Mistakes were made, Unraid IP on DMZ


DBSilvers


Hello Unraid forum!

 

Let me preface this with, this isn't something that you should ever do.

 

So yeah being a noob that I am, I did this not thinking about the security risks involved. It was not a smart choice. This is very much a learning experience for me.

 

I got home yesterday and the Fix Common Problems app alerted me to 251 attempted logins. I had been messing around with setting it up from work so I thought it was just me from work. I checked the system logs and saw that it was not me and that there were attempted logins from multiple IPs. I quickly got the IP off of DMZ and for good measure unplugged the modem because I didn't have time to sit down and review properly.

 

From what I can tell nothing was done, but I'm not 100% sure. 

 

Any help with understanding and upping my security game would be greatly appreciated. 

 

DBS

 

syslog.txt

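The kind of review the first post describes (who tried to log in, how many times, and whether any login from outside the LAN actually succeeded) can be scripted against the saved syslog. This is an added example, not the poster's syslog.txt or any Unraid tool; the sample lines are constructed, the sshd wording is standard OpenSSH, the webGUI lines are an assumed Unraid-style format, and the 192.168.1.0/24 LAN is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines, not taken from the poster's syslog.txt.
# The sshd "Failed/Accepted password" lines use standard OpenSSH wording;
# the "webGUI: ... login" lines are an assumed Unraid-style format.
SAMPLE_SYSLOG = """\
Mar  3 09:12:01 Tower sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 09:12:03 Tower sshd[2211]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 09:14:40 Tower sshd[2230]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Mar  3 09:20:15 Tower webGUI: Unsuccessful login user root from 203.0.113.7
Mar  3 09:21:02 Tower sshd[2301]: Accepted password for root from 192.168.1.50 port 50122 ssh2
Mar  3 09:25:00 Tower webGUI: Successful login user root from 198.51.100.23
"""

# Assumed home LAN; anything outside it reached the server through the DMZ rule.
LAN = ipaddress.ip_network("192.168.1.0/24")

FAILED = re.compile(r"(?:Failed \S+ for (?:invalid user )?|Unsuccessful login user )(\S+) from (\S+)")
ACCEPTED = re.compile(r"(?:Accepted \S+ for |Successful login user )(\S+) from (\S+)")


def summarize_logins(text, lan=LAN):
    """Count failed logins per source IP and flag successful logins from outside the LAN."""
    failures_by_ip = Counter()
    users_tried = Counter()
    outside_successes = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures_by_ip[ip] += 1
            users_tried[user] += 1
            continue
        m = ACCEPTED.search(line)
        if m and ipaddress.ip_address(m.group(2)) not in lan:
            outside_successes.append((m.group(1), m.group(2)))
    return {
        "total_failed": sum(failures_by_ip.values()),
        "failures_by_ip": dict(failures_by_ip),
        "users_tried": dict(users_tried),
        "outside_successes": outside_successes,
    }


if __name__ == "__main__":
    report = summarize_logins(SAMPLE_SYSLOG)
    print(f"{report['total_failed']} failed logins from {len(report['failures_by_ip'])} IPs")
    for ip, n in sorted(report["failures_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n} attempts")
    # A success from a non-LAN address is the line that decides whether the server can still be trusted.
    for user, ip in report["outside_successes"]:
        print(f"SUCCESSFUL LOGIN FROM OUTSIDE LAN: user {user} from {ip}")
```

An empty `outside_successes` list only means nothing succeeded in the lines you still have; it does not clear a box whose syslog an attacker could have edited after logging in.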

Never put your unRaid server in the DMZ.

It totally depends on your password. If you had a secure password, and the exposure was only a few hours, you might be ok. But the trouble is, can you now trust your server?

This reminds me of several times my daughter would infect her laptop with a virus. The only safe way forward was to use the windows disk to reformat and reinstall Windows on the laptop and she lost everything. It was painful, but it was good medicine. Now she is very careful.

Sent from my chisel, carved into granite

17 hours ago, tr0910 said:

Never put your unRaid server in the DMZ.

It totally depends on your password. If you had a secure password, and the exposure was only a few hours, you might be ok. But the trouble is, can you now trust your server?

This reminds me of several times my daughter would infect her laptop with a virus. The only safe way forward was to use the windows disk to reformat and reinstall Windows on the laptop and she lost everything. It was painful, but it was good medicine. Now she is very careful.

Sent from my chisel, carved into granite
 

Always makes me laugh when someone uses this logic.... rootkits have been around for a lot longer than you think. Format/reinstall won't touch it. The only safe way nowadays is to burn it with fire, or do far more analysis than most people are capable of to determine if it's still exploited. Not a lot of BIOS-level infections going around, but plenty of rootkits that will survive a format/reinstall/restore. Computrace has been around for well over a decade and was weaponized long ago by the Russians. It was a commercial rootkit used to protect computers from theft that would survive virtually anything the thief could do to the computer. That's just an easy example.

 

Think of a rootkit as a "shim" that sits between the OS and the hardware: the OS doesn't know it is there and it controls access to your hardware. It can use any part of your hardware without the OS ever knowing.

 

Hard to know what to do with a previously exploited machine..... far more skill is required than people know to assure it is not still infected.


Some malware can create a hidden drive partition that can survive a system wipe. Rootkits and bootkits will survive a system wipe for sure. Rootkits are common nowadays, but bootkits don't seem to me to be as widespread as rootkits.

 

True BIOS exploits are really rare these days.

 

The only true way to wipe those kinds of infections is to put the drive in a computer that is booted from CD and use tools to wipe the partitions at the lowest level, like dd.

 

The other thing to consider is that SSDs are ripe for this kind of exploit because their firmware is in control of disk sector allocation and marking bad sectors. It can allow an attacker to exploit the firmware to hide anything they want.

Edited by jordanmw

Just remember that unRaid is not Windows. With unRaid being Linux based, you don't have the same Win32 attack surface, and you don't have a persistent boot disk. unRaid runs in RAM, so many infections require only a reboot to clean up. With Windows you are correct, the only safe thing to do is burn it. But think of it this way.

 

1. Just fix my computer, please.  I can't afford to lose anything. 

2. Ok, I am willing to reformat.

3. I burnt it up to charcoal, then smashed everything with a sledgehammer.

4. Didn't just burn it, burnt the house and everything within 10 miles just to be certain.

 

Getting people to step 2 is a big win, and removes most of the typical Windows gremlins. Step 3 is for Edward Snowden, the drug lords, and Hillary Clinton.

13 hours ago, tr0910 said:

1. Just fix my computer, please.  I can't afford to lose anything. 

2. Ok, I am willing to reformat.

3. I burnt it up to charcoal, then smashed everything with a sledgehammer.

4. Didn't just burn it, burnt the house and everything within 10 miles just to be certain.

 

Getting people to step 2 is a big win, and removes most of the typical Windows gremlins. Step 3 is for Edward Snowden, the drug lords, and Hillary Clinton.

I agree that Windows is the primary target, but there are still concerns for Linux and Mac users, as I mentioned with Computrace. That is software that I have been watching for a long time since deploying it at an insurance company in 2001. It is one of the nastiest ones and is a direct UEFI exploit that even works with Secure Boot. It has been weaponized and found in the wild.

https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

There are a few others, but this still seems the most powerful. Not common, but becoming more so.

 

But I do agree that for most situations, a format is what should be done. NOT A RESTORE, as restore points are often infected also.
