September 11, 20187 yr Author Does anyone know if this constitutes a valid login from an ip address? Sep 11 10:37:35 Balrog vsftpd[20048]: connect from 172.105.218.213 (172.105.218.213)
September 11, 20187 yr 1 hour ago, brianbrifri said: Does anyone know if this constitutes a valid login from an ip address? Sep 11 10:37:35 Balrog vsftpd[20048]: connect from 172.105.218.213 (172.105.218.213) they connected so technically its valid if you do a who is on the ip is from Linode, they sell VPS. Source: whois.arin.net IP Address: 172.105.218.213 Name: LINODE-US Handle: NET-172-104-0-0-1 Registration Date: 6/19/15 Range: 172.104.0.0-172.105.255.255 Org: Linode Org Handle: LINOD Address: 329 E. Jimmie Leeds Road Suite A City: Galloway State/Province: NJ Postal Code: 08205 Country: United States
September 19, 20187 yr Author This is a little embarassing...So I found out most likely why/how I got hacked. So, in my quest a while ago to get hairpin NAT working on my router, I put my server's IP address in the DMZ for my router. I had no idea what that was, probably came across some stupid recommendation to put my ip address in there as it "redirects all traffic there". Sounded great at the time. Guess I forgot to remove it from there after I realized that didn't solve my issue. Days later...hacked. Fast forward to yesterday when I was going through my router's settings, saw the ip address of my router there, did more research into the DMZ, then my palm met my forehead BIG TIME. Anyway, lesson learned! My router is not compromised. I am lol
September 19, 20187 yr 1 minute ago, brianbrifri said: This is a little embarassing...So I found out most likely why/how I got hacked. So, in my quest a while ago to get hairpin NAT working on my router, I put my server's IP address in the DMZ for my router. I had no idea what that was, probably came across some stupid recommendation to put my ip address in there as it "redirects all traffic there". Sounded great at the time. Guess I forgot to remove it from there after I realized that didn't solve my issue. Days later...hacked. Fast forward to yesterday when I was going through my router's settings, saw the ip address of my router there, did more research into the DMZ, then my palm met my forehead BIG TIME. Anyway, lesson learned! My router is not compromised. I am lol Well, I think you deserve credit for admitting it, we've all done stupid stuff at some point, but putting your hands up to it is not something many find easy. Mine are too numerous to count but I'm most "proud" of running rm -rf / which led me to receive an error message rm: it is dangerous to operate recursively on '/' rm: use --no-preserve-root to override this failsafe So then I ran..... rm -rf / --no-preserve-root Then my laptop screen went a bit crazy and I hosed my install, with no backups, I was lucky there wasn't anything important removed except my dignity. In my head, at the time, I was in a subdirectory and wanted to delete everything in it......
September 19, 20187 yr Author 2 minutes ago, CHBMB said: Well, I think you deserve credit for admitting it, we've all done stupid stuff at some point, but putting your hands up to it is not something many find easy. Mine are too numerous to count but I'm most "proud" of running rm -rf / which led me to receive an error message rm: it is dangerous to operate recursively on '/' rm: use --no-preserve-root to override this failsafe So then I ran..... rm -rf / --no-preserve-root Then my laptop screen went a bit crazy and I hosed my install, with no backups, I was lucky there wasn't anything important removed except my dignity. In my head, at the time, I was in a subdirectory and wanted to delete everything in it...... Oh man. That is up there on the list of things to not do haha. I'm currently in the middle of nuking everything since I can't be certain if anything isn't compromised. Fresh start ftw!
September 19, 20187 yr 34 minutes ago, brianbrifri said: This is a little embarassing...So I found out most likely why/how I got hacked. So, in my quest a while ago to get hairpin NAT working on my router, I put my server's IP address in the DMZ for my router. I had no idea what that was, probably came across some stupid recommendation to put my ip address in there as it "redirects all traffic there". Sounded great at the time. Guess I forgot to remove it from there after I realized that didn't solve my issue. Days later...hacked. Fast forward to yesterday when I was going through my router's settings, saw the ip address of my router there, did more research into the DMZ, then my palm met my forehead BIG TIME. Anyway, lesson learned! My router is not compromised. I am lol Me too was new to this whole thing and did the same thing within hours unRAID was reporting 100's of logins fortunately I had absolutely no data on the drives yet and folks here new what I did wrong! Could not fathom how quickly it all took place.
September 19, 20187 yr Author 1 minute ago, mrbilky said: Me too was new to this whole thing and did the same thing within hours unRAID was reporting 100's of logins fortunately I had absolutely no data on the drives yet and folks here new what I did wrong! Could not fathom how quickly it all took place. I'm not the only one to do this?? Well you got more lucky than I did
September 19, 20187 yr Just now, brianbrifri said: I'm not the only one to do this?? Well you got more lucky than I did haha yeah I thought you wouldn't mind me stealing some of your thunder😀
September 19, 20187 yr Author 10 minutes ago, mrbilky said: haha yeah I thought you wouldn't mind me stealing some of your thunder😀 Not at all!
