"nzbdwinbeast2" keeps downloading


Post by starmanj »

SAB is acting weird - it keeps downloading "sabnzbdwinbeast2" folders containing:

config.json
cron.bat
cronget.bat
sabsznbd.exe
search_indexer.exe
winring0x64.sys

Anybody know what the heck is going on?


Post by OneCD »

Looks like malware. :(

viewtopic.php?f=2&t=25295


Post by starmanj »

Jeez I had no idea SAB was so dangerous!


Post by safihre »

Sab is not. Your settings are.
See:
https://www.reddit.com/r/usenet/comment ... protected/


Post by AtariBaby »

safihre wrote:
April 15th, 2021, 11:47 am
Sab is not. Your settings are.
See:
https://www.reddit.com/r/usenet/comment ... protected/
I have username/password and no access, and my system still downloaded it.


Post by jcfp »

AtariBaby wrote:
April 18th, 2021, 11:13 am
I have username/password and no access, and my system still downloaded it.
All it takes for a script kiddie to download an nzb and modify script settings to run downloaded code is a Windows operating system plus remote access to the web interface (no user/pass or credentials known/guessed) or the api (api key known or disabled).

Note that if the web interface was at any time exposed to the internet without authentication, the apikey could simply have been read by an attacker at that time and still be used to access sab now - even if you have put a user/pass in place. An apikey could also be harvested from a hacked or malicious indexer if it was shared there for integration purposes.
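
An added example, not part of the thread and not SABnzbd's own code: a small audit of the `[misc]` section of `sabnzbd.ini` for the conditions jcfp describes above (interface reachable without a login, API key check disabled, script settings you did not make). The key names `host`, `username`, `password`, `disable_api_key`, `script_dir` and `pre_script` are assumed to match your SABnzbd version, and the sample file is constructed.

```python
import ipaddress
# Constructed sample sabnzbd.ini (not from the thread); key names are assumptions.
SAMPLE_INI = '''__version__ = 19
[misc]
host = 0.0.0.0
username = ""
password = ""
disable_api_key = 0
script_dir = D:/downloads/complete
pre_script = example.bat
[servers]
[[news.example.invalid]]
host = news.example.invalid
'''

def read_misc(text):
    """Collect key/value pairs from the top-level [misc] section only."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if not line.startswith("[["):      # [[name]] is a subsection, keep parent
                section = line[1:-1].strip()
            continue
        if section == "misc" and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip('"')
    return values

def is_local_only(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                           # other hostnames: assume reachable

def audit(text):
    misc, findings = read_misc(text), []
    exposed = not is_local_only(misc.get("host", ""))
    if exposed and not (misc.get("username") and misc.get("password")):
        findings.append("web interface listens beyond localhost without username/password")
    if misc.get("disable_api_key", "0") == "1":
        findings.append("API key check is disabled")
    for key in ("script_dir", "pre_script"):
        value = misc.get(key, "")
        if value and value.lower() != "none":
            findings.append(f"{key} = {value!r}: confirm this is a setting you made")
    return findings
```

Call `audit()` on the text of your own `sabnzbd.ini`. An empty list covers current settings only and does not show that the API key was never read earlier, which is why rotating it is still needed.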


Post by AtariBaby »

jcfp wrote:
April 18th, 2021, 11:41 am
AtariBaby wrote:
April 18th, 2021, 11:13 am
I have username/password and no access, and my system still downloaded it.
All it takes for a script kiddie to download an nzb and modify script settings to run downloaded code is a Windows operating system plus remote access to the web interface (no user/pass or credentials known/guessed) or the api (api key known or disabled).

Note that if the web interface was at any time exposed to the internet without authentication, the apikey could simply have been read by an attacker at that time and still be used to access sab now - even if you have put a user/pass in place. An apikey could also be harvested from a hacked or malicious indexer if it was shared there for integration purposes.
So should I change the password? reset the API?


Post by AtariBaby »

Also I did some testing, and both Bitdefender and Malwarebytes detected and killed this thing.


Post by Puzzled »

AtariBaby wrote:
April 18th, 2021, 1:33 pm
So should I change the password? reset the API?
Both.


Post by safihre »

Did you maybe use nzbgeek? They were hacked a few months ago.


Post by AtariBaby »

safihre wrote:
April 18th, 2021, 1:59 pm
Did you maybe use nzbgeek? They were hacked a few months ago.
I am a member. I checked and there appears to be nowhere to enter a sabnzbd api key. Plus I have 2FA on that site, if that matters. Maybe there was before the hack IDK. But I can change the sab api key and I changed my sab login password.
