Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Mystery youtube-viewer dockers?

Featured Replies

Just logged into my server and checked out the docker tab. I should only have Krusader and Plex, but I see all these youtube-viewer dockers.

 

I did a search for that and found nothing.

 

Anyone have a clue what these are?

 

20200809_220917.jpg

Edited by Mattaton

Can you post your diagnostics ?

Is your server management accessible from the internet ?

  • Author

It was. Not anymore. I nuked all those dockers, changed my passwords, and closed all open ports (there were only two, one for management and one to Plex - which I'm told Plex should work without that port open).

 

Diagnostics attached.

tyreemedia-diagnostics-20200810-0629.zip

This happened to me as well.

 

Management was not accessible from the web

  • Author
Just now, hgelpke said:

This happened to me as well.

 

Management was not accessible from the web

REEAAALLLY???? Did you ever figure out where it came from?

No, I just discovered it 10 minutes ago and a search found your post.

  • Author

Hmmm...so, perhaps something new going on. I noticed it within a day of it happening as well. Not sure exactly how long it'd been on there, but less than 24 hours since I had last looked at my Docker tab.

 

If your server wasn't exposed to the internet, I'm very curious how you got it. Might not have anything to do with the port I had open. Though, that seems to most obvious culprit for my scenario.

 

Someone on the facebook group I'm in posted this: https://github.com/trizen/youtube-viewer

 

The thought is perhaps it's someone trying to drive up views ore something. I erased it all and rebooted my server before I took the time to investigate further to try to track down where it came from and/or what it was doing.

32 minutes ago, hgelpke said:

No, I just discovered it 10 minutes ago and a search found your post.

Did you have Plex exposed? What other rockers are y’all running?

 

If you post have the same docker, check the repo and version. Could be a vulnerability somewhere allowing this to happen. 

  • Author

I have linuxserver Plex docker and Krusader. Plex is autostart, but Krusader is usually not started and wasn't when this happened.

9 minutes ago, Mattaton said:

I have linuxserver Plex docker and Krusader. Plex is autostart, but Krusader is usually not started and wasn't when this happened.

That’s all? Do you have any plugins installed? Any other devices on the network that could have been compromised and “wormed” their way to your Unraid server?

  • Author
3 minutes ago, jwblant said:

That’s all? Do you have any plugins installed? Any other devices on the network that could have been compromised and “wormed” their way to your Unraid server?

I have a handful of plugins. All fairly common/prevalent among unRAID users, I think.

 

I guess something else on the network could worm its way in. That's decidedly harder to determine. My son did just get his first Windows PC and had a toolbar spyware/malware within a week. I gave him "the talk." 😄 

 

I happen to be setting up pfsense. I might put him on his own little island. 😄 

plugins1.PNG

plugins2.PNG

Son on further inspection I did have my server exposed. Cleaned out all the dockers and the network that had been created.

 

Wasn't a rogue docker or plugin. Simple user error that left the server compromised.

  • Author
11 minutes ago, hgelpke said:

Son on further inspection I did have my server exposed. Cleaned out all the dockers and the network that had been created.

 

Wasn't a rogue docker or plugin. Simple user error that left the server compromised.

Network that had been created? Can you elaborate on that?

You can create custom networks in Docker.

 

In terminal, type:

docker network ls

 

If you see something with a name that looks like the YT docker you should remove it

 

docker network rm NAME OF NETWORK

  • Author
6 minutes ago, hgelpke said:

You can create custom networks in Docker.

 

In terminal, type:

docker network ls

 

If you see something with a name that looks like the YT docker you should remove it

 

docker network rm NAME OF NETWORK

Done! Thank you!

  • 3 weeks later...
  • Community Expert
16 minutes ago, truyardi said:

Still had this happen again after checking the above suggestions.

Seems like everyone else that had this allowed themselves to be hacked. Are you sure that isn't what happened with you?

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.