Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Thread removed???

Fri Jan 15, 2016 9:18 pm

Why is my last thread removed????

It was a serious question about a strange file at my RPI???

joan
Posts: 15083
Joined: Thu Jul 05, 2012 5:09 pm
Location: UK

Re: Thread removed???

Fri Jan 15, 2016 9:20 pm

Probably because of the unnecessary use of a swear word.

Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Re: Thread removed???

Fri Jan 15, 2016 9:21 pm

Okay, but that was the name of the file???
How to mention it then?

There was already a dialog and I'm now missing it!!

This is no fun.

joan
Posts: 15083
Joined: Thu Jul 05, 2012 5:09 pm
Location: UK

Re: Thread removed???

Fri Jan 15, 2016 9:23 pm

Canedje wrote:
> Okay, but that was the name of the file???
> How to mention it then?
>
> There was already a dialog and I'm now missing it!!

I'm afraid that is your own fault. You had no need to use the word in the thread title or mention it in the post.

Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Re: Thread removed???

Fri Jan 15, 2016 9:28 pm

I disagree.
It was not mentioned to be crude but I only name the exact situation to be clear about the situation.
What is your suggestion to discuss it over here then?
How can I explain then the situation?
I'm not amused.

NickT
Posts: 276
Joined: Mon May 21, 2012 10:43 am
Location: UK

Re: Thread removed???

Fri Jan 15, 2016 9:37 pm

Writing the exact spelling of the f word gave a strong clue to the presence of malware, so could be excused in the body of the original post in my opinion. If the moderators objected, then they could have edited the post. It's a shame that all Dougie's useful security tips in a reply were deleted.

stderr
Posts: 2178
Joined: Sat Dec 01, 2012 11:29 pm

Re: Thread removed???

Fri Jan 15, 2016 9:40 pm

Canedje wrote:
> I disagree.
> It was not mentioned to be crude but I only name the exact situation to be clear about the situation.

Does the situation being clear require the use of words you aren't supposed to use here? I felt like I was watching Joe Pesci on HBO 2.

> What is your suggestion to discuss it over here then?
> How can I explain then the situation?
> I'm not amused.

Rather than worrying about the exact word that the file was named, which could be anything, why not run a virus checker on your system, specifically on that file, that looks for matches for x86 threats?

Then if it turns something up, you could go on about that. Of course it doesn't really matter because it isn't news that there are threats out there and if you didn't put the file there, well, it got there somehow. The somehow is the real issue.

Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Re: Thread removed???

Fri Jan 15, 2016 9:43 pm

NickT wrote:
> Writing the exact spelling of the f word gave a strong clue to the presence of malware, so could be excused in the body of the original post in my opinion. If the moderators objected, then they could have edited the post. It's a shame that all Dougie's useful security tips in a reply were deleted.

Thanks.
I agree.
I now still don't know what to do, because I didn't read the reaction of Dougie, and still possibly have a problem.
Again, I did not mean to be rude!

DougieLawson
Posts: 40126
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Thread removed???

Fri Jan 15, 2016 9:43 pm

The annoyance is that my carefully crafted and sanitised answer has gone with it.

Your system has had a rogue ELF X86 executable file planted in the root directory. Your system is compromised, go and clean it up and next time change your "f-bomb" into "****" to protect the innocent and keep this place as a family friendly forum. It doesn't matter what the rogue file is called, you could have renamed it to foobar or fubar and your thread wouldn't have been removed.
Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.
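
An added example, not part of the original thread: one way to see why an "ELF X86" file stands out on a Raspberry Pi is to read the architecture field from the ELF header and flag binaries built for a CPU the board cannot run. The function names, `NATIVE_ON_PI`, and the sample headers are assumptions constructed for this illustration.

```python
import os
import struct

# e_machine values from the ELF specification (subset relevant here)
EM_NAMES = {3: "x86 (i386)", 40: "ARM", 62: "x86-64", 183: "AArch64"}
NATIVE_ON_PI = {"ARM", "AArch64"}  # assumption: what a Pi should be running


def elf_machine(header):
    """Return the architecture named in an ELF header, or None if not ELF."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        return None
    # e_ident[5] (EI_DATA) gives byte order: 1 = little-endian, 2 = big-endian
    endian = {1: "<", 2: ">"}.get(header[5])
    if endian is None:
        return "malformed ELF"
    # e_machine is a 16-bit field at offset 18 in both ELF32 and ELF64
    (machine,) = struct.unpack_from(endian + "H", header, 18)
    return EM_NAMES.get(machine, "other (e_machine=%d)" % machine)


def foreign_elves(directory):
    """List (name, arch) for regular files in `directory` built for another CPU."""
    hits = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        try:
            with open(entry.path, "rb") as fh:
                arch = elf_machine(fh.read(20))
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if arch is not None and arch not in NATIVE_ON_PI:
            hits.append((entry.name, arch))
    return hits


def sample_header(machine, data=1):
    """Constructed 20-byte ELF header prefix for testing (not a real binary)."""
    ident = b"\x7fELF" + bytes([1, data, 1, 0]) + bytes(8)
    fmt = "<HH" if data == 1 else ">HH"
    return ident + struct.pack(fmt, 2, machine)  # e_type=2 (ET_EXEC)


if __name__ == "__main__":
    for name, arch in foreign_elves("/"):
        print("%s: ELF for %s, not native to this board" % (name, arch))
```

A hit only says the file is an executable for a different processor; how it got there still has to be investigated.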

Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Re: Thread removed???

Fri Jan 15, 2016 9:48 pm

stderr wrote:
> Canedje wrote:
> > I disagree.
> > It was not mentioned to be crude but I only name the exact situation to be clear about the situation.
>
> Does the situation being clear require the use of words you aren't supposed to use here? I felt like I was watching Joe Pesci on HBO 2.
>
> > What is your suggestion to discuss it over here then?
> > How can I explain then the situation?
> > I'm not amused.
>
> Rather than worrying about the exact word that the file was named, which could be anything, why not run a virus checker on your system, specifically on that file, that looks for matches for x86 threats?
>
> Then if it turns something up, you could go on about that. Of course it doesn't really matter because it isn't news that there are threats out there and if you didn't put the file there, well, it got there somehow. The somehow is the real issue.

I agree in part.
But okay, it is done. If the moderator didn't agree, why not remove the word and save the thread?
Removing the whole thread is rude and not necessary.

Going on with the issue:
I'm not familiar with using virus checkers in Unix-like surroundings.
How to use a virus checker?

Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Re: Thread removed???

Fri Jan 15, 2016 9:51 pm

DougieLawson wrote:
> The annoyance is that my carefully crafted and sanitised answer has gone with it.
>
> Your system has had a rogue ELF X86 executable file planted in the root directory. Your system is compromised, go and clean it up and next time change your "f-bomb" into "****" to protect the innocent and keep this place as a family friendly forum. It doesn't matter what the rogue file is called, you could have renamed it to foobar or fubar and your thread wouldn't have been removed.

Thanks Dougie.
I agree,
I just didn't realize this was causing trouble.

What does "rogue ELF X86 executable" mean?

DougieLawson
Posts: 40126
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Thread removed???

Fri Jan 15, 2016 9:53 pm

You don't need a virus checker, you need to pull the ethernet cable and/or wifi dongles out of that RPi. You need to do that NOW!

Then start running virus checkers on all of your Windows, X86/X86_64 Linux AND Apple systems.

YOU HAVE A LINUX VIRUS OR ROOTKIT INSTALLED ON YOUR RASPBERRY PI.

Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Re: Thread removed???

Fri Jan 15, 2016 9:56 pm

DougieLawson wrote:
> You don't need a virus checker, you need to pull the ethernet cable and/or wifi dongles out of that RPi. You need to do that NOW!
>
> Then start running virus checkers on all of your Windows, X86/X86_64 Linux AND Apple systems.
>
> YOU HAVE A LINUX VIRUS OR ROOTKIT INSTALLED ON YOUR RASPBERRY PI.

Oops!!

That is clear, thanks.

I did already do this an hour ago.
No viruses detected.

Is the RPI reusable again by removing these files?

stderr
Posts: 2178
Joined: Sat Dec 01, 2012 11:29 pm

Re: Thread removed???

Fri Jan 15, 2016 10:07 pm

Canedje wrote:
> I did already do this an hour ago.
> No viruses detected.

That file doesn't come up as something?

> Is the RPI reusable again by removing these files?

No, this isn't 1997, this is 2016. If your system is compromised, even if you just think it is, it needs to be completely redone from nothing by using known good media.

DougieLawson
Posts: 40126
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Thread removed???

Fri Jan 15, 2016 10:17 pm

You should also analyse how they gained access (probably userid=pi, password=raspberry, pi still has sudo and sudo still doesn't need a password).

You should also assume, until you've checked, that EVERY device on your LAN is also compromised.
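
An added example, not part of the original thread: a small audit for the access path suggested above, reporting accounts that can log in and also hold a passwordless sudo rule. It does not test whether a password is still the default; the function names and the sample `passwd`/`sudoers` text are constructed for this illustration.

```python
import glob

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

# Constructed sample input (not taken from the poster's system)
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "pi:x:1000:1000:,,,:/home/pi:/bin/bash\n"
)
SAMPLE_SUDOERS = (
    "Defaults env_reset\n"
    "root ALL=(ALL:ALL) ALL\n"
    "# old rule: admin ALL=(ALL) NOPASSWD: ALL\n"
    "pi ALL=(ALL) NOPASSWD: ALL\n"
)


def login_users(passwd_text):
    """Names of accounts whose shell allows an interactive login."""
    fields = (line.split(":") for line in passwd_text.splitlines())
    return {f[0] for f in fields if len(f) == 7 and f[6] not in NOLOGIN_SHELLS}


def nopasswd_subjects(sudoers_text):
    """Users/groups (first field) of sudoers rules carrying NOPASSWD."""
    subjects = []
    # A trailing backslash continues a rule on the next line
    for raw in sudoers_text.replace("\\\n", " ").splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith(("#", "Defaults")):
            continue  # blank, comment, include directive or Defaults entry
        if not parts[0].endswith("_Alias") and "NOPASSWD:" in parts[1]:
            subjects.append(parts[0])
    return subjects


def audit(passwd_text, sudoers_text):
    can_login = login_users(passwd_text)
    findings = []
    for who in nopasswd_subjects(sudoers_text):
        if who.startswith("%"):
            findings.append("group %s has passwordless sudo" % who[1:])
        elif who in can_login:
            findings.append("login account %s has passwordless sudo" % who)
    return findings


if __name__ == "__main__":  # needs root to read the sudoers files
    paths = ["/etc/sudoers"] + glob.glob("/etc/sudoers.d/*")
    rules = "\n".join(open(p).read() for p in paths)
    print("\n".join(audit(open("/etc/passwd").read(), rules)) or "no passwordless sudo")
```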

Canedje
Posts: 265
Joined: Thu Mar 26, 2015 7:18 am

Re: Thread removed???

Fri Jan 15, 2016 10:28 pm

DougieLawson wrote:
> You should also analyse how they gained access (probably userid=pi, password=raspberry, pi still has sudo and sudo still doesn't need a password).
>
> You should also assume, until you've checked, that EVERY device on your LAN is also compromised.

I agree.
I did change the password of pi in the past.
Now I just removed it.

Just today I found the strange file.
But about a month ago I was hacked (around the make date of the strange file).
At that time I upgraded my firewall of the router and my total equipment/devices.
I did also all types of virus checks on all my devices and there were some viruses on some of them at that time.
These viruses were not really harmful, but creating data traffic from my devices.
These viruses were removed at that time.

I did still use my RPI from that time until now. Until today there was no strange behaviour.
Now an hour ago, after finding this strange file, I removed the file, disconnected the RPI and did all kinds of virus checks.
No viruses detected.

DougieLawson
Posts: 40126
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Thread removed???

Sat Jan 16, 2016 12:10 am

Now trash that SDcard and create a fresh one with a fresh download of NOOBS or Raspbian Jessie. You can't trust that card, so it needs to be wiped clean.

First thing to install is ufw (user-friendly fire wall) so you can block every port except the ones that need to be open to the world.