Compromised UnRaid-box


Probably an old topic; if so, please just give me links...

 

My UnRaid box is probably compromised. I got an email-abuse message saying that my UnRaid box is sending a lot of emails (10G connection to the Internet, public IP, no firewall). I noticed from syslog that user "none" has FTP connections from several IPs, and those are accepted. I don't use FTP. There are several hundred ftp processes. Maybe there is other unwanted traffic as well.

 

So maybe the best way is to install UnRaid again. I have 16*8T data + 2*10T parity, and the box is 96% full. Is it safe to just take the normal backup of the flash via the browser, install UnRaid on a new USB stick and somehow load the backup onto the new stick? Then disable FTP and all is OK again?

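The post above describes the two symptoms the poster saw in syslog: accepted FTP logins for an account they never use, from many source IPs. Below is an added triage helper (my code, not the poster's and not part of Unraid) that summarises accepted FTP logins per user and client IP from a syslog file so that an unexpected account stands out. The line layout it parses is an assumption modelled on vsftpd's `OK LOGIN: Client "a.b.c.d"` message wrapped in a syslog prefix; the sample lines in the test are constructed. Compare one real line from /var/log/syslog and adjust the grep/sed patterns if your server logs differently.

```shell
#!/bin/sh
# Added example: summarise accepted FTP logins found in a syslog file.
# ASSUMED line format (vsftpd-style, wrapped by syslog):
#   Sep 12 10:00:01 Tower vsftpd[4321]: Sat Sep 12 10:00:01 2020 [pid 4321] [none] OK LOGIN: Client "203.0.113.5"
# Adjust the patterns below if your log lines look different.

# Print "count user ip", most frequent pair first.
# IPv4-mapped IPv6 clients ("::ffff:1.2.3.4") are folded into the plain IPv4 form
# before counting so that the same client is not listed twice.
ftp_login_summary() {
    grep -E 'vsftpd\[[0-9]+\]: .*OK LOGIN: Client' "$1" |
        sed -E -e 's/.*\] \[([^]]+)\] OK LOGIN: Client "([^"]+)".*/\1 \2/' \
               -e 's/ ::ffff:/ /' |
        sort | uniq -c | sort -rn |
        awk '{ print $1, $2, $3 }'
}

# Print "user total_logins" for every user that logged in over FTP but is not
# in the space-separated allowlist given as $2 (e.g. "alice bob").
# Empty output means every FTP login came from an account you expected.
ftp_unexpected_users() {
    ftp_login_summary "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { seen[$2] += $1 }
        END { for (u in seen) print u, seen[u] }' | sort
}

# Usage on the box (read-only, safe to run while it is still unplugged):
#   ftp_login_summary /var/log/syslog
#   ftp_unexpected_users /var/log/syslog "alice bob"
```

The output only tells you who got in; it does not tell you what they did afterwards, and an attacker with shell access can truncate syslog. Treat an empty result as "nothing logged", not as "nothing happened", which is why the replies below recommend rebuilding rather than cleaning up.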
2 minutes ago, catchbay said:

public IP,

The root of your issue is this ^^^  No reason to have Unraid directly on the internet.  You should have a router that issues private IPs and then utilize a VPN (OpenVPN / WireGuard) if you need to access your server remotely.

 

Simply disabling FTP isn't going to be good enough.

28 minutes ago, Squid said:

No reason to have Unraid directly on the internet.

absolutely!

 

I would personally disconnect Unraid from the internet immediately! Then try to create a flash drive backup and then reboot your server. Chances are that whatever they placed on your server is residing in RAM via the rootfs, so a reboot will clear that out. Hopefully they didn't mess with the boot directory.

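The reply above rests on the point that Unraid's running system lives in RAM and only the flash drive survives a reboot, so anything that is meant to come back after the reboot has to be on the flash. As an added example (my code, not the poster's and not an Unraid tool), here is a small report over the places on the flash that run code at boot. The paths are my assumption about the Unraid layout: `config/go` is the boot-time script whose stock content is essentially the single `/usr/local/sbin/emhttp &` line, `extra/` holds packages installed at every boot, and `config/plugins/` holds `.plg` plugin files. Check them against your Unraid version before relying on the output.

```shell
#!/bin/sh
# Added example: list what on the Unraid flash drive would run again after a reboot.
# ASSUMED flash layout: $boot/config/go (boot script), $boot/extra (boot-time
# packages), $boot/config/plugins/*.plg (plugins). Verify against your version.

# Print lines of a go script that are neither comments/blank lines nor the
# stock emhttp start line. Anything printed was added by someone.
# Always exits 0 so it can be used under 'set -e' even when nothing is found.
go_script_additions() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Fvx '/usr/local/sbin/emhttp &' || true
}

# Human-readable report over the boot-time locations on the flash.
# Usage: flash_persistence_report /boot
flash_persistence_report() {
    boot="${1:-/boot}"
    echo "== additions to $boot/config/go =="
    if [ -f "$boot/config/go" ]; then go_script_additions "$boot/config/go"; fi
    echo "== contents of $boot/extra (packages here are installed at every boot) =="
    if [ -d "$boot/extra" ]; then ls -la "$boot/extra"; fi
    echo "== plugin files under $boot/config/plugins =="
    if [ -d "$boot/config/plugins" ]; then find "$boot/config/plugins" -name '*.plg'; fi
    echo "== files anywhere on the flash modified in the last 30 days =="
    find "$boot" -type f -mtime -30
}
```

Two caveats a practitioner would add: file timestamps on a FAT flash drive are trivially forged, and a modified plugin or a package dropped into extra/ looks like any other legitimate file, so a clean-looking report is weak evidence. It is useful for understanding what happened, not as a substitute for the fresh flash drive the later replies recommend.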

UNPLUG THE NETWORK CABLE IMMEDIATELY!

 

If this was me personally, I would start from complete scratch. Sounds like people are having an all you can eat buffet on your data. I sincerely hope you didn’t have anything sensitive on it!

 

Really curious why you would expose your server with a public IP. Was this on purpose? If so, for what reason?

2 hours ago, falconexe said:

I would start from complete scratch. Sounds like people are having an all you can eat buffet on your data.

And probably not only the data if it was being used for email abuse. No telling what else has been installed on your server, and it's possible some of that would persist in the form of executables on the flash or on your disks. A fresh install of Unraid on a formatted flash drive, with no plugins, dockers, or VMs configured should take care of it since there would be nothing left to launch anything that might actually still be on your data disks.

3 hours ago, trurl said:

And probably not only the data if it was being used for email abuse. No telling what else has been installed on your server, and it's possible some of that would persist in the form of executables on the flash or on your disks. A fresh install of Unraid on a formatted flash drive, with no plugins, dockers, or VMs configured should take care of it since there would be nothing left to launch anything that might actually still be on your data disks.

 

I would also be extremely worried about other devices on your network that had LAN access to that server as well. I would look at EVERYTHING in your router/firewall logs. Look for anything suspicious like open connections/ports (netstat -a on Windows). Run full virus/malware scans on every device you can. I wouldn't even use the same USB flash device when you restore. Get a new key with a new GUID and start from scratch. You could use the same device with a secure erase, but I would just move on, ha ha. I would not trust your flash backups either, as they very well may be compromised with executable code just sitting in there waiting for a network connection. First thing you do is assign a static INTERNAL IP address via your router to the new Unraid box. Then start adding your dockers/apps. I actually have a BS degree in IS Security, so I'm coming at this from a unique perspective. Good luck!

9 hours ago, catchbay said:

fresh UnRaid stick and Trial key

Did you have a paid Unraid license?

 

9 hours ago, catchbay said:

add the HDDs back to the system, does the Unraid detect all data

If you assign all disks exactly as before, before starting the array for the first time, then Unraid will take all the disks with their data just as they are.

 

Not sure how much uncertainty there might be in getting the disks assigned exactly as before, because I don't know enough details about your hardware. Were you using a RAID controller?

9 hours ago, catchbay said:

raid disks

Unraid IS NOT RAID.

