Has anyone successfully gotten their unraid back after Ransomware?



1 hour ago, brianbrifri said:

Does anyone know if this constitutes a valid login from an ip address?


Sep 11 10:37:35 Balrog vsftpd[20048]: connect from 172.105.218.213 (172.105.218.213)

 

They connected, so technically it's valid. If you do a whois on the IP, it's from Linode; they sell VPS.

Source:  whois.arin.net
IP Address:  172.105.218.213
Name:  LINODE-US
Handle:  NET-172-104-0-0-1
Registration Date:  6/19/15
Range:  172.104.0.0-172.105.255.255
Org:  Linode
Org Handle:  LINOD
Address:  329 E. Jimmie Leeds Road
Suite A
City:  Galloway
State/Province:  NJ
Postal Code:  08205
Country:  United States
 
Link to comment
  • 2 weeks later...

This is a little embarrassing... So I found out most likely why/how I got hacked.

 

So, in my quest a while ago to get hairpin NAT working on my router, I put my server's IP address in the DMZ for my router. I had no idea what that was, probably came across some stupid recommendation to put my ip address in there as it "redirects all traffic there". Sounded great at the time. Guess I forgot to remove it from there after I realized that didn't solve my issue. Days later...hacked. Fast forward to yesterday when I was going through my router's settings, saw the ip address of my router there, did more research into the DMZ, then my palm met my forehead BIG TIME. 

 

Anyway, lesson learned! My router is not compromised. I am lol

Link to comment
1 minute ago, brianbrifri said:

This is a little embarrassing... So I found out most likely why/how I got hacked.

 

So, in my quest a while ago to get hairpin NAT working on my router, I put my server's IP address in the DMZ for my router. I had no idea what that was, probably came across some stupid recommendation to put my ip address in there as it "redirects all traffic there". Sounded great at the time. Guess I forgot to remove it from there after I realized that didn't solve my issue. Days later...hacked. Fast forward to yesterday when I was going through my router's settings, saw the ip address of my router there, did more research into the DMZ, then my palm met my forehead BIG TIME. 

 

Anyway, lesson learned! My router is not compromised. I am lol

 

Well, I think you deserve credit for admitting it, we've all done stupid stuff at some point, but putting your hands up to it is not something many find easy.  

 

 

Mine are too numerous to count but I'm most "proud" of running

rm -rf /

which led me to receive an error message

rm: it is dangerous to operate recursively on '/'
rm: use --no-preserve-root to override this failsafe

So then I ran.....

rm -rf / --no-preserve-root

Then my laptop screen went a bit crazy and I hosed my install, with no backups. I was lucky there wasn't anything important removed except my dignity.

 

In my head, at the time, I was in a subdirectory and wanted to delete everything in it......

 

Link to comment
2 minutes ago, CHBMB said:

 

Well, I think you deserve credit for admitting it, we've all done stupid stuff at some point, but putting your hands up to it is not something many find easy.  

 

 

Mine are too numerous to count but I'm most "proud" of running


rm -rf /

which led me to receive an error message


rm: it is dangerous to operate recursively on '/'
rm: use --no-preserve-root to override this failsafe

So then I ran.....


rm -rf / --no-preserve-root

Then my laptop screen went a bit crazy and I hosed my install, with no backups. I was lucky there wasn't anything important removed except my dignity.

 

In my head, at the time, I was in a subdirectory and wanted to delete everything in it......

 

 

Oh man. That is up there on the list of things to not do haha. I'm currently in the middle of nuking everything since I can't be certain if anything isn't compromised. Fresh start ftw!

Link to comment
34 minutes ago, brianbrifri said:

This is a little embarrassing... So I found out most likely why/how I got hacked.

 

So, in my quest a while ago to get hairpin NAT working on my router, I put my server's IP address in the DMZ for my router. I had no idea what that was, probably came across some stupid recommendation to put my ip address in there as it "redirects all traffic there". Sounded great at the time. Guess I forgot to remove it from there after I realized that didn't solve my issue. Days later...hacked. Fast forward to yesterday when I was going through my router's settings, saw the ip address of my router there, did more research into the DMZ, then my palm met my forehead BIG TIME. 

 

Anyway, lesson learned! My router is not compromised. I am lol

Me too. I was new to this whole thing and did the same thing. Within hours unRAID was reporting 100's of logins; fortunately I had absolutely no data on the drives yet, and folks here knew what I did wrong! Could not fathom how quickly it all took place.

Link to comment
1 minute ago, mrbilky said:

Me too. I was new to this whole thing and did the same thing. Within hours unRAID was reporting 100's of logins; fortunately I had absolutely no data on the drives yet, and folks here knew what I did wrong! Could not fathom how quickly it all took place.

I'm not the only one to do this?? Well, you got luckier than I did.

Link to comment
  • 4 months later...
On 9/19/2018 at 8:27 PM, ijuarez said:

I posted my IP once and within hours my router had locked up. Not unraid but pfsense did a great job after some several hundred tries it just shut down the internet

pfSense for the WIN!
 

I read this entire thread for 4 reasons.

 

1. To see if OP recovered data

2. To ask why unRAID was facing the internet (appears to be an accident)

3. How/Why hack happened answers #2

4. To make sure someone tells OP to run pfSense.

 

LOL

 

Also OP, the unRAID box was facing the internet, how did they guess the password and actually ssh into the box? Was it an easy password? Does it appear in the logs that they just brute forced (1000's of logins)? Shouldn't unRAID have locked down after several failed attempts?

Link to comment
1 hour ago, squirrelslikenuts said:

I read this entire thread for 4 reasons.

 

1. To see if OP recovered data

2. To ask why unRAID was facing the internet (appears to be an accident)

3. How/Why hack happened answers #2

4. To make sure someone tells OP to run pfSense.

 

LOL

 

Also OP, the unRAID box was facing the internet, how did they guess the password and actually ssh into the box? Was it an easy password? Does it appear in the logs that they just brute forced (1000's of logins)? Shouldn't unRAID have locked down after several failed attempts?

Lol! 

1. I did not recover my data

2. Definitely an accident 

3. Put unraid ip in the dmz like an idiot 

4. Haven't setup pfsense yet 

 

It was not an easy password. It was either brute forced or there is some security flaw in SSH they exploited. I kept turning SSH off in unraid but they were able to keep turning it back on somehow. I don't think unraid blocks further SSH attempts after several failed ones? 

Link to comment
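The question above about whether the logs show a brute force (thousands of logins) and whether anything locked down after repeated failures, together with the vsftpd "connect from" line and the whois range earlier in the thread, is the kind of thing you can check from the syslog with a few lines of code. The following is an added Python example, not code from this thread, from unRAID or from any forum member. It assumes OpenSSH's standard "Failed password for ... from ..." / "Accepted password for ... from ..." message format behind the usual syslog prefix; the sshd lines, the addresses 203.0.113.7 and 198.51.100.4 and the threshold of five failures are constructed samples, and only the vsftpd line and the Linode address range come from the thread.

```python
"""Added example: spot SSH brute-force activity in syslog-style lines.

Not from the unRAID forum thread. The sshd lines below are constructed
samples in OpenSSH's log format; only the vsftpd line is from the thread.
"""
import ipaddress
import re
from collections import Counter

# Syslog prefix as it appears on the page: "Sep 11 10:37:35 Balrog vsftpd[20048]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
# Standard OpenSSH messages (assumed format, not taken from the thread)
SSH_FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
SSH_OK_RE = re.compile(r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FTP_CONNECT_RE = re.compile(r"^connect from (?P<ip>[\d.]+)")

# Constructed sample log, in the order the events would arrive.
SAMPLE_LINES = [
    "Sep 11 10:37:35 Balrog vsftpd[20048]: connect from 172.105.218.213 (172.105.218.213)",
] + [
    f"Sep 12 03:14:0{i} Balrog sshd[30{i}0]: Failed password for root from 203.0.113.7 port 5102{i} ssh2"
    for i in range(1, 7)
] + [
    "Sep 12 03:14:09 Balrog sshd[3090]: Accepted password for root from 203.0.113.7 port 51100 ssh2",
    "Sep 12 03:20:00 Balrog sshd[3200]: Failed password for invalid user admin from 198.51.100.4 port 40001 ssh2",
    "Sep 12 03:20:01 Balrog kernel: eth0: link up",  # unrelated line, ignored
]


def parse_line(line):
    """Return (program, event, ip, user) for lines of interest, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    if prog == "sshd":
        f = SSH_FAIL_RE.match(msg)
        if f:
            return ("sshd", "fail", f.group("ip"), f.group("user"))
        a = SSH_OK_RE.match(msg)
        if a:
            return ("sshd", "accept", a.group("ip"), a.group("user"))
    elif prog == "vsftpd":
        c = FTP_CONNECT_RE.match(msg)
        if c:
            return ("vsftpd", "connect", c.group("ip"), None)
    return None


def analyse(lines, fail_threshold=5):
    """Count failed SSH logins per source IP and flag the ones worth looking at.

    A successful login from an IP that already had failures is the signal a
    defender cares about most: it is what a completed brute force looks like.
    """
    failures = Counter()
    accepted_after_fail = []
    ftp_sources = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        _prog, kind, ip, user = ev
        if kind == "fail":
            failures[ip] += 1
        elif kind == "accept" and failures[ip] > 0:
            accepted_after_fail.append((ip, user, failures[ip]))
        elif kind == "connect":
            ftp_sources.add(ip)
    suspects = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return {
        "suspects": suspects,
        "accepted_after_fail": accepted_after_fail,
        "ftp_sources": sorted(ftp_sources),
    }


def in_range(ip, first, last):
    """True if ip lies in the inclusive whois-style range first..last."""
    return ipaddress.ip_address(first) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(last)


if __name__ == "__main__":
    report = analyse(SAMPLE_LINES)
    print("IPs over the failure threshold:", report["suspects"])
    print("Logins accepted after earlier failures:", report["accepted_after_fail"])
    for src in report["ftp_sources"]:
        # The Linode range is the one from the whois output earlier in the thread.
        print(src, "in Linode range:", in_range(src, "172.104.0.0", "172.105.255.255"))
```

Run against a real unRAID syslog you would feed the file's lines to `analyse()` instead of `SAMPLE_LINES`; the first thing to look for in the output is an entry in `accepted_after_fail`, since a root login that follows a run of failures from the same source is the simplest evidence that the password was guessed rather than leaked.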
2 hours ago, brianbrifri said:

Lol! 

1. I did not recover my data

2. Definitely an accident 

3. Put unraid ip in the dmz like an idiot 

4. Haven't setup pfsense yet 

 

It was not an easy password. It was either brute forced or there is some security flaw in SSH they exploited. I kept turning SSH off in unraid but they were able to keep turning it back on somehow. I don't think unraid blocks further SSH attempts after several failed ones? 

Thanks for the response! Questions 1-3/4 were pretty much answered. I was just recounting my interest. 

 

Definitely look at pfSense and known blocklists... Almost anything in china/russia isn't needed for daily use.

 

Was the data encrypted or uploaded as you speculated earlier?

Link to comment
1 minute ago, squirrelslikenuts said:

Thanks for the response! Questions 1-3/4 were pretty much answered. I was just recounting my interest. 

 

Definitely look at pfSense and known blocklists... Almost anything in china/russia isn't needed for daily use.

 

Was the data encrypted or uploaded as you speculated earlier?

No problem! 

It was definitely uploaded (or erased and they lied). Symmetrical Gigabit Internet problems haha 

Link to comment
On 9/19/2018 at 10:14 PM, CHBMB said:

 

Well, I think you deserve credit for admitting it, we've all done stupid stuff at some point, but putting your hands up to it is not something many find easy.  

 

 

Mine are too numerous to count but I'm most "proud" of running


rm -rf /

which led me to receive an error message


rm: it is dangerous to operate recursively on '/'
rm: use --no-preserve-root to override this failsafe

So then I ran.....


rm -rf / --no-preserve-root

Then my laptop screen went a bit crazy and I hosed my install, with no backups. I was lucky there wasn't anything important removed except my dignity.

 

In my head, at the time, I was in a subdirectory and wanted to delete everything in it......

 

Have you seen the Linux Sucks series by Bryan Lunduke? They're really well done. The CEO of RedHat actually did the same thing so don't feel so bad :)

 

Link to comment
9 minutes ago, ijuarez said:

We all got to learn someday ...

Exactly! I once ran a SQL update query without a WHERE clause and updated all the selling prices for all the items in a Live store to $1.00.

 

It was weird when someone brought a chain saw to the cashier and it scanned with that price. The cashier looked at me and I looked back and I knew I darn f$%*d up.

 

Never made that mistake again :)
 

Link to comment
20 hours ago, squirrelslikenuts said:

haha 1st world internet problems.. lol !

 

so they "took" the data , deleted and requested ransom? What was the fee?

Yup. 0.06 Bitcoin, or about $500 at the time, just when it spiked lol. I did buy the Bitcoin but never paid the ransom... Now I'm down to half the value it was when I bought it :(

Link to comment

Brian, thank you for your persistence through that loss and following through with the detective work! It helped me relax after reading the title of your thread, and possibly helped prevent me from making a similar mistake.

PS:
I still don't have personal data on my unRAID as I am still learning the ins and outs of the OS... but threads like this help me error proof my setup!

 

Edited by nasforthemass
Ps: section
Link to comment
7 minutes ago, nasforthemass said:

Brian, thank you for your persistence through that loss and following through with the detective work! It helped me relax after reading the title of your thread, and possibly helped prevent me from making a similar mistake.

PS:
I still don't have personal data on my unRAID as I am still learning the ins and outs of the OS... but threads like this help me error proof my setup!

 

You're welcome!

Link to comment