afsilver Posted March 30, 2020 Share Posted March 30, 2020 So recently got my unraid server up and running. During setup i left unraid and VMs visible to wan ie. I forwarded the ports to webgui for unraid and VNC(stupid i know). I did this incase i wanted to work on the server from... well anywhere. Earlier today i started working on gpu passthrough. Started the VM and open VNC. Once i got to the VMs desktop i lost vnc connection and could not reconnect. I noticed unraid reporting vnc port 5900 but when i open a new vnc window it open it with port 5700. Then i looked over to the display for the VM and noticed a "run" window and CMD was being used 😮 So i rushed to unplug all the ethernet cables i could, and the activity stopped. Since i had no control over the VM, I could only see some of the command being written. "...E6netsh advfirewall firewall add rule name02ok2 dir0in" I assume this is some bot/hacker opening the vm firewall and not some expected behavior from unraid? Safe to say. Upnp and the ports has been disabled/closed in the router. I also checked the VMs vnc was setup with a password. Also how did the vnc ports get f...ed up? Firefox did not allow me to edit the url in the vnc window. Quote Link to comment
JonathanM Posted March 30, 2020 Share Posted March 30, 2020 It would appear your VM was infiltrated, if it were me I'd delete that vdisk and start over. Unraid itself is a little more resilient, but since they were in your VM, who knows where else in your network they poked around. Each device on your network needs to be examined and possibly reset, including your router. 1 Quote Link to comment
Hoopster Posted March 30, 2020 Share Posted March 30, 2020 1 hour ago, afsilver said: I did this incase i wanted to work on the server from... well anywhere. This is why you setup WireGuard (currently included in unRAID), OpenVPN-AS docker container or ZeroTier docker container. I have used all three, but WireGuard is the most convenient. They all work great for remote access without the risks inherent in opening standard ports on your server directly to the Internet. 1 Quote Link to comment
afsilver Posted March 31, 2020 Author Share Posted March 31, 2020 13 hours ago, jonathanm said: It would appear your VM was infiltrated, if it were me I'd delete that vdisk and start over. Unraid itself is a little more resilient, but since they were in your VM, who knows where else in your network they poked around. Each device on your network needs to be examined and possibly reset, including your router. Thanks, i'll get ridd of the vdisk straight away. Regarding the router, I am hesitant to reset it. Took me quite i while to set up, guess i'll have to go digging for my backup config (if i ever made one). 12 hours ago, Hoopster said: This is why you setup WireGuard (currently included in unRAID), OpenVPN-AS docker container or ZeroTier docker container. I have used all three, but WireGuard is the most convenient. They all work great for remote access without the risks inherent in opening standard ports on your server directly to the Internet. Then WireGuard will be my next "project". thanks for the tip. Quote Link to comment
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.