December 23, 201015 yr I just got back in town and found my unraid server off, I powered it back on and I realized my user shares have vanished!!! I see the disk mount and only one of my user shares (Storage) but it is empty. I had 3 user shares before, (Backup, Media, Storage) How can I restore how it was, or what in the world possibly happened? I had never seen this happen before. I am attacking a link to syslog: http://dl.dropbox.com/u/38304/syslog-2010-12-23.txt I noticed it was off yesterday 12/21 and then i powered it on, I then noticed it was doing a parity check etc and I thought thats why the user shares were not back up. Any help is needed, I am thinking about doing a reboot now to see if it comes up
December 23, 201015 yr I'm not well versed in this and you will surely get a more informed answer from someone else here. You didn't mention if the parity check has completed. I would definitely let it complete before rebooting to see if that solves the problem. From what I can see in your syslog, you're having I/O problems with your sdb drive. I got a lot of those type of errors and ended up replacing my cheap SATA cables with higher quality ones. But that's probably not where the problem is if it was ok before you left. If you found it off when you got back, you probably had a power outage. Do you have a UPS? I do know that if the server does not have a clean shutdown, it will automatically do a parity check upon starting up again, so that would be expected. Hopefully you'll get some more helpful responses.
December 23, 201015 yr From what I can tell you have an issue with sdb, I would shut down the server check/replace the cable for this drive, restart the server see if the error goes away, if not run a smart report on this drive and post the results back here for some of the drive experts to look at. One question on the sdb dive, do you have pins 7 & 8 jumpered?
December 23, 201015 yr DO NOT CHANGE THE JUMPER SETTINGS ONCE THE DRIVE IS ASSIGNED TO THE UNRAID ARRAY WHEN THE ARRAY IS FAILED. YOU WILL LOSE ALL THE DATA ON THE FAILED DRIVE AND THE ONE WHERE YOU ARE MESSING WITH THE JUMPERS. As far as the "user-shares" When unRAID started back up it had to replay the journal entries from your disks before it could mount them. In the interim the user-shares were defined based on what existed at that time. (and the file-systems were not yet mounted, so they did not yet exist to be accessed) The replay took several minutes: Dec 21 22:36:41 Tower kernel: REISERFS (device md1): replayed 1337 transactions in 167 seconds. The time will depend on the number of transactions to be replayed to the disks. (I've seen it take as long as 15 minutes here on one of my systems after a power failure) Once the journal entries were re-played and the file-systems mounted the shares should have become visible. (If not, stopping the array and re-starting it should show them) You should let the parity check finish as already mentioned if one is running. If a drive is disabled "red" the parity check will not run, and in fact the failed drive will be simulated. Get the SMART report on the disk with the errors (/dev/sdb). It might actually be a failed drive, or it might just be a loose cable to the drive. It is not responding at all: Dec 23 02:36:17 Tower kernel: ata4.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0 Dec 23 02:36:17 Tower kernel: ata4.00: BMDMA stat 0x24 Dec 23 02:36:17 Tower kernel: ata4.00: failed command: READ DMA EXT Dec 23 02:36:17 Tower kernel: ata4.00: cmd 25/00:08:a8:88:e0/00:00:e8:00:00/e0 tag 0 dma 4096 in Dec 23 02:36:17 Tower kernel: res 51/01:00:af:88:e0/01:00:e8:00:00/e0 Emask 0x1 (device error) Dec 23 02:36:17 Tower kernel: ata4.00: status: { DRDY ERR } Dec 23 02:36:17 Tower kernel: ata4.00: configured for UDMA/33 Dec 23 02:36:17 Tower kernel: ata4: EH complete Dec 23 02:36:23 Tower kernel: sd 3:0:0:0: [sdb] Unhandled sense code Dec 23 02:36:23 Tower kernel: sd 3:0:0:0: [sdb] Result: hostbyte=0x00 driverbyte=0x08 Dec 23 02:36:23 Tower kernel: sd 3:0:0:0: [sdb] Sense Key : 0x3 [current] [descriptor] Dec 23 02:36:23 Tower kernel: Descriptor sense data with sense descriptors (in hex): Dec 23 02:36:23 Tower kernel: 72 03 13 00 00 00 00 0c 00 0a 80 00 00 00 00 00 Dec 23 02:36:23 Tower kernel: e8 e0 88 af Dec 23 02:36:23 Tower kernel: sd 3:0:0:0: [sdb] ASC=0x13 ASCQ=0x0 Dec 23 02:36:23 Tower kernel: sd 3:0:0:0: [sdb] CDB: cdb[0]=0x28: 28 00 e8 e0 88 a8 00 00 08 00 Dec 23 02:36:23 Tower kernel: end_request: I/O error, dev sdb, sector 3907029167 Dec 23 02:36:23 Tower kernel: Buffer I/O error on device sdb, logical block 488378645 Stop the array, power down, and check the connections (data and power) to the drive. Be careful not to dislodge the other cables to other disks. Joe L.
