Capt-Dave
Posts: 2
Joined: Mon Feb 22, 2016 2:35 am

Am I being Hacked?? (Strange string in history)

Sun Mar 22, 2020 2:19 pm

Help, am I being hacked...
Using PuTTY I SSHed into a remote Raspberry Pi this morning. Once there I hit the down arrow to bring up past commands. I often do this rather than retyping a string. To my surprise I found all my past string commands (history) were missing except this one unknown disturbing string: AMERICA_DIE=true killall -9 libxml_CP

What is this all about? Hacked??

ejolson
Posts: 4923
Joined: Tue Mar 18, 2014 11:47 am

Re: Am I being Hacked?? (Strange string in history)

Sun Mar 22, 2020 2:44 pm

Capt-Dave wrote:
Sun Mar 22, 2020 2:19 pm
Help, am I being hacked...
Using PuTTY I SSHed into a remote Raspberry Pi this morning. Once there I hit the down arrow to bring up past commands. I often do this rather than retyping a string. To my surprise I found all my past string commands (history) were missing except this one unknown disturbing string: AMERICA_DIE=true killall -9 libxml_CP

What is this all about? Hacked??
Welcome to the forum!

It would appear you need to format a new SD card for that remote machine and start over. I would keep the old card in case you are contacted by an agency that wants to perform an analysis of it. Unless you have already been directed by an authority what to do, store the old card and put in a new one. If you can't travel because of a quarantine, take the machine offline by asking someone on site to physically remove the power.

There is a chance other machines on the same subnet have been compromised as well as others that connect through ssh or a VPN. The message you found may, in fact, be designed to distract you from the security compromise of a different computer that is ongoing and much more serious. Obviously don't use any of the same passwords as before and set the WiFi router up with a new password if the Pi was on WiFi.

davidcoton
Posts: 4780
Joined: Mon Sep 01, 2014 2:37 pm
Location: Cambridge, UK

Re: Am I being Hacked?? (Strange string in history)

Sun Mar 22, 2020 3:54 pm

In addition, review your SSH security measures and beef them up. There is a good starter here (but it is only a starter).
Signature retired

Heater
Posts: 15493
Joined: Tue Jul 17, 2012 3:02 pm

Re: Am I being Hacked?? (Strange string in history)

Sun Mar 22, 2020 4:26 pm

Interesting. The string "AMERICA_DIE=true killall -9 libxml_CP" is unknown to Google. Nor is any part of it. "libxml_CP" is not even a thing. So you are the first case of whatever hack this might be.

Did you perchance use the default user name and a weak password?

What else do you have running on that machine? A badly secured web server for example?

Have you had a good look through your log files, /var/log... ?

I'd be tempted to keep that machine up and on line, but add some network monitoring to try and find out what goes on.
Memory in C++ is a leaky abstraction .

trejan
Posts: 1672
Joined: Tue Jul 02, 2019 2:28 pm

Re: Am I being Hacked?? (Strange string in history)

Sun Mar 22, 2020 4:51 pm

It sounds like this has been hacked. Get any data you want off the card and do a fresh install. Check that your files haven't been altered and that nothing has been added.
Heater wrote:
Sun Mar 22, 2020 4:26 pm
Interesting. The string "AMERICA_DIE=true killall -9 libxml_CP" is unknown to Google. Nor is any part of it. "libxml_CP" is not even a thing. So you are the first case of whatever hack this might be.
AMERICA_DIE=true does come up with 1 result from January.

Heater
Posts: 15493
Joined: Tue Jul 17, 2012 3:02 pm

Re: Am I being Hacked?? (Strange string in history)

Sun Mar 22, 2020 4:55 pm

trejan,

Link please?

ejolson
Posts: 4923
Joined: Tue Mar 18, 2014 11:47 am

Re: Am I being Hacked?? (Strange string in history)

Sun Mar 22, 2020 4:58 pm

Heater wrote:
Sun Mar 22, 2020 4:26 pm
I'd be tempted to keep that machine up and on line, but add some network monitoring to try and find out what goes on.
It's tempting, but that's how the Equifax data breach happened. There were two hacking teams: a bumbling one that served as a distraction for the security guys to monitor while a separate expert team siphoned off data from someplace else. Maybe it's better to take care of this problem quickly to have extra time for making sure everything else is secure.
Last edited by ejolson on Sun Mar 22, 2020 5:09 pm, edited 2 times in total.

trejan
Posts: 1672
Joined: Tue Jul 02, 2019 2:28 pm

Re: Am I being Hacked?? (Strange string in history)

Sun Mar 22, 2020 5:04 pm

Heater wrote:
Sun Mar 22, 2020 4:55 pm
Link please?
I'm not going to link it directly but search for "AMERICA_DIE=true" including the quotes on Google.

Heater
Posts: 15493
Joined: Tue Jul 17, 2012 3:02 pm

Re: Am I being Hacked?? (Strange string in history)

Sun Mar 22, 2020 5:30 pm

Did that before. Nothing. But now it turns up a few hits. They don't mean much.

Personally I think we have been hacked.

First poster. Strange question. Odd wording... Likely never to be seen again.

Capt-Dave
Posts: 2
Joined: Mon Feb 22, 2016 2:35 am

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 1:46 am

The suspected hacked Raspberry Pi is being used as an OpenWebRX server. It has been in service for a number of years now. I am a ham radio operator and I have this Pi set up to listen in on an amateur radio 2 meter repeater near Houston. This is not my only OpenWebRX server. I have them placed around the country (most at family members' homes). This is however the first OpenWebRX server I suspect has been hacked. First thing I did this morning after discovering the string was to change the SSH password. I am tempted to take it completely offline. I do not live in Houston but have a family member at that location that could pull the plug. I too tried to Google the string with no luck. Very strange...

ejolson
Posts: 4923
Joined: Tue Mar 18, 2014 11:47 am

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 4:12 am

Capt-Dave wrote:
Mon Mar 23, 2020 1:46 am
The suspected hacked Raspberry Pi is being used as an OpenWebRX server. It has been in service for a number of years now. I am a ham radio operator and I have this Pi set up to listen in on an amateur radio 2 meter repeater near Houston. This is not my only OpenWebRX server. I have them placed around the country (most at family members' homes). This is however the first OpenWebRX server I suspect has been hacked. First thing I did this morning after discovering the string was to change the SSH password. I am tempted to take it completely offline. I do not live in Houston but have a family member at that location that could pull the plug. I too tried to Google the string with no luck. Very strange...
How many people would continue to drive their car after discovering that someone was sleeping in the back seat? Neither should one continue to use a Pi after discovering someone has remote control. While closing the stable door after the horse has bolted seems somewhat ineffective when dealing with real viruses, with computer viruses such an approach is even less effective. At this point it is only responsible to replace the SD card before your Raspberry Pi starts being used by a third party for doing things which may turn out to be illegal.

Since your relatives have been kind enough to let you place a Raspberry Pi on their local networks, I suggest pulling the plug on it before something really irritating happens. At this point I would further suggest a careful security scan be performed on all other computers (particularly older Windows computers) that might have been on the same local network as the Pi.
Last edited by ejolson on Mon Mar 23, 2020 4:27 am, edited 1 time in total.

Heater
Posts: 15493
Joined: Tue Jul 17, 2012 3:02 pm

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 4:27 am

Clifford Stoll would disagree with you. https://www.youtube.com/watch?v=Qt0844ViQDI

I get the idea of wanting to shut the hacked system down to prevent any further damage.

But then what? You had a service working, and now you don't. And you have no idea what happened or what to do about it. Does that mean you just give up and not have that service forever? Clearly simply refreshing the OS and programs and starting over is not a good idea. It will just get hacked again.

Or at least, if you do that put some monitoring in place so that you have some chance of knowing if it happens again.

ejolson
Posts: 4923
Joined: Tue Mar 18, 2014 11:47 am

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 4:34 am

Heater wrote:
Mon Mar 23, 2020 4:27 am
Clifford Stoll would disagree with you. https://www.youtube.com/watch?v=Qt0844ViQDI

I get the idea of wanting to shut the hacked system down to prevent any further damage.

But then what? You had a service working, and now you don't. And you have no idea what happened or what to do about it. Does that mean you just give up and not have that service forever? Clearly simply refreshing the OS and programs and starting over is not a good idea. It will just get hacked again.

Or at least, if you do that put some monitoring in place so that you have some chance of knowing if it happens again.
I have suggested to store the old card for further analysis and start over with a new SD card. I agree that it is very important to preserve the evidence at this point. The best way to do this is take the Pi offline, carefully label the card and put the card on the shelf. As far as services go, there is a difference between mission critical infrastructure and having a hobby. For a hobby I would not worry much about uptime but instead seek to prevent any harm that might come to a person generous enough to let me collocate a Pi on their home network.

By the way, would you be interested in hosting a Pi running a game server on your local network for a wonderful star trader game that might soon become the focus of a programming challenge?

DougieLawson
Posts: 38543
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 7:04 am

Heater wrote:
Mon Mar 23, 2020 4:27 am
Clifford Stoll would disagree with you. https://www.youtube.com/watch?v=Qt0844ViQDI
Cliff Stoll is the craziest guy in the history of computing. He had a monetary incentive ($0.75 @1986 prices) to discover who was stealing his computer time (which cost $300/hr at that time).

Does the OP know the infection vector? There's a lot of things probing my SSH port every minute of the day - it won't take long for any RPi with a weak password to be hacked. It's also, very likely, a fruitless waste of time to try to see where the hack comes from as there's the square root of naff all you can do about it.

The better plan is to understand what part of securing the RPi was missed and ensure it's not missed on re-deployment of that RPi back on to the internet. Is an OpenWebRX server an inherently insecure protocol, does it have any unpatched known vulnerabilities? As we saw with the Scandinavian Bank/Logica hack the hackers have all the time in the world if there's a pot of gold waiting for them (through a mainframe with an open FTP server). What value does an OpenWebRX server have? What does the hacker gain by hacking it? If it has no monetary value they're just hacking it for laughs.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

I'll do your homework for you for a suitable fee.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

jbudd
Posts: 1276
Joined: Mon Dec 16, 2013 10:23 am

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 12:11 pm

Is it possible that the non-ascii character in this song title_artist combination: "Far Away In America_Die Deutsche Fußballnationalmannschaft & Village People" messes up the appearance of the line in your log?
Doesn't explain how it got there of course. It's not a song many would want to hear again.

It seems a tiny bit paranoid to assume that those 11 characters in a log are evidence of being hacked. Why would a hacker do that?

And speaking of paranoia, now I've googled America_die, is the National Security Agency watching me?

davidcoton
Posts: 4780
Joined: Mon Sep 01, 2014 2:37 pm
Location: Cambridge, UK

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 4:38 pm

jbudd wrote:
Mon Mar 23, 2020 12:11 pm
And speaking of paranoia, now I've googled America_die, is the National Security Agency watching me?
Weren't they before?

Heater
Posts: 15493
Joined: Tue Jul 17, 2012 3:02 pm

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 4:55 pm

Seems OpenWebRX has been abandoned as of end of 2019: https://github.com/ha7ilm/openwebrx It has not seen any updates for years.

God knows how many vulnerabilities there are in its web interface.

trejan
Posts: 1672
Joined: Tue Jul 02, 2019 2:28 pm

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 5:16 pm

Heater wrote:
Mon Mar 23, 2020 4:55 pm
Seems OpenWebRX has been abandoned as of end of 2019: https://github.com/ha7ilm/openwebrx It has not seen any updates for years.
The original author stopped working on OpenWebRX but it was forked and all new development is now at https://github.com/jketterl/openwebrx

Heater
Posts: 15493
Joined: Tue Jul 17, 2012 3:02 pm

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 5:25 pm

Ah, ha, cool.

ejolson
Posts: 4923
Joined: Tue Mar 18, 2014 11:47 am

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 5:32 pm

jbudd wrote:
Mon Mar 23, 2020 12:11 pm
It seems a tiny bit paranoid to assume that those 11 characters in a log are evidence of being hacked. Why would a hacker do that?
Even if the person sleeping in your car is not planning to steal it, there is already a line of acceptable behaviour that has been crossed by obtaining unauthorized access to the Pi computer.

Unlike the car example, however, there is not in this case an actual person who is in need of some place to sleep. Instead, there appears to be no justifiable need for anyone to break into someone else's Pi computer, especially since it is only being used for a hobby. The conclusion is that whoever did so can not be trusted and the Pi should be powered down.

As you point out, the evidence so far is that of a bumbling attempt rather than an expert criminal organisation. At the same time, see my previous post about how obvious intrusions have been used to distract people in charge of security from a real problem elsewhere.

jbudd
Posts: 1276
Joined: Mon Dec 16, 2013 10:23 am

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 6:00 pm

ejolson wrote:
Mon Mar 23, 2020 5:32 pm
As you point out, the evidence so far is that of a bumbling attempt rather than an expert criminal organisation.
I don't think I do point that out. Perhaps the machine has been hacked, perhaps not.
I see no evidence either way from a strange line in ~/.bash_history.
There are log files that record logins: /var/log/auth.log*. Perhaps the OP would find it informative to run
zgrep Accepted\ password /var/log/auth.lo*
and
zgrep Failed\ password /var/log/auth.lo*
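The two zgrep commands above list accepted and failed logins separately; what a defender usually wants next is the two joined per source address, so that a run of failures followed by a success from the same address stands out. The script below is an added example, not code from the thread or from any of its posters. It parses sshd lines in the /var/log/auth.log format (including rotated .gz files, which is what zgrep handles for you) and flags that pattern. The log lines embedded in it are constructed samples using RFC 5737 documentation addresses, not real log data; the threshold `min_failures` is an assumption you would tune.

```python
import gzip
import re
from collections import defaultdict

# Constructed sample lines in the sshd / auth.log format (not real logs;
# 203.0.113.0/24, 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_AUTH_LOG = """\
Mar 22 06:01:12 pi sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 22 06:01:15 pi sshd[1234]: Failed password for pi from 203.0.113.5 port 51236 ssh2
Mar 22 06:01:18 pi sshd[1238]: Failed password for pi from 203.0.113.5 port 51238 ssh2
Mar 22 06:01:20 pi sshd[1240]: Accepted password for pi from 203.0.113.5 port 51240 ssh2
Mar 22 09:14:02 pi sshd[2222]: Accepted publickey for pi from 192.0.2.10 port 40022 ssh2: RSA SHA256:REDACTED
Mar 22 10:00:00 pi CRON[3333]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 22 11:30:44 pi sshd[4444]: Failed password for root from 198.51.100.7 port 60001 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def read_auth_logs(paths):
    """Yield lines from plain and gzip-rotated auth.log files (what zgrep does)."""
    for path in paths:
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            for line in fh:
                yield line.rstrip("\n")


def parse_auth_lines(lines):
    """Yield a dict per sshd Accepted/Failed line; every other line is ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(lines):
    """Per source IP: failure count, success count, users tried, and event order."""
    stats = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set(), "events": []})
    for ev in parse_auth_lines(lines):
        s = stats[ev["ip"]]
        s[ev["result"].lower()] += 1
        s["users"].add(ev["user"])
        s["events"].append(ev["result"])
    return dict(stats)


def suspicious_sources(stats, min_failures=2):
    """Addresses that failed at least min_failures times before their first success:
    the guessed-password pattern. min_failures is an assumed, tunable threshold."""
    flagged = []
    for ip, s in stats.items():
        events = s["events"]
        if "Accepted" in events:
            first_ok = events.index("Accepted")
            if events[:first_ok].count("Failed") >= min_failures:
                flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    import sys
    # With file arguments, read the real logs (e.g. /var/log/auth.log*); otherwise use the sample.
    lines = read_auth_logs(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_AUTH_LOG.splitlines()
    stats = summarize(lines)
    for ip, s in sorted(stats.items()):
        print(f"{ip:16} failed={s['failed']:3} accepted={s['accepted']:3} users={sorted(s['users'])}")
    print("failures followed by a login:", suspicious_sources(stats))
```

Run it as `sudo python3 authsummary.py /var/log/auth.log*` on the Pi. As ejolson notes further down, this only tells you what the logs on the box still say; an intruder with root can edit them, so treat a clean result as absence of evidence, not evidence of absence.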

ejolson
Posts: 4923
Joined: Tue Mar 18, 2014 11:47 am

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 6:23 pm

jbudd wrote:
Mon Mar 23, 2020 6:00 pm
ejolson wrote:
Mon Mar 23, 2020 5:32 pm
As you point out, the evidence so far is that of a bumbling attempt rather than an expert criminal organisation.
I don't think I do point that out. Perhaps the machine has been hacked, perhaps not.
I see no evidence either way from a strange line in ~/.bash_history.
There are log files that record logins: /var/log/auth.log*. Perhaps the OP would find it informative to run
zgrep Accepted\ password /var/log/auth.lo*
and
zgrep Failed\ password /var/log/auth.lo*
Checking the log files is only useful if they were securely stored on a remote logging device. On the other hand, it could be useful to compare hashes for all system binaries to see if any have changed. One could also examine the configuration files, for example those in /etc/pam, for weirdness. It is strange, but intruders might lock the doors after they enter so others don't crowd their dreams while they comfortably sleep in the back seat of someone else's car.

cleverca22
Posts: 407
Joined: Sat Aug 18, 2012 2:33 pm

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 7:15 pm

[email protected]:/$ md5sum --check /var/lib/dpkg/info/git.md5sums 
etc/bash_completion.d/git-prompt: OK
usr/bin/git: OK
usr/bin/git-shell: OK
usr/bin/git-upload-pack: OK
usr/lib/git-core/git-p4: OK
Any APT-based system will maintain a list of MD5 hashes for every file it installs.

You can then just `cd /` and check against all of them; `md5sum --check /var/lib/dpkg/info/*.md5sums | grep -v OK` should check all and exclude unaltered files.

However, if the attacker knows of this and is crafty enough, he could just update that file to have the new hash, so you still run the risk of missing some things.
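ejolson's suggestion of comparing hashes of the system binaries and cleverca22's `md5sum --check` against the dpkg `.md5sums` lists are the same check, and the caveat in the last paragraph is the important part: the lists live on the same card the intruder controls. The script below is an added example, not code from the thread or from dpkg. It parses the dpkg `.md5sums` format (`<md5hex>  <path relative to />`), reports OK / FAILED / MISSING the way `md5sum --check` does, and then shows why a hash of the list itself, recorded somewhere off the box at install time, is what catches a rewritten list. The package, files and tampering in `demo()` are all constructed in a temporary directory; the "baseline" is simply a value you would have stored elsewhere earlier.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg's /var/lib/dpkg/info/<pkg>.md5sums format: '<md5hex>  <relative path>'."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, path = line.partition("  ")
        entries[path] = digest.lower()
    return entries


def md5_of_file(path):
    """Streamed MD5 of a file, so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_md5sums(root, entries):
    """Return {relative path: 'OK' | 'FAILED' | 'MISSING'}, like `md5sum --check` run from root."""
    results = {}
    for rel, expected in entries.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif md5_of_file(full) == expected:
            results[rel] = "OK"
        else:
            results[rel] = "FAILED"
    return results


def list_fingerprint(text):
    """SHA-256 of an .md5sums list; store this off the machine at install time."""
    return hashlib.sha256(text.encode()).hexdigest()


def demo():
    """Constructed scenario: one fake package, one modified binary, one deleted config,
    then a rewritten .md5sums list that only the off-box fingerprint exposes."""
    with tempfile.TemporaryDirectory() as root:
        files = {"usr/bin/tool": b"#!/bin/sh\necho hello\n", "etc/tool.conf": b"verbose=0\n"}
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        # The list dpkg would have written, and the fingerprint we assume was saved elsewhere.
        original_list = "".join(f"{hashlib.md5(d).hexdigest()}  {p}\n" for p, d in files.items())
        baseline = list_fingerprint(original_list)

        # Tampering: the binary is replaced and the config removed.
        replaced = b"#!/bin/sh\necho something else\n"
        with open(os.path.join(root, "usr/bin/tool"), "wb") as fh:
            fh.write(replaced)
        os.remove(os.path.join(root, "etc/tool.conf"))
        honest = verify_md5sums(root, parse_md5sums(original_list))

        # The list is rewritten to match the replaced binary, so the local check passes for it.
        tampered_list = original_list.replace(
            hashlib.md5(files["usr/bin/tool"]).hexdigest(), hashlib.md5(replaced).hexdigest())
        fooled = verify_md5sums(root, parse_md5sums(tampered_list))
        list_changed = list_fingerprint(tampered_list) != baseline
        return honest, fooled, list_changed


if __name__ == "__main__":
    honest, fooled, list_changed = demo()
    print("check against the original list:", honest)
    print("check against the rewritten list:", fooled)
    print("rewritten list detected by off-box fingerprint:", list_changed)
```

On a real system you would point `verify_md5sums("/", ...)` at the contents of `/var/lib/dpkg/info/*.md5sums`, and keep the `list_fingerprint` values (or better, a full copy of the lists) on another machine; comparing the Pi's binaries against a known-clean image of the same release, as ejolson suggests, sidesteps the problem entirely because the reference never lived on the compromised card.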

dickon
Posts: 1258
Joined: Sun Dec 09, 2012 3:54 pm
Location: Home, just outside Reading

Re: Am I being Hacked?? (Strange string in history)

Mon Mar 23, 2020 8:44 pm

Installing something like rkhunter is worth a shot, too.
