Brute Force?

[physikal]

I'm seeing this in my system logs:

 

Jan 14 00:23:31 Tower nginx: 2019/01/14 00:23:31 [error] 4984#4984: *1158237 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:31 Tower nginx: 2019/01/14 00:23:31 [error] 4984#4984: *1158237 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:33 Tower nginx: 2019/01/14 00:23:33 [error] 4984#4984: *1158248 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:33 Tower nginx: 2019/01/14 00:23:33 [error] 4984#4984: *1158248 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:34 Tower nginx: 2019/01/14 00:23:34 [error] 4984#4984: *1158255 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:35 Tower nginx: 2019/01/14 00:23:35 [error] 4984#4984: *1158255 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:35 Tower nginx: 2019/01/14 00:23:35 [error] 4984#4984: *1158261 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:37 Tower nginx: 2019/01/14 00:23:37 [error] 4984#4984: *1158261 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:39 Tower nginx: 2019/01/14 00:23:39 [error] 4984#4984: *1158275 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:39 Tower nginx: 2019/01/14 00:23:39 [error] 4984#4984: *1158275 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"
Jan 14 00:23:40 Tower nginx: 2019/01/14 00:23:40 [error] 4984#4984: *1158278 user "admin" was not found in "/etc/nginx/htpasswd", client: 188.243.58.117, server: , request: "GET /Main HTTP/1.1", host: "50.106.16.89", referrer: "http://50.106.16.89/"

What's interesting is I'm 99% sure my unRAID box is not externally accessible.  So that concerns me.

 

Any ideas on this?

[jordanmw]

Either unraid is exposed.... or something else on your network is exploited.  That's russia buddy.... not good.

Edited January 24, 2019 by jordanmw

[NewDisplayName]

its an external ip, so that external ip can access your unraid box.

 

Remove port forwarding.

[jordanmw]

check your exposed ports:  https://www.grc.com/x/ne.dll?bh0bkyd2

 

If you don't find any- that means that something is exploited within your network.  Do you have a microtik or qnap device anywhere?  Those were exploited en masse recently by a russia hacking group.

[NewDisplayName]

If it would be out of his network, it would be an internal ip.

[physikal]

36 minutes ago, jordanmw said:

check your exposed ports:  https://www.grc.com/x/ne.dll?bh0bkyd2

 

If you don't find any- that means that something is exploited within your network.  Do you have a microtik or qnap device anywhere?  Those were exploited en masse recently by a russia hacking group.

yes I do have a QNAP device actually.  I'll check that out I guess.  I've turned on geoblocking on my fw for the time being.

[trurl]

5 minutes ago, physikal said:

I've turned on geoblocking

If Russia can get in so can everyone else so you'd better block the whole world.

[jordanmw]

yep- I assure you it is your qnap- have quite a bit of experience with them. Go to control panel- security- and turn on the network access protection.  Also assume anything and everything on that qnap is compromised.  If they are trying to get into your unraid server- then they probably own every other device on your network- using the qnap as a relay.  

 

Make sure you update firmware and download the antivirus from the qnap app store.  Hope nothing important was on your qnap.

[NewDisplayName]

again, if the connection would come from the qnap, then the ip of the qnap would stand there.

 

Its a direct connection from outside into unraid.

 

maybe he wanted to open ports for qnap but opend port to unraid 

 

as far as i know u cant spoof tcp connections.

Edited January 24, 2019 by nuhll

[jordanmw]

9 minutes ago, physikal said:

yes I do have a QNAP device actually.  I'll check that out I guess.  I've turned on geoblocking on my fw for the time being.

Geoblocking is not a good solution- they bounce off of plenty of other places once they find a target.  I often found colleges in the US that had been exploited, that were turned on when I cut off their russia IPs.

[physikal]

1 minute ago, nuhll said:

again, if the connection would come from the qnap, then the ip of the qnap would stand there.

 

Its a direct connection from outside into unraid.

I thought so as well.  What's odd is the 50.106.16.89 address was an old address I had from my ISP, and when I checked my fw I saw 1 active session on port 6895 to an Amazon IP (Assuming AWS).

[physikal]

1 minute ago, jordanmw said:

Geoblocking is not a good solution- they bounce off of plenty of other places once they find a target.  I often found colleges in the US that had been exploited, that were turned on when I cut off their russia IPs.

yeah I 100% agree it's not a long term solution. Just to buy me some time while I investigate and rebuild some VM's that could be compromised.

[NewDisplayName]

188.243.58.117 is the attacker, the other ip should be yours

[physikal]

Shields up report: 

51 minutes ago, jordanmw said:

check your exposed ports:  https://www.grc.com/x/ne.dll?bh0bkyd2

 

If you don't find any- that means that something is exploited within your network.  Do you have a microtik or qnap device anywhere?  Those were exploited en masse recently by a russia hacking group.

 

[NewDisplayName]

which port is that? 80?

 

btw write an mail to

remarks: For general info on spam complaints email [email protected].

[physikal]

1 minute ago, nuhll said:

which port is that? 80?

 

btw write an mail to

remarks: For general info on spam complaints email [email protected].

No it's 179/bgp - which is odd. 

[NewDisplayName]

unraid, if u didnt changed it, only accepts on 80 and 443.

 

But your router might port redirect port "somethign" to "80".

 

What port forwardings do you have?

Edited January 24, 2019 by nuhll

[physikal]

3 minutes ago, nuhll said:

unraid, if u didnt changed it, only accepts on 80 and 443.

 

But your router might port redirect port "somethign" to "80".

 

What port forwardings do you have?

Just these

[jordanmw]

scary- that port (175) is for the vmnet protocol.  That is what vmware uses.... truly don't know what could have happened there, but that port should never be open to the internet ESPECIALLY when dealing with vmware.

[physikal]

2 minutes ago, jordanmw said:

scary- that port (175) is for the vmnet protocol.  That is what vmware uses.... truly don't know what could have happened there, but that port should never be open to the internet ESPECIALLY when dealing with vmware.

But it's port 179? And I have no vmware installs in my home lab.

[physikal]

3 minutes ago, jordanmw said:

scary- that port (175) is for the vmnet protocol.  That is what vmware uses.... truly don't know what could have happened there, but that port should never be open to the internet ESPECIALLY when dealing with vmware.

also I should clarify, blue means closed. So it confirmed closed.

[jordanmw]

8 minutes ago, physikal said:

also I should clarify, blue means closed. So it confirmed closed.

Oh right.... forgot- haven't had to use sheilds up in a while

[jordanmw]

If you can get into your qnap- you should look through the system connection logs.  Update all apps installed on it, firmware, AV, then scan and reboot.

[physikal]

Just now, jordanmw said:

If you can get into your qnap- you should look through the system connection logs.  Update all apps installed on it, firmware, AV, then scan and reboot.

yeah doing this now, thanks a ton for the info.  I'm also rebuilding any old VM's I had that were hosting game servers under that 50.106.16.89 ISP assigned address.  I'm also digging through my FW to see if I can get a mac address of that address being used internally and seeing if it matches any of my mac addresses on my internal network.  Wish I had a clear smoking gun on which machine was compromised.

[NewDisplayName]

Maybe try http://www.advanced-port-scanner.com/de/ or something and scan your external ip. I dont really believe that webpage scanners...^^ 

 

also closed means there is something, so...