Sonarr deleted EVERY SINGLE MEDIA FILE AND DIRECTORY on my system (all other files in other shares are fine)

Sonarr version (): binhex-sonarr 3.0.8.1507
OS: UNRAID 6.10.3
Debug logs:
Sonarr.txt: https://pastebin.ubuntu.com/p/FP2VNcBScv/
Sonarr.0.txt: https://pastebin.ubuntu.com/p/yrFQSnkMTq/
Sonarr.1.txt: https://pastebin.ubuntu.com/p/QhzPf8z6zx/
Sonarr.2.txt: https://pastebin.ubuntu.com/p/mzpY8JHNcr/
Sonarr.3.txt: https://pastebin.ubuntu.com/p/Bbsf7CngZt/
Sonarr.4.txt: https://pastebin.ubuntu.com/p/pZYC8yS7Np/

Description of issue: My wife was watching things on Plex and mentioned that she couldn’t watch any of her shows - I booted into Plex and everything looked normal to me at first, but then I noticed no TV Shows or other series maintained by Sonarr were there anymore. I immediately went to a prompt and navigated to the relevant shares and they were there, but one had 6 empty folders and the other was there, but had zero folders. Before, the first had probably 300 and the second had about 400ish.

I’ve lost all of this media - it’s totally gone. I thought it could possibly be a filesystem corruption or something, but no, according to multiple helpers at Unraid. Then I started fruitlessly researching this and I came across posts here and there that are remarkably similar, but with no resolution over the last two years or so.

I love this software, but good God, I can’t risk losing absolutely everything because it isn’t ready for prime time!

Another post that sounds familiar:

Per all the other threads, Sonarr does not randomly delete files on its own. Ever.

Likely Sonarr was not secured properly and was exposed to the internet. There have been a few recent reports of similar occurrences. There’s likely some bad actors / script kiddies running an automated script scanning for open Sonarr ports and then running a delete all command via API.

Secure your setup. Enable recycle bin as a backup failsafe. Recover or re-download all your content.

Thanks, I appreciate it. You are basically confirming where I was going. Thanks!

Any recovery tools you are aware of/recommend? I back up all work files offsite, but media isn’t (or wasn’t) on my backup list and there are a handful of directories that had things that I will never be able to download again.

I LEARNED A LESSON!

I’m not familiar with unraid so I don’t know if there are targeted solutions that may be best to start with. Probably best to ask on the unraid forums or subreddit.

For general recovery tasks, I have had some success with Recuva.

Most important thing here is that if you are going to attempt recovery make sure you are not using the drives in question at all. Any use runs the risk of overwriting with newer files.

Good luck!

How would one go about proving this theory? This is the second time this has happened to my Sonarr directory in 5 months. After the first time I set up the SonarrTrash folder and this time I haven’t lost any files (just moved them back). If this was a script kiddy what would I look for in the logs to verify this?

Edit: These are the error logs around each show delete entry. Could this have something to do with the notification service for Plex?

|2:59am|RecycleBinProvider|Attempting to send ‘/volume1/Media/TV/Extraordinary Attorney Woo’ to recycling bin||

|2:59am|NotificationService|Unable to process notification queue for Plex on Nikola: Unauthorized - AuthToken is invalid||

|2:59am|PlexServerService|Failed to Update Plex host: 127.0.0.1: Unauthorized - AuthToken is invalid||

2:59am HttpClient HTTP Error - Res: [GET] http://127.0.0.1:32400/library/sections?X-Plex-Client-Identifier=(removed)&X-Plex-Product=Sonarr&X-Plex-Platform=Windows&X-Plex-Platform-Version=7&X-Plex-Device-Name=Sonarr&X-Plex-Version=3.0.8.1507&X-Plex-Token=(removed) 401.Unauthorized (91 bytes)
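
An added example, not part of any post in this thread and not Sonarr's own code: one way to approach "what would I look for in the logs" is to pull the RecycleBinProvider rows out of an event export and flag runs of folder deletions. It assumes the pipe-delimited row layout quoted above and that all rows fall on the same day; the sample rows, window and threshold are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in the pipe-delimited layout of the rows quoted above;
# show names and times are made up for the example.
SAMPLE = """\
|2:14am|RssSyncService|RSS Sync Completed||
|2:59am|RecycleBinProvider|Attempting to send '/volume1/Media/TV/Show A' to recycling bin||
|2:59am|NotificationService|Unable to process notification queue for Plex on host: Unauthorized - AuthToken is invalid||
|2:59am|RecycleBinProvider|Attempting to send '/volume1/Media/TV/Show B' to recycling bin||
|3:00am|RecycleBinProvider|Attempting to send '/volume1/Media/TV/Show C' to recycling bin||
|9:30pm|RecycleBinProvider|Attempting to send '/volume1/Media/TV/Show D' to recycling bin||
"""

ROW = re.compile(r"^\|(\d{1,2}:\d{2}[ap]m)\|([^|]+)\|(.*?)\|\|\s*$")
SEND = re.compile(r"Attempting to send [‘'](.+)[’'] to recycling bin")

def recycle_events(text):
    """Return sorted (minute_of_day, path) for every RecycleBinProvider row."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(2) != "RecycleBinProvider":
            continue  # Plex notification errors are follow-on noise, skip them
        sent = SEND.search(m.group(3))
        if sent:
            t = datetime.strptime(m.group(1), "%I:%M%p")
            events.append((t.hour * 60 + t.minute, sent.group(1)))
    return sorted(events)

def delete_bursts(text, window_min=5, threshold=3):
    """Chain deletions at most window_min apart; keep chains >= threshold."""
    bursts, current = [], []
    for minute, path in recycle_events(text):
        if current and minute - current[-1][0] > window_min:
            if len(current) >= threshold:
                bursts.append(current)
            current = []
        current.append((minute, path))
    if len(current) >= threshold:
        bursts.append(current)
    return bursts

if __name__ == "__main__":
    for burst in delete_bursts(SAMPLE):
        print(f"{len(burst)} folders removed, starting at minute {burst[0][0]}:")
        for _, path in burst:
            print("  ", path)
```

A burst only shows that many folders were removed in one run and when; tying it to a source still needs request-level data for that time window.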

Sorry, beyond my knowledge and understanding of the inner workings of Sonarr at this point. Educated guess would be access and associated API commands from unknown IP addresses.

From a related thread, markus101 indicated that Trace logs would be needed, which typically you don’t want enabled all the time. So I guess that would leave something external like wireshark or something that can monitor network traffic?

Shouldn’t have anything at all to do with Plex notification service (which FYI you should not even need to be using per https://wiki.servarr.com/sonarr/supported#plexserver). The only reason it shows up at the same time is because Sonarr is trying to notify Plex of the library change resulting from the deletion.

Your token for your connection from sonarr to plex has no relation to you leaving your sonarr instance open to the internet and exposed without auth like all the other users have.

Just thought I would jump in to say this just happened to me last night. It seems all shows in Sonarr have been wiped from Sonarr’s DB and my File System (On two servers!).
It was exposed to the internet, which it now isn’t. Not helpfully, logs stopped an hour before this event happened so I have no real idea what went wrong. All I know is Sonarr updated the day before this all happened. (3.0.9.1549 - 07 Aug 2022).
Luckily my files were in the recycle bin so I’ve managed to restore and re-import into Sonarr.
Very bizarre.

Very bizarre.

Not bizarre at all. People go around and find open instances all the time. Sometimes malicious to steal your creds, sometimes for the lolz and deleting the data like most in this thread, and sometimes they’ll be nice and leave a message saying to close your shit.

It’s very simple: don’t leave your *arr instances exposed to the internet without any authentication.

/thread
