physikal Posted January 24, 2019

I'm seeing this in my system logs:

Jan 14 00:23:31 Tower nginx: 2019/01/14 00:23:31 [error] 4984#4984: *1158237 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:31 Tower nginx: 2019/01/14 00:23:31 [error] 4984#4984: *1158237 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:33 Tower nginx: 2019/01/14 00:23:33 [error] 4984#4984: *1158248 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:33 Tower nginx: 2019/01/14 00:23:33 [error] 4984#4984: *1158248 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:34 Tower nginx: 2019/01/14 00:23:34 [error] 4984#4984: *1158255 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:35 Tower nginx: 2019/01/14 00:23:35 [error] 4984#4984: *1158255 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:35 Tower nginx: 2019/01/14 00:23:35 [error] 4984#4984: *1158261 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:37 Tower nginx: 2019/01/14 00:23:37 [error] 4984#4984: *1158261 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:39 Tower nginx: 2019/01/14 00:23:39 [error] 4984#4984: *1158275 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:39 Tower nginx: 2019/01/14 00:23:39 [error] 4984#4984: *1158275 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:40 Tower nginx: 2019/01/14 00:23:40 [error] 4984#4984: *1158278 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"

What's interesting is I'm 99% sure my unRAID box is not externally accessible. So that concerns me. Any ideas on this?
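An added example, not part of the thread or of unRAID: a small Python parser for the nginx auth_basic error lines quoted above that groups failures by client address and flags any client with a burst of failed logins, so a defender can read off which address is doing the guessing, which usernames it tried, and which host name it reached. The sample lines are constructed in the thread's syslog + nginx format; the 192.168.1.20 client, the "root" user, the connection ids and the "password mismatch" line are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches both nginx auth_basic failure messages: the "was not found in" form
# quoted in the thread and the "password mismatch" form nginx logs for a known user.
AUTH_FAIL_RE = re.compile(
    r'(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?'
    r'user "(?P<user>[^"]*)"(?P<why>: password mismatch| was not found in)'
    r'.*?client: (?P<client>[^,]+),.*?host: "(?P<host>[^"]*)"'
)

def parse_auth_failure(line):
    """Return a dict for an auth failure line, or None for any other line."""
    m = AUTH_FAIL_RE.search(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), "user": m["user"],
            "why": "unknown user" if "not found" in m["why"] else "bad password",
            "client": m["client"], "host": m["host"]}

def find_bursts(lines, threshold=5, window_s=60):
    """{client: (max failures in any window_s window, users tried, hosts hit)}"""
    per_client = defaultdict(list)
    for ev in filter(None, map(parse_auth_failure, lines)):
        per_client[ev["client"]].append(ev)
    flagged = {}
    for client, events in per_client.items():
        events.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = (best, sorted({e["user"] for e in events}),
                               sorted({e["host"] for e in events}))
    return flagged

# Constructed sample in the thread's format; attacker and host addresses are the ones
# quoted in the original post, 192.168.1.20 / "root" / connection ids are made up.
_TPL = ('Jan 14 {t} Tower nginx: 2019/01/14 {t} [error] 4984#4984: *{cid} user "{u}"{why}, '
        'client: {c}, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"')
NOT_FOUND = ' was not found in "/etc/nginx/htpasswd"'
SAMPLE_LOG = [
    _TPL.format(t="00:23:31", cid=1158237, u="admin", why=NOT_FOUND, c="188.243.58.117"),
    _TPL.format(t="00:23:33", cid=1158248, u="admin", why=NOT_FOUND, c="188.243.58.117"),
    _TPL.format(t="00:23:34", cid=1158255, u="admin", why=NOT_FOUND, c="188.243.58.117"),
    _TPL.format(t="00:23:35", cid=1158261, u="root", why=NOT_FOUND, c="188.243.58.117"),
    _TPL.format(t="00:23:39", cid=1158275, u="admin", why=NOT_FOUND, c="188.243.58.117"),
    _TPL.format(t="00:25:02", cid=1158301, u="root", why=": password mismatch", c="192.168.1.20"),
]
```

Running `find_bursts(SAMPLE_LOG)` over a real `/var/log/syslog` extract flags only the external address, while the single LAN mismatch stays below the threshold.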
jordanmw Posted January 24, 2019

Either unRAID is exposed.... or something else on your network is exploited. That's Russia, buddy.... not good.

Edited January 24, 2019 by jordanmw
NewDisplayName Posted January 24, 2019

It's an external IP, so that external IP can access your unRAID box. Remove port forwarding.
jordanmw Posted January 24, 2019

Check your exposed ports: https://www.grc.com/x/ne.dll?bh0bkyd2 If you don't find any, that means that something is exploited within your network. Do you have a MikroTik or QNAP device anywhere? Those were exploited en masse recently by a Russian hacking group.
NewDisplayName Posted January 24, 2019

If it came out of his network, it would be an internal IP.
physikal Posted January 24, 2019 (Author)

36 minutes ago, jordanmw said:
> Check your exposed ports: https://www.grc.com/x/ne.dll?bh0bkyd2 If you don't find any, that means that something is exploited within your network. Do you have a MikroTik or QNAP device anywhere? Those were exploited en masse recently by a Russian hacking group.

Yes, I do have a QNAP device actually. I'll check that out I guess. I've turned on geoblocking on my FW for the time being.
trurl Posted January 24, 2019

5 minutes ago, physikal said:
> I've turned on geoblocking

If Russia can get in, so can everyone else, so you'd better block the whole world.
jordanmw Posted January 24, 2019

Yep, I assure you it is your QNAP; I have quite a bit of experience with them. Go to Control Panel > Security and turn on the network access protection. Also assume anything and everything on that QNAP is compromised. If they are trying to get into your unRAID server, then they probably own every other device on your network, using the QNAP as a relay. Make sure you update firmware and download the antivirus from the QNAP app store. Hope nothing important was on your QNAP.
NewDisplayName Posted January 24, 2019

Again, if the connection came from the QNAP, then the IP of the QNAP would be there. It's a direct connection from outside into unRAID. Maybe he wanted to open ports for the QNAP but opened the port to unRAID. As far as I know you can't spoof TCP connections.

Edited January 24, 2019 by nuhll
jordanmw Posted January 24, 2019

9 minutes ago, physikal said:
> Yes, I do have a QNAP device actually. I'll check that out I guess. I've turned on geoblocking on my FW for the time being.

Geoblocking is not a good solution; they bounce off of plenty of other places once they find a target. I often found colleges in the US that had been exploited, that were turned on when I cut off their Russian IPs.
physikal Posted January 24, 2019 (Author)

1 minute ago, nuhll said:
> Again, if the connection came from the QNAP, then the IP of the QNAP would be there. It's a direct connection from outside into unRAID.

I thought so as well. What's odd is the 50.106.16.89 address was an old address I had from my ISP, and when I checked my FW I saw 1 active session on port 6895 to an Amazon IP (assuming AWS).
physikal Posted January 24, 2019 (Author)

1 minute ago, jordanmw said:
> Geoblocking is not a good solution; they bounce off of plenty of other places once they find a target. I often found colleges in the US that had been exploited, that were turned on when I cut off their Russian IPs.

Yeah, I 100% agree it's not a long-term solution. Just to buy me some time while I investigate and rebuild some VMs that could be compromised.
NewDisplayName Posted January 24, 2019

188.243.58.117 is the attacker; the other IP should be yours.
physikal Posted January 24, 2019 (Author)

Shields Up report:

51 minutes ago, jordanmw said:
> Check your exposed ports: https://www.grc.com/x/ne.dll?bh0bkyd2 If you don't find any, that means that something is exploited within your network. Do you have a MikroTik or QNAP device anywhere? Those were exploited en masse recently by a Russian hacking group.
NewDisplayName Posted January 24, 2019

Which port is that? 80? BTW, write a mail to remarks: For general info on spam complaints email [email protected].
physikal Posted January 24, 2019 (Author)

1 minute ago, nuhll said:
> Which port is that? 80? BTW, write a mail to remarks: For general info on spam complaints email [email protected].

No, it's 179/bgp, which is odd.
NewDisplayName Posted January 24, 2019

unRAID, if you didn't change it, only accepts on 80 and 443. But your router might port redirect port "something" to "80". What port forwardings do you have?

Edited January 24, 2019 by nuhll
physikal Posted January 24, 2019 (Author)

3 minutes ago, nuhll said:
> unRAID, if you didn't change it, only accepts on 80 and 443. But your router might port redirect port "something" to "80". What port forwardings do you have?

Just these
jordanmw Posted January 24, 2019

Scary, that port (175) is for the vmnet protocol. That is what VMware uses.... truly don't know what could have happened there, but that port should never be open to the internet, ESPECIALLY when dealing with VMware.
physikal Posted January 24, 2019 (Author)

2 minutes ago, jordanmw said:
> Scary, that port (175) is for the vmnet protocol. That is what VMware uses.... truly don't know what could have happened there, but that port should never be open to the internet, ESPECIALLY when dealing with VMware.

But it's port 179? And I have no VMware installs in my home lab.
physikal Posted January 24, 2019 (Author)

3 minutes ago, jordanmw said:
> Scary, that port (175) is for the vmnet protocol. That is what VMware uses.... truly don't know what could have happened there, but that port should never be open to the internet, ESPECIALLY when dealing with VMware.

Also I should clarify, blue means closed. So it confirmed closed.
jordanmw Posted January 24, 2019

8 minutes ago, physikal said:
> Also I should clarify, blue means closed. So it confirmed closed.

Oh right.... forgot; haven't had to use Shields Up in a while.
jordanmw Posted January 24, 2019

If you can get into your QNAP, you should look through the system connection logs. Update all apps installed on it, firmware, AV, then scan and reboot.
physikal Posted January 24, 2019 (Author)

Just now, jordanmw said:
> If you can get into your QNAP, you should look through the system connection logs. Update all apps installed on it, firmware, AV, then scan and reboot.

Yeah, doing this now, thanks a ton for the info. I'm also rebuilding any old VMs I had that were hosting game servers under that 50.106.16.89 ISP-assigned address. I'm also digging through my FW to see if I can get a MAC address of that address being used internally and seeing if it matches any of my MAC addresses on my internal network. Wish I had a clear smoking gun on which machine was compromised.
NewDisplayName Posted January 24, 2019

Maybe try http://www.advanced-port-scanner.com/de/ or something and scan your external IP. I don't really believe those webpage scanners...^^ Also, closed means there is something, so...