I'm hacked what to do?

Posted: Mon Dec 07, 2015 4:47 pm
by Canedje
It looks like my Raspberry is hacked.
Last week I received a letter from my provider saying that my account is showing behaviour of being hacked.
At the same time my Raspberry is behaving strangely. The crontab was emptied, for example.
Because of that I increased the protection level of my router.

Since then the router is telling me on a regular basis that the Raspberry is trying to connect to strange and malicious sites.
My router is protecting against this by blocking it.
I checked the IPs and they are all IPs from the USA (I'm from Holland).

What can I do against this?

Re: I'm hacked what to do?

Posted: Mon Dec 07, 2015 4:57 pm
by RaTTuS
remove the SDcard
reflash with clean raspbian
add a new user
make a good password
make that user to be sudo able
disable the user PI
re-create things you had on that RPI - not by copying things but by going from your backup notes

only allow external access to your RPi via keys and not password
think what it is that you want exposed to the internet and why

consider everything on the old SDcard to be compromised - any passwords that you use to access external things are out in the wild
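
The "keys and not password" and "disable the user PI" steps above can be checked on the rebuilt card. This is an added example, not part of the original post: the function names and the sample files are constructed for illustration, and the sshd_config parsing is simplified (it stops at the first Match block and does not follow Include files).

```shell
# effective_sshd_value FILE KEYWORDS DEFAULT
# KEYWORDS is a lower-case keyword, or aliases written as "a|b".
# sshd keeps the FIRST value it reads for a keyword, so a later line
# does not override an earlier one. DEFAULT is printed if none is set.
effective_sshd_value() {
    awk -v want="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/           { next }
        tolower($1) == "match"         { exit }
        tolower($1) ~ ("^(" want ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# account_locked SHADOW_FILE USER
# True if USER is absent or its password field starts with "!" or "*".
account_locked() {
    awk -F: -v u="$2" '$1 == u && $2 !~ /^[!*]/ { bad = 1 } END { exit bad + 0 }' "$1"
}

# audit SSHD_CONFIG SHADOW_FILE: prints one FAIL line per finding, else OK.
audit() {
    kbd='kbdinteractiveauthentication|challengeresponseauthentication'
    fails=0
    if [ "$(effective_sshd_value "$1" passwordauthentication yes)" != no ]; then
        echo "FAIL: password logins are enabled"; fails=$((fails + 1))
    fi
    if [ "$(effective_sshd_value "$1" "$kbd" yes)" != no ]; then
        echo "FAIL: keyboard-interactive logins are enabled"; fails=$((fails + 1))
    fi
    if [ "$(effective_sshd_value "$1" pubkeyauthentication yes)" = no ]; then
        echo "FAIL: key logins are disabled"; fails=$((fails + 1))
    fi
    if ! account_locked "$2" pi; then
        echo "FAIL: default user pi still has a usable password"; fails=$((fails + 1))
    fi
    [ "$fails" -gt 0 ] || echo "OK: key-only SSH, pi locked"
}

# Constructed sample input, not taken from a real system.
tmp=$(mktemp -d)
cat > "$tmp/sshd_config" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication no
# appended later while hardening; too late, the first value above wins
PasswordAuthentication no
EOF
printf '%s\n' 'pi:$6$constructed$constructed:16777:0:99999:7:::' > "$tmp/shadow"
audit "$tmp/sshd_config" "$tmp/shadow"
rm -rf "$tmp"
```

On a real system, run `audit /etc/ssh/sshd_config /etc/shadow` as root, since the shadow file is not world-readable.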

Re: I'm hacked what to do?

Posted: Mon Dec 07, 2015 5:00 pm
by joan
Er? Immediately take your Pi off the network. Copy any essential files off the card. Remove the SD card and write a new image.

If you believe your Pi was compromised think about the software you had running. Was it all from a known good source? Did you open up any security holes, e.g. running a web server with root privileges.

Re: I'm hacked what to do?

Posted: Mon Dec 07, 2015 7:25 pm
by Canedje
Thanks for thinking with me
It is all quite heavy, what you mentioned.

Re: I'm hacked what to do?

Posted: Tue Dec 08, 2015 8:35 am
by RaTTuS
next questions to ask :-
what ports did you forward to your RPI ? 22, 80 , others if so why
what account did you have available pi ? did you have the default password set ?
did you login via ssh keys or password
did you login via a site like logmein or a 3rd party or a compromised machine ?
what had you installed on your RPi

Re: I'm hacked what to do?

Posted: Tue Dec 08, 2015 10:57 am
by karrika
One problem with passwords is that people use the same password for almost every site. When one site is compromised your password is out in the wild. I am seriously looking into a code ring for creating different passwords for every site. The idea is simple: turn the rings to the first four letters of the name of the site and pick some special rule of how to form the password. It could be line above/below followed by your own few characters that you add to every password. This is available on tindie.

https://www.tindie.com/products/Russtop ... rod_search

Re: I'm hacked what to do?

Posted: Tue Dec 08, 2015 11:10 am
by joan
karrika wrote: One problem with passwords is that people use the same password for almost every site. When one site is compromised your password is out in the wild. I am seriously looking into a code ring for creating different passwords for every site. The idea is simple: turn the rings to the first four letters of the name of the site and pick some special rule of how to form the password. It could be line above/below followed by your own few characters that you add to every password. This is available on tindie.

https://www.tindie.com/products/Russtop ... rod_search
I only know two passwords. One for my PC and one for the password safe on my PC. I just cut&paste the individual site password from the password safe to the site as and when it needs entering.

Re: I'm hacked what to do?

Posted: Tue Dec 08, 2015 11:15 am
by karrika
That is a good solution. Most people are not even close to that level of security.

Re: I'm hacked what to do?

Posted: Tue Dec 08, 2015 11:42 am
by Woll
In this link there is info for a Raspberry Pi firewall.

http://www.makeuseof.com/tag/securing-r ... firewalls/

Re: I'm hacked what to do?

Posted: Tue Dec 08, 2015 11:53 am
by DougieLawson
joan wrote: I only know two passwords. One for my PC and one for the password safe on my PC. I just cut&paste the individual site password from the password safe to the site as and when it needs entering.
I have three passwords.
1. Windows
2. Password safe - I use KeePass2
3. A junk password for sites that need a registration but don't hold security/privacy critical data

Yesterday I generated a complex 20 character password for a secure site and it was rejected as too long. Doh!

Re: I'm hacked what to do?

Posted: Tue Dec 08, 2015 12:15 pm
by karrika
The funny thing is that many government installations require 1024 or 2048 bit keys. How many character passwords fulfill this?

Re: I'm hacked what to do?

Posted: Tue Dec 08, 2015 12:20 pm
by joan
DougieLawson wrote: ...
Yesterday I generated a complex 20 character password for a secure site and it was rejected as too long. Doh!
The UK Government Gateway (our interface to enter tax returns and other sensitive information on-line) has a limit of 12 characters. You would hope for better, even if you didn't really expect better.

That may be the reason only the hoi polloi are allowed to submit tax returns on-line. The rich and famous are instructed not to use the Government Gateway for that purpose.

Re: I'm hacked what to do?

Posted: Tue Dec 08, 2015 12:42 pm
by DougieLawson
karrika wrote: The funny thing is that many government installations require 1024 or 2048 bit keys. How many character passwords fulfill this?
You're confusing password strength with crypto key lengths.

You get a reasonably strong password with about 12 characters. You get stronger security with pass phrases. Things that force users to generate 8 complex characters (letters, numbers, upper & lower case and some funky punctuation mark) are not secure enough. We humans are incredibly useless at generating random things. Things like Benford's Law https://en.wikipedia.org/wiki/Benford's_law get in the way of passwords with numbers.

Re: I'm hacked what to do?

Posted: Tue Dec 08, 2015 12:52 pm
by karrika
I know. Roughly 91^12=3,224754874×10²³ (91 is the usable characters from the ASCII table)

Karri

Re: I'm hacked what to do?

Posted: Tue Dec 08, 2015 1:50 pm
by rurwin
It doesn't help that there are certain punctuation characters such as /, ?, %, # that cannot exist in a URL and therefore can cause problems if you try to use them for passwords on some sites. That makes it less likely I'll choose good punctuation characters but I'm otherwise not too bad at generating a random password. You'd have to know my personal frequency table before you could crack it anyway.

I have a little black book with my passwords in. If someone breaks in and steals it then I'm in trouble, but it can't be hacked, it's unlikely to get corrupted and I can't forget the password for it.

Yes, I'm not totally secure, but I think I'm probably good enough.