
"nzbdwinbeast2" keeps downloading

Posted: April 14th, 2021, 1:58 pm
by starmanj
SAB is acting weird - it keeps downloading "sabnzbdwinbeast2" folders containing:

config.json
cron.bat
cronget.bat
sabsznbd.exe
search_indexer.exe
winring0x64.sys

Anybody know what the heck is going on?

Re: "nzbdwinbeast2" keeps downloading

Posted: April 14th, 2021, 2:09 pm
by OneCD
Looks like malware. :(

viewtopic.php?f=2&t=25295

Re: "nzbdwinbeast2" keeps downloading

Posted: April 15th, 2021, 8:05 am
by starmanj
Jeez I had no idea SAB was so dangerous!

Re: "nzbdwinbeast2" keeps downloading

Posted: April 15th, 2021, 11:47 am
by safihre
Sab is not. Your settings are.
See:
https://www.reddit.com/r/usenet/comment ... protected/

Re: "nzbdwinbeast2" keeps downloading

Posted: April 18th, 2021, 11:13 am
by AtariBaby
safihre wrote: April 15th, 2021, 11:47 am Sab is not. Your settings are.
See:
https://www.reddit.com/r/usenet/comment ... protected/
I have username/password and no access, and my system still downloaded it.

Re: "nzbdwinbeast2" keeps downloading

Posted: April 18th, 2021, 11:41 am
by jcfp
AtariBaby wrote: April 18th, 2021, 11:13 am I have username/password and no access, and my system still downloaded it.
All it takes for a script kiddie to download an nzb and modify script settings to run downloaded code is a Windows operating system plus remote access to the web interface (no user/pass or credentials known/guessed) or the API (API key known or disabled).

Note that if the web interface was at any time exposed to the internet without authentication, the apikey could simply have been read by an attacker at that time and still be used to access sab now - even if you have put a user/pass in place. An apikey could also be harvested from a hacked or malicious indexer if it was shared there for integration purposes.
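
A defender-side check for the conditions named in the post above, as an added example that is not part of the original thread and not SABnzbd's own code: it reads the `[misc]` section of a `sabnzbd.ini` and flags an unauthenticated non-local web interface, a disabled API key check, and script settings that should be confirmed. The sample ini is constructed, and the key names (`host`, `username`, `password`, `disable_api_key`, `script_dir`, `pre_script`) are assumptions to verify against your own file.

```python
import re

# Constructed sample, not taken from the thread. Key names are assumed to match
# the [misc] section of a typical sabnzbd.ini; compare with your own file.
SAMPLE_INI = r'''
[misc]
host = 0.0.0.0
username = ""
password = ""
api_key = 0123456789abcdef0123456789abcdef
disable_api_key = 1
script_dir = C:\Downloads\complete
pre_script = None
[servers]
[[news.example.invalid]]
username = someone
'''

def read_misc(ini_text):
    """Collect key/value pairs of the top-level [misc] section only."""
    section, misc = None, {}
    for line in ini_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[([^\[\]]+)\]", line)
        if header:
            section = header.group(1)
        elif section == "misc" and "=" in line and not line.startswith(("#", "[")):
            key, _, value = line.partition("=")
            misc[key.strip()] = value.strip().strip('"')
    return misc

def audit(misc):
    """Return findings for the exposure conditions named in the post above."""
    findings = []
    # A missing host key is treated as non-local so that it gets reviewed.
    remote = misc.get("host", "") not in ("127.0.0.1", "localhost", "::1")
    if remote and not (misc.get("username") and misc.get("password")):
        findings.append("web interface reachable beyond localhost with no username/password")
    if misc.get("disable_api_key", "0") == "1":
        findings.append("API key check is disabled")
    if misc.get("script_dir"):
        findings.append("script_dir is set (%s): confirm you chose it" % misc["script_dir"])
    if misc.get("pre_script", "None") not in ("", "None"):
        findings.append("pre_script is set (%s): confirm you chose it" % misc["pre_script"])
    return findings

if __name__ == "__main__":
    for finding in audit(read_misc(SAMPLE_INI)):
        print("REVIEW:", finding)
```

An empty result does not show that the API key was never read while the interface was open, so it does not replace rotating the key and password.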

Re: "nzbdwinbeast2" keeps downloading

Posted: April 18th, 2021, 1:33 pm
by AtariBaby
jcfp wrote: April 18th, 2021, 11:41 am
AtariBaby wrote: April 18th, 2021, 11:13 am I have username/password and no access, and my system still downloaded it.
All it takes for a script kiddie to download an nzb and modify script settings to run downloaded code is a Windows operating system plus remote access to the web interface (no user/pass or credentials known/guessed) or the API (API key known or disabled).

Note that if the web interface was at any time exposed to the internet without authentication, the apikey could simply have been read by an attacker at that time and still be used to access sab now - even if you have put a user/pass in place. An apikey could also be harvested from a hacked or malicious indexer if it was shared there for integration purposes.
So should I change the password? Reset the API?

Re: "nzbdwinbeast2" keeps downloading

Posted: April 18th, 2021, 1:33 pm
by AtariBaby
Also I did some testing, and both Bitdefender and Malwarebytes detected and killed this thing.

Re: "nzbdwinbeast2" keeps downloading

Posted: April 18th, 2021, 1:37 pm
by Puzzled
AtariBaby wrote: April 18th, 2021, 1:33 pm So should I change the password? Reset the API?
Both.

Re: "nzbdwinbeast2" keeps downloading

Posted: April 18th, 2021, 1:59 pm
by safihre
Did you maybe use nzbgeek? They were hacked a few months ago.

Re: "nzbdwinbeast2" keeps downloading

Posted: April 18th, 2021, 2:10 pm
by AtariBaby
safihre wrote: April 18th, 2021, 1:59 pm Did you maybe use nzbgeek? They were hacked a few months ago.
I am a member. I checked and there appears to be nowhere to enter a sabnzbd API key. Plus I have 2FA on that site, if that matters. Maybe there was before the hack, IDK. But I can change the sab API key and I changed my sab login password.