December 23, 201015 yr manolodf, I did not intend on you to add jumper without completing the trouble-shooting only asking the question. I should have been clearer in my request. Joe L, I collect data points for future trouble-shooting of my systems. With my limited knowledge of unRAID, I know of no drive failures, only slow data transfers with out the jumper installed, I do not see any log entries for a UPS installed so I am assuming a hard shutdown do to power failure or some other hardware problem. The way I am looking at this is if more drive failures start to crop up on a hard shut downs it would indicate a pattern that would make jumpering these drives more important. manolodf, On a side note, if this was a power failure and you do not have a UPC installed I would invest in one as at least you will have a clean shut down.
December 23, 201015 yr Author From what I can tell you have an issue with sdb, I would shut down the server check/replace the cable for this drive, restart the server see if the error goes away, if not run a smart report on this drive and post the results back here for some of the drive experts to look at. One question on the sdb dive, do you have pins 7 & 8 jumpered? What I did actually was power down normally and power up and my shares were indeed back, it must have been something after power outage and the parity check completed succesfully it just never restored the user shares. The pins are jumpered, but that drive still sucks hard! I had to install the cache drive because it gave me tons of issues for a while.
December 23, 201015 yr Author Is that thing exposed to the internet? What's with all the failed logins? I am actually not sure, what in specific do you see? It has a few ports exposed but its not dmz or anything.
December 23, 201015 yr Is that thing exposed to the internet? What's with all the failed logins? I am actually not sure, what in specific do you see? It has a few ports exposed but its not dmz or anything. You are apparently then being attacked. (From several different IP addresses at that) Are you really sure you want to open up you server to the world? ( Your router probably has FAR too much open. I hope you have really strong passwords on every possible login. If not, you probably already have script-kiddies in your LAN. They seem to be trying about two or three login attempts per second.) Joe L. Dec 22 19:00:29 Tower sshd[23202] Did not receive identification string from 58.49.104.164 Failed password for invalid user staff from 58.49.104.164 port 33711 ssh2 Failed password for invalid user sales from 58.49.104.164 port 35833 ssh2 Failed password for invalid user recruit from 58.49.104.164 port 36705 ssh2 Failed password for invalid user alias from 58.49.104.164 port 37919 ssh2 Failed password for invalid user office from 58.49.104.164 port 39550 ssh2 Failed password for invalid user samba from 58.49.104.164 port 39803 ssh2 Failed password for invalid user tomcat from 58.49.104.164 port 42244 ssh2 Failed password for invalid user webadmin from 58.49.104.164 port 45440 ssh2 Failed password for invalid user spam from 58.49.104.164 port 45688 ssh2 Failed password for invalid user virus from 58.49.104.164 port 48105 ssh2 Failed password for invalid user cyrus from 58.49.104.164 port 48631 ssh2 Failed password for invalid user oracle from 58.49.104.164 port 50926 ssh2 Failed password for invalid user michael from 58.49.104.164 port 53984 ssh2 Dec 22 19:05:42 Tower sshd[25655]: error: Could not get shadow information for ftp Failed password for ftp from 58.49.104.164 port 54478 ssh2 Failed password for invalid user test from 58.49.104.164 port 55717 ssh2 Failed password for invalid user webmaster from 58.49.104.164 port 57295 ssh2 Failed password for invalid user postmaster from 58.49.104.164 port 58628 ssh2 Failed password for invalid user postfix from 58.49.104.164 port 60236 ssh2 Failed password