Hacked? By Mr Robot?


#1

Sonarr version (exact version): 2.0.0.5322
Mono version (if Sonarr is not running on Windows): 5.18.1.0
OS: LibreELEC
Debug logs:
Description of issue:

A week or so ago I had an issue when suddenly all of my series were removed and replaced with a single series, “Mr Robot”. As much as I like that show, I had seen it all… and I definitely didn’t add it.

Now I do have Sonarr visible from the web and dynamic DNS switched on, and foolishly didn’t have any authentication turned on.

I did also notice that my indexing service appeared to have been compromised, so I changed all passwords and API etc.

I have now turned authentication on for Sonarr. But wondering if I should do anything else and whether this has happened to anyone else?


#2

… and whether this has happened to anyone else?

Indubitably. They’re all hiding in the corner out of shame.
Lesson learned, I suppose?

But wondering if I should do anything else

A scan for malware would be a good step, but on Linux check if Sonarr was running as a privileged user; if need be, check syslog. Check your download client logs for any suspicious downloads, and Sonarr’s logs too. Check Sonarr settings for an added proxy or changed indexers. Tbh, I’d just roll back to a reliable Sonarr backup.

PS: Based on the kind of vandalism, I doubt anything worse happened, so count yourself lucky.
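
The privilege and settings checks suggested in this reply, as an added example that is not part of the original thread or of Sonarr itself. It assumes Sonarr's config.xml stores `AuthenticationMethod` and `BindAddress` one element per line and that the v2 process command line contains `NzbDrone.exe`; the function names are made up for illustration. Pass the path to your own config.xml as the first argument.

```shell
# Added example: post-incident checks for a Sonarr host (not from the thread).
# Assumption: config.xml keeps one setting per line, for example
#   <AuthenticationMethod>None</AuthenticationMethod>

# Print the text of a single-line XML element.  $1 = file, $2 = element name
xml_value() {
    sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p" "$1" | head -n 1
}

# Print one finding per line for a Sonarr config.xml.  $1 = path
audit_config() {
    auth=$(xml_value "$1" AuthenticationMethod)
    case "$auth" in
        ""|None) echo "FAIL auth: disabled or not set" ;;
        *)       echo "OK auth: $auth" ;;
    esac
    bind=$(xml_value "$1" BindAddress)
    case "$bind" in
        ""|"*") echo "WARN bind: not restricted to a single address" ;;
        *)      echo "OK bind: $bind" ;;
    esac
}

# Classify the account a process runs as.  $1 = user name or uid
classify_user() {
    case "$1" in
        root|0) echo "FAIL user: running as root" ;;
        "")     echo "WARN user: process not found" ;;
        *)      echo "OK user: $1" ;;
    esac
}

# Owner of the first process whose command line matches $1 (empty if none).
process_user() {
    pid=$(pgrep -f "$1" 2>/dev/null | head -n 1)
    [ -n "$pid" ] && ps -o user= -p "$pid" 2>/dev/null | tr -d ' '
    return 0
}

# Constructed sample config so the script also runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Config>
  <BindAddress>*</BindAddress>
  <AuthenticationMethod>None</AuthenticationMethod>
</Config>
EOF
audit_config "${1:-$sample}"
classify_user "$(process_user NzbDrone.exe)"
```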


#3

Indeed lesson learned. Malware isn’t an issue as Sonarr doesn’t have any privileges beyond what it needs.

Nothing in indexers, I have switched up all APIs for indexers etc.

Download client (that was password protected) had two denied accesses from an IP address that doesn’t resolve to anything and won’t respond to ping (my guess is VPN).

The one thing I would love is a simpler way to restore a backup (appreciate it’s not hugely difficult, but it’s not something possible via the Web UI).


#4

Sonarr v3 (alpha/beta) has restore from the UI.