My Amahi server was hacked

Post by techlife » Fri Oct 14, 2016 5:51 pm

So I happened to bump the mouse for my server when I was in the basement today and noticed stuff open on the desktop, which there hardly ever is. I was greeted with a browser window opened to "minegate" and a terminal window open. In the terminal window were the results of an ls under my standard user (not root) followed by ":^) Sweet honey pot man, keep it up^C". I can only narrow the intrusion down to the last week or so since that's how long it's been since I last looked at it.

So anyway, seeing how there's almost 24TB of content on that server including all our music/movies/tv, family pics and financial info, yeah, I'm freaking out. Fortunately I can not see where anything has been deleted and from the note, he doesn't necessarily seem malicious. This time.

I moved the sensitive data off the server altogether temporarily.

The only thing I can see was when I replaced my router last weekend, I forgot to turn UPnP off. When I did that, I also disabled DHCP, DNS and VPN on the server since the only thing I really need it to do is run greyhole. There are no ports forwarded to the server. There are only two open at all: one for my automation system and one for Emby. VNC is active on the server without a password, but connections can only be made to it from my local network.

I'm only posting here because it was the server that showed the evidence. That and there are some really smart folks here that may be able to offer some advice. I am in no way, shape or form blaming the Amahi team.

Could there be something on the server sending info back now? Should I format the OS drive and reload Amahi? I know I need to anyway since I'm still on 6 but taking the server down long enough to do that is very difficult since it's our only source of entertainment and there will be screaming. Especially if greyhole has to rebuild which last time took 3-4 days before everything was available again.

Post by cpg » Fri Oct 14, 2016 6:44 pm

Weren't you the one that came to IRC a bit ago talking about running honeypots on your server?

And we told you that was just inviting attention?

I would say take the data drives offline, reinstall, re-add the drives.
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1

Post by techlife » Fri Oct 14, 2016 6:45 pm

No. It wasn't me. I have never used IRC and I don't know what a "honeypot" is. I just assumed they meant nice movie collection.

Post by cpg » Fri Oct 14, 2016 6:53 pm

It sounds extremely unlikely that your server was hacked, since there are very few ports open and they seem unrelated.

I would look through logs, etc.

Or get our commercial support (requires VPN/ssh access) to investigate, but it sounds like you should reinstall anyway.

Post by techlife » Fri Oct 14, 2016 7:00 pm

If I wasn't hacked then do you have any thoughts on how what I mentioned appeared on the screen? Or what logs I should look at to try to figure it out? I'm not trying to come off the wrong way. I genuinely don't understand and want to learn.

I'll pick up a new OS drive tomorrow (since it needs to be replaced anyway) and get to work.

Thank you for the replies.

Post by cpg » Fri Oct 14, 2016 7:04 pm

No idea. It could be a hack, or it could be a silly teenager prank from someone in the network. Or as simple as a drive-by paste.