Brute Force?

I'm seeing this in my system logs:

 

Jan 14 00:23:31 Tower nginx: 2019/01/14 00:23:31 [error] 4984#4984: *1158237 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:31 Tower nginx: 2019/01/14 00:23:31 [error] 4984#4984: *1158237 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:33 Tower nginx: 2019/01/14 00:23:33 [error] 4984#4984: *1158248 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:33 Tower nginx: 2019/01/14 00:23:33 [error] 4984#4984: *1158248 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:34 Tower nginx: 2019/01/14 00:23:34 [error] 4984#4984: *1158255 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:35 Tower nginx: 2019/01/14 00:23:35 [error] 4984#4984: *1158255 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:35 Tower nginx: 2019/01/14 00:23:35 [error] 4984#4984: *1158261 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:37 Tower nginx: 2019/01/14 00:23:37 [error] 4984#4984: *1158261 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:39 Tower nginx: 2019/01/14 00:23:39 [error] 4984#4984: *1158275 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:39 Tower nginx: 2019/01/14 00:23:39 [error] 4984#4984: *1158275 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:40 Tower nginx: 2019/01/14 00:23:40 [error] 4984#4984: *1158278 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"

What's interesting is I'm 99% sure my unRAID box is not externally accessible. So that concerns me.

 

Any ideas on this?
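The log lines above are nginx's HTTP basic-auth failures; a client IP from outside the LAN in that field means the request actually reached nginx from the internet (or from a relay inside the network). The following added example, not from the thread or from Unraid, parses that line shape and flags any client that racks up repeated failures inside a short window, which is the detection a defender would run over syslog. The sample log, IP addresses and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx basic-auth failures in the error log (re.search skips the syslog prefix):
#   user "admin" was not found in "/etc/nginx/htpasswd", client: <ip>, ...
#   user "admin": password mismatch, client: <ip>, ...
AUTH_FAIL = re.compile(
    r'(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*(?P<conn>\d+) '
    r'user "(?P<user>[^"]*)"(?: was not found in "[^"]*"|: password mismatch), '
    r'client: (?P<client>[^,]+),.*?request: "(?P<request>[^"]*)"'
)

def parse_auth_failure(line):
    """Return the parsed fields of a basic-auth failure line, or None for any other line."""
    m = AUTH_FAIL.search(line)
    if m is None:
        return None
    return dict(m.groupdict(), ts=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"))

def flag_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Client IP -> most auth failures seen inside any `window`, for clients at/over threshold."""
    stamps = defaultdict(list)
    for line in lines:
        ev = parse_auth_failure(line)
        if ev:
            stamps[ev["client"]].append(ev["ts"])
    flagged = {}
    for client, ts_list in stamps.items():
        ts_list.sort()
        start, best = 0, 0
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] > window:  # drop failures older than the window
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged

# Constructed sample log in the thread's line format (documentation / private address ranges).
SAMPLE_LOG = [
    f'Jan 14 00:23:{s:02d} Tower nginx: 2019/01/14 00:23:{s:02d} [error] 4984#4984: *{c} '
    f'user "admin" was not found in "/etc/nginx/htpasswd", client: 203.0.113.5, server: , '
    f'request: "GET /Main HTTP/1.1", host: "198.51.100.9", referrer: "http://198.51.100.9/"'
    for s, c in [(31, 1001), (31, 1001), (33, 1002), (34, 1003), (35, 1003), (37, 1004)]
] + [
    'Jan 14 00:40:02 Tower nginx: 2019/01/14 00:40:02 [error] 4984#4984: *1100 user "admin": '
    'password mismatch, client: 192.168.1.20, server: , request: "GET /Main HTTP/1.1", host: "tower"',
    'Jan 14 00:41:10 Tower nginx: 2019/01/14 00:41:10 [notice] 4984#4984: signal process started',
]
```

Running `flag_bruteforce(SAMPLE_LOG)` reports only the external client; a single local mismatch stays below the threshold, so the check separates a forgotten password from a sustained guessing attempt.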

Either Unraid is exposed... or something else on your network is exploited. That's Russia, buddy... not good.

Edited by jordanmw

It's an external IP, so that external IP can access your Unraid box.

 

Remove port forwarding.

check your exposed ports:  https://www.grc.com/x/ne.dll?bh0bkyd2

 

If you don't find any, that means that something is exploited within your network. Do you have a MikroTik or QNAP device anywhere? Those were exploited en masse recently by a Russian hacking group.

If it came from within his network, it would be an internal IP.

  • Author
36 minutes ago, jordanmw said:

check your exposed ports:  https://www.grc.com/x/ne.dll?bh0bkyd2

 

If you don't find any, that means that something is exploited within your network. Do you have a MikroTik or QNAP device anywhere? Those were exploited en masse recently by a Russian hacking group.

Yes, I do have a QNAP device actually. I'll check that out, I guess. I've turned on geoblocking on my FW for the time being.

  • Community Expert
5 minutes ago, physikal said:

I've turned on geoblocking

If Russia can get in so can everyone else so you'd better block the whole world.

Yep, I assure you it is your QNAP; I have quite a bit of experience with them. Go to Control Panel, Security, and turn on the network access protection. Also assume anything and everything on that QNAP is compromised. If they are trying to get into your Unraid server, then they probably own every other device on your network, using the QNAP as a relay.

 

Make sure you update firmware and download the antivirus from the QNAP app store. Hope nothing important was on your QNAP.

Again, if the connection came from the QNAP, then the IP of the QNAP would be there.

 

It's a direct connection from outside into Unraid.

 

Maybe he wanted to open ports for the QNAP but opened a port to Unraid.

 

As far as I know you can't spoof TCP connections.

Edited by nuhll

9 minutes ago, physikal said:

Yes, I do have a QNAP device actually. I'll check that out, I guess. I've turned on geoblocking on my FW for the time being.

Geoblocking is not a good solution; they bounce off of plenty of other places once they find a target. I often found colleges in the US that had been exploited, that were turned on when I cut off their Russian IPs.

  • Author
1 minute ago, nuhll said:

Again, if the connection came from the QNAP, then the IP of the QNAP would be there.

 

It's a direct connection from outside into Unraid.

I thought so as well. What's odd is the 50.106.16.89 address was an old address I had from my ISP, and when I checked my FW I saw 1 active session on port 6895 to an Amazon IP (assuming AWS).

  • Author
1 minute ago, jordanmw said:

Geoblocking is not a good solution; they bounce off of plenty of other places once they find a target. I often found colleges in the US that had been exploited, that were turned on when I cut off their Russian IPs.

Yeah, I 100% agree it's not a long-term solution. Just to buy me some time while I investigate and rebuild some VMs that could be compromised.

188.243.58.117 is the attacker; the other IP should be yours.

  • Author

Shields Up report: [attached image: shieldsup.PNG]

51 minutes ago, jordanmw said:

check your exposed ports:  https://www.grc.com/x/ne.dll?bh0bkyd2

 

If you don't find any, that means that something is exploited within your network. Do you have a MikroTik or QNAP device anywhere? Those were exploited en masse recently by a Russian hacking group.

 

Which port is that? 80?

 

BTW, write an email to

remarks: For general info on spam complaints email [email protected].

  • Author
1 minute ago, nuhll said:

Which port is that? 80?

 

BTW, write an email to

remarks: For general info on spam complaints email [email protected].

No, it's 179/bgp, which is odd.

Unraid, if you didn't change it, only accepts on 80 and 443.

 

But your router might redirect port "something" to "80".

 

What port forwards do you have?

Edited by nuhll

  • Author
3 minutes ago, nuhll said:

Unraid, if you didn't change it, only accepts on 80 and 443.

 

But your router might redirect port "something" to "80".

 

What port forwards do you have?

Just these: [attached image: ports.png]

Scary: that port (175) is for the vmnet protocol. That is what VMware uses.... I truly don't know what could have happened there, but that port should never be open to the internet, ESPECIALLY when dealing with VMware.

  • Author
2 minutes ago, jordanmw said:

Scary: that port (175) is for the vmnet protocol. That is what VMware uses.... I truly don't know what could have happened there, but that port should never be open to the internet, ESPECIALLY when dealing with VMware.

But it's port 179? And I have no VMware installs in my home lab.

  • Author
3 minutes ago, jordanmw said:

Scary: that port (175) is for the vmnet protocol. That is what VMware uses.... I truly don't know what could have happened there, but that port should never be open to the internet, ESPECIALLY when dealing with VMware.

Also, I should clarify: blue means closed. So it confirmed closed.

8 minutes ago, physikal said:

Also, I should clarify: blue means closed. So it confirmed closed.

Oh right.... forgot; haven't had to use Shields Up in a while.

If you can get into your QNAP, you should look through the system connection logs. Update all apps installed on it, firmware, AV, then scan and reboot.

  • Author
Just now, jordanmw said:

If you can get into your QNAP, you should look through the system connection logs. Update all apps installed on it, firmware, AV, then scan and reboot.

Yeah, doing this now, thanks a ton for the info. I'm also rebuilding any old VMs I had that were hosting game servers under that 50.106.16.89 ISP-assigned address. I'm also digging through my FW to see if I can get a MAC address for that address being used internally and see if it matches any of the MAC addresses on my internal network. Wish I had a clear smoking gun on which machine was compromised.

Archived

This topic is now archived and is closed to further replies.
