Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

I'm hacked what to do?

Mon Dec 07, 2015 4:47 pm

It looks like my Raspberry is hacked.
Last week I received a letter from my provider saying that my account is showing behaviour of being hacked.
At the same time my Raspberry is behaving strangely. The crontab was emptied, for example.
Because of that I increased the protection level of my router.

Since then the router is telling me on a regular basis that the Raspberry is trying to connect to strange and malicious sites.
My router is protecting against this by blocking it.
I checked the IPs and they are all IPs from the USA (I'm from Holland).

What can I do against this?

RaTTuS
Posts: 10610
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK
Contact: Twitter YouTube

Re: I'm hacked what to do?

Mon Dec 07, 2015 4:57 pm

remove the SDcard
reflash with clean raspbian
add a new user
make a good password
make that user to be sudo able
disable the user PI
re-create things you had on that RPI - not by copying things but by going from your backup notes

only allow external access to your RPi via keys and not password
think what it is that you want exposed to the internet and why

consider everything on the old SDcard to be compromised - any passwords that you use to access external things are out in the wild
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe
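
The "keys and not password" and "disable the user PI" steps from the reply above can be checked after the rebuild. This is an added example, not part of the original thread; the function names and the sample files are constructed for illustration, and the file paths are parameters so the checks can run against copies of `/etc/ssh/sshd_config` and `/etc/shadow`.

```shell
#!/bin/sh
# Added example: checks for "keys, not passwords" and "disable the user pi".
# File paths are parameters so the checks can run against copies.

# Print the first value set for keyword $2 in sshd_config-style file $1.
# sshd keeps the first value it reads and keywords are case-insensitive.
# Stops at the first Match block; Include files are not followed.
sshd_value() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# True when password logins are off; unset counts as the default "yes".
ssh_keys_only() {
    v=$(sshd_value "$1" PasswordAuthentication)
    [ "${v:-yes}" = "no" ]
}

# True when user $2 is absent from shadow-format file $1, or its password
# field starts with ! or * (no usable password).
account_locked() {
    field=$(awk -F: -v u="$2" '$1 == u { print "=" $2; exit }' "$1")
    case "$field" in
        ''|'=!'*|'=*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on both points; returns 1 if either check fails.
audit() {
    rc=0
    ssh_keys_only "$1" || { echo "FAIL: SSH password logins enabled"; rc=1; }
    account_locked "$2" pi || { echo "FAIL: user pi has a usable password"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key-only SSH, pi has no usable password"
    return "$rc"
}

# Constructed sample files (not from the thread): a default-like setup.
demo=$(mktemp -d)
printf '%s\n' '#PasswordAuthentication yes' 'UsePAM yes' > "$demo/sshd_config"
printf '%s\n' 'root:*:16000:0:99999:7:::' 'pi:$6$constructed$hash:16000:0:99999:7:::' > "$demo/shadow"
audit "$demo/sshd_config" "$demo/shadow" || echo "(hardening still needed)"
rm -rf "$demo"
```

On a live Pi, `sshd -T` (run as root) prints the configuration sshd actually applies, including the Match and Include handling this sketch skips. A locked password does not block key logins for that account, so an `authorized_keys` file left under the old user still needs removing.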

joan
Posts: 15107
Joined: Thu Jul 05, 2012 5:09 pm
Location: UK

Re: I'm hacked what to do?

Mon Dec 07, 2015 5:00 pm

Er? Immediately take your Pi off the network. Copy any essential files off the card. Remove the SD card and write a new image.

If you believe your Pi was compromised think about the software you had running. Was it all from a known good source? Did you open up any security holes, e.g. running a web server with root privileges.

Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Re: I'm hacked what to do?

Mon Dec 07, 2015 7:25 pm

Thanks for thinking with me.
It is all quite heavy, what you mentioned.

RaTTuS
Posts: 10610
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK
Contact: Twitter YouTube

Re: I'm hacked what to do?

Tue Dec 08, 2015 8:35 am

next questions to ask :-
what ports did you forward to your RPI ? 22, 80 , others if so why
what account did you have available pi ? did you have the default password set ?
did you login via ssh keys or password
did you login via a site like logmein or a 3rd party or a compromised machine ?
what had you installed on your RPi

karrika
Posts: 1273
Joined: Mon Oct 19, 2015 6:21 am
Location: Finland

Re: I'm hacked what to do?

Tue Dec 08, 2015 10:57 am

One problem with passwords is that people use the same password for almost every site. When one site is compromised your password is out in the wild. I am seriously looking into a code ring for creating different passwords for every site. The idea is simple: turn the rings to the first four letters of the name of the site and pick some special rule of how to form the password. It could be line above/below followed by your own few characters that you add to every password. This is available on tindie.

https://www.tindie.com/products/Russtop ... rod_search

joan
Posts: 15107
Joined: Thu Jul 05, 2012 5:09 pm
Location: UK

Re: I'm hacked what to do?

Tue Dec 08, 2015 11:10 am

karrika wrote: One problem with passwords is that people use the same password for almost every site. When one site is compromised your password is out in the wild. I am seriously looking into a code ring for creating different passwords for every site. The idea is simple: turn the rings to the first four letters of the name of the site and pick some special rule of how to form the password. It could be line above/below followed by your own few characters that you add to every password. This is available on tindie.

https://www.tindie.com/products/Russtop ... rod_search
I only know two passwords. One for my PC and one for the password safe on my PC. I just cut&paste the individual site password from the password safe to the site as and when it needs entering.

karrika
Posts: 1273
Joined: Mon Oct 19, 2015 6:21 am
Location: Finland

Re: I'm hacked what to do?

Tue Dec 08, 2015 11:15 am

That is a good solution. Most people are not even close to that level of security.

Woll
Posts: 472
Joined: Mon Jul 06, 2015 2:14 am
Location: Cloud Cuckoo Land

Re: I'm hacked what to do?

Tue Dec 08, 2015 11:42 am

In this link there is info for a Raspberry Pi firewall.

http://www.makeuseof.com/tag/securing-r ... firewalls/
Who ate all the Pi's? Who ate all the Pi's?
Boris Johnson, Boris Johnson,
Who ate all the Pi's?

DougieLawson
Posts: 40218
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: I'm hacked what to do?

Tue Dec 08, 2015 11:53 am

joan wrote: I only know two passwords. One for my PC and one for the password safe on my PC. I just cut&paste the individual site password from the password safe to the site as and when it needs entering.
I have three passwords.
1. Windows
2. Password safe - I use KeePass2
3. A junk password for sites that need a registration but don't hold security/privacy critical data

Yesterday I generated a complex 20 character password for a secure site and it was rejected as too long. Doh!
Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

karrika
Posts: 1273
Joined: Mon Oct 19, 2015 6:21 am
Location: Finland

Re: I'm hacked what to do?

Tue Dec 08, 2015 12:15 pm

The funny thing is that many government installations require 1024 or 2048 bit keys. How many character passwords fulfill this?

joan
Posts: 15107
Joined: Thu Jul 05, 2012 5:09 pm
Location: UK

Re: I'm hacked what to do?

Tue Dec 08, 2015 12:20 pm

DougieLawson wrote: ...
Yesterday I generated a complex 20 character password for a secure site and it was rejected as too long. Doh!
The UK Government Gateway (our interface to enter tax returns and other sensitive information on-line) has a limit of 12 characters. You would hope for better, even if you didn't really expect better.

That may be the reason only the hoi polloi are allowed to submit tax returns on-line. The rich and famous are instructed not to use the Government Gateway for that purpose.

DougieLawson
Posts: 40218
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: I'm hacked what to do?

Tue Dec 08, 2015 12:42 pm

karrika wrote: The funny thing is that many government installations require 1024 or 2048 bit keys. How many character passwords fulfill this?
You're confusing password strength with crypto key lengths.

You get a reasonably strong password with about 12 characters. You get stronger security with pass phrases. Things that force users to generate 8 complex characters (letters, numbers, upper & lower case and some funky punctuation mark) are not secure enough. We humans are incredibly useless at generating random things. Things like Benford's Law https://en.wikipedia.org/wiki/Benford's_law get in the way of passwords with numbers.

karrika
Posts: 1273
Joined: Mon Oct 19, 2015 6:21 am
Location: Finland

Re: I'm hacked what to do?

Tue Dec 08, 2015 12:52 pm

I know. Roughly 91^12=3,224754874×10²³ (91 is the usable characters from the ASCII table)

Karri

rurwin
Forum Moderator
Posts: 4257
Joined: Mon Jan 09, 2012 3:16 pm
Contact: Website

Re: I'm hacked what to do?

Tue Dec 08, 2015 1:50 pm

It doesn't help that there are certain punctuation characters such as /, ?, %, # that cannot exist in a URL and therefore can cause problems if you try to use them for passwords on some sites. That makes it less likely I'll choose good punctuation characters but I'm otherwise not too bad at generating a random password. You'd have to know my personal frequency table before you could crack it anyway.

I have a little black book with my passwords in. If someone breaks in and steals it then I'm in trouble, but it can't be hacked, it's unlikely to get corrupted and I can't forget the password for it.

Yes, I'm not totally secure, but I think I'm probably good enough.
