luowilliam

ISP says my IP is sending out spam

15 posts in this topic


My ISP called/emailed me and said my IP is being used for sending out tons of spam. I scanned all my computers except for the unraid box. ISP still reporting spam. Last night, I shut down my unraid box and today ISP said they haven't seen any spam since.

What can I do at this point to pinpoint what happened on the unraid box?

Any help is welcome.

Thanks in advance.

William


Are there any rules in your router referencing your unraid box?

Attach the diagnostics zip file here and someone will have a look.


Sorry, what do you mean by rules? Other than forwarding ports for torrents in Transmission there's nothing particular I put in.

I will upload the diagnostic zip tonight.

Thanks.

17 minutes ago, luowilliam said:

Sorry, what do you mean by rules? Other than forwarding ports for torrents in Transmission there's nothing particular I put in.

That's what Jonathanm was referring to: what ports on the router/firewall have been opened up and forwarded to your Unraid machine and its hosted services (such as Docker containers, virtual machines, and anything else). As an example, you mentioned your Transmission service.


I will have to look at the machine for details. What I remember now is the Transmission and Plex media server.


Attached is my diagnostics. I used netstat to look at all the established connections and can't see anything weird.

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1967            0.0.0.0:*               LISTEN      8608/Plex DLNA Serv
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN      1562/rpcbind
tcp        0      0 0.0.0.0:32400           0.0.0.0:*               LISTEN      8503/./Plex Media S
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN      4822/nginx: master
tcp        0      0 NAS1:32401              0.0.0.0:*               LISTEN      8503/./Plex Media S
tcp        0      0 0.0.0.0:41361           0.0.0.0:*               LISTEN      1567/rpc.statd
tcp        0      0 0.0.0.0:32469           0.0.0.0:*               LISTEN      8608/Plex DLNA Serv
tcp        0      0 192.168.122.1:domain    0.0.0.0:*               LISTEN      7000/dnsmasq
tcp        0      0 0.0.0.0:ftp             0.0.0.0:*               LISTEN      4726/inetd
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      4688/sshd
tcp        0      0 0.0.0.0:telnet          0.0.0.0:*               LISTEN      4726/inetd
tcp        0      0 NAS1:32600              0.0.0.0:*               LISTEN      8610/Plex Tuner Ser
tcp        0      0 NAS1:34009              0.0.0.0:*               LISTEN      8543/Plex Plug-in [
tcp        0      0 NAS1:41339              0.0.0.0:*               LISTEN      8669/Plex Plug-in [
tcp        0      0 NAS1:16509              0.0.0.0:*               LISTEN      6533/libvirtd
tcp        0      0 0.0.0.0:microsoft-ds    0.0.0.0:*               LISTEN      1632/smbd
tcp        0      0 0.0.0.0:6789            0.0.0.0:*               LISTEN      7309/nzbget
tcp        0      0 0.0.0.0:netbios-ssn     0.0.0.0:*               LISTEN      1632/smbd
tcp        0    101 192.168.1.100:34378     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:42758     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0    101 192.168.1.100:42778     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0     85 192.168.1.100:34342     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:42802     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:42798     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:6789      172.17.0.3:42748        TIME_WAIT   -
tcp        0      0 192.168.1.100:34334     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        1      0 192.168.1.100:56608     ec2-52-208-155-135:http CLOSE_WAIT  8608/Plex DLNA Serv
tcp        0      0 192.168.1.100:42770     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:42774     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:6789      172.17.0.3:42756        TIME_WAIT   -
tcp        0      0 192.168.1.100:34322     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:http      192.168.1.76:59168      ESTABLISHED 4823/nginx: worker
tcp        0      0 192.168.1.100:ssh       customer.worldstre:2494 ESTABLISHED 4871/sshd: adm [pri
tcp        0      0 192.168.1.100:6789      172.17.0.4:33332        TIME_WAIT   -
tcp        0      0 192.168.1.100:6789      172.17.0.3:42760        TIME_WAIT   -
tcp        0    320 192.168.1.100:ssh       192.168.1.90:64131      ESTABLISHED 23142/sshd: root@pt
tcp        0      0 192.168.1.100:34346     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:6789      172.17.0.3:42750        TIME_WAIT   -
tcp        0      0 192.168.1.100:34360     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0    101 192.168.1.100:42754     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:6789      192.168.1.76:59421      ESTABLISHED 7309/nzbget
tcp        1      0 NAS1:57568              NAS1:34009              CLOSE_WAIT  8608/Plex DLNA Serv
tcp        0      0 192.168.1.100:6789      172.17.0.3:42746        TIME_WAIT   -
tcp        0      0 192.168.1.100:34318     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:6789      192.168.1.76:59420      ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:6789      172.17.0.4:33330        TIME_WAIT   -
tcp        0      0 192.168.1.100:http      192.168.1.76:59606      ESTABLISHED 4823/nginx: worker
tcp        0      0 192.168.1.100:6789      192.168.1.76:59396      TIME_WAIT   -
tcp        0      0 192.168.1.100:6789      192.168.1.76:59423      ESTABLISHED 7309/nzbget
tcp       64      0 192.168.1.100:42750     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:44246     184.105.148.98:https    ESTABLISHED 8503/./Plex Media S
tcp        0      0 192.168.1.100:42782     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:6789      192.168.1.76:59397      TIME_WAIT   -
tcp        0    101 192.168.1.100:34362     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:6789      192.168.1.76:59422      ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:6789      172.17.0.4:33328        TIME_WAIT   -
tcp        0      0 192.168.1.100:34370     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:34366     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:34338     news.iad.usenetser:8080 ESTABLISHED 7309/nzbget
tcp        0      0 192.168.1.100:6789      172.17.0.3:42758        TIME_WAIT   -
tcp        0      0 192.168.1.100:http      192.168.1.76:58751      ESTABLISHED 4823/nginx: worker
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN      1562/rpcbind
tcp6       0      0 [::]:http               [::]:*                  LISTEN      4822/nginx: master
tcp6       0      0 [::]:51413              [::]:*                  LISTEN      8156/docker-proxy
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      4688/sshd
tcp6       0      0 [::]:60599              [::]:*                  LISTEN      1567/rpc.statd
tcp6       0      0 [::]:8989               [::]:*                  LISTEN      7817/docker-proxy
tcp6       0      0 [::]:9117               [::]:*                  LISTEN      6561/docker-proxy
tcp6       0      0 [::]:microsoft-ds       [::]:*                  LISTEN      1632/smbd
tcp6       0      0 [::]:9091               [::]:*                  LISTEN      8169/docker-proxy
tcp6       0      0 [::]:7878               [::]:*                  LISTEN      7459/docker-proxy
tcp6       0      0 [::]:netbios-ssn        [::]:*                  LISTEN      1632/smbd
tcp6       0      0 192.168.1.100:9091      172.17.0.4:55036        TIME_WAIT   -

nas1-diagnostics-20181102-2314.zip


Not the real expert here, but it appears that your server is facing the internet, as you have a ton of connections from 194.88.107.164 (Netherlands). Is this your IP address? Have you forwarded SSH ports, or popped the server into a DMZ?


Interesting, how did you see those connections? I guess it is kinda facing the internet because of the forwarded ports for Transmission, Plex and SSH. How would I find out where the spam bot is and get rid of it?


Your box is likely compromised from your SSH server. Here are all the FAILED attempts from your server to port 25, which is SMTP (email) servers, from your SSH daemon. This does not include successful connections to SMTP.

As SQUID pointed out, you have SSH user 'adm' connecting from 194.88.107.164. This is logged in your syslog file.

STEP 1, remove your server from the internet.

Nov  2 23:06:29 NAS1 sshd[16314]: error: connect_to 67.195.228.141 port 25: failed.
Nov  2 23:07:00 NAS1 sshd[16656]: error: connect_to 104.47.124.33 port 25: failed.
Nov  2 23:07:11 NAS1 sshd[17634]: error: connect_to 64.233.167.26 port 25: failed.
Nov  2 23:07:22 NAS1 sshd[17977]: error: connect_to 104.47.126.33 port 25: failed.
Nov  2 23:07:36 NAS1 sshd[18363]: error: connect_to 104.47.126.33 port 25: failed.
Nov  2 23:07:50 NAS1 sshd[18761]: error: connect_to 104.47.126.33 port 25: failed.
Nov  2 23:08:03 NAS1 sshd[19127]: error: connect_to 104.47.126.33 port 25: failed.
Nov  2 23:08:16 NAS1 sshd[19562]: error: connect_to 104.47.48.33 port 25: failed.
Nov  2 23:08:30 NAS1 sshd[19931]: error: connect_to 104.47.48.33 port 25: failed.

Nov  2 22:56:44 NAS1 sshd[4871]: SSH: Server;Ltype: Version;Remote: 89.38.96.13-2494;Protocol: 2.0;Client: WinSCP_release_5.1.3
Nov  2 22:56:44 NAS1 sshd[4871]: SSH: Server;Ltype: Kex;Remote: 89.38.96.13-2494;Enc: aes128-ctr;MAC: hmac-sha2-256;Comp: none [preauth]
Nov  2 22:56:45 NAS1 sshd[4871]: SSH: Server;Ltype: Authname;Remote: 89.38.96.13-2494;Name: adm [preauth]
Nov  2 22:56:45 NAS1 sshd[4871]: Accepted none for adm from 89.38.96.13 port 2494 ssh2

Nov  2 22:56:45 NAS1 sshd[4871]: SSH: Server;Ltype: Authname;Remote: 89.38.96.13-2494;Name: adm [preauth]
Nov  2 22:56:45 NAS1 sshd[4871]: Accepted none for adm from 89.38.96.13 port 2494 ssh2
Nov  2 23:03:38 NAS1 sshd[11159]: SSH: Server;Ltype: Authname;Remote: 194.88.107.164-64656;Name: adm [preauth]
Nov  2 23:03:38 NAS1 sshd[11159]: Accepted none for adm from 194.88.107.164 port 64656 ssh2
Nov  2 23:06:20 NAS1 sshd[16300]: SSH: Server;Ltype: Authname;Remote: 194.88.107.164-59160;Name: adm [preauth]
Nov  2 23:06:20 NAS1 sshd[16300]: Accepted none for adm from 194.88.107.164 port 59160 ssh2
Nov  2 23:06:30 NAS1 sshd[16314]: Disconnecting user adm 194.88.107.164 port 59160: oclose packet referred to nonexistent channel 0
Nov  2 23:06:31 NAS1 sshd[16619]: SSH: Server;Ltype: Authname;Remote: 194.88.107.164-63134;Name: adm [preauth]
Nov  2 23:06:31 NAS1 sshd[16619]: Accepted none for adm from 194.88.107.164 port 63134 ssh2
Nov  2 23:07:00 NAS1 sshd[16656]: Disconnecting user adm 194.88.107.164 port 63134: oclose packet referred to nonexistent channel 0
Nov  2 23:07:01 NAS1 sshd[17597]: SSH: Server;Ltype: Authname;Remote: 194.88.107.164-57867;Name: adm [preauth]
Nov  2 23:07:01 NAS1 sshd[17597]: Accepted none for adm from 194.88.107.164 port 57867 ssh2
Nov  2 23:07:11 NAS1 sshd[17634]: Disconnecting user adm 194.88.107.164 port 57867: oclose packet referred to nonexistent channel 0
Nov  2 23:07:12 NAS1 sshd[17948]: SSH: Server;Ltype: Authname;Remote: 194.88.107.164-61714;Name: adm [preauth]
Nov  2 23:07:12 NAS1 sshd[17948]: Accepted none for adm from 194.88.107.164 port 61714 ssh2
Nov  2 23:07:22 NAS1 sshd[17977]: Disconnecting user adm 194.88.107.164 port 61714: oclose packet referred to nonexistent channel 0
Nov  2 23:07:23 NAS1 sshd[18334]: SSH: Server;Ltype: Authname;Remote: 194.88.107.164-49173;Name: adm [preauth]
Nov  2 23:07:23 NAS1 sshd[18334]: Accepted none for adm from 194.88.107.164 port 49173 ssh2
Nov  2 23:07:36 NAS1 sshd[18363]: Disconnecting user adm 194.88.107.164 port 49173: oclose packet referred to nonexistent channel 0
Nov  2 23:07:37 NAS1 sshd[18734]: SSH: Server;Ltype: Authname;Remote: 194.88.107.164-54070;Name: adm [preauth]
Nov  2 23:07:37 NAS1 sshd[18734]: Accepted none for adm from 194.88.107.164 port 54070 ssh2
Nov  2 23:07:50 NAS1 sshd[18761]: Disconnecting user adm 194.88.107.164 port 54070: oclose packet referred to nonexistent channel 0
Nov  2 23:07:51 NAS1 sshd[19120]: SSH: Server;Ltype: Authname;Remote: 194.88.107.164-58885;Name: adm [preauth]
Nov  2 23:07:51 NAS1 sshd[19120]: Accepted none for adm from 194.88.107.164 port 58885 ssh2
Nov  2 23:08:03 NAS1 sshd[19127]: Disconnecting user adm 194.88.107.164 port 58885: oclose packet referred to nonexistent channel 0
Nov  2 23:08:04 NAS1 sshd[19531]: SSH: Server;Ltype: Authname;Remote: 194.88.107.164-63248;Name: adm [preauth]
Nov  2 23:08:04 NAS1 sshd[19531]: Accepted none for adm from 194.88.107.164 port 63248 ssh2
Nov  2 23:08:16 NAS1 sshd[19562]: Disconnecting user adm 194.88.107.164 port 63248: oclose packet referred to nonexistent channel 0
Nov  2 23:08:17 NAS1 sshd[19908]: SSH: Server;Ltype: Authname;Remote: 194.88.107.164-51137;Name: adm [preauth]
Nov  2 23:08:17 NAS1 sshd[19908]: Accepted none for adm from 194.88.107.164 port 51137 ssh2
Nov  2 23:08:30 NAS1 sshd[19931]: Disconnecting user adm 194.88.107.164 port 51137: oclose packet referred to nonexistent channel 0

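A defender-side way to pull the two indicators from this post out of a syslog automatically, as an added example that is not code from the thread: it flags logins accepted with the 'none' method (meaning no password was required) and groups sshd's failed connect_to port 25 messages, which come from port forwarding requested through the SSH session, by sshd PID so they can be tied back to the session that issued them. The log lines are constructed to match the excerpts above, and the function names are my own.

```python
"""Triage sshd syslog lines for the two indicators in this thread: logins accepted
with the 'none' method (no password required) and forwarded connections to SMTP."""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the syslog excerpt above; not the real log file.
SAMPLE_LOG = """\
Nov  2 22:56:45 NAS1 sshd[4871]: Accepted none for adm from 89.38.96.13 port 2494 ssh2
Nov  2 23:06:20 NAS1 sshd[16300]: Accepted none for adm from 194.88.107.164 port 59160 ssh2
Nov  2 23:06:29 NAS1 sshd[16314]: error: connect_to 67.195.228.141 port 25: failed.
Nov  2 23:06:30 NAS1 sshd[16314]: Disconnecting user adm 194.88.107.164 port 59160: oclose packet referred to nonexistent channel 0
Nov  2 23:06:31 NAS1 sshd[16619]: Accepted none for adm from 194.88.107.164 port 63134 ssh2
Nov  2 23:07:00 NAS1 sshd[16656]: error: connect_to 104.47.124.33 port 25: failed.
Nov  2 23:07:00 NAS1 sshd[16656]: Disconnecting user adm 194.88.107.164 port 63134: oclose packet referred to nonexistent channel 0
Nov  2 23:10:00 NAS1 sshd[23142]: Accepted publickey for root from 192.168.1.90 port 64131 ssh2
Nov  2 23:10:05 NAS1 sshd[23142]: error: connect_to 192.168.1.76 port 443: failed.
"""

ACCEPTED_RE = re.compile(r"sshd\[(\d+)\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
CONNECT_RE = re.compile(r"sshd\[(\d+)\]: error: connect_to (\S+) port (\d+): failed")
DISCONNECT_RE = re.compile(r"sshd\[(\d+)\]: Disconnecting user (\S+) (\S+) port \d+")


def triage(log_text):
    """Scan raw syslog text and return:
    none_logins   - (user, source_ip) for every login accepted with the 'none' method
    smtp_forwards - sshd PID -> list of port-25 targets it tried to reach on the client's behalf
    pid_user      - sshd PID -> (user, source_ip) wherever a line lets us attribute it
    The connect_to errors are logged by the per-session child process, whose PID differs
    from the one in the 'Accepted' line, so the 'Disconnecting user' line (same child PID)
    is what ties a forwarding attempt back to the user and source address."""
    none_logins, smtp_forwards, pid_user = [], defaultdict(list), {}
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            pid, method, user, src = m.groups()
            pid_user[pid] = (user, src)
            if method == "none":
                none_logins.append((user, src))
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            pid, user, src = m.groups()
            pid_user[pid] = (user, src)
            continue
        m = CONNECT_RE.search(line)
        if m and m.group(3) == "25":
            smtp_forwards[m.group(1)].append(m.group(2))
    return {"none_logins": none_logins, "smtp_forwards": dict(smtp_forwards), "pid_user": pid_user}


def attribute_smtp_relays(findings):
    """Map each SMTP-forwarding sshd PID to the session (user, ip) it served, when known."""
    return {pid: {"session": findings["pid_user"].get(pid), "targets": targets}
            for pid, targets in findings["smtp_forwards"].items()}


def none_logins_by_source(findings):
    """Count password-less logins per source address; a useful block-list input."""
    return Counter(src for _, src in findings["none_logins"])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("none logins by source:", dict(none_logins_by_source(found)))
    print("SMTP relays:", attribute_smtp_relays(found))
```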

So I have closed SSH port 22 on my router. Seems like the spamming stopped, but do I need to worry about the box being compromised any other way?

Also, if I would like to get Plex working over the internet, what's the proper and secure way of doing that?

Thanks for all the help.


I don't know how anyone was able to log in as 'adm', as under standard unraid configuration that user has no password and cannot log in. Double check your passwd and shadow files on your USB drive [/boot/config/] and on the running system [/etc/]. The 'x' in passwd indicates the real data is in the shadow file. The '*' in the shadow file indicates no acceptable password.

# grep adm /boot/config/passwd /etc/passwd
/boot/config/passwd:adm:x:3:4:adm:/var/log:/bin/false
/etc/passwd:adm:x:3:4:adm:/var/log:/bin/false

# grep adm /boot/config/shadow /etc/shadow
/boot/config/shadow:adm:*:14824:0:99999:7:::
/etc/shadow:adm:*:14824:0:99999:7:::

Sorry, can you provide a little more explanation for this? Like how is it there's an adm account left there by default, and the commands you provided: when I typed those in it says there is no such file or directory.


The grep command searches for strings inside of files. In this situation, since your syslog shows multiple SSH logins for user adm, you should make sure the user is prevented from logging in. We can do that using the 2 grep commands I provided.

The location /etc/ contains critical configuration files for the running system in RAM. These files do NOT survive reboots and are replaced when the server reboots.

The location /boot/config/ contains SAVED critical configuration files that are copied into /etc/ when unraid first boots up. These files survive reboots.

The first grep command searches for all occurrences of adm in the file /boot/config/passwd and the file /etc/passwd.

The second grep command searches for all occurrences of adm in the file /boot/config/shadow and the file /etc/shadow.

Try the following 2 commands at the unraid command prompt / terminal prompt.

grep adm /boot/config/passwd /etc/passwd

grep adm /boot/config/shadow /etc/shadow

They should produce output similar to what I posted above and will post below again. The numbers may be different, but the PASSWD files should contain an 'x' after the username and the SHADOW files should contain an '*' after the username.

If the two commands do not produce results, then your system is likely majorly compromised and it would be wise to reboot the system at least once and then try them again. If it still doesn't produce results then you should unplug it from the network until you start over from scratch with an entirely brand new USB drive, so you can be certain no compromised configurations or scripts are reinstalling at reboot.

Output results from the 2 commands:

/boot/config/passwd:adm:x:3:4:adm:/var/log:/bin/false

/etc/passwd:adm:x:3:4:adm:/var/log:/bin/false

/boot/config/shadow:adm:*:14824:0:99999:7:::

/etc/shadow:adm:*:14824:0:99999:7:::

Edited by BRiT

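As an added check that is not from the thread, the following script applies BRiT's passwd/shadow test to both copies of the files and reports which accounts can authenticate at all, plus any drift between /boot/config and /etc. The file contents are constructed samples shaped like the grep output above (with root's hash replaced by a placeholder and adm's shadow field deliberately emptied in the live copy), and the function names are assumed.

```python
"""Apply the passwd/shadow check from this thread to both the persistent copy
(/boot/config) and the live copy (/etc) and report accounts that can authenticate."""

# Constructed sample file contents shaped like the grep output in this thread
# (root's hash is a placeholder); these are not the real files from the server.
PASSWD_BOOT = """\
root:x:0:0:Console and webGui login account:/root:/bin/bash
adm:x:3:4:adm:/var/log:/bin/false
nobody:x:99:100:nobody:/:/bin/false
"""
SHADOW_BOOT = """\
root:$6$placeholder$notarealhash:14824:0:99999:7:::
adm:*:14824:0:99999:7:::
nobody:*:14824:0:99999:7:::
"""
# Live copy: identical passwd, but adm's shadow hash field has been emptied at runtime.
PASSWD_ETC = PASSWD_BOOT
SHADOW_ETC = SHADOW_BOOT.replace("adm:*:", "adm::")


def parse_colon_file(text):
    """Map username -> list of fields for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def authenticatable_accounts(passwd_text, shadow_text):
    """Return the accounts whose shadow entry allows password authentication.

    A hash field starting with '*' or '!' (or a missing shadow entry) is locked.
    An empty field means no password is needed, which is how an SSH 'Accepted none'
    login can succeed.  The shell is reported but does not block authentication:
    /bin/false only stops an interactive shell, while SSH port forwarding (the SMTP
    relay in this thread) never needs one.
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    result = {}
    for user, fields in passwd.items():
        hash_field = shadow.get(user, [user, "*"])[1]
        if hash_field.startswith(("*", "!")):
            continue
        result[user] = {
            "password": "empty" if hash_field == "" else "set",
            "shell": fields[6] if len(fields) > 6 else "",
        }
    return result


def config_drift(boot_text, etc_text):
    """Usernames whose entry differs between the persistent and the live copy;
    a non-empty list means something changed the running system after boot."""
    boot = parse_colon_file(boot_text)
    etc = parse_colon_file(etc_text)
    return sorted(u for u in set(boot) | set(etc) if boot.get(u) != etc.get(u))


if __name__ == "__main__":
    for label, p, s in (("boot", PASSWD_BOOT, SHADOW_BOOT), ("etc", PASSWD_ETC, SHADOW_ETC)):
        print(label, authenticatable_accounts(p, s))
    print("shadow drift:", config_drift(SHADOW_BOOT, SHADOW_ETC))
```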
Thank you for the explanation. 

Here's what I got from the grep command:

grep: /boot/config/passwd: No such file or directory
/etc/passwd:_kadmin_admin:*:218:-2:Kerberos Admin Service:/var/empty:/usr/bin/false
/etc/passwd:_kadmin_changepw:*:219:-2:Kerberos Change Password Service:/var/empty:/usr/bin/false
/etc/passwd:_krb_kadmin:*:231:-2:Open Directory Kerberos Admin Service:/var/empty:/usr/bin/false
grep: /boot/config/shadow: No such file or directory
grep: /etc/shadow: No such file or directory

Doesn't look good I guess right?

So the next question is how would I restart from scratch and minimize the amount of work I have to do in the configuration?

Thanks.


You shouldn't face unraid to the internet. It's not built (hardened) for that.

If I were you, I would set up unraid from scratch because it's very hard to say what exactly they altered or if there are any other backdoors.

Why did you have SSH open to the internet? (That's like the worst idea.)

If you want to open any other service like Plex, I would change the standard port for that app, maybe something high like 61355. If there is a security hole in that app, they could still take over the server, but it's unlikely to happen. And just redirect that port to Plex (unraid).

But SSH gets scanned like 12098392183 billion times a second ;)

Edited by nuhll
