were mentioned in other threads a few years back.

Both seemed okay.

I booted the server back up, and once my Docker containers spun up, xmrig started running again.

Next I shut down all the containers and brought them up one at a time until I found the one that caused xmrig to run: my book library, Calibre.

I restarted it a few times to verify that it was the cause, then forced an update on it.

I haven't seen it run since updating that container, though last night I still shut the container down until I know what I should do next.

I used to have several containers available through Nginx Reverse Proxy with router forwarded ports, though I removed all that in favor of using Tailscale early last month.

My thought is that while I had some of my server exposed, something was able to breach it and somehow install something into this Calibre (though Calibre was not one of the proxied containers).

I had only proxied my media applications like Jellyfin and Jellyseer, etc.

The weird thing is that this showed up after all my port forwards and proxies were removed from the server.

Perhaps when I restarted the server to apply the 7.2.4 update this triggered something that had been downloaded previously?

---

I'm not sure what I should do now. This server is primarily a media server for my family (the reason anything was proxied in the first place) and I don't have a way to back up all the media separately to do a full wipe and start from scratch.

Is there a way to scan and verify that everything is good now? While I have been using Unraid and Linux for a few years now, I would hardly call myself more than an average user and don't have experience in malware detection.

I obviously made a mistake somewhere when configuring my proxy but am no longer using any of that. VPN or same network access only for me from now on. I just want to make sure I am not still compromised and a threat.

Does anyone have any experience cleaning this kind of thing up or verifying that things are back to normal?

  • Community Expert

Recommend recreating all the containers. Also, check your go file and extra folder on the flash drive, or post the diags, to see if something was added there.
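
As an added example (not from anyone in this thread), the script below does the two checks discussed above from the host shell instead of by hand: it walks every running container with `docker top` and reports processes whose command matches a known miner name, and it lists the go file and extra folder on the flash drive. The miner name list and the Unraid paths `/boot/config/go` and `/boot/extra` are assumptions; `MINER_PATTERN` is a constructed sample to extend.

```shell
#!/bin/sh
# Added example: locate a miner process per container and list the flash
# drive locations the thread mentions. Assumes the docker CLI is on PATH.

# Constructed sample of miner binary names; extend as needed.
MINER_PATTERN='xmrig|minerd|cpuminer|kdevtmpfsi'

# flag_miner_lines: read process listing lines on stdin (ps or docker top
# output) and print only the lines whose command matches MINER_PATTERN.
# "|| true" keeps the exit status 0 when nothing matches; callers inspect
# the printed output rather than the return code.
flag_miner_lines() {
    grep -Ei "$MINER_PATTERN" || true
}

# scan_containers: for every running container, run docker top and print
# the container name followed by any flagged process lines.
# Returns 1 if at least one container had a hit, 0 otherwise.
scan_containers() {
    found=0
    for c in $(docker ps --format '{{.Names}}'); do
        hits=$(docker top "$c" 2>/dev/null | flag_miner_lines)
        if [ -n "$hits" ]; then
            found=1
            printf 'container %s:\n%s\n' "$c" "$hits"
        fi
    done
    return $found
}

# check_flash: show the go file and the contents of the extra folder so
# anything that was added there stands out (assumed Unraid flash paths).
check_flash() {
    echo '--- /boot/config/go ---'
    cat /boot/config/go 2>/dev/null
    echo '--- /boot/extra ---'
    ls -la /boot/extra 2>/dev/null
}

# Only run the live checks when executed directly, not when sourced.
if [ "${0##*/}" = "miner_check.sh" ]; then
    scan_containers || echo 'miner process found in at least one container'
    check_flash
fi
```

Save it as miner_check.sh and run it from the Unraid terminal; a hit names the container so you can stop and recreate just that one first.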

  • Author

Thanks for the reply Jorge.

I did some port scans on my router and found that my server was set up for IP passthrough.

This was not intentional and has been disabled, but I am going to go the full wipe route because I don't want to risk anything at this point.

I've pulled out about 800GB of data that I can't deal with losing and I'll just have to start the long process of re-ripping my media.

I have a new USB drive I'll use, and I'll reformat all the HDDs to make sure everything is clean.