for invalid user postgres from 58.49.104.164 port 62091 ssh2 Failed password for invalid user paul from 58.49.104.164 port 63251 ssh2 Dec 22 19:05:59 Tower sshd[25855]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 64510 ssh2 Failed password for invalid user guest from 58.49.104.164 port 2171 ssh2 Failed password for invalid user admin from 58.49.104.164 port 2914 ssh2 Failed password for invalid user linux from 58.49.104.164 port 5119 ssh2 Failed password for invalid user user from 58.49.104.164 port 5401 ssh2 Failed password for invalid user david from 58.49.104.164 port 7829 ssh2 Failed password for invalid user web from 58.49.104.164 port 8321 ssh2 Dec 22 19:06:15 Tower sshd[25965]: error: Could not get shadow information for apache Failed password for apache from 58.49.104.164 port 10240 ssh2 Failed password for invalid user pgsql from 58.49.104.164 port 11256 ssh2 Dec 22 19:06:19 Tower sshd[26021]: error: Could not get shadow information for mysql Failed password for mysql from 58.49.104.164 port 13251 ssh2 Failed password for invalid user info from 58.49.104.164 port 14213 ssh2 Failed password for invalid user tony from 58.49.104.164 port 15432 ssh2 Failed password for invalid user core from 58.49.104.164 port 17165 ssh2 Failed password for invalid user newsletter from 58.49.104.164 port 18051 ssh2 Failed password for invalid user named from 58.49.104.164 port 20092 ssh2 Failed password for invalid user visitor from 58.49.104.164 port 20446 ssh2 Failed password for invalid user ftpuser from 58.49.104.164 port 22526 ssh2 Failed password for invalid user username from 58.49.104.164 port 23387 ssh2 Failed password for invalid user administrator from 58.49.104.164 port 24743 ssh2 Failed password for invalid user library from 58.49.104.164 port 26690 ssh2 Failed password for invalid user test from 58.49.104.164 port 28123 ssh2 Dec 22 19:06:46 Tower sshd[26211]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 29917 ssh2 Dec 22 19:06:48 Tower sshd[26237]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 30254 ssh2 Failed password for invalid user admin from 58.49.104.164 port 32274 ssh2 Failed password for invalid user guest from 58.49.104.164 port 36038 ssh2 Failed password for invalid user master from 58.49.104.164 port 36374 ssh2 Dec 22 19:07:00 Tower sshd[26413]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 38702 ssh2 Dec 22 19:07:02 Tower sshd[26439]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 39348 ssh2 Dec 22 19:07:04 Tower sshd[26465]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 40543 ssh2 Dec 22 19:07:06 Tower sshd[26473]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 42237 ssh2 Dec 22 19:07:08 Tower sshd[26499]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 42835 ssh2 Failed password for invalid user admin from 58.49.104.164 port 44989 ssh2 Failed password for invalid user admin from 58.49.104.164 port 45573 ssh2 Failed password for invalid user admin from 58.49.104.164 port 47825 ssh2 Failed password for invalid user admin from 58.49.104.164 port 48397 ssh2 Dec 22 19:07:19 Tower sshd[26575]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 49554 ssh2 Dec 22 19:07:22 Tower sshd[26601]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 51258 ssh2 Failed password for invalid user test from 58.49.104.164 port 52490 ssh2 Failed password for invalid user test from 58.49.104.164 port 54145 ssh2 Failed password for invalid user webmaster from 58.49.104.164 port 54623 ssh2 Failed password for invalid user username from 58.49.104.164 port 57075 ssh2 Failed password for invalid user user from 58.49.104.164 port 60090 ssh2 Dec 22 19:07:38 Tower sshd[26733]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 60431 ssh2 Failed password for invalid user admin from 58.49.104.164 port 63129 ssh2 Failed password for invalid user test from 58.49.104.164 port 63458 ssh2 Dec 22 19:07:49 Tower