Mattaton, posted August 10, 2020 (edited August 10, 2020):
Just logged into my server and checked out the docker tab. I should only have Krusader and Plex, but I see all these youtube-viewer dockers. I did a search for that and found nothing. Anyone have a clue what these are?
ChatNoir, posted August 10, 2020:
Can you post your diagnostics? Is your server management accessible from the internet?
Mattaton, posted August 10, 2020:
It was. Not anymore. I nuked all those dockers, changed my passwords, and closed all open ports (there were only two, one for management and one to Plex - which I'm told Plex should work without that port open). Diagnostics attached.
tyreemedia-diagnostics-20200810-0629.zip
hgelpke, posted August 10, 2020:
This happened to me as well. Management was not accessible from the web.
Mattaton, posted August 10, 2020:
Just now, hgelpke said:
> This happened to me as well. Management was not accessible from the web.

REEAAALLLY???? Did you ever figure out where it came from?
hgelpke, posted August 10, 2020:
No, I just discovered it 10 minutes ago and a search found your post.
Mattaton, posted August 10, 2020:
Hmmm...so, perhaps something new going on. I noticed it within a day of it happening as well. Not sure exactly how long it'd been on there, but less than 24 hours since I had last looked at my Docker tab. If your server wasn't exposed to the internet, I'm very curious how you got it. Might not have anything to do with the port I had open. Though, that seems the most obvious culprit for my scenario.
Someone on the Facebook group I'm in posted this: https://github.com/trizen/youtube-viewer
The thought is perhaps it's someone trying to drive up views or something. I erased it all and rebooted my server before I took the time to investigate further to try to track down where it came from and/or what it was doing.
jwblant, posted August 10, 2020:
32 minutes ago, hgelpke said:
> No, I just discovered it 10 minutes ago and a search found your post.

Did you have Plex exposed? What other dockers are y’all running? If you both have the same docker, check the repo and version. Could be a vulnerability somewhere allowing this to happen.
Mattaton, posted August 10, 2020:
I have linuxserver Plex docker and Krusader. Plex is autostart, but Krusader is usually not started and wasn't when this happened.
jwblant, posted August 10, 2020:
9 minutes ago, Mattaton said:
> I have linuxserver Plex docker and Krusader. Plex is autostart, but Krusader is usually not started and wasn't when this happened.

That’s all? Do you have any plugins installed? Any other devices on the network that could have been compromised and “wormed” their way to your Unraid server?
Mattaton, posted August 10, 2020:
3 minutes ago, jwblant said:
> That’s all? Do you have any plugins installed? Any other devices on the network that could have been compromised and “wormed” their way to your Unraid server?

I have a handful of plugins. All fairly common/prevalent among unRAID users, I think. I guess something else on the network could worm its way in. That's decidedly harder to determine. My son did just get his first Windows PC and had a toolbar spyware/malware within a week. I gave him "the talk." 😄 I happen to be setting up pfsense. I might put him on his own little island. 😄
hgelpke, posted August 10, 2020:
So on further inspection I did have my server exposed. Cleaned out all the dockers and the network that had been created. Wasn't a rogue docker or plugin. Simple user error that left the server compromised.
Mattaton, posted August 10, 2020:
11 minutes ago, hgelpke said:
> So on further inspection I did have my server exposed. Cleaned out all the dockers and the network that had been created. Wasn't a rogue docker or plugin. Simple user error that left the server compromised.

Network that had been created? Can you elaborate on that?
hgelpke, posted August 11, 2020:
You can create custom networks in Docker. In terminal, type:
    docker network ls
If you see something with a name that looks like the YT docker you should remove it:
    docker network rm NAME OF NETWORK
Mattaton, posted August 11, 2020:
6 minutes ago, hgelpke said:
> You can create custom networks in Docker. In terminal, type:
>     docker network ls
> If you see something with a name that looks like the YT docker you should remove it:
>     docker network rm NAME OF NETWORK

Done! Thank you!
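Added example, not part of any post in this thread: the manual check described above, extended into a script that flags every container and network not on a known-good list. The allowlist entries and the sample names are assumptions (the thread only says Plex and Krusader should exist); the `docker` commands are the standard CLI.

```shell
#!/bin/sh
# Allowlists are assumptions based on the thread: only Plex and Krusader
# should exist, plus Docker's built-in networks. Adjust names to your server.
ALLOWED_CONTAINERS="plex Krusader"
ALLOWED_NETWORKS="bridge host none"

# not_allowed ALLOWLIST: read one name per line on stdin and print every
# name that is not an exact match for an entry in the space-separated list.
not_allowed() {
    allow=" $1 "
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        case "$allow" in
            *" $name "*) ;;                 # known-good, stay quiet
            *) printf '%s\n' "$name" ;;     # unexpected, report it
        esac
    done
}

# report LABEL ALLOWLIST: prefix each unexpected name with its kind.
report() {
    not_allowed "$2" | sed "s/^/$1: /"
}

# Live audit: stopped containers are included (-a).
audit_docker() {
    docker ps -a --format '{{.Names}}' | report container "$ALLOWED_CONTAINERS"
    docker network ls --format '{{.Name}}' | report network "$ALLOWED_NETWORKS"
}

# Offline demonstration on constructed names (not taken from a real server).
sample_audit() {
    printf 'plex\nKrusader\nyoutube-viewer-1\nyoutube-viewer-2\n' |
        report container "$ALLOWED_CONTAINERS"
    printf 'bridge\nhost\nnone\nyoutube-viewer-net\n' |
        report network "$ALLOWED_NETWORKS"
}

if [ "${1:-}" = "--live" ]; then
    audit_docker
else
    sample_audit
fi
```

Run it with `--live` on the server itself; add any custom networks you created yourself to `ALLOWED_NETWORKS` first so they are not reported.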
trurl, posted August 31, 2020:
16 minutes ago, truyardi said:
> Still had this happen again after checking the above suggestions.

Seems like everyone else that had this allowed themselves to be hacked. Are you sure that isn't what happened with you?