Probable Hack. How exposed am I?



My unraid box is mainly a Plex media server. I thought it odd tonight that when I went to watch a movie I couldn't find the movie. All my individual movie folders are still accounted for but 75% of them are missing the movies inside their respective folders. I ran "Fix Common Problems" and this came up with the attached possible hack attempts. FYI, my server was set as DMZ on my router, which was turned on as part of an Unraid tutorial I watched when setting up Unraid and Plex. I'm not unraid savvy and I just discovered it's a no-no. *sigh*. I copied some screenshots from some of the logs and at least one of the IPs is a Chinese IP.

 

At the moment the array is off and I've turned off port forwarding and DMZ for the server on my router. As it stands I'm pretty sure I have god knows what installed on the box and it's going to need a wipe and reinstall. I'm guessing I'm going to have to wipe all my media/drives just to be sure there isn't anything installed on there.

 

I can handle losing my media, but what I'm more concerned about is my Time Machine backup that was on the server. I'm not very tech savvy with Unraid; however, I set it up following Space Invader One's video. My questions are:

 

1.) Time Machine was set to a private share. Could a hacker have copied it? There would have been backups of my local PC files which would have included a lot of personal sensitive documents, which would be bad from an identity theft perspective. Is there any way they could get into my local machine if they got into my home server on the unraid box?

 

2.) I assume my media will be lost. Is there a way to save what's left, or should I not bother?

 

3.) How do I prevent this again so I can still use Plex from outside my house, but such that it's protected and this won't happen again?

 

Screen Shot 2020-05-08 at 11.19.50 PM.png

Screen Shot 2020-05-08 at 11.38.39 PM.png

Screen Shot 2020-05-08 at 11.58.45 PM.png

6 hours ago, cdn_bacon said:

My server was set as dmz on my router which was turned on as part of an Unraid tutorial I watched when setting up Unraid and Plex.

Can you please point out the tutorial that stated to do that...

 

6 hours ago, cdn_bacon said:

3.) How do I prevent this again so I can still use Plex from outside my house but such that its protected and this won't happen again? 

 

Forward port 32400

 

Other thoughts.

 

Considering just how few invalid login attempts there were, and that a login for ROOT did definitely get in, do you even have a password for the root user set? That alone would have slowed the attack down (it wouldn't have stopped it, but may have given you time to have noticed it; btw, if you ran Fix Common Problems on a schedule (it's currently disabled), then it would have alerted you to this).

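An added example (not code from this thread or from Unraid) of the check Squid is making above: parse the SSH login lines from the server's syslog, count failed attempts per source address, and flag any root login accepted from outside the home LAN. It assumes the default OpenSSH log format and a 192.168.0.0/16 home network; the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Default OpenSSH log lines: "Failed password for [invalid user] NAME from IP port N"
# and "Accepted password|publickey for NAME from IP port N". Format is assumed.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "May  8 22:41:03 Tower sshd[12345]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "May  8 22:41:05 Tower sshd[12345]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2",
    "May  8 22:41:09 Tower sshd[12350]: Accepted password for root from 203.0.113.7 port 51240 ssh2",
    "May  8 23:02:11 Tower sshd[12399]: Accepted publickey for root from 192.168.1.20 port 60000 ssh2",
    "May  8 23:10:44 Tower sshd[12410]: Failed password for root from 198.51.100.22 port 40111 ssh2",
    "May  8 23:10:45 Tower kernel: usb 1-1: new high-speed USB device",  # unrelated line, skipped
]

def triage_logins(lines, lan="192.168.0.0/16"):
    """Per source IP: failed attempts, accepted user names, and whether the
    address lies outside the home LAN (everything not in `lan` is treated as
    external; the LAN range is an assumption about the poster's network)."""
    lan_net = ipaddress.ip_network(lan)
    report = defaultdict(lambda: {"failed": 0, "accepted": [], "external": False})
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        entry = report[m.group("ip")]
        entry["external"] = ipaddress.ip_address(m.group("ip")) not in lan_net
        if m.group("result") == "Failed":
            entry["failed"] += 1
        else:
            entry["accepted"].append(m.group("user"))
    return dict(report)

def root_logins_from_outside(report):
    """The case Squid points at: a root login accepted from an external address
    after only a handful of failures (with no root password there is nothing
    to guess, so the attempt count stays low)."""
    return sorted((ip, e["failed"]) for ip, e in report.items()
                  if e["external"] and "root" in e["accepted"])

if __name__ == "__main__":
    for ip, failed in root_logins_from_outside(triage_logins(SAMPLE_LOG)):
        print(f"root login accepted from {ip} after {failed} failed attempts")
```

On a real box, feed it `open("/var/log/syslog")` and adjust `lan` to your own subnet.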
6 hours ago, cdn_bacon said:

My server was set as dmz on my router which was turned on as part of an Unraid tutorial I watched when setting up Unraid and Plex.

No one with a little bit of knowledge will advise you to put your server on the DMZ. Sorry to hear what happened to you, but NEVER EVER put a server on a DMZ, especially if you're not tech savvy. DMZ on most routers has NO limits for access, no port rules, no malicious traffic detection, no firewall rules at all. You are basically facing your server directly to the internet WITHOUT any extra security layers a router provides.


My “technical” knowledge was always a concern in setting up an unraid box and apparently I didn’t do enough homework. Ok. Hard lesson to learn but it’s done and I can’t do anything about it now. 
 

My biggest priority is trying to ascertain what they took from the machine or if it was just someone poking around and causing mischief deleting my media. Again, not unraid tech savvy, but can I pull info from the diagnostic tool and upload it here? Would anyone be able to determine if they downloaded my files and what?

 

Looking for some needed help. 


@cdn_bacon Uploading your diagnostics could help if someone is willing to dig deeper into what happened to you. But by default Unraid doesn't record file access or which files were exfiltrated. If that intruder really had root access to your box, he had access to all files and settings on your server. Any unencrypted file could be accessed by him. So if you had sensitive login data for whatever account stored in plain text, you better quickly change passwords for any platform that might be affected. Also make sure you change logins for every self-hosted application like Bitwarden, Nextcloud, Plex etc. Make sure for every service you use that no extra users have been created that might have access to your data.

 

How other devices on your network might be affected is the next question. Are there any devices with old software running on your network with possible security flaws? Hard to say, and difficult to provide help without a deeper look at your whole network setup.

 

The safest way in my opinion is to start over with a fresh unraid setup to get rid of any persistent access to your server that may have been added and dials back home. I know it's a lot of work to reconfigure everything if you have, for example, set up a couple of dockers. But I would feel better starting fresh.

 

Hopefully some other users have an opinion on that and also have a couple of tips for you.

1 hour ago, bastl said:

 

The safest way in my opinion is to start over with a fresh unraid setup to get rid of any persistent access to your server that may have been added and dials back home. I know it's a lot of work to reconfigure everything if you have, for example, set up a couple of dockers. But I would feel better starting fresh.


The only docker I had set up was Plex. The machine was made for that purpose.
 

Other network devices: the usual WiFi devices like Apple TV, iPad, phones etc. The only thing of significance is my iMac, which is newer and running the most current OSX. It uses a separate user login and password. I think it's probably doubtful they could get in unless "they" had those credentials? I mean, realistically they already have access to that device's data given the Time Machine backup is on the compromised raid box.
 

I’ll probably wipe and rebuild the iMac just to be safe. For that matter, can I back up my data or use the "possibly" compromised Time Machine backup? The concern would be something installed coming back to haunt me later. That leaves the ISP-provided router. Factory reset? Is there a risk if I do nothing?

2 minutes ago, cdn_bacon said:

compromised time machine backup?

Good question. I'm not an Apple user and can't tell what's included in it. If it's only user data you should be safe to restore it. If application data and settings are also stored, this might be a risk factor when restoring them.

4 minutes ago, cdn_bacon said:

That leaves the ISP provided. router. Factory reset?

Also depends on the configuration and the model itself. Lots of consumer routers have old firmware on them, often with dozens of vulnerabilities. If not exposed to the public and the LAN devices are "clean", it's not that big of a deal. But there is a lot of malware around searching for those vulns and exploiting such devices. The question is whether a reset helps. Some "router malware" is persistent and survives a normal reset. Maybe check your router's firmware/model and search the web for possible vulnerabilities to get an idea of whether there is a risk factor.


Local machine is secured and router is safe IMO. Next phase will be the unraid box rebuild. Question is, can I flash the USB stick with a newer version of unraid, format the cache drive and rebuild? Delete the dockers and done?

 

There are still a great number of media files on the array on various drives. Can I reuse the array and/or the media, or do I need to do a fresh format on the entire array? I don't want to risk any lingering vulnerability; however, what are the odds there's something embedded in a media file?

3 hours ago, cdn_bacon said:

what's the odds there's something embedded in a media file?

Slim to almost none. Since they don't execute themselves, anything embedded has to trigger a vulnerability in the player / viewer. Which means it's trivial to scan them without risking a breach.

 

Your rebuild plan sounds solid to me. If the only thing you keep from your USB config folder is your license key and super.dat file, I can't see how a vulnerability could survive there, and deleting your appdata and docker image should take care of any compromised executables there.

5 hours ago, jonathanm said:

Slim to almost none. Since they don't execute themselves, anything embedded has to trigger a vulnerability in the player / viewer. Which means it's trivial to scan them without risking a breach.


Can one scan with a traditional antivirus software package from a PC on the home network? I’ve never tried that before. 
 

What’s the process for rebuilding and reusing the array data? Wipe the flash stick and cache drive, then just set it up new, but will it then auto-detect the existing array?
 

What's the best way to protect myself post-rebuild for the purpose of using Plex? Set up a VPN in a docker?

1 hour ago, cdn_bacon said:

what's the best way to protect myself post rebuild for purpose of using Plex? Setup a VPN in a docker? 

 

On 5/9/2020 at 5:42 AM, Squid said:

Forward port 32400

 

 

1 hour ago, cdn_bacon said:

Can one scan with a traditional antivirus software package from a PC on the home network? I’ve never tried that before. 

Yes.  Or install ClamAV via Apps

1 hour ago, cdn_bacon said:

What’s the process for rebuilding and reusing the array data? Wipe the flash stick and cache drive, then just set it up new, but will it then auto-detect the existing array?

 

7 hours ago, jonathanm said:

the only thing you keep from your USB config folder is your license key and super.dat file

The super.dat file contains the array drive assignments. Back up the two files, wipe the USB drive, prepare as new, copy those two files back to the config folder, boot up, start reconfiguring things. Your users and share settings will all be set back to defaults.

2 weeks later...

Just a quick update:

 

Local machines on the network were deep scanned and nothing found. Out of an abundance of caution (and peace of mind) I wiped and rebuilt my Mac. I keep very little on it so it didn’t take long. The router settings were updated. 
 

I’m about to rebuild the unraid box now. 
 

Plan of attack: save the license key and super.dat file. Wipe the flash drive and update unraid. Copy the files back, boot up and rebuild. I assume when I start up, before starting the array, I can unselect the cache drive and format it.
 

Then do a fresh setup? At the moment the box will stay on internal network until it’s built and I can do some more homework on how to protect myself for opening up plex to the outside world again. I’ll be honest, I’m not the most advanced user. Can anyone tell me if my plan sounds good? Recommend any guides or tutorials on VPN use in unraid? 
 

 