sshd[26850]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 1764 ssh2 Dec 22 19:07:51 Tower sshd[26909]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 5173 ssh2 Dec 22 19:07:53 Tower sshd[26917]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 5935 ssh2 Failed password for invalid user danny from 58.49.104.164 port 8004 ssh2 Failed password for invalid user alex from 58.49.104.164 port 8398 ssh2 Failed password for invalid user brett from 58.49.104.164 port 37632 ssh2 Failed password for invalid user mike from 58.49.104.164 port 41778 ssh2 Failed password for invalid user alan from 58.49.104.164 port 42121 ssh2 Failed password for invalid user data from 58.49.104.164 port 44419 ssh2 Failed password for invalid user www-data from 58.49.104.164 port 45162 ssh2 Failed password for invalid user http from 58.49.104.164 port 47419 ssh2 Failed password for invalid user httpd from 58.49.104.164 port 48039 ssh2 Dec 22 19:08:21 Tower sshd[27135]: error: Could not get shadow information for pop Failed password for pop from 58.49.104.164 port 49197 ssh2 Dec 22 19:08:24 Tower sshd[27165]: error: Could not get shadow information for nobody Failed password for nobody from 58.49.104.164 port 51653 ssh2 Dec 22 19:08:26 Tower sshd[27195]: error: Could not get shadow information for root Failed password for root from 58.49.104.164 port 54279 ssh2 Failed password for invalid user backup from 58.49.104.164 port 55042 ssh2 Failed password for invalid user info from 58.49.104.164 port 57277 ssh2 Failed password for invalid user shop from 58.49.104.164 port 58300 ssh2 Failed password for invalid user sales from 58.49.104.164 port 59506 ssh2 Failed password for invalid user web from 58.49.104.164 port 61106 ssh2 Failed password for invalid user www from 58.49.104.164 port 62571 ssh2 Failed password for invalid user wwwrun from 58.49.104.164 port 64702 ssh2 Failed password for invalid user adam from 58.49.104.164 port 2057 ssh2 Failed password for invalid user stephen from 58.49.104.164 port 4684 ssh2 Failed password for invalid user richard from 58.49.104.164 port 5885 ssh2 Failed password for invalid user george from 58.49.104.164 port 7789 ssh2 Failed password for invalid user john from 58.49.104.164 port 11530 ssh2 Dec 22 19:08:57 Tower sshd[27533]: error: Could not get shadow information for news Failed password for news from 58.49.104.164 port 12762 ssh2 Failed password for invalid user angel from 58.49.104.164 port 14498 ssh2 Dec 22 19:09:09 Tower sshd[27601]: error: Could not get shadow information for games Failed password for games from 58.49.104.164 port 18369 ssh2 Failed password for invalid user pgsql from 58.49.104.164 port 22533 ssh2 Dec 22 19:09:14 Tower sshd[27635]: error: Could not get shadow information for mail Failed password for mail from 58.49.104.164 port 23831 ssh2 Dec 22 19:09:16 Tower sshd[27665]: error: Could not get shadow information for adm Failed password for adm from 58.49.104.164 port 27123 ssh2 Failed password for invalid user ident from 58.49.104.164 port 28391 ssh2 Failed password for invalid user webpop from 58.49.104.164 port 29997 ssh2 Failed password for invalid user susan from 58.49.104.164 port 31275 ssh2 Dec 22 19:09:24 Tower emhttp: shcmd (42): /usr/sbin/hdparm -y /dev/sdc >/dev/null Failed password for invalid user sunny from 58.49.104.164 port 33307 ssh2 Failed password for invalid user steven from 58.49.104.164 port 35874 ssh2 Failed password for invalid user ssh from 58.49.104.164 port 37348 ssh2 Failed password for invalid user search from 58.49.104.164 port 38717 ssh2 Failed password for invalid user sara from 58.49.104.164 port 40782 ssh2 Failed password for invalid user robert from 58.49.104.164 port 44880 ssh2 Failed password for invalid user richard from 58.49.104.164 port 46155 ssh2 Failed password for invalid user party from 58.49.104.164 port 48240 ssh2 Failed password for invalid user amanda from 