Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Unsecured Unraid server available with no password

Featured Replies

I stumbled on an unraid server that is fully exposed and running with no security on the internet.  It looks like someone in the US in bloomfield Indiana.  What can I do to alert the user of the issue? It has been up for 47 days and running 6.5.3.  Running pro version- so maybe I can give LT the reg key, and they can contact the user?  Looks like it is running serviio and not much else- bunch of movies on drives. 

You could delete the USB content and replace it with a file with your phone number 🤠

Edited by saarg

  • Author

I'm definitely more on the white side of grey- probably won't do anything quite that malicious- just trying to save someone some headache.  I have found several others but this was the most exposed. 

Every time you see the machine is online and unsecured, shut it down. Least harm possible for best benefit. It can't be hacked by anyone else if it's off.

 

  • Author

I grabbed the guid for the flash drive- and I'll turn it off and let LT know.

How about adding a benign docker container and give it a scary sounding name. Like "Hacked" or PWNED or "Virus Bot". Then wait for the inevitable panicked forum post.

1 minute ago, primeval_god said:

How about adding a benign docker container and give it a scary sounding name. Like "Hacked" or PWNED or "Virus Bot". Then wait for the inevitable panicked forum post.

Only a fraction of Unraid users read this forum, and only a fraction of those post. There is no guarantee that someone clueless enough to leave the server open is clueful enough to come here for help.

Just now, jonathanm said:

Only a fraction of Unraid users read this forum, and only a fraction of those post. There is no guarantee that someone clueless enough to leave the server open is clueful enough to come here for help.

True, I guess you could embed an explanation in the container description, and a phone number in the name.

  • Author
5 minutes ago, primeval_god said:

How about adding a benign docker container and give it a scary sounding name. Like "Hacked" or PWNED or "Virus Bot". Then wait for the inevitable panicked forum post.

Honestly- I won't make changes out of principle.  I will try to identify the user and inform them only.  It appears from the movie collection, that it is an older person- possibly a war vet based on the military movies from by gone eras. I don't want some poor vet somewhere thinking that his system has been altered.  Jonathan is right- off is the least damaging action and will keep his data safe until he can be informed.  If it comes back on- and I fail to contact them- I may do other things to inform them when they reboot. 

Wait a sec, it's possible to set Unraid up with no root password? I always thought the root password is required.

  • Author

password not required

  • Author

I sent info to LT- they will contact them. I powered it down for now.

Edited by jordanmw

3 hours ago, jordanmw said:

I sent info to LT- they will contact them. I powered it down for now.

Nice to see a good guy!  Just curious, how did you come upon it?

  • Author

There are strings in the logs that are unique to unraid, and if the server is fully open to the internet- they get indexed in google searches.  From there- used a little google-fu to find others.  There are a few, but most are not completely open like his was.  Obviously anyone who leaves the default server name had Tower/Main in the title.

7 minutes ago, jordanmw said:

There are strings in the logs that are unique to unraid, and if the server is fully open to the internet- they get indexed in google searches.  From there- used a little google-fu to find others.  There are a few, but most are not completely open like his was.  Obviously anyone who leaves the default server name had Tower/Main in the title.

Clever.....

4 hours ago, jordanmw said:

There are strings in the logs that are unique to unraid, and if the server is fully open to the internet- they get indexed in google searches.  From there- used a little google-fu to find others.  There are a few, but most are not completely open like his was.  Obviously anyone who leaves the default server name had Tower/Main in the title.

Just FYI - A few versions back Unraid added a robots.txt file, which should keep legitimate search engines from indexing a server that is placed on the Internet. 

Edited by ljm42

Hi guys,

 

a big big thumb up for jordanmw for posting and trying to inform the owner. But also to the community here where everybody can get a solution for different problems.

  • Author

I know that LT tried to reach out to them but it is back online this morning.  I shut it down again but if it comes back up, I may change their banner to something with a message for them.  Good to know that they added the robots.txt so indexing won't continue.  Maybe mail from LT is going to spam or something.

Change the auto start so the array doesn't come up automatically.

we need to identify this person and publicly shame them LOL JK good job @jordanmw

if the server keeps coming back online unsecured that banner Idea is a good idea 

Edited by Fiservedpi

Change the default boot option to be MEMTEST. 👿

I would be really careful what you're doin. Sure, we all know you will not deal any harm to that person and this is all in his/her interest, but changing files on that persons pc in lot of countries without his permission is against the law. Just sayin.

On 6/6/2019 at 6:51 PM, jordanmw said:

password not required

I think that my Towers are unsecure, as I don't have to use a password.

How can I make them secure?

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.