Thread removed???

Posted: Fri Jan 15, 2016 9:18 pm
by Canedje
Why was my last thread removed????

It was a serious question about a strange file on my RPI???

Re: Thread removed???

Posted: Fri Jan 15, 2016 9:20 pm
by joan
Probably because of the unnecessary use of a swear word.

Re: Thread removed???

Posted: Fri Jan 15, 2016 9:21 pm
by Canedje
Okay, but that was the name of the file???
How to mention it then?

There was already a dialog and I'm now missing it!!

This is no fun.

Re: Thread removed???

Posted: Fri Jan 15, 2016 9:23 pm
by joan
Canedje wrote:Okay, but that was the name of the file???
How to mention it then?

There was already a dialog and I'm now missing it!!
I'm afraid that is your own fault. You had no need to use the word in the thread title or mention it in the post.

Re: Thread removed???

Posted: Fri Jan 15, 2016 9:28 pm
by Canedje
I disagree.
It was not meant to be crude, but I only named the exact situation to be clear about it.
What is your suggestion to discuss it over here then?
How can I explain the situation then?
I'm not amused

Re: Thread removed???

Posted: Fri Jan 15, 2016 9:37 pm
by NickT
Writing the exact spelling of the f word gave a strong clue to the presence of malware, so could be excused in the body of the original post in my opinion. If the moderators objected, then they could have edited the post. It's a shame that all Dougie's useful security tips in a reply were deleted

Re: Thread removed???

Posted: Fri Jan 15, 2016 9:40 pm
by stderr
Canedje wrote:I disagree.
It was not meant to be crude, but I only named the exact situation to be clear about it.
Does the situation being clear require the use of words you aren't supposed to use here? I felt like I was watching Joe Pesci on HBO 2.
What is your suggestion to discuss it over here then?
How can I explain the situation then?
I'm not amused
Rather than worrying about the exact word that the file was named, which could be anything, why not run a virus checker on your system, specifically on that file, that looks for matches for x86 threats?

Then if it turns something up, you could go on about that. Of course it doesn't really matter because it isn't news that there are threats out there and if you didn't put the file there, well, it got there somehow. The somehow is the real issue.

Re: Thread removed???

Posted: Fri Jan 15, 2016 9:43 pm
by Canedje
NickT wrote:Writing the exact spelling of the f word gave a strong clue to the presence of malware, so could be excused in the body of the original post in my opinion. If the moderators objected, then they could have edited the post. It's a shame that all Dougie's useful security tips in a reply were deleted
Thanks.
I agree.
I now still don't know what to do, because I didn't read Dougie's reaction and possibly still have a problem.
Again, I did not mean to be rude!

Re: Thread removed???

Posted: Fri Jan 15, 2016 9:43 pm
by DougieLawson
The annoyance is that my carefully crafted and sanitised answer has gone with it.

Your system has had a rogue ELF X86 executable file planted in the root directory. Your system is compromised, go and clean it up and next time change your "f-bomb" into "****" to protect the innocent and keep this place as a family friendly forum. It doesn't matter what the rogue file is called, you could have renamed it to foobar or fubar and your thread wouldn't have been removed.
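
One way to check for the anomaly Dougie describes (an x86 ELF executable sitting on an ARM board), as an added example that is not from this thread: it reads the e_machine field of the ELF header and flags files in a directory that were built for a different architecture than the host. The sample files, the temporary directory and the `demo` helper are constructed for illustration, and the header stubs are not working binaries.

```python
import os
import struct
import tempfile

# e_machine values from the ELF specification (gABI)
MACHINE_NAMES = {3: "x86", 40: "arm", 62: "x86-64", 183: "aarch64"}
ELF_MAGIC = b"\x7fELF"

def elf_machine(header):
    """Return the architecture name for an ELF header (first 20 bytes), or None if not ELF."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return None
    endian = "<" if header[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    (e_machine,) = struct.unpack(endian + "H", header[18:20])
    return MACHINE_NAMES.get(e_machine, "unknown(%d)" % e_machine)

def foreign_elf_files(directory, host_arch):
    """Regular files directly under `directory` that are ELF images for another architecture."""
    suspicious = []
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if not entry.is_file(follow_symlinks=False):
            continue
        with open(entry.path, "rb") as f:
            arch = elf_machine(f.read(20))
        if arch is not None and arch != host_arch:
            suspicious.append((entry.name, arch))
    return suspicious

def make_elf_header(e_machine, little_endian=True):
    """Constructed 20-byte ELF header stub (not a runnable binary) used by the demo."""
    endian = "<" if little_endian else ">"
    # e_ident: magic, EI_CLASS (2 = 64-bit, 1 = 32-bit), EI_DATA, EI_VERSION, padding
    ident = ELF_MAGIC + bytes([2 if e_machine == 62 else 1, 1 if little_endian else 2, 1]) + bytes(9)
    return ident + struct.pack(endian + "HH", 2, e_machine)   # e_type = ET_EXEC, e_machine

def demo():
    """Plant constructed sample files in a temp dir and scan it as a 32-bit ARM (Raspberry Pi) host."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "rogue_bin": make_elf_header(62),    # x86-64 executable: does not belong on a Pi
            "native_tool": make_elf_header(40),  # ARM executable: expected on a Pi
            "notes.txt": b"just a text file\n",  # not an ELF file at all
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return foreign_elf_files(d, "arm")

if __name__ == "__main__":
    print(demo())   # [('rogue_bin', 'x86-64')]
```

On a real board, call `foreign_elf_files("/", "arm")` (or "aarch64" on a 64-bit OS) and treat any hit as an indicator to investigate, not as proof by itself.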

Re: Thread removed???

Posted: Fri Jan 15, 2016 9:48 pm
by Canedje
stderr wrote:
Canedje wrote:I disagree.
It was not meant to be crude, but I only named the exact situation to be clear about it.
Does the situation being clear require the use of words you aren't supposed to use here? I felt like I was watching Joe Pesci on HBO 2.
What is your suggestion to discuss it over here then?
How can I explain the situation then?
I'm not amused
Rather than worrying about the exact word that the file was named, which could be anything, why not run a virus checker on your system, specifically on that file, that looks for matches for x86 threats?

Then if it turns something up, you could go on about that. Of course it doesn't really matter because it isn't news that there are threats out there and if you didn't put the file there, well, it got there somehow. The somehow is the real issue.
I agree in part.
But okay, it is done. If the moderator didn't agree, why not remove the word and save the thread?
Removing the whole thread is rude and not necessary.

Going on to the issue:
I'm not familiar with using virus checkers in a Unix-like environment.
How do I use a virus checker?

Re: Thread removed???

Posted: Fri Jan 15, 2016 9:51 pm
by Canedje
DougieLawson wrote:The annoyance is that my carefully crafted and sanitised answer has gone with it.

Your system has had a rogue ELF X86 executable file planted in the root directory. Your system is compromised, go and clean it up and next time change your "f-bomb" into "****" to protect the innocent and keep this place as a family friendly forum. It doesn't matter what the rogue file is called, you could have renamed it to foobar or fubar and your thread wouldn't have been removed.

Thanks Dougie.
I agree,
I just didn't realize this was causing trouble.

What does "rogue ELF X86 executable" mean?

Re: Thread removed???

Posted: Fri Jan 15, 2016 9:53 pm
by DougieLawson
You don't need a virus checker, you need to pull the ethernet cable and/or wifi dongles out of that RPi. You need to do that NOW!

Then start running virus checkers on all of your Windows, X86/X86_64 Linux AND Apple systems.

YOU HAVE A LINUX VIRUS OR ROOTKIT INSTALLED ON YOUR RASPBERRY PI.

Re: Thread removed???

Posted: Fri Jan 15, 2016 9:56 pm
by Canedje
DougieLawson wrote:You don't need a virus checker, you need to pull the ethernet cable and/or wifi dongles out of that RPi. You need to do that NOW!

Then start running virus checkers on all of your Windows, X86/X86_64 Linux AND Apple systems.

YOU HAVE A LINUX VIRUS OR ROOTKIT INSTALLED ON YOUR RASPBERRY PI.

Oops!!

That is clear, thanks.

I did already do this an hour ago.
No viruses detected.

Is the RPI reusable again by removing these files?

Re: Thread removed???

Posted: Fri Jan 15, 2016 10:07 pm
by stderr
Canedje wrote:I did already do this an hour ago.
No viruses detected.
That file doesn't come up as something?
Is the RPI reusable again by removing these files?
No, this isn't 1997, this is 2016. If your system is compromised, even if you just think it is, it needs to be completely redone from nothing by using known good media.

Re: Thread removed???

Posted: Fri Jan 15, 2016 10:17 pm
by DougieLawson
You should also analyse how they gained access (probably userid=pi, password=raspberry, pi still has sudo and sudo still doesn't need a password).

You should also assume, until you've checked, that EVERY device on your LAN is also compromised.

Re: Thread removed???

Posted: Fri Jan 15, 2016 10:28 pm
by Canedje
DougieLawson wrote:You should also analyse how they gained access (probably userid=pi, password=raspberry, pi still has sudo and sudo still doesn't need a password).

You should also assume, until you've checked, that EVERY device on your LAN is also compromised.
I agree.
I did change the password of pi in the past.
Now I just removed it

Just today I found the strange file.
But about a month ago I was hacked (around the creation date of the strange file).
At that time I upgraded the firewall of my router and all my equipment/devices.
I also did all types of virus checks on all my devices, and there were some viruses on some of them at that time.
These viruses were not really harmful, but were creating data traffic from my devices.
These viruses were removed at that time.

I still used my RPI from that time until now. Until today there was no strange behaviour.
Now, an hour ago, after finding this strange file I removed the file, disconnected the RPI and did all kinds of virus checks.
No viruses detected.

Re: Thread removed???

Posted: Sat Jan 16, 2016 12:10 am
by DougieLawson
Now trash that SD card and create a fresh one with a fresh download of NOOBS or Raspbian Jessie. You can't trust that card, so it needs to be wiped clean.

First thing to install is ufw (user-friendly firewall) so you can block every port except the ones that need to be open to the world.