58.49.104.164 port 49656 ssh2 Failed password for invalid user rpm from 58.49.104.164 port 52196 ssh2 Dec 22 19:09:52 Tower sshd[28008]: error: Could not get shadow information for operator Failed password for operator from 58.49.104.164 port 53596 ssh2 Failed password for invalid user sgi from 58.49.104.164 port 55396 ssh2 Failed password for sshd from 58.49.104.164 port 59141 ssh2 Failed password for invalid user users from 58.49.104.164 port 60757 ssh2 Failed password for invalid user admins from 58.49.104.164 port 61946 ssh2 Failed password for invalid user admins from 58.49.104.164 port 63526 ssh2 Dec 22 19:10:08 Tower sshd[28150]: error: Could not get shadow information for bin Failed password for bin from 58.49.104.164 port 64760 ssh2 Dec 22 19:10:10 Tower sshd[28158]: error: Could not get shadow information for daemon Failed password for daemon from 58.49.104.164 port 2912 ssh2 Dec 22 19:10:12 Tower sshd[28184]: error: Could not get shadow information for lp Failed password for lp from 58.49.104.164 port 4288 ssh2 Dec 22 19:10:14 Tower sshd[28192]: error: Could not get shadow information for sync Failed password for sync from 58.49.104.164 port 5573 ssh2 Dec 22 19:10:17 Tower sshd[28222]: error: Could not get shadow information for shutdown Failed password for shutdown from 58.49.104.164 port 7140 ssh2 Dec 22 19:10:19 Tower sshd[28248]: error: Could not get shadow information for halt Failed password for halt from 58.49.104.164 port 9178 ssh2 Dec 22 19:10:21 Tower sshd[28256]: error: Could not get shadow information for uucp Failed password for uucp from 58.49.104.164 port 10788 ssh2 Dec 22 19:10:23 Tower sshd[28264]: error: Could not get shadow information for smmsp Failed password for smmsp from 58.49.104.164 port 12099 ssh2 Failed password for invalid user dean from 58.49.104.164 port 14554 ssh2 Failed password for invalid user unknown from 58.49.104.164 port 15831 ssh2 Failed password for invalid user securityagent from 58.49.104.164 port 17921 ssh2 Failed password for invalid user tokend from 58.49.104.164 port 19551 ssh2 Failed password for invalid user windowserver from 58.49.104.164 port 21308 ssh2 Failed password for invalid user appowner from 58.49.104.164 port 22746 ssh2 Failed password for invalid user xgridagent from 58.49.104.164 port 26174 ssh2 Failed password for invalid user agent from 58.49.104.164 port 27106 ssh2 Failed password for invalid user xgridcontroller from 58.49.104.164 port 28965 ssh2 Failed password for invalid user jabber from 58.49.104.164 port 30193 ssh2 Failed password for invalid user amavisd from 58.49.104.164 port 33947 ssh2 Failed password for invalid user clamav from 58.49.104.164 port 36210 ssh2 Failed password for invalid user appserver from 58.49.104.164 port 38188 ssh2 Failed password for invalid user mailman from 58.49.104.164 port 40517 ssh2 Failed password for invalid user cyrusimap from 58.49.104.164 port 42064 ssh2 Failed password for invalid user qtss from 58.49.104.164 port 43090 ssh2 Failed password for invalid user eppc from 58.49.104.164 port 44892 ssh2 Failed password for invalid user telnetd from 58.49.104.164 port 46203 ssh2 Failed password for invalid user identd from 58.49.104.164 port 48254 ssh2 Failed password for invalid user gnats from 58.49.104.164 port 49637 ssh2 Failed password for invalid user jeff from 58.49.104.164 port 50954 ssh2 Failed password for invalid user irc from 58.49.104.164 port 52517 ssh2 Failed password for invalid user list from 58.49.104.164 port 53681 ssh2 Failed password for invalid user eleve from 58.49.104.164 port 55159 ssh2 Failed password for invalid user proxy from 58.49.104.164 port 56382 ssh2 Failed password for invalid user sys from 58.49.104.164 port 58106 ssh2 Failed password for invalid user zzz from 58.49.104.164 port 59254 ssh2 Failed password for invalid user frank from 58.49.104.164 port 60621 ssh2 Failed password for invalid user