mhn_10 Posted June 30, 2020

I had a 250gb SSD that I used as my disk2 since it was lying around. It was only used by the iso share. Yesterday when the cache became full, I thought I could remove it from disk 2 and make it slot 2 of a cache pool. I did this: Tools > New Config > Preserve All. Once that was done, I added disk 2 as my cache pool and went to sleep.

This morning when I checked, it looked like my plex container was not starting. I had updated plex as well just before this. All my other containers seem to be running fine. I thought this might be due to the cache pool not being set up correctly, so I went and balanced the cache pool to single. After doing this I'm getting the following:

Starting Plex Media Server.
Stopping Plex Media Server.
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
Starting Plex Media Server.
Stopping Plex Media Server.
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
Starting Plex Media Server.
Stopping Plex Media Server.
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
Starting Plex Media Server.
Stopping Plex Media Server.
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
Starting Plex Media Server.
Stopping Plex Media Server.
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
Starting Plex Media Server.
Stopping Plex Media Server.

I feel like the appdata that plex uses was in cache and it got corrupted. What can I do to get back my plex container? Should I go to docker settings and delete my docker.img and recreate the container from my template? I'm worried that I've lost my plex library matches.

diagnostics-20200630-1055.zip

trurl Posted June 30, 2020

Looks like you are being hacked. Close all ports immediately. Why is your server on the internet?

mhn_10 Posted June 30, 2020

I have exposed ports for Plex, OpenVpn and Ombi only. How were you able to conclude that my server was hacked?

trurl Posted June 30, 2020

The end of your syslog

Jun 30 10:54:24 unMHN sshd[15251]: Failed password for root from 87.251.74.48 port 46684 ssh2
Jun 30 10:54:24 unMHN sshd[15252]: Failed password for root from 87.251.74.48 port 46682 ssh2
Jun 30 10:54:24 unMHN sshd[15251]: Connection closed by authenticating user root 87.251.74.48 port 46684 [preauth]
Jun 30 10:54:24 unMHN sshd[15252]: Connection closed by authenticating user root 87.251.74.48 port 46682 [preauth]

https://www.abuseipdb.com/check/87.251.74.48

Also some ftp logins from various. Are these expected?

Jun 30 10:33:26 unMHN sshd[10227]: Accepted none for ftp from 167.71.222.119 port 58092 ssh2
...
Jun 30 10:34:04 unMHN sshd[12055]: Accepted none for ftp from 68.183.180.132 port 59740 ssh2
...
Jun 30 10:34:31 unMHN sshd[13178]: Accepted none for ftp from 104.248.156.167 port 34192 ssh2
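
Added example (not part of the thread or of any participant's post): a small triage script for the sshd lines quoted above, which separates internet sources from LAN ones and flags sessions accepted with the `none` method, meaning sshd granted the login without checking a credential. The function names and the final LAN log line are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# The first six lines are quoted in the thread; the last one is constructed
# here to show that a login from the LAN is not reported.
SAMPLE_SYSLOG = """\
Jun 30 10:33:26 unMHN sshd[10227]: Accepted none for ftp from 167.71.222.119 port 58092 ssh2
Jun 30 10:34:04 unMHN sshd[12055]: Accepted none for ftp from 68.183.180.132 port 59740 ssh2
Jun 30 10:34:31 unMHN sshd[13178]: Accepted none for ftp from 104.248.156.167 port 34192 ssh2
Jun 30 10:54:24 unMHN sshd[15251]: Failed password for root from 87.251.74.48 port 46684 ssh2
Jun 30 10:54:24 unMHN sshd[15252]: Failed password for root from 87.251.74.48 port 46682 ssh2
Jun 30 10:54:24 unMHN sshd[15251]: Connection closed by authenticating user root 87.251.74.48 port 46684 [preauth]
Jun 30 10:54:31 unMHN sshd[15300]: Accepted password for root from 192.168.1.20 port 50122 ssh2
"""

# Matches sshd "Accepted <method> for <user>" and "Failed <method> for <user>".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def is_internet(ip):
    """True when the source is a public address (not LAN, loopback, link-local)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP literal, leave it unclassified
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)

def triage(log_text):
    """Collect sshd auth events whose source address is on the internet."""
    accepted = []              # (user, method, ip) for successful logins
    failed = defaultdict(int)  # failed attempts per source address
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or not is_internet(m["ip"]):
            continue
        if m["result"] == "Accepted":
            accepted.append((m["user"], m["method"], m["ip"]))
        else:
            failed[m["ip"]] += 1
    return {"accepted": accepted, "failed": dict(failed)}

def passwordless_accounts(report):
    """Accounts that were let in with auth method 'none'."""
    return sorted({u for u, method, _ in report["accepted"] if method == "none"})
```

Run `triage()` over the `syslog` file from a diagnostics zip; any entry under `accepted` is a session that needs follow-up, while `failed` alone only shows that the port is reachable and being probed.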

mhn_10 Posted June 30, 2020

1 minute ago, trurl said:

> The end of your syslog
>
> Jun 30 10:54:24 unMHN sshd[15251]: Failed password for root from 87.251.74.48 port 46684 ssh2
> Jun 30 10:54:24 unMHN sshd[15252]: Failed password for root from 87.251.74.48 port 46682 ssh2
> Jun 30 10:54:24 unMHN sshd[15251]: Connection closed by authenticating user root 87.251.74.48 port 46684 [preauth]
> Jun 30 10:54:24 unMHN sshd[15252]: Connection closed by authenticating user root 87.251.74.48 port 46682 [preauth]
>
> https://www.abuseipdb.com/check/87.251.74.48
>
> Also some ftp logins from various. Are these expected?
>
> Jun 30 10:33:26 unMHN sshd[10227]: Accepted none for ftp from 167.71.222.119 port 58092 ssh2
> ...
> Jun 30 10:34:04 unMHN sshd[12055]: Accepted none for ftp from 68.183.180.132 port 59740 ssh2
> ...
> Jun 30 10:34:31 unMHN sshd[13178]: Accepted none for ftp from 104.248.156.167 port 34192 ssh2

Thanks a lot for pointing this out. I have closed all ports.

The FTP is also not expected. What does this mean? Someone was able to transfer files?

---

I realized I had port 22 open for ssh, which I don't plan on using.

I also had these ports open:

Ombi => 3579
OpenVpn => 1194
Plex => 32400
Http : 443/80 => 1443/180 for reverse proxy

I guess the open port 22 caused the issue. Is the above configuration vulnerable even after closing port 22? What should I change? I want to be able to use Plex without configuring OpenVpn on every client device.

---

mhn_10 Posted June 30, 2020

I just realized that I had opened the ports to the dashboard long back when I followed some tutorial. The server was off for 3mo, and I just got back into setting everything up. Forgot about this setting. 😧

I have turned off these settings in Management Access as follows.

What should I do now, if the server might be compromised?

trurl Posted June 30, 2020

Plex should be fine. Port 22 definitely should not be open. Disable ftp.

Your system share has files on disk1. Do you have any VMs?

mhn_10 Posted June 30, 2020

No VMs. Only running docker.

1x 12tb parity disk, 1x 10tb data disk, 2x cache pool

trurl Posted June 30, 2020

Normally you will want ssh (or at least telnet) available, but only on your LAN, not on the internet.

Instead of OpenVPN you might consider using the built in WireGuard VPN: https://forums.unraid.net/topic/84226-wireguard-quickstart/

trurl Posted June 30, 2020

3 minutes ago, mhn_10 said:

> No VMs. Only running docker.
>
> 1x 12tb parity disk, 1x 10tb data disk, 2x cache pool

Go to Settings - VM Manager, disable VMs, then delete libvirt image from that same page.

Go to Settings - Docker, disable Dockers, then delete docker image from that same page.

Then post new diagnostics.

mhn_10 Posted June 30, 2020

Hey, just saw your reply in the middle of recreating the docker. Have attached the diagnostics.

diagnostics-20200630-1224.zip

mhn_10 Posted June 30, 2020

Seems like plex still has the same issue even after creating a new docker container.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 40-plex-first-run: executing...
Plex Media Server first run setup complete
[cont-init.d] 40-plex-first-run: exited 0.
[cont-init.d] 45-plex-hw-transcode-and-connected-tuner: executing...
[cont-init.d] 45-plex-hw-transcode-and-connected-tuner: exited 0.
[cont-init.d] 50-plex-update: executing...
[cont-init.d] 50-plex-update: exited 0.
[cont-init.d] done.
[services.d] starting services
Starting Plex Media Server.
[services.d] done.
Stopping Plex Media Server.
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
Starting Plex Media Server.
Stopping Plex Media Server.
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
Starting Plex Media Server.
Stopping Plex Media Server.
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
Starting Plex Media Server.
Stopping Plex Media Server.
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
Starting Plex Media Server.
Stopping Plex Media Server.
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
s6-svwait: fatal: timed out
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

trurl Posted June 30, 2020

Did you do this before posting those latest diagnostics?

1 hour ago, trurl said:

> Go to Settings - VM Manager, disable VMs, then delete libvirt image from that same page.
>
> Go to Settings - Docker, disable Dockers, then delete docker image from that same page.

If so you must have done a lot more than that since your dockers and VMs are still enabled in those diagnostics. And your system share still has files on disk1.

mhn_10 Posted June 30, 2020

These are the steps I performed:

- Disabled Docker
- Deleted Docker image
- Enabled Docker
- Performed the same for VM
- Went and added new container from My Template.

I took the diagnostic in the middle of adding the docker containers from templates.

Do you want a clean diagnostic just after clearing the Docker/VM image?

trurl Posted June 30, 2020

18 minutes ago, mhn_10 said:

> Do you want a clean diagnostic just after clearing the Docker/VM image?

Yes, docker and libvirt img deleted/not enabled. Trying to clean up the setup so those things that belong on cache are all on cache. Then we can go from there.

mhn_10 Posted June 30, 2020

2 hours ago, trurl said:

> Yes, docker and libvirt img deleted/not enabled.

Here you go.

diagnostics-20200630-1643.zip

trurl Posted July 1, 2020

Go to Main - Array Operation and Move Now. Wait for it to complete then post new diagnostics.

mhn_10 Posted July 1, 2020 (Edited July 1, 2020 by mhn_10)

@trurl Diagnostics after mover is complete

unmhn-diagnostics-20200630-1924.zip

trurl Posted July 1, 2020

Looks good. Go ahead and enable dockers then when you reinstall plex, capture the docker run command and post it. See this first link in the Docker FAQ:

https://forums.unraid.net/topic/57181-docker-faq/?do=findComment&comment=564345

mhn_10 Posted July 1, 2020

4 minutes ago, trurl said:

> Looks good. Go ahead and enable dockers then when you reinstall plex, capture the docker run command and post it. See this first link in the Docker FAQ:
>
> https://forums.unraid.net/topic/57181-docker-faq/?do=findComment&comment=564345

Shall I use my template from the previous run?

trurl Posted July 1, 2020

3 minutes ago, mhn_10 said:

> Shall I use my template from the previous run?

I guess we could start there and see if it makes sense.

mhn_10 Posted July 1, 2020 (Edited July 2, 2020 by trurl: delete docker run because it contained plex token)

I'm attaching the pics and diagnostics during each step

Diag-AfterEnableDocker.zip
Diag-AfterPlexStarted.zip
Diag-AfterEnableDocker.zip
Diag-BeforeEnableDocker.zip
Diag_AfterPlexCrash.zip

mhn_10 Posted July 2, 2020

@trurl Any updates on what I should do next? In the meantime I'm CA fix common problems

trurl Posted July 2, 2020

Do you use any other dockers?

mhn_10 Posted July 2, 2020

Yes @trurl, these were the ones I had previously:

- DelugeVPN
- Sonarr
- Radarr
- Bazarr
- Jackett
- Krusader
- OpenVPN
- LetsEncrypt
- DuckDNS
- Ombi
- Grafana/InfluxDB/Telegraf
- Tautulli
- HDDtemp

For the above diagnostics, only Plex was running.