Welcome to the forum!

Capt-Dave wrote: ↑Sun Mar 22, 2020 2:19 pm
Help, am I being hacked...
Using Putty I SSHed into a remote raspberry pi this morning. Once there I hit the down arrow to bring up past commands. I often do this rather than retyping a string. To my surprise I found all my past string commands (history) were missing except this one unknown disturbing string: AMERICA_DIE=true killall -9 libxml_CP
What is this all about? Hacked??
AMERICA_DIE=true does come up with 1 result from January.
It's tempting, but that's how the Equifax data breach happened. There were two hacking teams: a bumbling one that served as a distraction for the security guys to monitor while a separate expert team siphoned off data from someplace else. Maybe it's better to take care of this problem quickly to have extra time for making sure everything else is secure.
How many people would continue to drive their car after discovering that someone was sleeping in the back seat? Neither should one continue to use a Pi after discovering someone has remote control. While closing the stable door after the horse has bolted seems somewhat ineffective when dealing with real viruses, with computer viruses such an approach is even less effective. At this point it is only responsible to replace the SD card before your Raspberry Pi starts being used by a third party for doing things which may turn out to be illegal.

Capt-Dave wrote: ↑Mon Mar 23, 2020 1:46 am
The suspected hacked Raspberry pi is being used as an OpenWebRX server. It has been in service for a number of years now. I am a ham radio operator and I have this pi set up to listen in on an amateur radio 2 meter repeater near Houston. This is not my only OpenWebRX server. I have them placed around the country (most at family members' homes). This is however the first OpenWebRX server I suspect has been hacked. First thing I did this morning after discovering the string was to change the SSH password. I am tempted to take it completely offline. I do not live in Houston but have a family member at that location that could pull the plug. I too tried to google the string with no luck. Very strange...
I have suggested storing the old card for further analysis and starting over with a new SD card. I agree that it is very important to preserve the evidence at this point. The best way to do this is take the Pi offline, carefully label the card and put the card on the shelf. As far as services go, there is a difference between mission critical infrastructure and having a hobby. For a hobby I would not worry much about uptime but instead seek to prevent any harm that might come to a person generous enough to let me colocate a Pi on their home network.

Heater wrote: ↑Mon Mar 23, 2020 4:27 am
Clifford Stoll would disagree with you. https://www.youtube.com/watch?v=Qt0844ViQDI
I get the idea of wanting to shut the hacked system down to prevent any further damage.
But then what? You had a service working, and now you don't. And you have no idea what happened or what to do about it. Does that mean you just give up and not have that service forever? Clearly simply refreshing the OS and programs and starting over is not a good idea. It will just get hacked again.
Or at least, if you do that put some monitoring in place so that you have some chance of knowing if it happens again.
Cliff Stoll is the craziest guy in the history of computing. He had a monetary incentive ($0.75 @1986 prices) to discover who was stealing his computer time (which cost $300/hr at that time).
Weren't they before?
The original author stopped working on OpenWebRX but it was forked and all new development is now at https://github.com/jketterl/openwebrx
Even if the person sleeping in your car is not planning to steal it, there is already a line of acceptable behaviour that has been crossed by obtaining unauthorized access to the Pi computer.
I don't think I do point that out. Perhaps the machine has been hacked, perhaps not. As you point out, the evidence so far is that of a bumbling attempt rather than an expert criminal organisation.
Checking the log files is only useful if they were securely stored on a remote logging device. On the other hand, it could be useful to compare hashes for all system binaries to see if any have changed. One could also examine the configuration files, for example those in /etc/pam, for weirdness. It is strange, but intruders might lock the doors after they enter so others don't crowd their dreams while they comfortably sleep in the back seat of someone else's car.

jbudd wrote: ↑Mon Mar 23, 2020 6:00 pm
I don't think I do point that out. Perhaps the machine has been hacked, perhaps not. As you point out, the evidence so far is that of a bumbling attempt rather than an expert criminal organisation.
I see no evidence either way from a strange line in ~/.bash_history.
There are log files that record logins - /var/log/auth.log*. Perhaps the OP would find it informative to run:
zgrep Accepted\ password /var/log/auth.lo*
zgrep Failed\ password /var/log/auth.lo*
[email protected]:/$ md5sum --check /var/lib/dpkg/info/git.md5sums
etc/bash_completion.d/git-prompt: OK
usr/bin/git: OK
usr/bin/git-shell: OK
usr/bin/git-upload-pack: OK
usr/lib/git-core/git-p4: OK
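The two checks suggested in this thread (grepping auth.log* for accepted and failed password logins, and verifying installed binaries against the dpkg md5sums lists) as one added script. It is not from any poster; it generalises the single-package md5sum check to every package and runs against a constructed sample root so it works offline. Function names and sample values are my own.

```shell
# Added example for the thread above; all sample data is constructed.

# Summarise sshd password logins per source address from auth.log files.
# zcat -f passes plain files through and decompresses rotated .gz ones,
# so the whole "auth.log*" glob can be handed over in one go.
ssh_login_summary() {
    zcat -f "$@" 2>/dev/null |
    grep -E 'sshd\[[0-9]+\]: (Accepted|Failed) password' |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
           key = ($6 == "Accepted" ? "accepted" : "failed") " " ip
           n[key]++ }
         END { for (k in n) print k, n[k] }' | sort
}

# Check every installed package against its /var/lib/dpkg/info/*.md5sums
# list. Prints "pkg: path: FAILED" for modified or missing files, nothing
# when all match. Caveat: the lists sit on the same card as the binaries,
# so a FAILED line is strong evidence but a clean run is only weak evidence.
dpkg_verify() {
    local root=${1:-/} f pkg
    for f in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -e "$f" ] || continue
        pkg=$(basename "$f" .md5sums)
        (cd "$root" && md5sum --check --quiet "$f" 2>/dev/null) |
            sed "s|^|$pkg: |"
    done
}

# Throwaway root: one fake "git" package whose md5sums are recorded before
# one binary is tampered with, plus a three-line auth.log.
make_sample_root() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/var/lib/dpkg/info" "$root/usr/bin" "$root/var/log"
    printf 'echo ok\n' > "$root/usr/bin/git"
    printf 'echo ok\n' > "$root/usr/bin/git-shell"
    (cd "$root" && md5sum usr/bin/git usr/bin/git-shell) > "$root/var/lib/dpkg/info/git.md5sums"
    printf 'echo tampered\n' > "$root/usr/bin/git-shell"
    cat > "$root/var/log/auth.log" <<'EOF'
Mar 22 06:01:12 raspberrypi sshd[812]: Accepted password for pi from 192.0.2.10 port 51234 ssh2
Mar 22 06:05:40 raspberrypi sshd[833]: Failed password for root from 198.51.100.7 port 40211 ssh2
Mar 22 06:05:44 raspberrypi sshd[833]: Failed password for root from 198.51.100.7 port 40211 ssh2
EOF
    printf '%s\n' "$root"
}

demo=$(make_sample_root)
echo "== dpkg integrity (expect one FAILED) =="; dpkg_verify "$demo"
echo "== sshd password logins =="; ssh_login_summary "$demo"/var/log/auth.log*
rm -rf "$demo"
```

On a real Pi, `dpkg_verify` with no argument walks the live system and `ssh_login_summary /var/log/auth.log*` covers the rotated logs too.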