botnet security threat


ColonelRhodes


Just received a letter from my ISP about one of the computers on my home network being infected with a botnet (or flagged for connecting to a botnet host). I can't really think of how this would be possible on my unraid system, but I was looking for some advice on where to start looking just in case.

 

I only have one other "desktop" computer in my house. It's an iMac. That system was scanned for malware, but I still want to make sure my unraid isn't doing anything weird. Maybe there are logs I can look at for clues. I have plenty of dockers installed, but all are from legitimate sources like linuxserver.io.

 

Thanks for any help you can provide. I was told I can call my ISP security team in a week to see if any more activity was detected.



Is your unraid machine or any of its VMs or apps exposed to the internet? Have you opened any ports in your router, or put the unraid IP in a "DMZ"? Post a diagnostics.zip file; it may contain some clues.

Do you have any Internet of Things devices in your house that connect wirelessly to the Internet, security cameras, tablets, anything that uses wifi?

 

Yes. Philips Hue and other things like that. Of course iPhone and iPads as well.

 

Is your unraid machine or any of its VM's or apps exposed to the internet? Have you opened any ports in your router, or put the unraid ip in a "DMZ"? Post a diagnostics.zip file, it may contain some clues.

 

I have a few docker images that have open ports, yes. I would never turn DMZ on though, haha.

 

I'm attaching the diagnostics archive if you wouldn't mind. Thank you!

tower-diagnostics-20170120-2008.zip

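The question of which containers actually have "open ports" is easy to answer mechanically. The script below is an added example for this thread (not part of unRAID, linuxserver.io or the diagnostics archive): it parses the Ports column of `docker ps --format '{{.Names}}\t{{.Ports}}'`, flags every binding on a wildcard address (0.0.0.0 or ::, i.e. reachable from the whole LAN), and crosses those with a set of router port-forwards you type in by hand. The `docker ps` output and the forward table are constructed samples; replace them with your own. Note that a forward for a port no container publishes (22/tcp for the host's own sshd, for instance) is not reported, because it is not a docker exposure at all.

```python
"""Flag docker containers that publish ports on every host interface.

Added example for this thread, not from unRAID or the poster's diagnostics.
SAMPLE_DOCKER_PS is constructed output of
    docker ps --format '{{.Names}}\t{{.Ports}}'
Replace it with the real output from the server to audit your own containers.
"""

# Constructed sample; the container names and ports are illustrative only.
SAMPLE_DOCKER_PS = (
    "plex\t0.0.0.0:32400->32400/tcp, :::32400->32400/tcp\n"
    "nginx\t0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp\n"
    "sabnzbd\t127.0.0.1:8080->8080/tcp\n"
    "transmission\t0.0.0.0:9091->9091/tcp, 0.0.0.0:51413->51413/tcp, "
    "0.0.0.0:51413->51413/udp\n"
    "mariadb\t3306/tcp\n"
)

# Host addresses that mean "every interface": reachable from the LAN and,
# if the router forwards the port, from the internet.
WILDCARD_HOSTS = {"0.0.0.0", "::", "", "*"}


def parse_docker_ps(text):
    """Return one (container, host, host_port, container_port, proto) tuple
    per published binding.  Entries such as "3306/tcp" (exposed by the image
    but never published with -p) have no "->" and are skipped."""
    bindings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        for entry in ports.split(", "):
            if "->" not in entry:
                continue
            left, right = entry.split("->", 1)
            host, _, host_port = left.rpartition(":")
            host = host.strip("[]")          # newer docker prints [::]:port
            container_port, proto = right.split("/", 1)
            bindings.append((name, host, int(host_port), int(container_port), proto))
    return bindings


def exposed_ports(text):
    """Ports bound to a wildcard address, as sorted (host_port, proto, container).
    IPv4 and IPv6 bindings of the same port collapse into one entry."""
    found = {
        (hport, proto, name)
        for name, host, hport, _cport, proto in parse_docker_ps(text)
        if host in WILDCARD_HOSTS
    }
    return sorted(found)


def internet_reachable(text, router_forwards):
    """Cross the wildcard bindings with the router's port-forward table,
    given as a set of (port, proto) you read off the router yourself.
    Only those intersections are reachable from outside."""
    forwards = set(router_forwards)
    return [e for e in exposed_ports(text) if (e[0], e[1]) in forwards]


if __name__ == "__main__":
    for port, proto, name in exposed_ports(SAMPLE_DOCKER_PS):
        print(f"{name}: {port}/{proto} listens on all interfaces")
    # Hypothetical forward table: 32400/tcp to the server, 22/tcp to the host.
    print("reachable from the internet:",
          internet_reachable(SAMPLE_DOCKER_PS, {(32400, "tcp"), (22, "tcp")}))
```

Anything that comes back from `internet_reachable` is what the ISP (and any scanner on the internet) can reach; `exposed_ports` is the larger set that every device on the LAN, including a compromised IoT gadget, can reach.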

I'm dealing with a similar situation right now and I'm not sure how to proceed. I noticed a couple nights ago that my server was being hammered by two IPs from China, trying to get in via ssh. I closed port 22 (it was forwarded so I could access it from outside my home network, I see now that was a bad idea) but yesterday my IP was banned from PlayStation Network so I'm assuming it's related. How can I know if my server has been compromised? From looking through my logs I just see that the connections failed but I really don't know what I'm looking for.

I've formatted my unraid flash drive and installed the latest version fresh. What else can I do? Is there any way to run a spyware check on my whole system?

On 1/20/2017 at 8:12 PM, ColonelRhodes said:

On 1/20/2017 at 9:38 AM, ashman70 said:

Do you have any Internet of Things devices in your house that connect wirelessly to the Internet, security cameras, tablets, anything that uses wifi?

Yes. Philips Hue and other things like that.

It's my understanding those are known to be highly vulnerable to hacking, and have been taken over and used in cyber attacks. I'd recommend researching how to harden them, at the least change any passwords or security keys associated with them.

1 hour ago, druck21 said:

I'm dealing with a similar situation right now and I'm not sure how to proceed. I noticed a couple nights ago that my server was being hammered by two IPs from China, trying to get in via ssh. I closed port 22 (it was forwarded so I could access it from outside my home network, I see now that was a bad idea) but yesterday my IP was banned from PlayStation Network so I'm assuming it's related. How can I know if my server has been compromised? From looking through my logs I just see that the connections failed but I really don't know what I'm looking for.

I've formatted my unraid flash drive and installed the latest version fresh. What else can I do? Is there any way to run a spyware check on my whole system?

 

Chances are that you have a compromised station or IoT device on your local network, and it's the source of your problems, not your unRAID server. I'm not saying it's not possible, but rather unlikely, compared to Windows, IoT devices, or even Macs. A rigorous investigation of them is more likely to find something.

 

No, currently there's no malware detection tools available for unRAID, but since an unRAID server system is rebuilt on every boot, it would be difficult to keep it infected, even if it had been hacked. And since you've refreshed your flash drive, I see little chance of the problem being your unRAID server. Just make sure you NEVER put it in the router DMZ!

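"I just see that the connections failed but I really don't know what I'm looking for" is the right instinct: a pile of "Failed password" lines by itself only proves that the port was reachable. What matters is whether any "Accepted" line came from one of the addresses that was failing, and which accepted logins you cannot account for. The script below is an added example (not an unRAID tool, and not from this thread) that does that triage over sshd syslog lines; the log lines are constructed with documentation-range addresses, and the threshold of five failures is an arbitrary choice. On a live box you would feed it `grep sshd /var/log/syslog`. One caveat worth stating plainly: on unRAID the syslog lives in RAM, so once the box has been rebooted or the flash re-done that evidence is gone unless syslog was being forwarded somewhere else.

```python
"""Triage sshd syslog lines for brute-force sources and successful logins.

Added example for the question above, not an unRAID tool.  SAMPLE_LOG is
constructed (RFC 5737 documentation addresses); on a real server feed the
functions the output of `grep sshd /var/log/syslog`.
"""
import re
from collections import Counter

# Constructed sample: one source hammering root/admin and then getting in,
# one source that only fails, and one key-based login from the LAN.
SAMPLE_LOG = """\
Feb  4 02:13:01 tower sshd[4321]: Failed password for root from 203.0.113.45 port 51822 ssh2
Feb  4 02:13:03 tower sshd[4321]: Failed password for root from 203.0.113.45 port 51822 ssh2
Feb  4 02:13:05 tower sshd[4323]: Invalid user admin from 203.0.113.45 port 51830
Feb  4 02:13:05 tower sshd[4323]: Failed password for invalid user admin from 203.0.113.45 port 51830 ssh2
Feb  4 02:13:07 tower sshd[4325]: Failed password for root from 198.51.100.7 port 40012 ssh2
Feb  4 02:13:09 tower sshd[4326]: Failed password for root from 203.0.113.45 port 51840 ssh2
Feb  4 02:13:12 tower sshd[4327]: Failed password for root from 203.0.113.45 port 51844 ssh2
Feb  4 02:13:15 tower sshd[4328]: Failed password for root from 198.51.100.7 port 40020 ssh2
Feb  4 02:14:10 tower sshd[4330]: Accepted password for root from 203.0.113.45 port 51902 ssh2
Feb  4 03:00:00 tower sshd[4400]: Accepted publickey for root from 192.168.1.20 port 55000 ssh2: RSA SHA256:abc123
"""

# Matches the two OpenSSH auth-result lines; "invalid user" is optional.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_sshd(text):
    """Return (ts, outcome, method, user, ip) per auth event.  Other sshd
    lines ("Invalid user", "Connection closed", ...) are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append((m["ts"], m["outcome"], m["method"], m["user"], m["ip"]))
    return events


def failures_by_ip(events):
    """Failed-login count per source address."""
    return Counter(ip for _ts, outcome, _m, _u, ip in events if outcome == "Failed")


def brute_force_sources(text, threshold=5):
    """Source addresses with at least `threshold` failed logins (arbitrary cut-off)."""
    counts = failures_by_ip(parse_sshd(text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def successes_from_attackers(text, threshold=5):
    """The sign that actually matters: an Accepted login from an address that
    had been failing.  Returns (ts, method, user, ip) tuples."""
    attackers = set(brute_force_sources(text, threshold))
    return [(ts, method, user, ip)
            for ts, outcome, method, user, ip in parse_sshd(text)
            if outcome == "Accepted" and ip in attackers]


def all_successes(text):
    """Every accepted login; review each one, not only the brute-force hits."""
    return [(ts, method, user, ip)
            for ts, outcome, method, user, ip in parse_sshd(text)
            if outcome == "Accepted"]


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("logins from those sources:", successes_from_attackers(SAMPLE_LOG))
    print("all accepted logins:", all_successes(SAMPLE_LOG))
```

An empty result from `successes_from_attackers` is reassuring but not proof of anything, since the attacker may have used something other than sshd, or the log may simply not go back far enough; a non-empty result means the box was logged into and should be treated as compromised regardless of what else you find.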
19 hours ago, druck21 said:

I'm dealing with a similar situation right now and I'm not sure how to proceed. I noticed a couple nights ago that my server was being hammered by two IPs from China, trying to get in via ssh. I closed port 22 (it was forwarded so I could access it from outside my home network, I see now that was a bad idea) but yesterday my IP was banned from PlayStation Network so I'm assuming it's related. How can I know if my server has been compromised? From looking through my logs I just see that the connections failed but I really don't know what I'm looking for.

 

As an aside, the fix common problems plugin checks for and alerts you for things like this as part of its daily schedule.

2 hours ago, Squid said:

As an aside, the fix common problems plugin checks for and alerts you for things like this as part of its daily schedule.

 

This is a little off-topic, but I wonder if there's a way to detect DMZ usage. I have no idea myself, but I think a good smart network hacker could probably think of a test that would reveal an open DMZ config. Or perhaps it could be inferred from the type of attacks occurring in the syslog.

 

Then you could warn the user ...


Thank you guys both so much for the responses. I know not to put it in a DMZ so that's not an issue. I checked out that fix common errors plugin and all that came up was it recommending me to turn on notifications for updates on my dockers/plugins. I've re-flashed my router and taken things like my smart TV that I never use online off my network for now. Now to just figure out how to get my IP unbanned from Sony. Thank you again!

On 2/6/2017 at 11:04 PM, ColonelRhodes said:

I have called my ISP back two weeks in a row and they say no reports have come back with any potential threats, but I just received another email this morning for the same thing. I'm not sure if I should be looking towards my unRaid or something else at this point.

Sort of old thread but, I'm just curious. Are you sure the email was actually from your ISP, and not just some scam? I don't know... I mean if you called them and they said there wasn't a problem?

3 hours ago, TSM said:

Sort of old thread but, I'm just curious. Are you sure the email was actually from your ISP, and not just some scam? I don't know... I mean if you called them and they said there wasn't a problem?

 

100% sure. I've been in contact with the security team of my ISP over the past few months.

11 minutes ago, BRiT said:

Chances are it's your Router that has been hacked and not your workstation or server.

+1

It's amazing the number of popular routers that have had their most recently available firmware versions compromised. Typically if the router is over a couple years old and was sold in any mass quantity, it's been hacked.

1 minute ago, jonathanm said:

+1

It's amazing the number of popular routers that have had their most recently available firmware versions compromised. Typically if the router is over a couple years old and was sold in any mass quantity, it's been hacked.

 

That's an interesting idea. It's an ASUS router. But I guess it wouldn't be a bad idea to just reformat it back to factory settings and clear the NVRAM.
