Description of issue: My wife was watching things on Plex and mentioned that she couldn't watch any of her shows - I booted into Plex and everything looked normal to me at first, but then I noticed no TV Shows or other series maintained by Sonarr were there anymore. I immediately went to a prompt and navigated to the relevant shares and they were there, but one had 6 empty folders and the other was there, but had zero folders. Before, the first had probably 300 and the second had about 400ish.
I've lost all of this media - it's totally gone. I thought it could possibly be a filesystem corruption or something, but no, according to multiple helpers at Unraid. Then I started fruitlessly researching this and I came across posts here and there that are remarkably similar, but with no resolution over the last two years or so.
I love this software, but good God, I can't risk losing absolutely everything because it isn't ready for prime time!
Per all the other threads, Sonarr does not randomly delete files on its own. Ever.
Likely Sonarr was not secured properly and was exposed to the internet. There have been a few recent reports of similar occurrences. There's likely some bad actors / script kiddies running an automated script scanning for open Sonarr ports and then running a delete all command via API.
Secure your setup. Enable recycle bin as a backup failsafe. Recover or re-download all your content.
Thanks, I appreciate it. You are basically confirming where I was going. Thanks!
Any recovery tools you are aware of/recommend? I back up all work files offsite, but media isn't (or wasn't) on my backup list and there are a handful of directories that had things that I will never be able to download again.
I'm not familiar with unraid so I don't know if there are targeted solutions that may be best to start with. Probably best to ask on the unraid forums or subreddit.
For general recovery tasks, I have had some success with Recuva.
Most important thing here is that if you are going to attempt recovery make sure you are not using the drives in question at all. Any use runs the risk of overwriting with newer files.
How would one go about proving this theory? This is the second time this has happened to my Sonarr directory in 5 months. After the first time I set up the SonarrTrash folder and this time I haven't lost any files (just moved them back). If this was a script kiddy what would I look for in the logs to verify this?
Edit: These are the error logs around each show delete entry. Could this have something to do with the notification service for Plex?
|2:59am|RecycleBinProvider|Attempting to send '/volume1/Media/TV/Extraordinary Attorney Woo' to recycling bin||
|2:59am|NotificationService|Unable to process notification queue for Plex on Nikola: Unauthorized - AuthToken is invalid||
|2:59am|PlexServerService|Failed to Update Plex host: 127.0.0.1: Unauthorized - AuthToken is invalid||
Sorry, beyond my knowledge and understanding of the inner workings of Sonarr at this point. Educated guess would be access and associated API commands from unknown IP addresses.
From a related thread, markus101 indicated that Trace logs would be needed, which typically you don't want enabled all the time. So I guess that would leave something external like Wireshark or something that can monitor network traffic?
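For the question above about what to look for in logs: the following is an added example, not part of any post in this thread, that scans a reverse-proxy access log for series DELETE requests to the Sonarr v3 API coming from outside a trusted network. It assumes a proxy in front of Sonarr that writes combined-format access logs; the trusted ranges, function name and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Sources allowed to manage the instance (assumed LAN ranges; adjust to yours).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]

# Combined log format: ip ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SERIES_PATH_RE = re.compile(r"/api/v\d+/series/\d+")

# Constructed sample lines using documentation IP ranges, not data from the thread.
SAMPLE_LOG = """\
192.168.1.20 - - [01/Jan/2024:02:41:10 +0000] "GET /api/v3/series HTTP/1.1" 200 51234
192.168.1.20 - - [01/Jan/2024:02:45:02 +0000] "DELETE /api/v3/series/7?deleteFiles=false HTTP/1.1" 200 2
203.0.113.45 - - [01/Jan/2024:02:59:01 +0000] "DELETE /api/v3/series/1?deleteFiles=true HTTP/1.1" 200 2
203.0.113.45 - - [01/Jan/2024:02:59:01 +0000] "DELETE /api/v3/series/2?deleteFiles=true HTTP/1.1" 200 2
203.0.113.45 - - [01/Jan/2024:02:59:02 +0000] "DELETE /api/v3/series/3?deleteFiles=true HTTP/1.1" 200 2
198.51.100.9 - - [01/Jan/2024:03:10:00 +0000] "DELETE /api/v3/series/4?deleteFiles=true HTTP/1.1" 401 0
not an access log entry
"""

def external_series_deletes(log_text, trusted=TRUSTED_NETS):
    """Map each untrusted source IP to its series DELETE requests as (time, path, status)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "DELETE" or not SERIES_PATH_RE.search(m["path"]):
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # hostname or junk in the client field
        if any(src in net for net in trusted):
            continue
        hits[m["ip"]].append((m["ts"], m["path"], int(m["status"])))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in external_series_deletes(SAMPLE_LOG).items():
        ok = sum(1 for _, _, status in events if status < 300)
        print(f"{ip}: {len(events)} series DELETEs, {ok} succeeded, first at {events[0][0]}")
```

A burst of successful deletes from one unfamiliar address within seconds is consistent with the scripted wipe described in this thread, while 401 responses show that authentication stopped the request.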
Shouldn't have anything at all to do with Plex notification service (which FYI you should not even need to be using per https://wiki.servarr.com/sonarr/supported#plexserver). The only reason it shows up at the same time is because Sonarr is trying to notify Plex of the library change resulting from the deletion.
Your token for your connection from sonarr to plex has no relation to you leaving your sonarr instance open to the internet and exposed without auth like all the other users have.
Just thought I would jump in to say this just happened to me last night. It seems all shows in Sonarr have been wiped from Sonarr's DB and my File System (On two servers!).
It was exposed to the internet, which it now isn't. Not helpfully, logs stopped an hour before this event happened so I have no real idea what went wrong. All I know is Sonarr updated the day before this all happened. (3.0.9.1549 - 07 Aug 2022).
Luckily my files were in the recycle bin so I've managed to restore and re-import into Sonarr.
Very bizarre.
Not bizarre at all. People go around and find open instances all the time. Sometimes malicious to steal your creds, sometimes for the lolz and deleting the data like most in this thread, and sometimes they'll be nice and leave a message saying to close your shit.
It's very simple: don't leave your *arr instances exposed to the internet without any authentication.