dan from 58.49.104.164 port 62091 ssh2 Failed password for invalid user james from 58.49.104.164 port 63336 ssh2 Failed password for invalid user snort from 58.49.104.164 port 1517 ssh2 Failed password for invalid user radiomail from 58.49.104.164 port 2998 ssh2 Failed password for invalid user harrypotter from 58.49.104.164 port 5202 ssh2 Failed password for invalid user divine from 58.49.104.164 port 6915 ssh2 Failed password for invalid user popa3d from 58.49.104.164 port 9189 ssh2 Failed password for invalid user aptproxy from 58.49.104.164 port 10352 ssh2 Failed password for invalid user desktop from 58.49.104.164 port 12020 ssh2 Failed password for invalid user workshop from 58.49.104.164 port 13791 ssh2 Failed password for invalid user mailnull from 58.49.104.164 port 15483 ssh2 Failed password for invalid user nfsnobody from 58.49.104.164 port 17852 ssh2 Failed password for invalid user rpcuser from 58.49.104.164 port 19107 ssh2 Dec 22 19:11:59 Tower sshd[29190]: error: Could not get shadow information for rpc Failed password for rpc from 58.49.104.164 port 21369 ssh2 Failed password for invalid user gopher from 58.49.104.164 port 23125 ssh2 Dec 23 00:11:56 Tower sshd[23383]: Did not receive identification string from 113.98.212.239
December 23, 201015 yr Author I only have like 4 ports that are open to the Unraid, for unMenu, Airvideo and few other things etc. Definately all those ports listed. My lan here is just family and was WPA2 so its not like its an unsecured, so it must be one of the other PCs? Is there a way to know what local IP is doing this?
December 23, 201015 yr I only have like 4 ports that are open to the Unraid, for unMenu, Airvideo and few other things etc. Definately all those ports listed. My lan here is just family and was WPA2 so its not like its an unsecured, so it must be one of the other PCs? Is there a way to know what local IP is doing this? They are trying to get through on a lot of ports. Check your router config again to make sure something is not mis-configured. I specifically turn OFF UPNP on all my routers so that they do not try and "help" me.
December 23, 201015 yr Author I have turned UPNP Off. Could it be anything internal? XBMC, or any computers do their backups to unraid etc?
December 23, 201015 yr You should have no ports forwarded on your router that point to your UnRaid box zero zip nada. All these attempts are getting past your router/firewall/NAT if they are showing up on your internal network!
December 24, 201015 yr You are clearly being attacked. By the way, WPA2 is not an anti-malware tool. It simply provides secure communications between a station and the router, essentially providing a 'secure line' between them, for both good and bad traffic. If the station is infected, then the trojan/malware can also take advantage of that secure line to attack others or perform its malware duties. WPA2 will not protect you from malware, just keep the traffic between that station and the router from being sniffed or tampered with. I would first start a tail of the syslog on the system console, so that you can see the incoming login attempts, then disconnect the Internet cable to your router, to verify that the login attempts stop. Then reconnect that cable, watch for more attempted logins, then shut down your other computers one by one, monitoring the console for the cessation of logins. That should hopefully help you determine which machine is infected, unless it is the router itself. On second thought, perhaps it would be better to shut down other stations first, one by one, before pulling the cable... Perhaps someone else has a more rigorous testing method... Do you possibly have a VPN set up somewhere on the network, including on the router?
December 24, 201015 yr The IP is from china. http://www.ip-adress.com/ip_tracer/58.49.104.164 I'm guessing there is at least one script-kiddie in china.
