ColonelRhodes

botnet security threat


Just received a letter from my ISP about one of the computers on my home network being infected with a botnet (or flagged for connecting to a botnet host). I can't really think of how this would be possible on my unraid system, but I was looking for some advice on where to start looking just in case.

I only have one other "desktop" computer in my house. It's an iMac. That system was scanned for malware, but I still want to make sure my unraid isn't doing anything weird. Maybe there are logs I can look at for clues. I have plenty of dockers installed, but all are from legitimate sources like linuxserver.io.

Thanks for any help you can provide. I was told I can call my ISP security team in a week to see if any more activity was detected.


Do you have any Internet of Things devices in your house that connect wirelessly to the Internet, security cameras, tablets, anything that uses wifi?


Is your unraid machine or any of its VM's or apps exposed to the internet? Have you opened any ports in your router, or put the unraid ip in a "DMZ"? Post a diagnostics.zip file, it may contain some clues.


ashman70 said:

Do you have any Internet of Things devices in your house that connect wirelessly to the Internet, security cameras, tablets, anything that uses wifi?

Yes. Philips Hue and other things like that. Of course iPhone and iPads as well.

Is your unraid machine or any of its VM's or apps exposed to the internet? Have you opened any ports in your router, or put the unraid ip in a "DMZ"? Post a diagnostics.zip file, it may contain some clues.

I have a few docker images that have open ports, yes. I would never turn DMZ on though, haha.

I'm attaching the diagnostics archive if you wouldn't mind. Thank you!

tower-diagnostics-20170120-2008.zip


Any direction that I should look here? I did a tcpdump last night (2GB file!)

I'm going to try and coordinate that with the time my ISP provides me if there was any botnet activity. Hopefully to find an answer.

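The post above describes correlating a large tcpdump capture with the time of activity the ISP reports. The following is an added example, not code from the original thread or from unRAID, showing one way to do that against the text output of `tcpdump -n -tttt`: it keeps only packets sent from a local host to the reported remote address inside a window around the reported time, and tallies them by local source and remote port. The capture lines, the addresses 192.168.1.10 and 198.51.100.23, port 6667 and the 20:08 timestamp are all constructed for the example and are not taken from the thread's diagnostics or capture.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format produced by `tcpdump -n -tttt`.
# Addresses, ports and times are hypothetical, not from the thread's capture.
SAMPLE_CAPTURE = """\
2017-01-20 20:05:01.000123 IP 192.168.1.10.51234 > 192.168.1.1.53: 1234+ A? example.com. (29)
2017-01-20 20:07:45.221000 IP 192.168.1.10.40112 > 198.51.100.23.6667: Flags [S], seq 1, win 29200, length 0
2017-01-20 20:07:45.240000 IP 198.51.100.23.6667 > 192.168.1.10.40112: Flags [S.], seq 2, ack 2, win 65535, length 0
2017-01-20 20:09:10.000000 IP 192.168.1.10.40118 > 198.51.100.23.6667: Flags [P.], seq 1:40, ack 1, win 229, length 39
2017-01-20 21:30:00.000000 IP 192.168.1.10.40200 > 198.51.100.23.6667: Flags [S], seq 9, win 29200, length 0
"""

# Matches the timestamp, source IP.port and destination IP.port of an IPv4 line.
PKT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def correlate(capture_text, reported_ip, reported_time, window_minutes=15):
    """Return {local_src_ip: {remote_port: packet_count}} for packets sent to
    reported_ip within +/- window_minutes of reported_time.

    Only packets whose destination is the reported address count, so the
    remote host's replies are ignored and the local talker is identified.
    """
    lo = reported_time - timedelta(minutes=window_minutes)
    hi = reported_time + timedelta(minutes=window_minutes)
    hits = {}
    for line in capture_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # non-IPv4 or truncated line; skip rather than guess
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src, dst, dport = m.group(2), m.group(4), int(m.group(5))
        if dst != reported_ip or not (lo <= ts <= hi):
            continue
        per_port = hits.setdefault(src, {})
        per_port[dport] = per_port.get(dport, 0) + 1
    return hits


if __name__ == "__main__":
    # Hypothetical ISP report: 198.51.100.23 contacted around 20:08 on 20 Jan 2017.
    result = correlate(SAMPLE_CAPTURE, "198.51.100.23", datetime(2017, 1, 20, 20, 8))
    for local_ip, ports in result.items():
        for port, n in sorted(ports.items()):
            print(f"{local_ip} -> 198.51.100.23:{port}  {n} packet(s) in window")
```

On a real capture, generate the text with `tcpdump -n -tttt -r capture.pcap > capture.txt` and pass the file contents in; a capture taken on the unRAID host itself only sees that host's own traffic, so a hit there points at the server or one of its containers, while an absence of hits in the window points elsewhere on the LAN.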

I have called my ISP back two weeks in a row and they say no reports have come back with any potential threats, but I just received another email this morning for the same thing. I'm not sure if I should be looking towards my unRaid or something else at this point.


I'm dealing with a similar situation right now and I'm not sure how to proceed. I noticed a couple nights ago that my server was being hammered by 2 IPs from China, trying to get in via ssh. I closed port 22 (it was forwarded so I could access it from outside my home network, I see now that was a bad idea) but yesterday my IP was banned from PlayStation Network so I'm assuming it's related. How can I know if my server has been compromised? From looking through my logs I just see that the connections failed but I really don't know what I'm looking for.

I've formatted my unraid flash drive and installed the latest version fresh. What else can I do? Is there any way to run a spyware check on my whole system?

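The post above says the logs show failed SSH connections but not what to look for. What matters for the "was I compromised" question is not the failures themselves but whether any of the attacking addresses ever got an `Accepted` line. The following is an added example, not code from the original thread or from unRAID: it scans sshd syslog lines, counts failures per source address, and flags any successful login that came from an address that had also been failing. The log lines and the addresses 203.0.113.7, 198.51.100.23 and 192.168.1.50 are constructed for the example; the hostname `tower` is only a placeholder.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format sshd writes on a Linux host.
# Addresses and PIDs are hypothetical, not from anyone's real log.
SAMPLE_LOG = """\
Jan 20 20:01:11 tower sshd[4011]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 20 20:01:13 tower sshd[4011]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 20 20:01:15 tower sshd[4013]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 20 20:01:20 tower sshd[4015]: Failed password for root from 198.51.100.23 port 40000 ssh2
Jan 20 20:02:02 tower sshd[4019]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Jan 20 20:05:40 tower sshd[4030]: Accepted publickey for root from 192.168.1.50 port 55000 ssh2
"""

# "invalid user" appears when the account does not exist; the username still follows it.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def analyse_sshd(log_text, threshold=3):
    """Return (brute_forcers, accepted, suspicious).

    brute_forcers: {ip: failed_count} for addresses with >= threshold failures
    accepted:      [(ip, user, auth_method)] for every successful login
    suspicious:    the subset of accepted logins whose source address also
                   produced at least one failure, i.e. a brute force that
                   eventually worked
    """
    failures = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(3), m.group(2), m.group(1)))
    brute_forcers = {ip: n for ip, n in failures.items() if n >= threshold}
    suspicious = [entry for entry in accepted if entry[0] in failures]
    return brute_forcers, accepted, suspicious


if __name__ == "__main__":
    brute, ok, bad = analyse_sshd(SAMPLE_LOG)
    for ip, n in brute.items():
        print(f"brute force from {ip}: {n} failures")
    for ip, user, method in bad:
        print(f"SUSPICIOUS: {ip} logged in as {user} via {method} after failing")
```

Run it over the syslog from the diagnostics archive (or `/var/log/syslog` on the server) and read the `suspicious` list first: a successful `password` login from an address that had been failing is the strongest sign the box was actually entered, whereas any number of failures with no matching `Accepted` line is just noise from the scanner.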
On 1/20/2017 at 8:12 PM, ColonelRhodes said:

On 1/20/2017 at 9:38 AM, ashman70 said:

Do you have any Internet of Things devices in your house that connect wirelessly to the Internet, security cameras, tablets, anything that uses wifi?

Yes. Philips Hue and other things like that.

It's my understanding those are known to be highly vulnerable to hacking, and have been taken over and used in cyber attacks. I'd recommend researching how to harden them, at the least change any passwords or security keys associated with them.

1 hour ago, druck21 said:

I'm dealing with a similar situation right now and I'm not sure how to proceed. I noticed a couple nights ago that my server was being hammered by 2 IPs from China, trying to get in via ssh. I closed port 22 (it was forwarded so I could access it from outside my home network, I see now that was a bad idea) but yesterday my IP was banned from PlayStation Network so I'm assuming it's related. How can I know if my server has been compromised? From looking through my logs I just see that the connections failed but I really don't know what I'm looking for.

I've formatted my unraid flash drive and installed the latest version fresh. What else can I do? Is there any way to run a spyware check on my whole system?

Chances are that you have a compromised station or IOT device on your local network, and it's the source of your problems, not your unRAID server. I'm not saying it's not possible, but rather unlikely, compared to Windows, IOT devices, or even Macs. A rigorous investigation of them is more likely to find something.

No, currently there's no malware detection tools available for unRAID, but since an unRAID server system is rebuilt on every boot, it would be difficult to keep it infected, even if it had been hacked. And since you've refreshed your flash drive, I see little chance of the problem being your unRAID server. Just make sure you NEVER put it in the router DMZ!


I'm not even sure where to start with my IoT devices. I currently have Philips Hue, 2 Nest thermostats, and 1 Wemo outlet. They are all on static IP addresses. Not sure if I should reassign them or just "reset" them back to factory settings.

19 hours ago, druck21 said:

I'm dealing with a similar situation right now and I'm not sure how to proceed. I noticed a couple nights ago that my server was being hammered by 2 IPs from China, trying to get in via ssh. I closed port 22 (it was forwarded so I could access it from outside my home network, I see now that was a bad idea) but yesterday my IP was banned from PlayStation Network so I'm assuming it's related. How can I know if my server has been compromised? From looking through my logs I just see that the connections failed but I really don't know what I'm looking for.

As an aside, the fix common problems plugin checks for and alerts you for things like this as part of its daily schedule.

2 hours ago, Squid said:

As an aside, the fix common problems plugin checks for and alerts you for things like this as part of its daily schedule.

This is a little off-topic, but I wonder if there's a way to detect DMZ usage. I have no idea myself, but I think a good smart network hacker could probably think of a test that would reveal an open DMZ config. Or perhaps it could be inferred from the type of attacks occurring in the syslog.

Then you could warn the user ...


Thank you guys both so much for the responses. I know not to put it in a DMZ so that's not an issue. I checked out that fix common errors plugin and all that came up was it recommending me to turn on notifications for updates on my dockers/plugins. I've re-flashed my router and taken things like my smart TV that I never use online off my network for now. Now to just figure out how to get my IP unbanned from Sony. Thank you again!

Edited by druck21

On 2/6/2017 at 11:04 PM, ColonelRhodes said:

I have called my ISP back two weeks in a row and they say no reports have come back with any potential threats, but I just received another email this morning for the same thing. I'm not sure if I should be look towards my unRaid or something else at this point.

Sort of old thread but, I'm just curious. Are you sure the email was actually from your ISP, and not just some scam? I don't know... I mean if you called them and they said there wasn't a problem?

3 hours ago, TSM said:

Sort of old thread but, I'm just curious. Are you sure the email was actually from your ISP, and not just some scam? I don't know... I mean if you called them and they said there wasn't a problem?

100% sure. I've been in contact with the security team of my ISP over the past few months.


Chances are it's your Router that has been hacked and not your workstation or server.

11 minutes ago, BRiT said:

Chances are it's your Router that has been hacked and not your workstation or server.

+1

It's amazing the number of popular routers that have had their most recently available firmware versions compromised. Typically if the router is over a couple years old and was sold in any mass quantity, it's been hacked.

1 minute ago, jonathanm said:

+1

It's amazing the number of popular routers that have had their most recently available firmware versions compromised. Typically if the router is over a couple years old and was sold in any mass quantity, it's been hacked.

That's an interesting idea. It's an ASUS router. But I guess it wouldn't be a bad idea to just reformat it back to factory settings and clear the NVRAM.


Or look into running dd-wrt custom firmware on it.

4 minutes ago, BRiT said:

Or look into running dd-wrt custom firmware on it.

I've run DD-WRT in the past. I find ASUS-Wrt Merlin firmware to be more stable.


Any Asus router user should be running Merlin firmware. I've been running it for years, first on my RT-N66U and now on my amazingly stable RT-AC87U (considering that model is considered a bit wobbly).

Edited by HellDiverUK


Copyright © 2005-2017 Lime Technology, Inc. unRAID® is a registered trademark of Lime Technology, Inc.