September 20, 20187 yr I posted my IP once and within hours my router had locked up. Not unraid but pfsense did a great job after some several hundred tries it just shut down the internetpfSense for the WIN!Sent from my BND-L34 using Tapatalk
February 17, 20197 yr On 9/19/2018 at 8:27 PM, ijuarez said: I posted my IP once and within hours my router had locked up. Not unraid but pfsense did a great job after some several hundred tries it just shut down the internet pfSense for the WIN! I read this entire thread for 4 reasons. 1. To see if OP recovered data 2. To ask why unRAID was facing the internet (appears to be an accident) 3. How/Why hack happened answers #2 4. To make sure someone tells OP to run pfSense. LOL Also OP, the unRAID box was facing the internet, how did they guess the password and actually ssh into the box? Was it an easy password? Does it appear in the logs that they just brute forced (1000's of logins)? Shouldn't unRAID have locked down after several failed attempts?
February 17, 20197 yr Author 1 hour ago, squirrelslikenuts said: I read this entire thread for 4 reasons. 1. To see if OP recovered data 2. To ask why unRAID was facing the internet (appears to be an accident) 3. How/Why hack happened answers #2 4. To make sure someone tells OP to run pfSense. LOL Also OP, the unRAID box was facing the internet, how did they guess the password and actually ssh into the box? Was it an easy password? Does it appear in the logs that they just brute forced (1000's of logins)? Shouldn't unRAID have locked down after several failed attempts? Lol! 1. I did not recover my data 2. Definitely an accident 3. Put unraid ip in the dmz like an idiot 4. Haven't setup pfsense yet It was not an easy password. It was either brute forced or there is some security flaw in SSH they exploited. I kept turning SSH off in unraid but they were able to keep turning it back on somehow. I don't think unraid blocks further SSH attempts after several failed ones?
February 17, 20197 yr 2 hours ago, brianbrifri said: Lol! 1. I did not recover my data 2. Definitely an accident 3. Put unraid ip in the dmz like an idiot 4. Haven't setup pfsense yet It was not an easy password. It was either brute forced or there is some security flaw in SSH they exploited. I kept turning SSH off in unraid but they were able to keep turning it back on somehow. I don't think unraid blocks further SSH attempts after several failed ones? Thanks for the response! Questions 1-3/4 were pretty much answered. I was just recounting my interest. Defiantly look at pfSense and known blocklists... Almost anything in china/russia isn't needed for daily use. Was the data encrypted or uploaded as you speculated earlier?
February 17, 20197 yr Author 1 minute ago, squirrelslikenuts said: Thanks for the response! Questions 1-3/4 were pretty much answered. I was just recounting my interest. Defiantly look at pfSense and known blocklists... Almost anything in china/russia isn't needed for daily use. Was the data encrypted or uploaded as you speculated earlier? No problem! It was definitely uploaded (or erased and they lied). Symmetrical Gigabit Internet problems haha
February 17, 20197 yr 1 minute ago, brianbrifri said: No problem! It was definitely uploaded (or erased and they lied). Symmetrical Gigabit Internet problems haha haha 1st world internet problems.. lol ! so they "took" the data , deleted and requested ransom? What was the fee?
February 18, 20197 yr On 9/19/2018 at 10:14 PM, CHBMB said: Well, I think you deserve credit for admitting it, we've all done stupid stuff at some point, but putting your hands up to it is not something many find easy. Mine are too numerous to count but I'm most "proud" of running rm -rf / which led me to receive an error message rm: it is dangerous to operate recursively on '/' rm: use --no-preserve-root to override this failsafe So then I ran..... rm -rf / --no-preserve-root Then my laptop screen went a bit crazy and I hosed my install, with no backups, I was lucky there wasn't anything important removed except my dignity. In my head, at the time, I was in a subdirectory and wanted to delete everything in it...... Have you seen the Linux Sucks series by Bryan Lunduke. They're really well done. The CEO of RedHat actually did the same thing so don't feel so bad
February 18, 20197 yr 3 hours ago, yusuflimz said: Have you seen the Linux Sucks series by Bryan Lunduke. They're really well done. The CEO of RedHat actually did the same thing so don't feel so bad We all got to learn someday ...
February 18, 20197 yr 9 minutes ago, ijuarez said: We all got to learn someday ... Exactly! I once ran a SQL update query without a WHERE clause and updated all the selling prices for all the items in a Live store to $1.00. It was weird when someone brought a chain saw to the cashier and it scanned with that price. The cashier looked at me and I looked back and I knew i darn f$%*d up. Never made that mistake again
February 18, 20197 yr Author 20 hours ago, squirrelslikenuts said: haha 1st world internet problems.. lol ! so they "took" the data , deleted and requested ransom? What was the fee? Yup. .06 Bitcoin, or about $500 at the time, just when it spiked lol I did buy the Bitcoin but never paid the ransom... Now I'm down to half the value it was when I bought it
February 18, 20197 yr brian, thank you for your persistence through that loss and following through with the detective work! it helped me relax after reading the title of your thread. and possibly help prevent me from making a similar mistake. ps: i still dont have personal data on my unraid as i am still learning the ins and outs of the os... but threads like this help me error proof my setup! Edited February 18, 20197 yr by nasforthemass Ps: section
February 18, 20197 yr Author 7 minutes ago, nasforthemass said: brian, thank you for your persistence through that loss and following through with the detective work! it helped me relax after reading the title of your thread. and possibly help prevent me from making a similar mistake. ps: i still dont have personal data on my unraid as i am still learning the ins and outs of the os... but threads like this help me error proof my setup! You're welcome!
Archived
This topic is now archived and is closed to further replies.