January 24, 2019 I'm seeing this in my system logs:

Jan 14 00:23:31 Tower nginx: 2019/01/14 00:23:31 [error] 4984#4984: *1158237 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:31 Tower nginx: 2019/01/14 00:23:31 [error] 4984#4984: *1158237 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:33 Tower nginx: 2019/01/14 00:23:33 [error] 4984#4984: *1158248 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:33 Tower nginx: 2019/01/14 00:23:33 [error] 4984#4984: *1158248 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:34 Tower nginx: 2019/01/14 00:23:34 [error] 4984#4984: *1158255 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:35 Tower nginx: 2019/01/14 00:23:35 [error] 4984#4984: *1158255 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:35 Tower nginx: 2019/01/14 00:23:35 [error] 4984#4984: *1158261 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:37 Tower nginx: 2019/01/14 00:23:37 [error] 4984#4984: *1158261 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:39 Tower nginx: 2019/01/14 00:23:39 [error] 4984#4984: *1158275 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:39 Tower nginx: 2019/01/14 00:23:39 [error] 4984#4984: *1158275 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:40 Tower nginx: 2019/01/14 00:23:40 [error] 4984#4984: *1158278 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"

What's interesting is I'm 99% sure my unRAID box is not externally accessible. So that concerns me. Any ideas on this?
January 24, 2019 Either unRAID is exposed.... or something else on your network is exploited. That's Russia, buddy.... not good. Edited January 24, 2019 by jordanmw
January 24, 2019 It's an external IP, so that external IP can access your unRAID box. Remove port forwarding.
January 24, 2019 Check your exposed ports: https://www.grc.com/x/ne.dll?bh0bkyd2 If you don't find any, that means that something is exploited within your network. Do you have a MikroTik or QNAP device anywhere? Those were exploited en masse recently by a Russian hacking group.
January 24, 2019 Author 36 minutes ago, jordanmw said: Check your exposed ports: https://www.grc.com/x/ne.dll?bh0bkyd2 If you don't find any, that means that something is exploited within your network. Do you have a MikroTik or QNAP device anywhere? Those were exploited en masse recently by a Russian hacking group. Yes, I do have a QNAP device, actually. I'll check that out, I guess. I've turned on geoblocking on my FW for the time being.
January 24, 2019 Community Expert 5 minutes ago, physikal said: I've turned on geoblocking If Russia can get in, so can everyone else, so you'd better block the whole world.
January 24, 2019 Yep, I assure you it is your QNAP; I have quite a bit of experience with them. Go to Control Panel, Security, and turn on the network access protection. Also assume anything and everything on that QNAP is compromised. If they are trying to get into your unRAID server, then they probably own every other device on your network, using the QNAP as a relay. Make sure you update the firmware and download the antivirus from the QNAP app store. Hope nothing important was on your QNAP.
January 24, 2019 Again, if the connection came from the QNAP, then the IP of the QNAP would be there. It's a direct connection from outside into unRAID. Maybe he wanted to open ports for the QNAP but opened a port to unRAID. As far as I know you can't spoof TCP connections. Edited January 24, 2019 by nuhll
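An added example, not code from this thread or from unRAID or nginx: a small Python parser for the nginx auth_basic error lines in the opening post. It groups failed logins by the logged client address, counts how many fall inside a short window, and checks whether that client address is globally routable, which is the point nuhll makes above: the `client:` field is the direct TCP peer, so a relay on the LAN would show up as a private address. The sample log is constructed from three lines of the opening post plus one made-up LAN entry for contrast; the threshold and window values are assumptions, not anything the thread specifies.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three lines from the opening post and one invented
# LAN entry (192.168.1.20, "password mismatch") so both branches are exercised.
SAMPLE_LOG = """\
Jan 14 00:23:31 Tower nginx: 2019/01/14 00:23:31 [error] 4984#4984: *1158237 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:33 Tower nginx: 2019/01/14 00:23:33 [error] 4984#4984: *1158248 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:34 Tower nginx: 2019/01/14 00:23:34 [error] 4984#4984: *1158255 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:25:10 Tower nginx: 2019/01/14 00:25:10 [error] 4984#4984: *1158300 user "admin": password mismatch, client: 192.168.1.20, server: , request: "GET /Main HTTP/1.1", host: "tower.local", referrer: "http://tower.local/"
"""

# Matches the syslog-wrapped nginx auth_basic error format shown above.
# The "reason" group captures either ' was not found in "..."' or ': password mismatch'.
LINE_RE = re.compile(
    r'^(?P<syslog_ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ nginx: '
    r'(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] \d+#\d+: \*\d+ '
    r'user "(?P<user>[^"]*)"(?P<reason>[^,]*), client: (?P<client>[^,]+), '
    r'server: (?P<server>[^,]*), request: "(?P<request>[^"]*)", host: "(?P<host>[^"]*)"'
    r'(?:, referrer: "(?P<referrer>[^"]*)")?'
)


def parse_line(line):
    """Return a dict of fields for an auth_basic failure line, or None if it is something else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
    rec["reason"] = rec["reason"].strip()
    return rec


def is_external(ip):
    """True if the address is globally routable (i.e. not RFC1918, loopback, link-local...)."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def analyze(log_text, threshold=3, window_seconds=60):
    """Group auth failures by client and flag clients that exceed `threshold`
    failures inside any `window_seconds` span (assumed values, tune to taste)."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "error":
            per_client[rec["client"]].append(rec)

    findings = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: largest number of failures that fit in window_seconds.
        best, j = 0, 0
        for i, r in enumerate(recs):
            while (r["ts"] - recs[j]["ts"]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        findings.append({
            "client": client,
            "external": is_external(client),
            "failures": len(recs),
            "max_in_window": best,
            "users": sorted({r["user"] for r in recs}),
            "hosts": sorted({r["host"] for r in recs}),
            "brute_force": best >= threshold,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        where = "EXTERNAL" if f["external"] else "internal"
        flag = "BRUTE-FORCE" if f["brute_force"] else "ok"
        print(f"{f['client']:16} {where:8} failures={f['failures']} "
              f"max_in_window={f['max_in_window']} users={f['users']} hosts={f['hosts']} {flag}")
```

Run it against the real file with `analyze(open("/var/log/syslog").read())` (path assumed; adjust for your box). The `hosts` list is worth a look too: in the opening post the `host:` header is the poster's old ISP address, which says which public address the attacker dialled, independent of which device answered.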
January 24, 2019 9 minutes ago, physikal said: Yes, I do have a QNAP device, actually. I'll check that out, I guess. I've turned on geoblocking on my FW for the time being. Geoblocking is not a good solution; they bounce off of plenty of other places once they find a target. I often found colleges in the US that had been exploited, that were turned on when I cut off their Russia IPs.
January 24, 2019 Author 1 minute ago, nuhll said: Again, if the connection came from the QNAP, then the IP of the QNAP would be there. It's a direct connection from outside into unRAID. I thought so as well. What's odd is the 50.106.16.89 address was an old address I had from my ISP, and when I checked my FW I saw 1 active session on port 6895 to an Amazon IP (assuming AWS).
January 24, 2019 Author 1 minute ago, jordanmw said: Geoblocking is not a good solution; they bounce off of plenty of other places once they find a target. I often found colleges in the US that had been exploited, that were turned on when I cut off their Russia IPs. Yeah, I 100% agree it's not a long-term solution. Just to buy me some time while I investigate and rebuild some VMs that could be compromised.
January 24, 2019 Author Shields Up report: 51 minutes ago, jordanmw said: Check your exposed ports: https://www.grc.com/x/ne.dll?bh0bkyd2 If you don't find any, that means that something is exploited within your network. Do you have a MikroTik or QNAP device anywhere? Those were exploited en masse recently by a Russian hacking group.
January 24, 2019 Which port is that? 80? BTW, write a mail to remarks: For general info on spam complaints email [email protected].
January 24, 2019 Author 1 minute ago, nuhll said: Which port is that? 80? BTW, write a mail to remarks: For general info on spam complaints email [email protected]. No, it's 179/bgp, which is odd.
January 24, 2019 unRAID, if you didn't change it, only accepts on 80 and 443. But your router might redirect port "something" to "80". What port forwardings do you have? Edited January 24, 2019 by nuhll
January 24, 2019 Author 3 minutes ago, nuhll said: unRAID, if you didn't change it, only accepts on 80 and 443. But your router might redirect port "something" to "80". What port forwardings do you have? Just these
January 24, 2019 Scary, that port (175) is for the vmnet protocol. That is what VMware uses.... Truly don't know what could have happened there, but that port should never be open to the internet, ESPECIALLY when dealing with VMware.
January 24, 2019 Author 2 minutes ago, jordanmw said: Scary, that port (175) is for the vmnet protocol. That is what VMware uses.... Truly don't know what could have happened there, but that port should never be open to the internet, ESPECIALLY when dealing with VMware. But it's port 179? And I have no VMware installs in my home lab.
January 24, 2019 Author 3 minutes ago, jordanmw said: Scary, that port (175) is for the vmnet protocol. That is what VMware uses.... Truly don't know what could have happened there, but that port should never be open to the internet, ESPECIALLY when dealing with VMware. Also, I should clarify, blue means closed. So it confirmed closed.
January 24, 2019 8 minutes ago, physikal said: Also, I should clarify, blue means closed. So it confirmed closed. Oh right.... forgot, haven't had to use Shields Up in a while.
January 24, 2019 If you can get into your QNAP, you should look through the system connection logs. Update all apps installed on it, firmware, AV, then scan and reboot.
January 24, 2019 Author Just now, jordanmw said: If you can get into your QNAP, you should look through the system connection logs. Update all apps installed on it, firmware, AV, then scan and reboot. Yeah, doing this now, thanks a ton for the info. I'm also rebuilding any old VMs I had that were hosting game servers under that 50.106.16.89 ISP-assigned address. I'm also digging through my FW to see if I can get a MAC address for that address being used internally and seeing if it matches any of the MAC addresses on my internal network. Wish I had a clear smoking gun on which machine was compromised.
January 24, 2019 Maybe try http://www.advanced-port-scanner.com/de/ or something and scan your external IP. I don't really believe those webpage scanners... ^^ Also, closed means there is something, so...