magicalDuck
Posts: 24
Joined: Mon Oct 09, 2017 6:45 am

Restoring Access to a hacked rpi

Sat May 04, 2019 9:47 pm

Hi.

So I made a time-lapse machine with an RPi Zero to continue my aquarium timelapse while I'm on vacation. Set up a No-IP to get external access.

Then 2 hours ago I could not connect: invalid password / username.

I got home thinking that my port forwarding was bad. But same thing on the local network.

I did not change the default password, thinking: who would want to attack that?

Well, someone did. Changed the password and disabled my timelapse script :(

I had to catch my train so I just put the RPi in my backpack. Timelapse is ruined TT

Is it possible to regain access? I'd like to get the IP of the attacker.

Thanks.

DaveyDave1999
Posts: 28
Joined: Tue Apr 16, 2019 9:16 pm
Location: United States, Hawaii

Re: Restoring Access to a hacked rpi

Sat May 04, 2019 10:33 pm

Those kinds of attacks can easily be automated.
That means the IP the attack is from doesn't really matter.

In fact, it's pretty common to see infected PCs scan for open ports on the internet. Once they find an open SSH port, they try to log in using default credentials commonly used on Linux-flavored distros, for example.

What I'd recommend you do is remove your port forward rules for now.
Then, I propose you pop out your SD card and shove it into another computer.
From there, the internet is your friend. You should be able to change your password, and
most importantly, retrieve your Python scripts.
Though, let's not forget your SD card is infected. I highly recommend you format your SD card
before putting it back in.

Keep in mind that the attacker(s) may have altered your code!

I hope this helps, good luck!
Blog about Raspberries coming soon...

DougieLawson
Posts: 35381
Joined: Sun Jun 16, 2013 11:19 pm
Location: Basingstoke, UK

Re: Restoring Access to a hacked rpi

Sun May 05, 2019 8:34 am

What you really need to do is start with a completely fresh copy of Raspbian. You can't trust anything on your old SDCard - it has been compromised and needs to be wiped clean. Retaining anything from your old SDCard risks your rebuilt system.

https://www.raspberrypi.org/documentati ... ecurity.md
Note: Having anything remotely humorous in your signature is completely banned on this forum.

Any DMs sent on Twitter will be answered next month.

This is a doctor free zone.

magicalDuck
Posts: 24
Joined: Mon Oct 09, 2017 6:45 am

Re: Restoring Access to a hacked rpi

Thu May 09, 2019 6:14 am

Yes, I will format the SD card. I just wanted to get access to the SSH logs; the Python script is just a while loop that checks what time it is and triggers my camera, not really important^^.

I found a way of resetting the admin password, didn't have time to do it yet (just got back).

I'm amazed at how fast my RPi was hacked. How do those automated hacking systems work? Do they just try to initiate an SSH connection to random IPs?

rpdom
Posts: 14483
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Restoring Access to a hacked rpi

Thu May 09, 2019 7:23 am

magicalDuck wrote:
Thu May 09, 2019 6:14 am
I'm amazed at how fast my RPi was hacked. How do those automated hacking systems work? Do they just try to initiate an SSH connection to random IPs?

Yes, that's pretty much how they work. I've run a number of servers on different hardware and all of them get attempts to ssh log in as the user pi along with several other "default" login details from other systems.
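
For the SSH log review the original poster asked about, here is one way to summarize password logins from the card's `/var/log/auth.log` once the SD card is mounted read-only on another machine. This is an added example, not code from anyone in the thread; the sample log lines are constructed, the IPs are documentation addresses, and the LAN prefixes are assumptions to adjust for your own network.

```python
import re
from collections import Counter

# OpenSSH password-auth lines as written to /var/log/auth.log by syslog.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize_ssh_logins(lines):
    """Return (failed attempts per source IP, list of accepted logins)."""
    failed = Counter()
    accepted = []
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failed[m["ip"]] += 1
        else:
            # First 15 characters are the syslog timestamp, e.g. "May  4 19:02:19".
            accepted.append((line[:15], m["user"], m["ip"]))
    return failed, accepted

def suspicious_logins(lines, lan_prefixes=("192.168.", "10.")):
    """Accepted logins whose source is outside the assumed LAN prefixes."""
    _, accepted = summarize_ssh_logins(lines)
    return [a for a in accepted if not a[2].startswith(lan_prefixes)]

# Constructed sample; on a real card, read <mountpoint>/var/log/auth.log instead.
SAMPLE_LOG = """\
May  4 19:02:11 raspberrypi sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
May  4 19:02:14 raspberrypi sshd[815]: Failed password for root from 203.0.113.7 port 40130 ssh2
May  4 19:02:19 raspberrypi sshd[819]: Accepted password for pi from 203.0.113.7 port 40144 ssh2
May  4 18:10:03 raspberrypi sshd[640]: Accepted password for pi from 192.168.1.20 port 51514 ssh2
May  4 19:40:55 raspberrypi sshd[901]: Failed password for pi from 198.51.100.23 port 33210 ssh2
""".splitlines()

if __name__ == "__main__":
    failed, _ = summarize_ssh_logins(SAMPLE_LOG)
    for ip, count in failed.most_common():
        print(f"{count:4d} failed password attempts from {ip}")
    for ts, user, ip in suspicious_logins(SAMPLE_LOG):
        print(f"non-LAN login: {ts} user={user} from {ip}")
```

An intruder with root access can edit or delete these logs, so an empty result does not show that no one logged in.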