December 24, 201015 yr Author You are clearly being attacked. By the way, WPA2 is not an anti-malware tool. It simply provides secure communications between a station and the router, essentially providing a 'secure line' between them, for both good and bad traffic. If the station is infected, then the trojan/malware can also take advantage of that secure line to attack others or perform its malware duties. WPA2 will not protect you from malware, just keep the traffic between that station and the router from being sniffed or tampered with. I would first start a tail of the syslog on the system console, so that you can see the incoming login attempts, then disconnect the Internet cable to your router, to verify that the login attempts stop. Then reconnect that cable, watch for more attempted logins, then shut down your other computers one by one, monitoring the console for the cessation of logins. That should hopefully help you determine which machine is infected, unless it is the router itself. On second thought, perhaps it would be better to shut down other stations first, one by one, before pulling the cable... Perhaps someone else has a more rigorous testing method... Do you possibly have a VPN set up somewhere on the network, including on the router? I do not have VPN setup, and none of the ports that appear being attempted from the china IP are being forwarded, which is the weird thing. How do I do a tail on the syslog on the console so I can see the logins? What exactly is it trying to log into? Because I am not sure I have any logins actually. I am seeing the IP has changed a bit. here are a few new ones, but if they were coming from inside my network then how could they be a different IP? : Dec 24 08:29:11 Tower sshd[26142]: error: Could not get shadow information for NOUSER Dec 24 08:29:11 Tower sshd[26142]: Failed password for invalid user mailman from 77.105.207.192 port 34093 ssh2 Dec 24 08:29:12 Tower sshd[26150]: Invalid user mailman from 77.105.207.192 Dec 24 08:29:12 Tower sshd[26150]: error: Could not get shadow information for NOUSER Dec 24 08:29:12 Tower sshd[26150]: Failed password for invalid user mailman from 77.105.207.192 port 34218 ssh2 Dec 24 08:29:13 Tower sshd[26158]: Invalid user mailman from 77.105.207.192 Dec 24 08:29:13 Tower sshd[26158]: error: Could not get shadow information for NOUSER Dec 24 08:29:13 Tower sshd[26158]: Failed password for invalid user mailman from 77.105.207.192 port 34240 ssh2 Dec 24 08:29:15 Tower sshd[26183]: Invalid user mailman from 77.105.207.192 Dec 24 08:29:15 Tower sshd[26183]: error: Could not get shadow information for NOUSER Dec 24 08:29:15 Tower sshd[26183]: Failed password for invalid user mailman from 77.105.207.192 port 34541 ssh2 Dec 24 08:29:16 Tower sshd[26191]: Invalid user mailman from 77.105.207.192 Dec 24 08:29:16 Tower sshd[26191]: error: Could not get shadow information for NOUSER Dec 24 08:29:16 Tower sshd[26191]: Failed password for invalid user mailman from 77.105.207.192 port 34633 ssh2 Dec 24 08:29:18 Tower sshd[26220]: Invalid user mailman from 77.105.207.192 Dec 24 08:29:18 Tower sshd[26220]: error: Could not get shadow information for NOUSER Dec 24 08:29:18 Tower sshd[26220]: Failed password for invalid user mailman from 77.105.207.192 port 34689 ssh2 Dec 24 08:29:19 Tower sshd[26228]: Invalid user mailman from 77.105.207.192 Dec 24 08:29:19 Tower sshd[26228]: error: Could not get shadow information for NOUSER Dec 24 08:29:19 Tower sshd[26228]: Failed password for invalid user mailman from 77.105.207.192 port 34979 ssh2
December 24, 201015 yr You are clearly being attacked. ... I would first start a tail of the syslog on the system console, so that you can see the incoming login attempts, then disconnect the Internet cable to your router, to verify that the login attempts stop. Then reconnect that cable, watch for more attempted logins, then shut down your other computers one by one, monitoring the console for the cessation of logins. That should hopefully help you determine which machine is infected, unless it is the router itself. On second thought, perhaps it would be better to shut down other stations first, one by one, before pulling the cable... Perhaps someone else has a more rigorous testing method... If I was doing it, I would compromise a few machines and leave unused back doors on all of them - I guess I'm paranoid enough I'd pull the plug until all the machines are swept and proven clean. UnRaid is the easy one
December 24, 201015 yr To see what is happening to the syslog "live" log in to the console as root and execute tail -f /var/log/syslog To exit use CTRL-C The logins you are seeing are via ssh and the port number you see listed is the originating port, not the destination port. The logins are being attempted on whatever port you have sshd running on on the unRAID box, default is port 22.
December 24, 201015 yr It looks as if you are forwarding port 22 from the Internet to your UNraid. You will need to use PKI to secure this if you must keep it open. You could also use a 20 char random password but it is less secure. In any case the attacks will continue until you close the port forwarding.
December 25, 201015 yr Author Yea, I had actually closed the port forwarding a bit earlier before I forced a new IP, I have since not seen the attacks.
Archived
This topic is now archived and is closed to further replies.