
Trojan.Linux.Mozi.Botnet #1865

Open
elated-emu opened this issue Jun 23, 2024 · 2 comments

Comments

@elated-emu

elated-emu commented Jun 23, 2024

Grabbing Info..

@elated-emu
Author

elated-emu commented Jun 23, 2024

I am using Umbrel inside Proxmox. Immediately after updating to 1.2.1, I have been getting notified by my router IDS (ProtectIQ) about it blocking "Trojan.Linux.Mozi Botnet".
I seem to get hits every 5 minutes to 40 minutes.

Troubleshooting Steps

Checking the network logs at the time within Proxmox.

MESSAGE=IN=fwbr101i0 OUT= PHYSIN=tap101i0 MAC=f8:85:f9:22:5c:16:bc:24:11:42:2b:8e:08:00 SRC=192.168.1.210 DST=114.239.10.95 LEN=93 TOS=0x04 PREC=0x00 TTL=63 ID=8509 DF PROTO=UDP SPT=18175 DPT=30301 LEN=73

What is port 18175? It seems to always hit that one. Different external IP every hit.

Rollback to version prior to 1.2.1

No longer getting these notifications. It seems weird since the 1.2.1 update only updated some language stuff from what I saw in the change-log?

I tested this overnight, getting 0 detections over 8 hours.

Update back to 1.2.1 through WebUI.

Right after update, I got a hit at 08:36 AM and haven't gotten one since.

10:26 AM: The umbrel password seems to have been changed. I think it is actively being targeted.

10:38 AM: Reverting to an old snapshot confirms that the password was updated. I have reverted to Umbrel 1.2. Going to update again through WebUI. Maybe 1.2.1 changes the password by default?

10:41 AM: I just noticed another hit at the same time I would have restored the snapshot (10:35 AM) to 203.192.198.37.

11:05 AM: The default root password for Umbrel 1.2.1 is "umbrel" regardless of prior setting?!
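The troubleshooting above comes down to reading Proxmox's netfilter LOG lines by hand. As an added example (not code from the Umbrel project or from anyone in this thread), the script below parses lines in that exact format, separates traffic to public addresses from LAN traffic, and reports any fixed source port that keeps talking to several different public IPs on the same destination port, which is the pattern the reporter noticed (SPT=18175 to a different external address each time). The first sample line is the one quoted in the report; the other three are constructed for illustration, as are the helper names.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: line 1 is the log line quoted in this issue, lines 2-4
# are made up to show a second external hit, a LAN flow and a DNS lookup.
SAMPLE_LOG = """\
MESSAGE=IN=fwbr101i0 OUT= PHYSIN=tap101i0 MAC=f8:85:f9:22:5c:16:bc:24:11:42:2b:8e:08:00 SRC=192.168.1.210 DST=114.239.10.95 LEN=93 TOS=0x04 PREC=0x00 TTL=63 ID=8509 DF PROTO=UDP SPT=18175 DPT=30301 LEN=73
MESSAGE=IN=fwbr101i0 OUT= PHYSIN=tap101i0 MAC=f8:85:f9:22:5c:16:bc:24:11:42:2b:8e:08:00 SRC=192.168.1.210 DST=203.192.198.37 LEN=93 TOS=0x04 PREC=0x00 TTL=63 ID=8510 DF PROTO=UDP SPT=18175 DPT=30301 LEN=73
MESSAGE=IN=fwbr101i0 OUT= PHYSIN=tap101i0 MAC=f8:85:f9:22:5c:16:00:00:00:00:00:00:08:00 SRC=192.168.1.210 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=44210 DPT=443
MESSAGE=IN=fwbr101i0 OUT= PHYSIN=tap101i0 MAC=f8:85:f9:22:5c:16:00:00:00:00:00:00:08:00 SRC=192.168.1.210 DST=8.8.8.8 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=51000 DPT=53 LEN=50
"""

KV = re.compile(r"^([A-Z]+)=(.*)$")


def parse_line(line: str) -> Dict[str, object]:
    """Split one netfilter LOG line into KEY=value fields.

    Bare tokens such as DF are collected under FLAGS. LEN appears twice
    (IP total length, then UDP length); the second copy is stored as LEN2.
    The leading MESSAGE= prefix from journalctl's verbose output is dropped.
    """
    if line.startswith("MESSAGE="):
        line = line[len("MESSAGE="):]
    fields: Dict[str, object] = {}
    flags: List[str] = []
    for tok in line.split():
        m = KV.match(tok)
        if not m:
            flags.append(tok)
            continue
        key, val = m.groups()
        if key in fields:
            key = key + "2"
        fields[key] = val
    fields["FLAGS"] = flags
    return fields


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    spt: int
    dpt: int
    external: bool  # True when DST is a public (globally routable) address


def to_flow(fields: Dict[str, object]) -> Optional[Flow]:
    """Build a Flow from parsed fields; returns None for non-TCP/UDP lines."""
    try:
        dst = ipaddress.ip_address(str(fields["DST"]))
        return Flow(
            src=str(fields["SRC"]),
            dst=str(fields["DST"]),
            proto=str(fields["PROTO"]),
            spt=int(str(fields["SPT"])),
            dpt=int(str(fields["DPT"])),
            external=dst.is_global,
        )
    except (KeyError, ValueError):
        return None


def flows(text: str) -> List[Flow]:
    out = []
    for line in text.splitlines():
        if line.strip():
            f = to_flow(parse_line(line))
            if f is not None:
                out.append(f)
    return out


def summarize(text: str) -> Dict[str, object]:
    """Counts of external flows by destination port and by source port."""
    ext = [f for f in flows(text) if f.external]
    return {
        "total": len(flows(text)),
        "external": len(ext),
        "by_dport": Counter((f.proto, f.dpt) for f in ext),
        "by_sport": Counter((f.proto, f.spt) for f in ext),
    }


def fan_out(text: str, min_distinct: int = 2) -> List[Tuple[str, int, int]]:
    """(proto, spt, dpt) triples where one fixed source port reached at least
    min_distinct different public addresses on the same destination port."""
    dsts: Dict[Tuple[str, int, int], set] = {}
    for f in flows(text):
        if f.external:
            dsts.setdefault((f.proto, f.spt, f.dpt), set()).add(f.dst)
    return sorted(k for k, v in dsts.items() if len(v) >= min_distinct)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("fixed source port fanning out to several public hosts:", fan_out(SAMPLE_LOG))
```

To run it against a live host, feed it `journalctl -k -o verbose` output (or the raw `kern.log` lines without the `MESSAGE=` prefix) instead of `SAMPLE_LOG`; the 18175 entry in `by_sport` is the answer to "what is port 18175": it is the VM-side source port, not the remote service.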

@nmfretz
Collaborator

nmfretz commented Jun 23, 2024

Thanks for reporting @elated-emu. I'm going to post our Discord discussion here for proper documentation. Let's keep the discussion over on Discord for now.

[image: screenshot of the Discord discussion]

qBittorrent thread: https://www.reddit.com/r/qBittorrent/comments/13wltnc/weird_problem_with_qbittorrent/
