Malware Detected on Umbrel

Hi there - I’m running the latest version of Umbrel on a Raspberry Pi 4 with a 16GB microSD and 1 TB SSD. I recently updated the wifi network in my home to use a Netgear Orbi wifi 6 mesh network to get better coverage in my home. I have the Umbrel hooked up to an ethernet port on the main router.

When I set up the network it came with security software called Netgear Armor - it scans the network devices for potential security threats and can block them. So far nothing on my network has been problematic, except that I’ve got 12 unique notifications of malware and phishing originating from my Umbrel node (Raspberry Pi), but this software says it is blocking it.

Blocked malware site example:
https://www.7tvv.com

Phishing
https://www.h3af.com

Attack
Detected a suspicious remote location 91.123.158.251 attempted a connection to umbrel and blocked that connection.

So I’m not sure if something in my root image on the Raspberry Pi has been compromised, or if this is related to legitimate traffic that the Umbrel is doing on Tor that Netgear may not like, and how do I resolve it. Maybe I just flash the whole thing, format the SD and update the firmware for the Raspberry Pi?

Thanks!
Nathan

I have just installed the latest version of Umbrel OS this week, and after security tests I see the device reaching out to known listed malware/Log4j targets. I will investigate this further:

1 - stopping all apps (I had around 4 running)
2 - starting and checking apps individually

My questions:
1 - Does Umbrel or anyone check the base OS for security concerns?
2 - Does Umbrel or anyone check the apps on the marketplace?

Thanks in advance, any contribution is valid

Oh, if that’s true, it sounds serious… Could you provide more info about the issue you have found, please? What addresses is it reaching out to? Or maybe you’ve found more about it already? Any suspicious apps/processes? Thank you.

More info, and I will update further


Thank you for the info. As for now I can confirm sporadic traffic from my Umbrel targeting port 7777 somewhere, but it looks like normal I2P traffic which my Bitcoin node is using. Nothing else on the mentioned ports detected so far. Umbrel 1.4.2. Will update if I spot anything new.

Did you check the related IPs?

A few from the range 23.128.248.0/24 and a single one, 141.94.45.159. Apparently it’s originating from the Bitcoin node app.

I advise checking the IPs against known Log4j malware lists,

and maybe you can help with the more important questions:
1 - Does Umbrel or anyone check the base OS for security concerns?
2 - Does Umbrel or anyone check the apps on the marketplace?
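A triage script along the lines of what this post suggests, as an added example (not code from Umbrel or from anyone in this thread): it parses `ss -tnp`-style connection lines from the node host, matches each peer against an IP/CIDR blocklist, and marks traffic owned by the expected node processes on expected ports so that only the remainder needs manual review. The sample lines, the blocklist and the port/process tables are constructed assumptions (RFC 5737 test addresses), not real indicators.

```python
import ipaddress
import re

# Ports/processes a Bitcoin + Tor node host is expected to use (assumption: stock defaults).
EXPECTED_PORTS = {8333: "bitcoin-p2p", 9001: "tor-orport"}
EXPECTED_PROCS = {"bitcoind", "tor"}
# One `ss -tnp` line: state, recv-q, send-q, local, peer, optional owning process.
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+).*\))?$'
)

# Constructed sample in the shape of `ss -tnp` output (RFC 5737 test addresses).
SAMPLE = """
ESTAB 0 0 10.0.0.5:51234 198.51.100.7:8333 users:(("bitcoind",pid=812,fd=21))
ESTAB 0 0 10.0.0.5:51240 203.0.113.9:9001 users:(("tor",pid=640,fd=15))
ESTAB 0 0 10.0.0.5:51250 203.0.113.77:8333 users:(("bitcoind",pid=812,fd=33))
SYN-SENT 0 1 10.0.0.5:51260 192.0.2.45:4444 users:(("python3",pid=2201,fd=3))
""".strip().splitlines()

# Constructed blocklist (placeholder, not a real feed): one CIDR range, one single host.
BLOCKLIST = ["203.0.113.64/26", "192.0.2.44"]

def parse_ss(lines):
    """Yield (state, peer_ip, peer_port, process) from ss-style lines; skip non-matching ones."""
    for line in lines:
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        host, _, port = m["peer"].rpartition(":")  # rpartition keeps IPv6 "[::1]:8333" intact
        yield m["state"], host.strip("[]"), int(port), m["proc"] or "?"

def load_blocklist(entries):
    """Normalise IPs and CIDRs to networks so hosts and ranges are matched the same way."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def classify(conn, nets):
    """Verdict for one connection: blocklist hit, then expected service, else manual review."""
    _, ip, port, proc = conn
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in nets):
        return "blocklisted"
    if proc in EXPECTED_PROCS and port in EXPECTED_PORTS:
        return "expected:" + EXPECTED_PORTS[port]
    return "review"

def triage(lines=SAMPLE, blocklist=BLOCKLIST):
    """Map 'peer_ip:port' -> verdict for every parsed connection."""
    nets = load_blocklist(blocklist)
    return {f"{c[1]}:{c[2]}": classify(c, nets) for c in parse_ss(lines)}
```

On a real host, feed `triage()` the output of `ss -tnp` and a downloaded blocklist file instead of the constructed sample; a blocklist hit from an expected process (the third sample line) is the case worth looking at first, since the process name alone would have made it look normal.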

Unfortunately I can’t help with the questions you brought up here. I’m just a common user. The project is open source, so in theory anyone can do the necessary checks. I believe the developers do, but yeah, maybe it’s just my false belief... :man_shrugging: