RossEm (Author), posted December 19, 2019:

Okay, now I'm confused. Should I wait for a reply from the Abuse Team, just run it, or disable dockers?

soja, posted December 19, 2019:

> Just now, RossEm said:
> Okay, now I'm confused. Should I wait for a reply from the Abuse Team, just run it, or disable dockers?

I apologize, there are two different troubleshooting suggestions here. Disabling your port forwarding for 22 is a good first step.

RossEm (Author), posted December 19, 2019 (edited December 19, 2019):

Okay, I will run this after what the abuse team sends back to me.

trurl, posted December 19, 2019:

See this thread for the sort of thing we're talking about: https://forums.unraid.net/topic/86061-unraid-dropping-wan-connections

That user thought they had found their problem before we had a chance to respond. So they were going to keep doing what they were doing. They never came back to find out what we had to say about what was happening and what they were doing wrong, so probably they are still getting hacked.

RossEm (Author), posted December 19, 2019:

Ight, thank you. I did send an email to the abuse team. Removed port 22. That’s all. I will wait for further instructions from them. Did you find any of those connections in my diagnostics?

bonienl, posted December 19, 2019:

> 6 minutes ago, RossEm said:
> Did you find any of those connections in my diagnostics?

You should uninstall the ssh plugin. This installs putty on your server, but this isn't really needed, because you won't use the server to set up ssh connections to other systems.

trurl, posted December 19, 2019:

> 34 minutes ago, RossEm said:
> Did you find any of those connections in my diagnostics?

The diagnostics you gave us only include a few seconds after reboot, and without the array started. You have to set up Syslog Server if you want to keep syslogs from earlier. https://forums.unraid.net/topic/46802-faq-for-unraid-v6/?do=findComment&comment=781601

RossEm (Author), posted December 19, 2019:

I might have got some useful info from when this happened (not the most recent time):

received: from mail.abusix.invalid (ip.............adsl-surfen.hetnet.nl[MYIP]) by example.me(Haraka/2.8.25) with ESMTPA id 1E07A68A-DE36-4357-AC9D-4A3B86C1CC95.72 envelope-from <[email protected]> (authenticated bits=0); Mon, 25 Nov 2019 08:37:56 +0100

soja, posted December 19, 2019:

Yeah that looks like something on your network is sending out mail. The question is where from?

RossEm (Author), posted December 19, 2019:

It’s from the UnRaid I can tell you that much.

soja, posted December 19, 2019:

> 1 minute ago, RossEm said:
> It’s from the UnRaid I can tell you that much.

I saw you have the community-applications plugin installed. Did you install anything email related from that? An SMTP server perhaps?

RossEm (Author), posted December 19, 2019:

> Just now, soja said:
> I saw you have the community-applications plugin installed. Did you install anything email related from that? An SMTP server perhaps?

Maybe, I don’t remember well. It could be, as I wanted to install my own.

soja, posted December 19, 2019:

> 1 minute ago, RossEm said:
> Maybe, I don’t remember well. It could be, as I wanted to install my own.

Do you have a list of all ports currently forwarded to your unraid box? Does it have a public IP usually? Is port 25 among those forwarded?

RossEm (Author), posted December 19, 2019:

I mentioned it in the above messages.

First: 22, 80/180, 443/1443
Now: 80/180, 443/1443

And what do you mean by public IP?

bonienl, posted December 19, 2019:

Is your Unraid system fully up and running now? If yes, please post new diagnostics.

RossEm (Author), posted December 19, 2019 (edited December 19, 2019):

No, it isn’t. I’m posting an update when it is; waiting for the abuse team to write me back.

soja, posted December 19, 2019 (edited December 19, 2019):

> 22 minutes ago, RossEm said:
> I mentioned it in the above messages. First: 22, 80/180, 443/1443. Now: 80/180, 443/1443. And what do you mean by public IP?

Ok I just wanted to make sure we knew ALL forwarded ports, thank you and sorry for asking you to do it twice.

A public IP is an address that is not within these ranges: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

Typical private IP addresses look like:

10.1.10.55
172.16.1.55
192.168.1.55

Does unraid usually have an IP like one of these?

RossEm (Author), posted December 19, 2019 (edited December 19, 2019):

Only one question is still left for me. Should I reinstall all dockers or do a fresh reinstall of UnRaid?

RossEm (Author), posted December 19, 2019:

> 10 minutes ago, soja said:
> Ok I just wanted to make sure we knew ALL forwarded ports, thank you and sorry for asking you to do it twice. A public IP is an address that is not within these ranges: https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
> Typical private IP addresses look like: 10.1.10.55 172.16.1.55 192.168.1.55
> Does unraid usually have an IP like one of these?

Yes, it’s 192.168.2.23

soja, posted December 19, 2019:

> 5 minutes ago, RossEm said:
> Yes, it’s 192.168.2.23

Ok so that should eliminate the possibility of it being an SMTP server open to the internet without any authentication. Points toward something on the server sending the mail. When do you think you'd be able to see if you have an SMTP server installed, and if you do, check out any logs from it?

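Added example, not part of any post in this thread: one way to pull the trace fields out of a Received header like the one RossEm quoted, and to test an address against the private ranges soja links to. The sample header is constructed (placeholder rDNS name, address and id), and `parse_received` and `is_rfc1918` are hypothetical helper names.

```python
import ipaddress
import re
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the header in the thread. The rDNS name,
# the address (203.0.113.45, documentation range) and the id are placeholders.
SAMPLE = ("from mail.abusix.invalid (host.isp.example [203.0.113.45]) "
          "by example.me (Haraka/2.8.25) with ESMTPA id CONSTRUCTED-ID.1 "
          "envelope-from <sender@example.invalid> (authenticated bits=0); "
          "Mon, 25 Nov 2019 08:37:56 +0100")

# The private IPv4 ranges (RFC 1918) from the linked Wikipedia section.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# from <HELO name> (<rDNS> [<peer IP>]) by <receiver> ... with <protocol>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>[^\s(]+).*?\swith\s+(?P<proto>\S+)", re.S)

def is_rfc1918(addr):
    """True if addr falls inside one of the three private IPv4 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_received(value):
    """Split one Received header value into its trace fields."""
    trace, _, stamp = value.rpartition(";")   # timestamp follows the last ';'
    m = RECEIVED_RE.search(trace)
    if m is None:
        raise ValueError("unrecognised Received format")
    proto = m["proto"].upper()
    return {
        "helo": m["helo"],            # name the client announced (unverified)
        "rdns": m["rdns"] or None,    # reverse DNS the receiver looked up
        "ip": m["ip"],                # peer address the receiver recorded
        "rfc1918": is_rfc1918(m["ip"]),
        "by": m["by"],
        "protocol": proto,
        # RFC 3848: ESMTPA / ESMTPSA mean the client completed SMTP AUTH
        "authenticated": proto in {"ESMTPA", "ESMTPSA"},
        "when": parsedate_to_datetime(stamp.strip()),
    }

if __name__ == "__main__":
    for key, val in parse_received(SAMPLE).items():
        print(f"{key:14} {val}")
```

The bracketed address is the one the receiving server recorded for the connection, while the name after `from` is only what the client announced. For a host behind NAT that address is the router's public one, not the 192.168.x.x address of the server itself.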
RossEm (Author), posted December 19, 2019:

If I ever had it installed, I removed it anyway.

trurl, posted December 19, 2019:

> 14 minutes ago, RossEm said:
> Only one question is still left for me. Should I reinstall all dockers or do a fresh reinstall of UnRaid?

You should close all those ports, that is the main thing.

The docker and Unraid installs are very unlikely to be a problem. In any case, dockers are easily reinstalled using the Previous Apps feature on the Apps page.

As for Unraid, it installs itself into RAM fresh from the archives on flash each time it boots.

RossEm (Author), posted December 19, 2019:

Can I open port 443 that points to 1443 locally and 80 that points to 180 locally for the nextcloud?

RossEm (Author), posted December 20, 2019:

I got an email back from the abuse team. They said close port 22 and turn the machine back on. Should I open in safe mode because the dockers are on autostart?

itimpi, posted December 20, 2019:

> 1 hour ago, RossEm said:
> I got an email back from the abuse team. They said close port 22 and turn the machine back on. Should I open in safe mode because the dockers are on autostart?

The Safe Mode boot option only stops plugins from being installed (since they can de-stabilize the system). It will not stop dockers from being started.