Don't know admin and root passwords


turbooo


I was pretty dumb when I set this up. I don't believe I ever gave my admin username a password, but now I'm unable to get into the WebGUI. I can access the flash share but I'm not seeing a password to use within passwd or smbpasswd.

 

Where would the password be stored on the flash share to regain access to the WebGUI?

 

Side note: I logged into a VM last night and saw that someone had started Bitcoin mining on it. I've since changed all my passwords and strengthened my wifi router's password.

Link to comment

Yeah, you won't be able to find out what the password is, but you can nuke the passwd and shadow files from /config/ on the flash drive and reboot the machine. Of course, then you'll be in the same exact place you were to begin with, an unprotected unRAID installation. That will last until whoever took over your machine decides to do it again.

 

On second thought, let's do this carefully.

 

1) Power the machine off by power button, and keep it off.

2) Remove the flash drive.

3) Plug the flash drive into a spare machine.

4) Download or install Python 3 on whichever machine you have handy, possibly the same one.

5) Run the following script against Python 3:

 

python3 -c 'import crypt; print(crypt.crypt("<your password>", crypt.mksalt(crypt.METHOD_SHA512)))'

 

6) Copy the resulting string and paste it into the password field for the "root" user in the /config/shadow file on your flash drive. That's the field between the first and second colons of the line starting with "root".

7) Delete any other unexpected user accounts from both /config/passwd and /config/shadow, even if they won't be able to get in to administer the machine. Just to play it safe.

8) Cleanly eject the flash drive.

 

It should now be "safe" to boot your unRAID installation again, as you've just configured a salted Crypt hashed password for the root account without a moment of the machine being live without a password.

 

No, scratch that. Look at the "go" script in the /config/ folder as well. Check for anything suspicious being started up there. Also wipe out /config/plugins/ just in case anything weird was dropped there, you can reinstall those later.

 

I'd go over all your virtual machines and dockers with a fine-tooth comb, looking for any inconsistencies.

Link to comment
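Steps 6 and 7 above can be checked mechanically on the spare machine. The following is an added example, not part of the original posts: it audits copies of the flash drive's config/passwd and config/shadow and writes a new hash into the root line. The function names, the EXPECTED account list and the sample file contents are assumptions constructed for illustration.

```python
# Added example: audit copies of config/passwd and config/shadow from the flash drive.
EXPECTED = {"root", "nobody"}  # assumption: replace with the accounts you created

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "nobody:x:99:100:nobody:/:/bin/false\n"
                 "svc:x:0:0::/tmp:/bin/bash\n")
SAMPLE_SHADOW = ("root::14824:0:99999:7:::\n"
                 "nobody:*:9797:0:::::\n"
                 "svc:$6$saltsalt$notarealhash:18000:0:99999:7:::\n")

def _rows(text):
    """Yield the colon-split fields of each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield line.split(":")

def audit(passwd_text, shadow_text, expected=EXPECTED):
    """Return (file, user, reason) findings worth a manual look."""
    findings = []
    for f in _rows(passwd_text):
        if f[0] not in expected:
            findings.append(("passwd", f[0], "unexpected account"))
        if len(f) > 2 and f[2] == "0" and f[0] != "root":
            findings.append(("passwd", f[0], "UID 0 but not root"))
    for f in _rows(shadow_text):
        if f[0] not in expected:
            findings.append(("shadow", f[0], "unexpected account"))
        if len(f) > 1 and f[1] == "":
            findings.append(("shadow", f[0], "empty password field"))
    return findings

def set_root_hash(shadow_text, new_hash):
    """Put new_hash between the first and second colons of the root line."""
    if not new_hash.startswith("$6$") or ":" in new_hash:
        raise ValueError("expected a SHA-512 crypt string ($6$...)")
    rows = list(_rows(shadow_text))
    roots = [f for f in rows if f[0] == "root" and len(f) > 1]
    if len(roots) != 1:
        raise ValueError("expected exactly one root line")
    roots[0][1] = new_hash
    return "".join(":".join(f) + "\n" for f in rows)

if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(*finding, sep=": ")
```

Run it on copies of the two files and write the result back only after reviewing the findings; the hash passed to set_root_hash is the string produced in step 5.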

This is what was in the go file

#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &

 

If I just delete the passwd and shadow files will I be able to get back into my shares on boot? Will I be able to log back into the admin and reset a password?

 

I downloaded Python but I don't understand step five. Do I need to run anything in Python or just copy the script into the shadow password field?

 

I did find two XMLs unknown to me in D:\config\plugins\dockerMan\templates-user and those have been deleted. I do see that I have three files that are a day in the future: random-seed.file, drift.file and secrets.tdb. Should those be deleted? I just don't know what a standard config file really looks like and what stands out.

Link to comment

random-seed, super.dat, and domain.cfg are normal. secrets.tdb is part of Samba, probably safe to keep that. drift likely has to do with your machine's clock drift.

 

So, it looks like those are probably all safe, but even then, it may be wise to remove the secrets.tdb and redo your network share user passwords.

Link to comment
