I think my NAS is infected with a cryptocurrency virus

  • Why are you sure it was containers in Portainer? (Your response to votdev made it seem like that's what you suspected.) So you were asked which one, and you provided a list of containers. That's what he meant about providing a list not being helpful, as he was under the impression (as was I) that you suspected a Docker container caused this, but didn't bother telling us which one.


    I think there's a language barrier/misunderstanding here.

    I never said I was sure the containers were to blame. I'm not sure who's responsible.

  • Can you show the compose text for each container? I'm really curious as to how this happened and which container is the problem (if any).

    Plugins - compose, cputemp, omv-extras, sharerootfs.

    Drives - 1tb nvme Data, 2TB nvme Leeching, 24TB (8tbx 3 merg) Media,

    Docker - nginx-proxy-manager, plex, prowlarr, qbittorrentvpn, radarr, sonarr, watchtower.

    • Official post

    I'm about to hit the sack... But one thing I'm seeing is he has a duckdns container to update the IP of his duckdns domain... But I don't see swag or any other reverse proxy containers.


    OP, did you pull certs to secure your services (i.e., padlock by your domain)? Or did you just start opening ports to these services in your router and point them at your server?

  • Jdownloader and Homarr are run with no PUID, which is the same as running as root.


    And homarr has RW access to docker.sock.

    If it's similar to Heimdall and no login/password was created, you found your hole.


    Enough said...

  • Jdownloader and Homarr are run with no PUID, which is the same as running as root.


    And homarr has RW access to docker.sock.

    If it's similar to Heimdall and no login/password was created, you found your hole.

    This

    Plugins - compose, cputemp, omv-extras, sharerootfs.

    Drives - 1tb nvme Data, 2TB nvme Leeching, 24TB (8tbx 3 merg) Media,

    Docker - nginx-proxy-manager, plex, prowlarr, qbittorrentvpn, radarr, sonarr, watchtower.

  • Deleting the HOMARR container was the first thing I did

    OP, can you show us any ports you have forwarded in your router, to your server?

    port 80 only

  • Deleting the HOMARR container was the first thing I did

    The fact that you deleted it doesn't mean you got rid of any harm already on the server.

    Be it a mining script, ransomware, malware, etc... Once installed, it will replicate itself.

    Honestly, I wouldn't trust a system like that anymore.

    port 80 only

    That port is insecure on the internet.

    To have WAN access to the services, you need HTTPS, which runs on port 443.


    Like KM0201 said, it looks like you just opened your server to the outside world without securing it with a proper certificate via a reverse proxy. Be it SWAG, Traefik, NPM, whatever....
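The two posts above point at the same problem from different sides: a dashboard running as root with read-write access to docker.sock, and a plain-HTTP port forwarded from the router straight to it. The script below is an added example, not code from this thread or from any of the projects named in it. It reads the JSON that `docker inspect` prints and flags exactly those conditions. The inspect output embedded in it is a constructed sample (container names mirror the thread, every value is invented), and the PUID/PGID check assumes the linuxserver.io convention, which the thread does not spell out.

```python
"""Audit `docker inspect` output for root-equivalent and internet-facing containers.

Added example. Feed it the JSON from `docker inspect <containers>` on stdin, or
run it without input to see it work on the constructed sample below.
"""
import json

DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample in the shape `docker inspect` emits, trimmed to the fields
# the audit reads. Names mirror the thread; the values are invented.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/homarr",
        "Config": {"User": "", "Env": ["TZ=Europe/Berlin"]},
        "HostConfig": {
            "Privileged": False,
            # HostIp "" means 0.0.0.0: reachable from any interface
            "PortBindings": {"7575/tcp": [{"HostIp": "", "HostPort": "80"}]},
        },
        "Mounts": [
            {"Type": "bind", "Source": DOCKER_SOCK, "Destination": DOCKER_SOCK, "RW": True},
        ],
    },
    {
        "Name": "/jdownloader",
        "Config": {"User": "", "Env": ["TZ=Europe/Berlin"]},
        "HostConfig": {"Privileged": False, "PortBindings": {}},
        "Mounts": [],
    },
    {
        "Name": "/sonarr",
        "Config": {"User": "", "Env": ["PUID=1000", "PGID=100"]},
        "HostConfig": {
            "Privileged": False,
            "PortBindings": {"8989/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8989"}]},
        },
        "Mounts": [{"Type": "bind", "Source": "/srv/data/sonarr", "Destination": "/config", "RW": True}],
    },
])


def env_map(env):
    """Turn Docker's ["KEY=value", ...] list into a dict."""
    out = {}
    for item in env or []:
        key, _, value = item.partition("=")
        out[key] = value
    return out


def audit_container(c):
    """Return (name, [findings]) for one `docker inspect` entry."""
    findings = []
    name = c.get("Name", "?").lstrip("/")
    cfg = c.get("Config", {})
    host = c.get("HostConfig", {})
    env = env_map(cfg.get("Env"))

    # docker.sock inside a container is root on the host: whoever controls the
    # app can ask the (root) daemon to start a container with / bind-mounted.
    for m in c.get("Mounts", []):
        if m.get("Source") == DOCKER_SOCK:
            mode = "read-write" if m.get("RW", True) else "read-only"
            findings.append(f"mounts {DOCKER_SOCK} {mode}: root-equivalent on the host")

    if host.get("Privileged"):
        findings.append("runs --privileged")

    # No User and no PUID/PGID (linuxserver.io convention, an assumption here)
    # means the service process runs as uid 0 inside the container.
    if not cfg.get("User") and not ("PUID" in env and "PGID" in env):
        findings.append("runs as root (no User and no PUID/PGID)")

    # Anything published on 0.0.0.0 is one router rule away from the internet;
    # host port 80 is plain HTTP, so credentials would cross the wire in clear.
    for cport, binds in (host.get("PortBindings") or {}).items():
        for b in binds or []:
            ip = b.get("HostIp") or "0.0.0.0"
            if ip in ("0.0.0.0", "::"):
                note = " (plain HTTP)" if b.get("HostPort") == "80" else ""
                findings.append(f"publishes {cport} on all interfaces as port {b.get('HostPort')}{note}")
    return name, findings


def audit(inspect_json):
    """Map container name -> findings for the JSON text `docker inspect` prints."""
    return dict(audit_container(c) for c in json.loads(inspect_json))


if __name__ == "__main__":
    import sys
    text = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit(text).items():
        print(f"{name}: " + ("; ".join(findings) if findings else "no findings"))
```

On a live host run it as `docker inspect $(docker ps -q) | python3 audit_containers.py`. The docker.sock mount is the finding that matters most: the daemon runs as root, so the dashboard's own login page (if it even has one) is the only thing between the open port and root on the NAS.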

  • I'm wondering if this is a result of users (unprivileged) being put in the docker group. It's been demonstrated on this forum why this is a bad idea, but I know many of the tutorials say to create a docker user and put said user in the docker group... Read posts 94-101 below. Zoki demonstrated to me how he could delete my root partition with an unprivileged user who was in the docker group. Note to anyone who wants to try this: It absolutely works. Do not do this on a running system or you will wreck your OS drive. I did this on a VM.



    I would assume by the same token, you could execute malicious code in the same way.

    Interesting. All the more reason why my refusal to blindly follow a guide that is posted so that everyone ends up with the exact same docker user name, makes more and more sense.
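The demonstration described in the post above generalizes: the Docker daemon runs as root and does whatever the socket tells it to, so every account that can write to docker.sock is root under another name. The script below is an added example, not code from this thread or from OMV. It reads the output of `ls -l /var/run/docker.sock` together with /etc/group and /etc/passwd and lists every local account with write access to the socket, including accounts whose primary group is the socket's group, which `getent group docker` alone would miss. The listing and file contents embedded in it are constructed samples.

```python
"""List local accounts that can write to the Docker daemon socket.

Added example. Parses `ls -l /var/run/docker.sock`, /etc/group and /etc/passwd;
the embedded samples are constructed for illustration.
"""

# Constructed samples: a default root:docker socket with mode 0660, a docker
# group with two supplementary members, and one account (svc) whose *primary*
# group is docker (gid 998) and therefore never appears in /etc/group's list.
SAMPLE_SOCKET_LISTING = "srw-rw---- 1 root docker 0 Mar  3 08:12 /var/run/docker.sock"
SAMPLE_ETC_GROUP = (
    "root:x:0:\n"
    "sudo:x:27:admin\n"
    "docker:x:998:appuser,pi\n"
    "users:x:100:\n"
)
SAMPLE_ETC_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "admin:x:1000:1000::/home/admin:/bin/bash\n"
    "appuser:x:1001:100::/home/appuser:/usr/sbin/nologin\n"
    "pi:x:1002:100::/home/pi:/bin/bash\n"
    "svc:x:1003:998::/srv/svc:/usr/sbin/nologin\n"
)


def parse_socket_listing(listing):
    """Return (owner, group, group_writable, world_writable) from an `ls -l` line."""
    mode, _links, owner, group, *_rest = listing.split()
    # mode looks like "srw-rw----": index 5 is group write, index 8 is other write
    return owner, group, mode[5] == "w", mode[8] == "w"


def parse_group(group_text):
    """Map group name -> (gid, [supplementary members])."""
    groups = {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, _pw, gid, members = fields[:4]
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd(passwd_text):
    """Map user name -> primary gid."""
    users = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            users[fields[0]] = int(fields[3])
    return users


def socket_users(listing, group_text, passwd_text):
    """Accounts that can write to the socket, i.e. that are effectively root."""
    owner, group, group_writable, world_writable = parse_socket_listing(listing)
    if world_writable:
        return ["*"]  # every local account; no point listing them one by one
    users = {owner}
    groups = parse_group(group_text)
    if group_writable and group in groups:
        gid, members = groups[group]
        users.update(members)
        # accounts whose primary gid is the socket's group also get access
        users.update(u for u, g in parse_passwd(passwd_text).items() if g == gid)
    return sorted(users)


if __name__ == "__main__":
    import subprocess
    try:
        listing = subprocess.check_output(["ls", "-l", "/var/run/docker.sock"], text=True)
        with open("/etc/group") as f:
            group_text = f.read()
        with open("/etc/passwd") as f:
            passwd_text = f.read()
    except (OSError, subprocess.CalledProcessError):
        print("(no docker.sock found, using the constructed sample)")
        listing, group_text, passwd_text = SAMPLE_SOCKET_LISTING, SAMPLE_ETC_GROUP, SAMPLE_ETC_PASSWD
    for user in socket_users(listing, group_text, passwd_text):
        print(user)
```

Every name it prints other than root is an account that should be treated as root when you review who can log in to the NAS. Removing a supplementary member is `gpasswd -d <user> docker`; an account whose primary group is docker needs its primary group changed instead.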

  • Deleting the HOMARR container was the first thing I did

    port 80 only

    As Soma said, port 80 is not secured with SSL encryption, so it's possible for someone to intercept traffic on that port and see everything you are doing in the clear, such as typing user names and passwords. All internet traffic should be redirected to an SSL-encrypted port 443 via a reverse proxy using Let's Encrypt or some other certificate provider.


    So what does port 80 forward to? Your release of information when asking for help is very slow.

    • Official post

    Well I would say that pretty well confirms where this likely started.


    Step 1. Close port 80.


    Step 2. Reinstall. Sorry, I wouldn't suggest trying to fix this, as there is no way of knowing if this is the only compromise or just the first you noticed.


    Step 3. Learn to set up a reverse proxy and properly pull certs so your domain is secured for outside access.


    You've got a lot of reading ahead of you.

  • Are you joking me?

    Nope, I'm not joking.


    You asked for help but didn't give any information. When asked why you thought it was Docker-related and to point to the container you suspected, you showed a list of 10 or more containers with no information and no direction as to which one you suspected and why. When asked what you have open to the internet you said only port 80, with no explanation about how it is configured, where it is forwarded to/what you are accessing through it, etc.


    When asking for help, releasing pertinent information is needed. If the problem is related to internet things (security, getting hacked, dns errors, etc.) releasing the basic information about how you are configured initially will help people spot problems quicker because they won't have to ask for the basic information so they can decide what direction the questions need to go in.


    Asking for help with no information will slow down the process. Something that could be spotted and fixed in a day can now take several days, all the while, the security hole that may have been used to hack into your system is still open all because that basic information is not being released.

    • Official post

    I'm wondering if this is a result of users (unprivileged) being put in the docker group. It's been demonstrated on this forum why this is a bad idea, but I know many of the tutorials say to create a docker user and put said user in the docker group... Read posts 94-101 below. Zoki demonstrated to me how he could delete my root partition with an unprivileged user who was in the docker group. Note to anyone who wants to try this: It absolutely works. Do not do this on a running system or you will wreck your OS drive. I did this on a VM.

    Thank you. I did not know that. For some reason I had that configuration in the document: "Docker in OMV" for two years. I guess at the time it was necessary for some reason, possibly related to docker permissions. I've been testing on a vm and it seems that that user no longer needs to be in the docker group, the compose plugin may have helped with that somehow, so I removed that part of the document.

    Zoki was a crack, it's a shame he's no longer here.


    All the more reason why my refusal to blindly follow a guide that is posted so that everyone ends up with the exact same docker user name, makes more and more sense.

    Well, I guess we agree that the documents are necessary, otherwise we would have the forum filled with the same questions every day. A while ago I read some similar comments regarding folder and user names. I agree with that reasoning. In the document "Docker in OMV" I added the tag "(or whatever you want to call it)" to each folder/user name some time ago. I can't think of a better way to do it. If you have a better idea...

  • I have given you all the information I have to the best of my knowledge.

    I have to improve? Of course, yes, but if I had been better I probably wouldn't have needed help.

    I also have a life (that doesn't revolve around my home server) that keeps me very busy, so I don't understand why you respond to me this way. If you don't want to or don't know how to help me, then I still thank you and say goodbye.

    • Official post

    I have to improve? Of course, yes, but if I had been better I probably wouldn't have needed help.

    If you are installing from scratch maybe this will be useful for you. It includes an NPM container already configured and other containers that may be useful to you.

  • I have given you all the information I have to the best of my knowledge.

    I have to improve? Of course, yes, but if I had been better I probably wouldn't have needed help.

    I also have a life (that doesn't revolve around my home server) that keeps me very busy, so I don't understand why you respond to me this way. If you don't want to or don't know how to help me, then I still thank you and say goodbye.

    I responded in the hope that it would help you realize that providing the pertinent/correct information is important when asking for help. It also helps people get an idea of the level of understanding that you have and then responses can be structured in a way that is the most helpful to you.


    I’m not trying to be inconsiderate or mean. My first response to you about changing passwords and then confirming soma’s point about security were both meant to be helpful, but without more information there was little more that could be said at the time.


    We all have lives beside dealing with our systems but it doesn’t mean we can’t release the information that is required.


    I’m sorry if I have “ruffled your feathers”. That is not the intent. Remember email and posts on forums lack the personal interaction cues that an in person conversation has.

    • Official post

    Thank you. I did not know that. For some reason I had that configuration in the document: "Docker in OMV" for two years. I guess at the time it was necessary for some reason, possibly related to docker permissions. I've been testing on a vm and it seems that that user no longer needs to be in the docker group, the compose plugin may have helped with that somehow, so I removed that part of the document.

    Zoki was a crack, it's a shame he's no longer here.

    It has nothing to do with the compose plugin (that thread is over a year old). The only thing the docker group allowed a user to do that was handy was to start/stop/install containers with docker run or docker compose without being root while doing it.


    It was handy, but honestly from a security standpoint it was a bad idea.

    • Official post

    It has nothing to do with the compose plugin (that thread is over a year old). The only thing the docker group allowed a user to do that was handy was to start/stop/install containers with docker run or docker compose without being root while doing it.


    It was handy, but honestly from a security standpoint it was a bad idea.

    True, two years ago it was a widespread custom on the forum and it was a bad idea, no matter who it was. Nobody knew at that time what Zoki said a year later.
