ColonelRhodes Posted January 20, 2017
Just received a letter from my ISP about one of the computers on my home network being infected with a botnet (or flagged for connecting to a botnet host). I can't really think of how this would be possible on my unraid system, but I was looking for some advice on where to start looking just in case. I only have one other "desktop" computer in my house. It's an iMac. That system was scanned for malware, but I still want to make sure my unraid isn't doing anything weird. Maybe there are logs I can look at for clues. I have plenty of dockers installed, but all are from legitimate sources like linuxserver.io. Thanks for any help you can provide. I was told I can call my ISP security team in a week to see if any more activity was detected.
ashman70 Posted January 20, 2017
Do you have any Internet of Things devices in your house that connect wirelessly to the Internet, security cameras, tablets, anything that uses wifi?
JonathanM Posted January 20, 2017
ColonelRhodes said: Just received a letter from my ISP about one of the computers on my home network being infected with a botnet (or flagged for connecting to a botnet host). I can't really think of how this would be possible on my unraid system, but I was looking for some advice on where to start looking just in case. I only have one other "desktop" computer in my house. It's an iMac. That system was scanned for malware, but I still want to make sure my unraid isn't doing anything weird. Maybe there are logs I can look at for clues. I have plenty of dockers installed, but all are from legitimate sources like linuxserver.io. Thanks for any help you can provide. I was told I can call my ISP security team in a week to see if any more activity was detected.
Is your unraid machine or any of its VMs or apps exposed to the internet? Have you opened any ports in your router, or put the unraid IP in a "DMZ"? Post a diagnostics.zip file; it may contain some clues.
ColonelRhodes Posted January 21, 2017 (Author)
ashman70 said: Do you have any Internet of Things devices in your house that connect wirelessly to the Internet, security cameras, tablets, anything that uses wifi?
Yes. Philips Hue and other things like that. Of course iPhone and iPads as well.
JonathanM said: Is your unraid machine or any of its VMs or apps exposed to the internet? Have you opened any ports in your router, or put the unraid IP in a "DMZ"? Post a diagnostics.zip file; it may contain some clues.
I have a few docker images that have open ports, yes. I would never turn DMZ on though, haha. I'm attaching the diagnostics archive if you wouldn't mind. Thank you!
Attachment: tower-diagnostics-20170120-2008.zip
ColonelRhodes Posted January 25, 2017 (Author)
Any direction that I should look here? I did a tcpdump last night (2GB file!). I'm going to try and correlate that with the time my ISP provides me, if there was any botnet activity. Hopefully to find an answer.
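The correlation described above, as an added example (not code from the thread): it parses the text output of `tcpdump -nn -tttt -r capture.pcap` and counts packets from LAN hosts to the IP the ISP reported, within a window around the reported time, so the offending device can be identified. The sample lines, the reported IP 203.0.113.5, the LAN prefix and the reported time are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of `tcpdump -nn -tttt` text output (not a real capture).
SAMPLE = """\
2017-01-24 22:14:58.000120 IP 192.168.1.10.52311 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0
2017-01-24 22:15:03.210000 IP 192.168.1.23.51234 > 203.0.113.5.6667: Flags [S], seq 2, win 29200, length 0
2017-01-24 22:15:03.410000 IP 203.0.113.5.6667 > 192.168.1.23.51234: Flags [S.], seq 3, ack 3, win 0, length 0
2017-01-24 22:15:09.000000 IP 192.168.1.23.51235 > 203.0.113.5.6667: Flags [S], seq 4, win 29200, length 0
2017-01-24 23:40:00.000000 IP 192.168.1.23.51240 > 203.0.113.5.6667: Flags [S], seq 5, win 29200, length 0
"""

# Matches the timestamp, source ip.port and destination ip.port of one IPv4 line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse(lines):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each parseable line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], m["dst"], int(m["dport"]))


def suspects(lines, reported_ip, reported_at, window_min=10, lan_prefix="192.168.1."):
    """Count outbound packets from LAN hosts to reported_ip within +/- window_min
    of the time the ISP reported. Keys are (lan_host, destination_port)."""
    lo = reported_at - timedelta(minutes=window_min)
    hi = reported_at + timedelta(minutes=window_min)
    hits = Counter()
    for ts, src, dst, dport in parse(lines):
        if dst == reported_ip and src.startswith(lan_prefix) and lo <= ts <= hi:
            hits[(src, dport)] += 1
    return hits


if __name__ == "__main__":
    report_time = datetime(2017, 1, 24, 22, 15)  # constructed ISP-reported time
    for (host, port), n in suspects(SAMPLE.splitlines(), "203.0.113.5", report_time).items():
        print(f"{host} -> 203.0.113.5:{port}  {n} packets near {report_time}")
```

tcpdump prints timestamps in the capture host's local time, so convert the ISP's reported time (often given in UTC) to that timezone before setting `reported_at`.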
ColonelRhodes Posted February 7, 2017 (Author)
I have called my ISP back two weeks in a row and they say no reports have come back with any potential threats, but I just received another email this morning for the same thing. I'm not sure if I should be looking towards my unRaid or something else at this point.
druck21 Posted February 23, 2017
I'm dealing with a similar situation right now and I'm not sure how to proceed. I noticed a couple of nights ago that my server was being hammered by 2 IPs from China, trying to get in via ssh. I closed port 22 (it was forwarded so I could access it from outside my home network; I see now that was a bad idea) but yesterday my IP was banned from PlayStation Network so I'm assuming it's related. How can I know if my server has been compromised? From looking through my logs I just see that the connections failed but I really don't know what I'm looking for. I've formatted my unraid flash drive and installed the latest version fresh. What else can I do? Is there any way to run a spyware check on my whole system?
RobJ Posted February 24, 2017
On 1/20/2017 at 8:12 PM, ColonelRhodes said: On 1/20/2017 at 9:38 AM, ashman70 said: Do you have any Internet of Things devices in your house that connect wirelessly to the Internet, security cameras, tablets, anything that uses wifi? Yes. Philips Hue and other things like that.
It's my understanding those are known to be highly vulnerable to hacking, and have been taken over and used in cyber attacks. I'd recommend researching how to harden them, at the least change any passwords or security keys associated with them.
RobJ Posted February 24, 2017
1 hour ago, druck21 said: I'm dealing with a similar situation right now and I'm not sure how to proceed. I noticed a couple of nights ago that my server was being hammered by 2 IPs from China, trying to get in via ssh. I closed port 22 (it was forwarded so I could access it from outside my home network; I see now that was a bad idea) but yesterday my IP was banned from PlayStation Network so I'm assuming it's related. How can I know if my server has been compromised? From looking through my logs I just see that the connections failed but I really don't know what I'm looking for. I've formatted my unraid flash drive and installed the latest version fresh. What else can I do? Is there any way to run a spyware check on my whole system?
Chances are that you have a compromised station or IoT device on your local network, and it's the source of your problems, not your unRAID server. I'm not saying it's not possible, but rather unlikely, compared to Windows, IoT devices, or even Macs. A rigorous investigation of them is more likely to find something. No, currently there are no malware detection tools available for unRAID, but since an unRAID server system is rebuilt on every boot, it would be difficult to keep it infected, even if it had been hacked. And since you've refreshed your flash drive, I see little chance of the problem being your unRAID server. Just make sure you NEVER put it in the router DMZ!
ColonelRhodes Posted February 24, 2017 (Author)
I'm not even sure where to start with my IoT devices. I currently have Philips Hue, 2 Nest thermostats, and 1 Wemo outlet. They are all on static IP addresses. Not sure if I should reassign them or just "reset" them back to factory settings.
Squid Posted February 24, 2017
19 hours ago, druck21 said: I'm dealing with a similar situation right now and I'm not sure how to proceed. I noticed a couple of nights ago that my server was being hammered by 2 IPs from China, trying to get in via ssh. I closed port 22 (it was forwarded so I could access it from outside my home network; I see now that was a bad idea) but yesterday my IP was banned from PlayStation Network so I'm assuming it's related. How can I know if my server has been compromised? From looking through my logs I just see that the connections failed but I really don't know what I'm looking for.
As an aside, the Fix Common Problems plugin checks for and alerts you to things like this as part of its daily schedule.
RobJ Posted February 24, 2017
2 hours ago, Squid said: As an aside, the Fix Common Problems plugin checks for and alerts you to things like this as part of its daily schedule.
This is a little off-topic, but I wonder if there's a way to detect DMZ usage. I have no idea myself, but I think a good smart network hacker could probably think of a test that would reveal an open DMZ config. Or perhaps it could be inferred from the type of attacks occurring in the syslog. Then you could warn the user ...
druck21 Posted February 25, 2017
Thank you both so much for the responses. I know not to put it in a DMZ so that's not an issue. I checked out that Fix Common Problems plugin and all that came up was it recommending me to turn on notifications for updates on my dockers/plugins. I've re-flashed my router and taken things like my smart TV that I never use online off my network for now. Now to just figure out how to get my IP unbanned from Sony. Thank you again!
Edited February 25, 2017 by druck21
TSM Posted March 15, 2017
On 2/6/2017 at 11:04 PM, ColonelRhodes said: I have called my ISP back two weeks in a row and they say no reports have come back with any potential threats, but I just received another email this morning for the same thing. I'm not sure if I should be looking towards my unRaid or something else at this point.
Sort of an old thread, but I'm just curious. Are you sure the email was actually from your ISP, and not just some scam? I don't know... I mean, if you called them and they said there wasn't a problem?
ColonelRhodes Posted March 15, 2017 (Author)
3 hours ago, TSM said: Sort of an old thread, but I'm just curious. Are you sure the email was actually from your ISP, and not just some scam? I don't know... I mean, if you called them and they said there wasn't a problem?
100% sure. I've been in contact with the security team of my ISP over the past few months.
BRiT Posted March 16, 2017
Chances are it's your router that has been hacked and not your workstation or server.
JonathanM Posted March 16, 2017
11 minutes ago, BRiT said: Chances are it's your router that has been hacked and not your workstation or server.
+1 It's amazing the number of popular routers that have had their most recently available firmware versions compromised. Typically if the router is over a couple of years old and was sold in any mass quantity, it's been hacked.
ColonelRhodes Posted March 16, 2017 (Author)
1 minute ago, jonathanm said: +1 It's amazing the number of popular routers that have had their most recently available firmware versions compromised. Typically if the router is over a couple of years old and was sold in any mass quantity, it's been hacked.
That's an interesting idea. It's an ASUS router. But I guess it wouldn't be a bad idea to just reformat it back to factory settings and clear the NVRAM.
BRiT Posted March 16, 2017
Or look into running DD-WRT custom firmware on it.
ColonelRhodes Posted March 16, 2017 (Author)
4 minutes ago, BRiT said: Or look into running DD-WRT custom firmware on it.
I've run DD-WRT in the past. I find ASUSWRT-Merlin firmware to be more stable.
HellDiverUK Posted March 22, 2017
Any Asus router user should be running Merlin firmware. I've been running it for years, first on my RT-N66U and now on my amazingly stable RT-AC87U (considering that model is considered a bit wobbly).
Edited March 22, 2017 by HellDiverUK