Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

BPFDoor Malware – False Positive?

Featured Replies

I run a Unifi UDM Pro as my firewall at home and a few weeks ago, I received a notification from my router describing an intrusion prevention and providing a signature for “ET MALWARE BPFDoor CnC Domain in DNS Lookup”. I took down all my servers (e.g. Ubuntu, Proxmox and Unraid) and researched the issue. I found a scrip on Github (https://github.com/rapid7/Rapid7-Labs/tree/main/BPFDoor) that helps detecting this malware. The script “found” traces of the malware on most of my servers, except one, which runs Ubuntu 24.04.4 LTS. I also tested my Unraid installation and it found traces of the malware, so it took me a few days but I wiped every disc (HHDs, USB, NVMEs) in the server and re-installed a fresh install of Unraid. After the server was back up and running, the first thing I did was to re-run the script and it found traces of the malware again! This is why I am wondering if this is not a false positive. The log file created by the script is attached, with a number of "CRITICAL" warnings, similar to what was found before the re-install. Any insight would be appreciated. Thank you.

bpfdoor_report_NewServer_2026-06-23_19-41-30.log

Solved by Lazaros Chalkidis

  • Community Expert
  • Solution

I read through your log and your description carefully. In my opinion this is a false positive, and I'll explain why.

The tell is that it survived a full wipe and clean install. Nothing malicious comes back byte-identical from the stock Unraid image, but the OS does, and the OS is all it's flagging. Every CRITICAL is the same process, emhttpd (Unraid's own daemon), plus its normal libraries.

The only thing worth a look is your original UDM alert: check which LAN device did that DNS lookup. The domains are sinkholed anyway.

If you want a second opinion from something more reliable than that heuristic script, run a signature-based scanner. THOR Lite uses curated YARA/IOC rules instead of guesswork and won't light up on stock libraries the way this one did. It's free.

1. Get THOR Lite + license > https://www.nextron-systems.com/thor-lite/

Download the Linux package.

2. Drop the zip and the license.txt onto the appdata share over SMB, i.e. \appdata\thor-lite\.

Then SSH:

cd /mnt/user/appdata/thor-lite

unzip thor-lite-linux_10.7.30.zip #the name of zip

./thor-lite-util update

Then:

./thor-lite-linux-64 --soft \

-p /usr -p /bin -p /sbin -p /lib -p /lib64 \

-p /etc -p /opt -p /root -p /tmp -p /dev/shm -p /var -p /boot \

--htmlfile /mnt/user/appdata/thor-lite/thor_report.html

When it finishes it writes thor_report.html. If you see an Alert/Warning with a real rule name (e.g. a BPFDoor YARA rule), that's worth a closer look.

Based on everything in your log, expect a clean result.

No uninstallation needed, just delete the folder /thor-lite

  • Author

@Lazaros Chalkidis Thank you very much for the feedback. Makes sense. After I have ran THOR lite, I will let you know about the results. Thank you again.

  • Author

@Lazaros Chalkidis I ran the THOR lite scanner on a brand new install using the cmd prompt you recommended, and attached is an extract of the log. Bottom line, I got 3 warnings but I believe they can be ignored. Again, thank you for the assistance.

Jun 30 20 34 55 THOR.txt

  • Community Expert
5 minutes ago, AlainB said:

@Lazaros Chalkidis I ran the THOR lite scanner on a brand new install using the cmd prompt you recommended, and attached is an extract of the log. Bottom line, I got 3 warnings but I believe they can be ignored. Again, thank you for the assistance.

Jun 30 20 34 55 THOR.txt

Correct, ignore all three. They're stock Unraid GUI files (Feedback.php, FileSystemStatus.php, LanguageReset.php) and the webshell rule just trips because they legitimately call exec/shell_exec. I got byte-identical hashes on my own clean box, and THOR (which carries BPFDoor signatures and scans memory) reported zero alerts. You're clean :)

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.