Hacked - Help Needed



Good morning,

This morning I noticed 0/4 had 100% usage, and my shares were no longer accessible. I was about to get a diagnostic log and changed the root password. I couldn't power off the server using the power button, so I pulled the power cable. Attached is the diagnostic log. Could someone tell me the first step I should take to see if I can recover my data?

helix-diagnostics-20200624-0920.zip


Why and how is your server on the internet? It should be behind your router firewall. Close ports on your router immediately.

 

You also have some problems with disks and with flash drive, but get your server off the internet first then we can work through the other things.


I opened the ports the other day trying to fix a connectivity issue, and didn't close the ports. I'm not at home, but I had my fiancee disconnect it from power. I will be home later this evening. First I had her reconnect it, and I connected to my desktop on the local network, and it was no longer showing up on the network. So I will update you when I get home and am physically present. Thanks. I'm sick to my stomach right now, smh.

 

Ports are closed now. 

Edited by MrT
1 minute ago, MrT said:

fix a connectivity issue

What do you mean by a "connectivity issue"?

 

The internet is full of bots that automatically seek out systems to attack, and will relentlessly attack any systems they find.

 

If you want to access your server remotely you MUST use a VPN. The WireGuard VPN is built into Unraid:

 

 


I haven't made it home, I was out of town working. Should be back this week. 

 

Received this from my girlfriend this morning.

 

Account ending in XXX

This is a courtesy notice from AT&T. We have identified opportunities for you to enhance your Internet security and privacy.

Please review the issues identified below on the IP address(es) using your Internet service. Check the settings on your router or gateway to ensure these devices are not improperly exposed to the Internet.

My.X.X.IP :

Mirai infection: Mirai refers to a type of IoT malware. It is different than regular malware because it targets equipment on your network, such as surveillance cameras, rather than traditional PCs. Presence of Mirai on one of your devices allows hackers to use your equipment to attack other computers.

Because this malware targets equipment rather than a PC, it can be difficult to detect and remove.

Removal steps:

Determine which devices on your network may be exposed to the Internet. Pay special attention to cameras, digital video recorders (DVR’s), and video surveillance systems; and devices with model numbers LS300, GX400, GX/ES440, GX/ES450, and RV50k manufactured by Sierra Wireless.

Ensure that your firewall or wireless router is configured to block access to ports 22/tcp (ssh) and 23/tcp (telnet). If you are not able to disable access to these ports, limit access to only the remote IP addresses you need for remote management.

Restart the equipment. If you continue to receive alerts, you may need to reset the device to “factory settings”. Consult the equipment manual for more information.

Visit the manufacturer’s website for the latest firmware updates for your device.

After restarting, change the administrator password for the device.

Additional tools and information:

US CERT ALERT regarding Mirai: Heightened DDoS Threat Posed by Mirai and Other Botnets | CISA

US CERT ALERT regarding Sierra Wireless Equipment: Sierra Wireless Mitigations Against Mirai Malware | CISA


Since all those IoT embedded OSes are some Linux flavor and your Unraid is also some Linux flavor, it is conceivable that your server is infected.

 

The good thing about Unraid is the OS is only in RAM. A boot from a clean install should take care of it, as long as you don't keep any executables from your data drives, such as dockers and VMs.


Running a bit of geo-IP for funzies on your logs, you've got Nigeria, China and India IPs basically battling over control of your server. That's actually kinda cute.

That's actually motivating me to set up a honeypot in the form of an i486 or i386 box with a screen that would just display live logs 24/7 :D

 

On a more serious note though, if I were in that situation, yeah, I would be pulling the box's plug, then using a VM with passthrough on another box to go through each drive of the array, one by one, analyzing them fully for malware.
And obviously, wiping Unraid's flash drive blank and then restoring a backup of it / a fresh new installation (eventually just power on the server in GUI mode, but with ethernet unplugged, to make notes of some configs you fear you won't remember).

From a more 'paranoid' point of view, I would eventually also go through the logs to check if any attempt at a firmware update of something has been made. Okay, HDD firmware malware is rare, but it's a thing. They are a thing, the worst thing possible, but rare, but a thing.
And like half the components of a computer have firmware that the OS can flash without needing a reboot. In my case, while I wouldn't worry about the motherboard much, for example, RAID cards / HBAs are more susceptible targets already, and worse for me, my old iDRAC7 and iDRAC6 interfaces, which are known to be targets of a firmware exploit. (In that particular case, it's actually hardly troubleshootable/analyzable, so my approach is simply to stop iDRAC from communicating with the outside world completely, while still being able to access it remotely through a VPN tunnel that lets me into my home LAN.)

 

Though, keep this in mind: Unraid isn't made to be front-facing. You can expose selective ports of docker containers and all, but as long as your router isn't pure garbage, you have never, ever, a single valid reason to put your server on the front line to the World Wide Web. That's a major no-no.
The only true way to securely access any admin-related part of an Unraid host (so, excluding the services you run from it, like some docker or VM hosted web services through selective port exposure or reverse proxies) is through a VPN tunnel. Never expose SSH or Telnet, and even 80/443 would lead to a pretty hefty number of brute-force attempts.

Edited by Keexrean
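Keexrean's point above (bots from several countries hammering an exposed SSH port) can be checked in the syslog from a diagnostics bundle. This is an added example, not code from the thread or from Unraid: it parses sshd lines in standard syslog format, counts failed logins per source address, and flags any source that was brute-forcing and then got in with a password. The log lines, hostname and threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd syslog lines (assumption: not the thread's real diagnostics).
SAMPLE_LOG = """\
Jun 24 03:11:02 helix sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 24 03:11:04 helix sshd[2210]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jun 24 03:11:05 helix sshd[2213]: Invalid user admin from 198.51.100.23 port 40012
Jun 24 03:11:06 helix sshd[2213]: Failed password for invalid user admin from 198.51.100.23 port 40012 ssh2
Jun 24 03:11:09 helix sshd[2215]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jun 24 03:12:00 helix sshd[2220]: Accepted password for root from 203.0.113.7 port 51044 ssh2
Jun 24 03:13:41 helix sshd[2231]: Accepted publickey for root from 192.168.1.20 port 55100 ssh2
"""

# "invalid user" is optional: sshd prefixes it when the username does not exist.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def summarize_ssh(log_text):
    """Return failed-login counts per source, usernames tried per source, and successful logins."""
    failures = Counter()
    users = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            accepted.append((src, user, method))
    return failures, users, accepted


def suspicious_sources(log_text, threshold=3):
    """Flag sources at or above the failure threshold; list those that later logged in by password."""
    failures, _users, accepted = summarize_ssh(log_text)
    flagged = {src for src, n in failures.items() if n >= threshold}
    # A password login from a source that was guessing is the strongest sign the box is owned.
    compromised = [(src, user) for src, user, method in accepted if src in flagged and method == "password"]
    return flagged, compromised


if __name__ == "__main__":
    flagged, compromised = suspicious_sources(SAMPLE_LOG)
    print("brute-force sources:", sorted(flagged))
    print("password logins from those sources:", compromised)
```

Point it at the syslog inside a diagnostics zip to see which addresses were guessing and whether any of them succeeded before the shares disappeared.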
  • 2 weeks later...

Thanks guys, I finally have enough time to start to see what happened and try to recover my data. It looks like whatever infected my system zeroed the USB flash drive. I was able to format it and re-create the Unraid flash drive. Now I am going to connect to each drive individually outside of the box and see if there is still any data left. Would I be able to view information on the drives outside of Unraid? @Trurl @Keexrean

 

46 minutes ago, MrT said:

@Trurl @Keexrean

Just a note about the forum software. In order to successfully ping anyone, you must begin typing the @ followed by characters from the username, and then you must actually make a selection from the choices. Like this: @MrT

 

Your Unraid disks can be read from any Linux.

  • 3 weeks later...

@trurl

Thank you for the note! I tried connecting them to an Ubuntu system but no partitions are showing up. Any other suggestions on how to access the data? I am going to look at partition recovery software, but I'm wondering: will any of them recognize Btrfs, or is this a waste of energy? Thanks again.

 


 

You still didn't do this right:

3 hours ago, MrT said:

@trurl

On 7/6/2020 at 8:15 PM, trurl said:

In order to successfully ping anyone, you must begin typing the @ followed by characters from the username, and then you must actually make a selection from the choices. Like this: @MrT

 

Some people have had success with this:

https://www.ufsexplorer.com/

 

I have no experience with it, but the website says it supports btrfs.

 

