June 24Jun 24 I run a Unifi UDM Pro as my firewall at home and a few weeks ago, I received a notification from my router describing an intrusion prevention and providing a signature for “ET MALWARE BPFDoor CnC Domain in DNS Lookup”. I took down all my servers (e.g. Ubuntu, Proxmox and Unraid) and researched the issue. I found a scrip on Github (https://github.com/rapid7/Rapid7-Labs/tree/main/BPFDoor) that helps detecting this malware. The script “found” traces of the malware on most of my servers, except one, which runs Ubuntu 24.04.4 LTS. I also tested my Unraid installation and it found traces of the malware, so it took me a few days but I wiped every disc (HHDs, USB, NVMEs) in the server and re-installed a fresh install of Unraid. After the server was back up and running, the first thing I did was to re-run the script and it found traces of the malware again! This is why I am wondering if this is not a false positive. The log file created by the script is attached, with a number of "CRITICAL" warnings, similar to what was found before the re-install. Any insight would be appreciated. Thank you. bpfdoor_report_NewServer_2026-06-23_19-41-30.log
June 25Jun 25 Community Expert Solution I read through your log and your description carefully. In my opinion this is a false positive, and I'll explain why.The tell is that it survived a full wipe and clean install. Nothing malicious comes back byte-identical from the stock Unraid image, but the OS does, and the OS is all it's flagging. Every CRITICAL is the same process, emhttpd (Unraid's own daemon), plus its normal libraries.The only thing worth a look is your original UDM alert: check which LAN device did that DNS lookup. The domains are sinkholed anyway.If you want a second opinion from something more reliable than that heuristic script, run a signature-based scanner. THOR Lite uses curated YARA/IOC rules instead of guesswork and won't light up on stock libraries the way this one did. It's free.1. Get THOR Lite + license > https://www.nextron-systems.com/thor-lite/Download the Linux package.2. Drop the zip and the license.txt onto the appdata share over SMB, i.e. \appdata\thor-lite\.Then SSH:cd /mnt/user/appdata/thor-liteunzip thor-lite-linux_10.7.30.zip #the name of zip./thor-lite-util updateThen: ./thor-lite-linux-64 --soft \ -p /usr -p /bin -p /sbin -p /lib -p /lib64 \ -p /etc -p /opt -p /root -p /tmp -p /dev/shm -p /var -p /boot \ --htmlfile /mnt/user/appdata/thor-lite/thor_report.htmlWhen it finishes it writes thor_report.html. If you see an Alert/Warning with a real rule name (e.g. a BPFDoor YARA rule), that's worth a closer look. Based on everything in your log, expect a clean result.No uninstallation needed, just delete the folder /thor-lite
June 26Jun 26 Author @Lazaros Chalkidis Thank you very much for the feedback. Makes sense. After I have ran THOR lite, I will let you know about the results. Thank you again.
Wednesday at 04:15 PM5 days Author @Lazaros Chalkidis I ran the THOR lite scanner on a brand new install using the cmd prompt you recommended, and attached is an extract of the log. Bottom line, I got 3 warnings but I believe they can be ignored. Again, thank you for the assistance. Jun 30 20 34 55 THOR.txt
Wednesday at 04:22 PM5 days Community Expert 5 minutes ago, AlainB said:@Lazaros Chalkidis I ran the THOR lite scanner on a brand new install using the cmd prompt you recommended, and attached is an extract of the log. Bottom line, I got 3 warnings but I believe they can be ignored. Again, thank you for the assistance.Jun 30 20 34 55 THOR.txtCorrect, ignore all three. They're stock Unraid GUI files (Feedback.php, FileSystemStatus.php, LanguageReset.php) and the webshell rule just trips because they legitimately call exec/shell_exec. I got byte-identical hashes on my own clean box, and THOR (which carries BPFDoor signatures and scans memory) reported zero alerts. You're clean :)
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.