brianbrifri (thread author), posted September 11, 2018:
Does anyone know if this constitutes a valid login from an IP address?
Sep 11 10:37:35 Balrog vsftpd[20048]: connect from 172.105.218.213 (172.105.218.213)
ijuarez, posted September 11, 2018:
Quoting brianbrifri: "Does anyone know if this constitutes a valid login from an IP address? Sep 11 10:37:35 Balrog vsftpd[20048]: connect from 172.105.218.213 (172.105.218.213)"
They connected, so technically it's valid. If you do a whois on the IP, it's from Linode; they sell VPS.
Source: whois.arin.net
IP Address: 172.105.218.213
Name: LINODE-US
Handle: NET-172-104-0-0-1
Registration Date: 6/19/15
Range: 172.104.0.0-172.105.255.255
Org: Linode
Org Handle: LINOD
Address: 329 E. Jimmie Leeds Road Suite A
City: Galloway
State/Province: NJ
Postal Code: 08205
Country: United States
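A worked example of the distinction the question above turns on, added here and not part of the original thread. The "connect from" line brianbrifri posted is the tcp_wrappers-style message vsftpd logs when a TCP connection is accepted; it says nothing about whether anyone authenticated. The vsftpd.log lines below ("CONNECT:", "OK LOGIN:", "FAIL LOGIN:") are constructed sample data in the format I am assuming vsftpd writes with its own log style enabled; the client addresses, usernames and timestamps are made up, not from the server in the thread. The script separates TCP connects from login attempts and gives a per-IP verdict.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. Line 1 is the syslog-style "connect from" message seen in
# the thread; the remaining lines are ASSUMED vsftpd.log format, with made-up clients.
SAMPLE_LOG = """\
Sep 11 10:37:35 Balrog vsftpd[20048]: connect from 172.105.218.213 (172.105.218.213)
Tue Sep 11 10:37:35 2018 [pid 20048] CONNECT: Client "172.105.218.213"
Tue Sep 11 10:37:36 2018 [pid 20047] [anonymous] FAIL LOGIN: Client "172.105.218.213"
Tue Sep 11 10:37:38 2018 [pid 20047] [admin] FAIL LOGIN: Client "172.105.218.213"
Tue Sep 11 10:37:40 2018 [pid 20047] [root] FAIL LOGIN: Client "172.105.218.213"
Tue Sep 11 10:38:02 2018 [pid 20049] CONNECT: Client "10.0.0.5"
Tue Sep 11 10:38:03 2018 [pid 20048] [brian] OK LOGIN: Client "10.0.0.5"
"""

IPV4 = r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'

# Each pattern maps a line shape to an event kind. A "connect" is only a TCP accept;
# only the LOGIN lines tell you whether credentials were checked and what happened.
PATTERNS = [
    ("connect",      re.compile(r'vsftpd\[\d+\]: connect from ' + IPV4)),
    ("connect",      re.compile(r'CONNECT: Client "' + IPV4 + '"')),
    ("login_failed", re.compile(r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "' + IPV4 + '"')),
    ("login_ok",     re.compile(r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "' + IPV4 + '"')),
]


def classify(line):
    """Return (kind, ip, user-or-None) for a recognised line, else None."""
    for kind, pat in PATTERNS:
        m = pat.search(line)
        if m:
            return kind, m.group("ip"), m.groupdict().get("user")
    return None


def summarize(log_text):
    """Count connects, failed logins and successful logins per client IP."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        ev = classify(line)
        if ev:
            kind, ip, _user = ev
            per_ip[ip][kind] += 1
    return per_ip


def verdict(counts):
    """Turn an IP's counters into the answer to 'did they actually log in?'."""
    if counts["login_ok"]:
        return "AUTHENTICATED"
    if counts["login_failed"]:
        return "FAILED_ATTEMPTS_ONLY"
    if counts["connect"]:
        return "CONNECTED_NO_AUTH"
    return "NO_EVENTS"


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, dict(counts), verdict(counts))
```

With only the single "connect from" line from the thread as input, the verdict for 172.105.218.213 is CONNECTED_NO_AUTH: the address touched the FTP port, which by itself is neither a valid login nor evidence of one. The LOGIN lines (or the absence of any) are what decide it.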
brianbrifri (thread author), posted September 19, 2018:
This is a little embarrassing... So I found out most likely why/how I got hacked. So, in my quest a while ago to get hairpin NAT working on my router, I put my server's IP address in the DMZ for my router. I had no idea what that was; probably came across some stupid recommendation to put my IP address in there as it "redirects all traffic there". Sounded great at the time. Guess I forgot to remove it from there after I realized that didn't solve my issue. Days later... hacked. Fast forward to yesterday when I was going through my router's settings, saw the IP address of my router there, did more research into the DMZ, then my palm met my forehead BIG TIME. Anyway, lesson learned! My router is not compromised. I am, lol.
CHBMB, posted September 19, 2018:
Quoting brianbrifri: "This is a little embarrassing... So I found out most likely why/how I got hacked. So, in my quest a while ago to get hairpin NAT working on my router, I put my server's IP address in the DMZ for my router. I had no idea what that was; probably came across some stupid recommendation to put my IP address in there as it "redirects all traffic there". Sounded great at the time. Guess I forgot to remove it from there after I realized that didn't solve my issue. Days later... hacked. Fast forward to yesterday when I was going through my router's settings, saw the IP address of my router there, did more research into the DMZ, then my palm met my forehead BIG TIME. Anyway, lesson learned! My router is not compromised. I am, lol."
Well, I think you deserve credit for admitting it. We've all done stupid stuff at some point, but putting your hands up to it is not something many find easy. Mine are too numerous to count, but I'm most "proud" of running
rm -rf /
which led me to receive an error message:
rm: it is dangerous to operate recursively on '/'
rm: use --no-preserve-root to override this failsafe
So then I ran...
rm -rf / --no-preserve-root
Then my laptop screen went a bit crazy and I hosed my install, with no backups. I was lucky there wasn't anything important removed except my dignity. In my head, at the time, I was in a subdirectory and wanted to delete everything in it...
brianbrifri (thread author), posted September 19, 2018:
Quoting CHBMB: "Well, I think you deserve credit for admitting it. We've all done stupid stuff at some point, but putting your hands up to it is not something many find easy. Mine are too numerous to count, but I'm most "proud" of running rm -rf / which led me to receive an error message: rm: it is dangerous to operate recursively on '/' rm: use --no-preserve-root to override this failsafe. So then I ran... rm -rf / --no-preserve-root. Then my laptop screen went a bit crazy and I hosed my install, with no backups. I was lucky there wasn't anything important removed except my dignity. In my head, at the time, I was in a subdirectory and wanted to delete everything in it..."
Oh man. That is up there on the list of things not to do, haha. I'm currently in the middle of nuking everything since I can't be certain that anything isn't compromised. Fresh start FTW!
mrbilky, posted September 19, 2018:
Quoting brianbrifri: "This is a little embarrassing... So I found out most likely why/how I got hacked. So, in my quest a while ago to get hairpin NAT working on my router, I put my server's IP address in the DMZ for my router. I had no idea what that was; probably came across some stupid recommendation to put my IP address in there as it "redirects all traffic there". Sounded great at the time. Guess I forgot to remove it from there after I realized that didn't solve my issue. Days later... hacked. Fast forward to yesterday when I was going through my router's settings, saw the IP address of my router there, did more research into the DMZ, then my palm met my forehead BIG TIME. Anyway, lesson learned! My router is not compromised. I am, lol."
Me too. I was new to this whole thing and did the same thing; within hours unRAID was reporting hundreds of logins. Fortunately I had absolutely no data on the drives yet, and folks here knew what I did wrong! Could not fathom how quickly it all took place.
brianbrifri (thread author), posted September 19, 2018:
Quoting mrbilky: "Me too. I was new to this whole thing and did the same thing; within hours unRAID was reporting hundreds of logins. Fortunately I had absolutely no data on the drives yet, and folks here knew what I did wrong! Could not fathom how quickly it all took place."
I'm not the only one to do this?? Well, you got luckier than I did.
mrbilky, posted September 19, 2018:
Quoting brianbrifri: "I'm not the only one to do this?? Well, you got luckier than I did."
Haha, yeah, I thought you wouldn't mind me stealing some of your thunder 😀
brianbrifri (thread author), posted September 19, 2018:
Quoting mrbilky: "Haha, yeah, I thought you wouldn't mind me stealing some of your thunder 😀"
Not at all!
ijuarez, posted September 20, 2018:
I posted my IP once and within hours my router had locked up. Not unRAID, but pfSense did a great job: after several hundred tries it just shut down the internet. pfSense for the WIN!
squirrelslikenuts, posted February 17, 2019:
Quoting ijuarez: "I posted my IP once and within hours my router had locked up. Not unRAID, but pfSense did a great job: after several hundred tries it just shut down the internet. pfSense for the WIN!"
I read this entire thread for 4 reasons.
1. To see if OP recovered data
2. To ask why unRAID was facing the internet (appears to be an accident)
3. How/why the hack happened (answers #2)
4. To make sure someone tells OP to run pfSense. LOL
Also, OP, the unRAID box was facing the internet, but how did they guess the password and actually SSH into the box? Was it an easy password? Does it appear in the logs that they just brute forced it (thousands of logins)? Shouldn't unRAID have locked down after several failed attempts?
brianbrifri (thread author), posted February 17, 2019:
Quoting squirrelslikenuts: "I read this entire thread for 4 reasons. 1. To see if OP recovered data 2. To ask why unRAID was facing the internet (appears to be an accident) 3. How/why the hack happened (answers #2) 4. To make sure someone tells OP to run pfSense. LOL. Also, OP, the unRAID box was facing the internet, but how did they guess the password and actually SSH into the box? Was it an easy password? Does it appear in the logs that they just brute forced it (thousands of logins)? Shouldn't unRAID have locked down after several failed attempts?"
Lol!
1. I did not recover my data
2. Definitely an accident
3. Put the unRAID IP in the DMZ like an idiot
4. Haven't set up pfSense yet
It was not an easy password. It was either brute forced or there is some security flaw in SSH they exploited. I kept turning SSH off in unRAID but they were able to keep turning it back on somehow. I don't think unRAID blocks further SSH attempts after several failed ones?
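The two questions in the exchange above ("does it look like a brute force in the logs?" and "shouldn't it have locked down after several failures?") are exactly what a fail2ban-style detector answers from sshd's auth log. The following is an added example, not code from unRAID, pfSense or anyone in this thread, and I make no claim about what unRAID itself did or did not block in 2018. The log lines are constructed samples in the standard OpenSSH "Failed password for ... from ... port ..." / "Accepted ... for ..." format; the addresses, usernames and times are invented. The detector keeps a sliding window of failures per source IP, records when an IP crosses the lockout threshold, and, separately, flags any successful login that arrives while that IP is still over the threshold, which is the pattern of a brute force that eventually succeeded.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (OpenSSH syslog format, assumed; not from the
# thread's server). Syslog timestamps carry no year, so one is supplied when parsing.
SAMPLE_AUTH_LOG = """\
Sep 11 10:40:01 Balrog sshd[20101]: Failed password for root from 172.105.218.213 port 51012 ssh2
Sep 11 10:40:02 Balrog sshd[20103]: Failed password for root from 172.105.218.213 port 51014 ssh2
Sep 11 10:40:03 Balrog sshd[20105]: Failed password for invalid user admin from 172.105.218.213 port 51016 ssh2
Sep 11 10:40:04 Balrog sshd[20107]: Failed password for root from 172.105.218.213 port 51018 ssh2
Sep 11 10:40:05 Balrog sshd[20109]: Failed password for root from 172.105.218.213 port 51020 ssh2
Sep 11 10:40:06 Balrog sshd[20111]: Failed password for root from 172.105.218.213 port 51022 ssh2
Sep 11 10:40:09 Balrog sshd[20113]: Accepted password for root from 172.105.218.213 port 51024 ssh2
Sep 11 10:40:09 Balrog sshd[20113]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 11 10:41:00 Balrog sshd[20120]: Failed password for brian from 10.0.0.5 port 40000 ssh2
Sep 11 10:41:07 Balrog sshd[20122]: Accepted publickey for brian from 10.0.0.5 port 40001 ssh2
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+'
)


def parse(line, year=2018):
    """Parse one sshd auth line into a dict, or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def detect(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (blocked, indicators).

    blocked:    ip -> timestamp of the failure that crossed `threshold` within `window`
                (the moment a fail2ban-style rule would have banned the address).
    indicators: (ip, user, method, recent_failures) for each successful login from an
                address that was still over the threshold: a brute force that got in.
    """
    failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    blocked = {}
    indicators = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = failures[ip]
        while q and ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if not ev["ok"]:
            q.append(ts)
            if len(q) >= threshold and ip not in blocked:
                blocked[ip] = ts
        elif len(q) >= threshold:
            indicators.append((ip, ev["user"], ev["method"], len(q)))
    return blocked, indicators


if __name__ == "__main__":
    blocked, indicators = detect(SAMPLE_AUTH_LOG)
    for ip, when in blocked.items():
        print(f"would ban {ip} at {when:%H:%M:%S}")
    for ip, user, method, n in indicators:
        print(f"SUCCESS after {n} failures: {user}@{ip} via {method}")
```

On the sample data the attacker's address is over the threshold at its fifth failure (10:40:05), and its later "Accepted password for root" is reported as a success-after-brute-force indicator; the legitimate user's single typo followed by a key-based login does not trip either rule. A ban at the threshold would have happened before the accepted login, which is the point of running this as an active response rather than only as a report.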
squirrelslikenuts, posted February 17, 2019:
Quoting brianbrifri: "Lol! 1. I did not recover my data 2. Definitely an accident 3. Put the unRAID IP in the DMZ like an idiot 4. Haven't set up pfSense yet. It was not an easy password. It was either brute forced or there is some security flaw in SSH they exploited. I kept turning SSH off in unRAID but they were able to keep turning it back on somehow. I don't think unRAID blocks further SSH attempts after several failed ones?"
Thanks for the response! Questions 1-3/4 were pretty much answered; I was just recounting my interest. Definitely look at pfSense and known blocklists... Almost anything in China/Russia isn't needed for daily use. Was the data encrypted or uploaded, as you speculated earlier?
brianbrifri (thread author), posted February 17, 2019:
Quoting squirrelslikenuts: "Thanks for the response! Questions 1-3/4 were pretty much answered; I was just recounting my interest. Definitely look at pfSense and known blocklists... Almost anything in China/Russia isn't needed for daily use. Was the data encrypted or uploaded, as you speculated earlier?"
No problem! It was definitely uploaded (or erased and they lied). Symmetrical gigabit internet problems, haha.
squirrelslikenuts, posted February 17, 2019:
Quoting brianbrifri: "No problem! It was definitely uploaded (or erased and they lied). Symmetrical gigabit internet problems, haha."
Haha, first-world internet problems, lol! So they "took" the data, deleted it and requested ransom? What was the fee?
lotetreemedia, posted February 18, 2019:
Quoting CHBMB: "Well, I think you deserve credit for admitting it. We've all done stupid stuff at some point, but putting your hands up to it is not something many find easy. Mine are too numerous to count, but I'm most "proud" of running rm -rf / which led me to receive an error message: rm: it is dangerous to operate recursively on '/' rm: use --no-preserve-root to override this failsafe. So then I ran... rm -rf / --no-preserve-root. Then my laptop screen went a bit crazy and I hosed my install, with no backups. I was lucky there wasn't anything important removed except my dignity. In my head, at the time, I was in a subdirectory and wanted to delete everything in it..."
Have you seen the Linux Sucks series by Bryan Lunduke? They're really well done. The CEO of RedHat actually did the same thing, so don't feel so bad.
ijuarez, posted February 18, 2019:
Quoting yusuflimz: "Have you seen the Linux Sucks series by Bryan Lunduke? They're really well done. The CEO of RedHat actually did the same thing, so don't feel so bad."
We all got to learn someday...
lotetreemedia, posted February 18, 2019:
Quoting ijuarez: "We all got to learn someday..."
Exactly! I once ran a SQL UPDATE query without a WHERE clause and updated all the selling prices for all the items in a live store to $1.00. It was weird when someone brought a chainsaw to the cashier and it scanned with that price. The cashier looked at me and I looked back, and I knew I darn f$%*d up. Never made that mistake again.
brianbrifri (thread author), posted February 18, 2019:
Quoting squirrelslikenuts: "Haha, first-world internet problems, lol! So they "took" the data, deleted it and requested ransom? What was the fee?"
Yup. 0.06 Bitcoin, or about $500 at the time, just when it spiked, lol. I did buy the Bitcoin but never paid the ransom... Now I'm down to half the value it was when I bought it.
nasforthemass, posted February 18, 2019:
Brian, thank you for your persistence through that loss and for following through with the detective work! It helped me relax after reading the title of your thread, and possibly helped prevent me from making a similar mistake.
PS: I still don't have personal data on my unRAID as I am still learning the ins and outs of the OS... but threads like this help me error-proof my setup!
brianbrifri (thread author), posted February 18, 2019:
Quoting nasforthemass: "Brian, thank you for your persistence through that loss and for following through with the detective work! It helped me relax after reading the title of your thread, and possibly helped prevent me from making a similar mistake. PS: I still don't have personal data on my unRAID as I am still learning the ins and outs of the OS... but threads like this help me error-proof my setup!"
You're welcome!