joukohan
Posts: 7
Joined: Tue Jan 15, 2013 2:03 pm

File in home dir doesn't show up on "ls -al"

Sat Dec 29, 2018 1:57 pm

I have managed to create a file that exists in the home folder, is read/write-able, but doesn't show up in the file listing. With "sudo ls -al" the file shows up just fine. The file was created with pico as user "pi".

Are there some extra hidden properties for the files somewhere that need fixing, or have I somehow corrupted the filesystem beyond repair? ("fsck.repair=yes fsck.mode=force" are present in cmdline.txt.) I do reboots and power-offs with sudo reboot/shutdown, so that shouldn't be the cause.

The file is named "bridge-start". When I copy the file with cp, the copy also acts this way, so I must copy it using cat.

Code:

pi@raspberrypi:~ $ ls -al
total 68
drwxr-xr-x 5 pi   pi   4096 Dec 29 15:19 .
drwxr-xr-x 3 root root 4096 Nov 13 15:09 ..
-rw------- 1 pi   pi   6503 Dec 29 14:03 .bash_history
-rw-r--r-- 1 pi   pi    220 Nov 13 15:09 .bash_logout
-rw-r--r-- 1 pi   pi   3579 Dec 26 19:36 .bashrc
-rwxr-xr-x 1 pi   pi    315 Dec 28 22:43 bridge-stop
-rw-r--r-- 1 pi   pi   9748 Dec 27 20:01 client.tar.xz
-rw-r--r-- 1 pi   pi     15 Dec 27 22:09 ip.txt
drwxr-xr-x 2 root root 4096 Dec 27 19:58 keys
drwxr-xr-x 2 pi   pi   4096 Dec 26 21:00 .nano
-rw-r--r-- 1 pi   pi    675 Nov 13 15:09 .profile
-rwxr-xr-- 1 pi   pi    249 Dec 27 22:44 sendip.sh

pi@raspberrypi:~ $ sudo ls -al
total 68
drwxr-xr-x 5 pi   pi   4096 Dec 29 15:19 .
drwxr-xr-x 3 root root 4096 Nov 13 15:09 ..
-rw------- 1 pi   pi   6503 Dec 29 14:03 .bash_history
-rw-r--r-- 1 pi   pi    220 Nov 13 15:09 .bash_logout
-rw-r--r-- 1 pi   pi   3579 Dec 26 19:36 .bashrc
-rwxrwxrwx 1 pi   pi    745 Dec 28 22:50 bridge-start
-rwxr-xr-x 1 pi   pi    315 Dec 28 22:43 bridge-stop
-rw-r--r-- 1 pi   pi   9748 Dec 27 20:01 client.tar.xz
-rw-r--r-- 1 pi   pi     15 Dec 27 22:09 ip.txt
drwxr-xr-x 2 root root 4096 Dec 27 19:58 keys
drwxr-xr-x 2 pi   pi   4096 Dec 26 21:00 .nano
-rw-r--r-- 1 pi   pi    675 Nov 13 15:09 .profile
-rwxr-xr-- 1 pi   pi    249 Dec 27 22:44 sendip.sh
drwxr-xr-x 2 pi   pi   4096 Dec 26 19:36 .system
pi@raspberrypi:~ $ cat bridge-start > bridgecopy
pi@raspberrypi:~ $ ls -al
total 72
drwxr-xr-x 5 pi   pi   4096 Dec 29 15:21 .
drwxr-xr-x 3 root root 4096 Nov 13 15:09 ..
-rw------- 1 pi   pi   6503 Dec 29 14:03 .bash_history
-rw-r--r-- 1 pi   pi    220 Nov 13 15:09 .bash_logout
-rw-r--r-- 1 pi   pi   3579 Dec 26 19:36 .bashrc
-rw-r--r-- 1 pi   pi    745 Dec 29 15:21 bridgecopy
-rwxr-xr-x 1 pi   pi    315 Dec 28 22:43 bridge-stop
-rw-r--r-- 1 pi   pi   9748 Dec 27 20:01 client.tar.xz
-rw-r--r-- 1 pi   pi     15 Dec 27 22:09 ip.txt
drwxr-xr-x 2 root root 4096 Dec 27 19:58 keys
drwxr-xr-x 2 pi   pi   4096 Dec 26 21:00 .nano
-rw-r--r-- 1 pi   pi    675 Nov 13 15:09 .profile
-rwxr-xr-- 1 pi   pi    249 Dec 27 22:44 sendip.sh

pi@raspberrypi:~ $ sudo ls -al
total 72
drwxr-xr-x 5 pi   pi   4096 Dec 29 15:21 .
drwxr-xr-x 3 root root 4096 Nov 13 15:09 ..
-rw------- 1 pi   pi   6503 Dec 29 14:03 .bash_history
-rw-r--r-- 1 pi   pi    220 Nov 13 15:09 .bash_logout
-rw-r--r-- 1 pi   pi   3579 Dec 26 19:36 .bashrc
-rw-r--r-- 1 pi   pi    745 Dec 29 15:21 bridgecopy
-rwxrwxrwx 1 pi   pi    745 Dec 28 22:50 bridge-start
-rwxr-xr-x 1 pi   pi    315 Dec 28 22:43 bridge-stop
-rw-r--r-- 1 pi   pi   9748 Dec 27 20:01 client.tar.xz
-rw-r--r-- 1 pi   pi     15 Dec 27 22:09 ip.txt
drwxr-xr-x 2 root root 4096 Dec 27 19:58 keys
drwxr-xr-x 2 pi   pi   4096 Dec 26 21:00 .nano
-rw-r--r-- 1 pi   pi    675 Nov 13 15:09 .profile
-rwxr-xr-- 1 pi   pi    249 Dec 27 22:44 sendip.sh
drwxr-xr-x 2 pi   pi   4096 Dec 26 19:36 .system
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.14.79-v7+ #1159 SMP Sun Nov 4 17:50:20 GMT 2018 armv7l GNU/Linux
pi@raspberrypi:~ $

EDIT: it's the latest Raspbian Stretch Lite; the only extra software is openvpn, easy-rsa, mailutils, ssmtp and bridgeutils.

topguy
Posts: 5967
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: File in home dir doesn't show up on "ls -al"

Mon Dec 31, 2018 2:36 pm

Very weird...

Right now my "best" theory is that you have been hacked and your "ls" is altered to hide certain filenames. And that is not even a good theory :lol: :D :lol:

I would like to see what "ls" and "sudo ls" shows and maybe what "alias" shows.

rpdom
Posts: 15608
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: File in home dir doesn't show up on "ls -al"

Mon Dec 31, 2018 4:35 pm

topguy wrote:
Mon Dec 31, 2018 2:36 pm
Right now my "best" theory is that you have been hacked and your "ls" is altered to hide certain filenames.
That is possible.

Things you can do to check:

Code:

which ls
should return "/bin/ls"; sometimes the hack will point to an alternate location.

Something I've had to use on systems when even ls wasn't available:

Code:

echo *
echo .*
That should list the entries in the current directory.
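
The `which ls` check and the `echo *` / `echo .*` trick above both come down to the same idea: ask the kernel for the directory contents and the real PATH resolution instead of trusting whatever `ls` the shell happens to find. The script below is an added example written for this thread, not code from the thread or from Raspbian. It does that comparison with `os.listdir`, flags PATH entries that should never hold system tools (under the home directory, under `/tmp`, or relative), and builds its own constructed fixture, a throwaway home directory with a `.system` folder whose fake `ls` wraps the real one and drops two names, so it can be run offline. The function names and the fixture are assumptions for illustration.

```python
"""Added example for this thread (not code from the thread or from Raspbian):
compare what the PATH-resolved `ls` reports against the kernel's own listing,
and flag PATH entries that should never hold system tools.  Helper names and
the fake-`ls` fixture in demo() are constructed for illustration."""
import os
import shutil
import subprocess
import tempfile


def resolve_ls(path_env):
    """Path the shell would run for `ls` given this PATH (what `which ls` shows)."""
    return shutil.which("ls", path=path_env)


def suspicious_path_entries(path_env, home):
    """PATH entries that should never hold system tools: relative entries
    ("" or "." mean the current directory), anything under the user's home,
    anything under /tmp."""
    home = home.rstrip("/") + "/"
    hits = []
    for entry in path_env.split(":"):
        if not entry.startswith("/"):
            hits.append(entry)
        elif entry.startswith(home) or entry.startswith("/tmp/"):
            hits.append(entry)
    return hits


def hidden_entries(directory, ls_cmd):
    """Names the kernel reports for the directory (os.listdir, the same source
    the shell's `echo *` / `echo .*` globbing uses) that are missing from the
    output of ls_cmd run with -A1 (all entries except . and .., one per line)."""
    kernel_view = set(os.listdir(directory))
    out = subprocess.run(ls_cmd + ["-A1"], cwd=directory,
                         capture_output=True, text=True, check=True).stdout
    ls_view = {line for line in out.splitlines() if line}
    return sorted(kernel_view - ls_view)


def demo():
    """Constructed fixture: a home directory with a `.system` folder whose fake
    `ls` wraps the real one and drops two names, and a PATH that puts `.system`
    first, as in the thread.  Returns what the three checks report."""
    real_ls = shutil.which("ls")
    with tempfile.TemporaryDirectory() as home:
        system = os.path.join(home, ".system")
        os.mkdir(system)
        for name in ("bridge-start", "bridge-stop", "ip.txt"):
            open(os.path.join(home, name), "w").close()
        fake_ls = os.path.join(system, "ls")
        with open(fake_ls, "w") as f:
            # Stand-in for the trojan: run the real ls, then filter out two names.
            f.write('#!/bin/sh\n%s "$@" | grep -v -x -F -e bridge-start -e .system\n'
                    % real_ls)
        os.chmod(fake_ls, 0o755)
        path_env = system + ":/usr/local/bin:/usr/bin:/bin"
        ls_path = resolve_ls(path_env)
        return {
            "ls_resolves_to": ls_path,                                  # .../.system/ls
            "bad_path_entries": suspicious_path_entries(path_env, home),  # [.../.system]
            "hidden": hidden_entries(home, [ls_path]),                  # ['.system', 'bridge-start']
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a suspect box you would call `hidden_entries(os.path.expanduser("~"), ["ls"])` with the login shell's PATH in the environment, and `suspicious_path_entries(os.environ["PATH"], os.path.expanduser("~"))`; the wrapper pattern the fixture imitates is exactly what the strace later in this thread shows, a filter that runs `/bin/ls` and drops lines.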

joukohan
Posts: 7
Joined: Tue Jan 15, 2013 2:03 pm

Re: File in home dir doesn't show up on "ls -al"

Fri Jan 04, 2019 3:08 pm

Ok. I'm now pi-less as the pi got configured properly and was sent to serve its purpose elsewhere.
But luckily I have backup of the sd-card, so I decided to give it a go on an emulator. Here are the results:
Attachment: scrcap1.png
...so apparently there's a ".system" folder in the pi home folder, to which "ls" is redirected.
The pi was connected to the internet for very short moments during half a day, and through a router that had only port 1194 open and redirected to the pi in question. So I'm not quite ready to believe it was hacked from the outside, but more likely hacked (aka configured badly with some scripts found online) by yours truly.

(Just in case you need to configure your Pi as an openvpn server, I can now tell you it's a rather easy task with pivpn :) )

So, thanks for the help! I wasn't aware of the echo-method.
Attachment: scrcap2.png

topguy
Posts: 5967
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: File in home dir doesn't show up on "ls -al"

Fri Jan 04, 2019 3:21 pm

If I want to add hidden files and processes to your system that is exactly the list of programs I would need to "fake" to hide myself.
This is definitely not a case of "bad configuration", this is the result of malicious intent.

So I hope the SD card was completely reformatted before the Pi was sent away.

joukohan
Posts: 7
Joined: Tue Jan 15, 2013 2:03 pm

Re: File in home dir doesn't show up on "ls -al"

Fri Jan 04, 2019 3:56 pm

Yes, started anew with an empty sd-card. Checked the installed system over the vpn today, and found nothing (no hidden folders in home and PATH is clean).

Now my curiosity is itching. Do you have any suggestions what to look for in this compromised system? As I can now run it in an emulator without a connection to the internet or LAN, I am able to investigate safely (I assume?). I would like to learn who/what got in and how.

scruss
Posts: 2630
Joined: Sat Jun 09, 2012 12:25 pm
Location: Toronto, ON

Re: File in home dir doesn't show up on "ls -al"

Fri Jan 04, 2019 4:09 pm

Are all the files in .system identical? They might be (compromised?) copies of BusyBox, a common shell replacement for small systems.
‘Remember the Golden Rule of Selling: “Do not resort to violence.”’ — McGlashan.

rpdom
Posts: 15608
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: File in home dir doesn't show up on "ls -al"

Fri Jan 04, 2019 4:44 pm

scruss wrote:
Fri Jan 04, 2019 4:09 pm
Are all the files in .system identical? They might be (compromised?) copies of BusyBox, a common shell replacement for small systems.
That does sound likely, although usually for BusyBox they would all be linked to one binary file; but as this looks like a dodgy version it could be anything.

If that is the case, I wonder how much work they might have put into hiding the fact it is based on BusyBox? I have a PC running BusyBox, and if I put an invalid option into ls this is what I get:

Code:

BusyBoxTest:/# ls -?
ls: unrecognized option: ?
BusyBox v1.26.2 (2017-06-11 06:38:32 GMT) multi-call binary.

Usage: ls [-1AaCxdLHRFplinsehrSXvctu] [-w WIDTH] [FILE]...

List directory contents
followed by the details of the options.

On a clean Raspbian system I get:

Code:

[email protected]:~ $ ls -?
ls: invalid option -- '?'
Try 'ls --help' for more information.
and I can also do:

Code:

[email protected]:~ $ ls --version
ls (GNU coreutils) 8.26
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Richard M. Stallman and David MacKenzie.

topguy
Posts: 5967
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: File in home dir doesn't show up on "ls -al"

Fri Jan 04, 2019 5:15 pm

scruss wrote:
Fri Jan 04, 2019 4:09 pm
Are all the files in .system identical? They might be (compromised?) copies of BusyBox, a common shell replacement for small systems.
I was thinking the same; I also thought that hardlinking the binary to different names would have been effective, but it looks like copies.

@joukohan
- You said that you checked PATH on the remote system, so you understand that the PATH variable has also been compromised.
Suspects for that would be the ".profile" or ".bashrc" files in your home directory.

- You can also fix your PATH by removing the ".system" part of it. So now you can run both real and fake versions of "ps -ef" ( or "ps aux" ) for example and compare the differences.

- The date on the files in .system also tells you exactly when the system was compromised. You can search for files created/modified around that time.

Test first with this in your home directory; it should find the files in .system, I guess.

Code:

find . -type f -ls |grep "Dec 26 19"
If you want to do it system-wide, then:

Code:

sudo find / -type f -ls |grep "Dec 26 19"
If you get too many hits because you were installing stuff at that time, you can search finer with "Dec 26 19:3".
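
The `find ... -ls | grep "Dec 26 19"` approach above pivots on the planted directory's timestamp to find everything else touched at the same time. The script below is an added example written for this thread, not one of the thread's commands: it walks a tree and returns every non-directory entry whose modification time falls inside a window around an anchor timestamp, using `lstat` so that a symlink's own time is used and so that unreadable entries are skipped rather than aborting the sweep. It builds a constructed fixture (a `.system/ls`, a `.bashrc` and a crontab file stamped minutes apart, plus an older archive) to show the result. The function names and the year 2018 are assumptions; `ls -l` in the thread prints no year.

```python
"""Added example for this thread (not the thread's own commands): list files
whose mtime falls inside a window around an anchor timestamp such as the
planted .system directory's.  Function names and the fixture in demo() are
constructed for illustration; the year is assumed, since `ls -l` omitted it."""
import os
import tempfile
from datetime import datetime, timedelta


def window_around(anchor, minutes=30):
    """Window of +/- `minutes` around an anchor such as the .system mtime."""
    delta = timedelta(minutes=minutes)
    return anchor - delta, anchor + delta


def files_modified_between(root, start, end, follow_symlinks=False):
    """(path, mtime) for every non-directory entry under root with
    start <= mtime <= end, ordered by mtime so the sequence of changes is
    readable.  lstat is used so a symlink's own timestamp counts, not its
    target's, and entries that vanish or are unreadable are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=follow_symlinks):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            mtime = datetime.fromtimestamp(st.st_mtime)
            if start <= mtime <= end:
                hits.append((full, mtime))
    return sorted(hits, key=lambda hit: hit[1])


def demo():
    """Constructed fixture: a fake .system/ls, a .bashrc and a crontab file
    stamped 0, 3 and 12 minutes after the anchor, plus an archive from a day
    earlier.  Returns the paths that fall inside a 30-minute window."""
    anchor = datetime(2018, 12, 26, 19, 36)  # year assumed
    start, end = window_around(anchor, minutes=30)
    stamps = {".system/ls": 0, ".bashrc": 3, "crontabs_pi": 12, "client.tar.xz": -24 * 60}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, ".system"))
        for rel, offset_minutes in stamps.items():
            full = os.path.join(root, rel)
            open(full, "w").close()
            ts = (anchor + timedelta(minutes=offset_minutes)).timestamp()
            os.utime(full, (ts, ts))
        return [os.path.relpath(path, root)
                for path, _ in files_modified_between(root, start, end)]


if __name__ == "__main__":
    print(demo())  # ['.system/ls', '.bashrc', 'crontabs_pi']
```

Against the real image you would run `files_modified_between("/", *window_around(datetime(2018, 12, 26, 19, 36)))` as root; narrowing the window from 30 minutes to a few minutes is the equivalent of the `"Dec 26 19:3"` refinement above.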

topguy
Posts: 5967
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: File in home dir doesn't show up on "ls -al"

Fri Jan 04, 2019 5:21 pm

....also things I would do...

Code:

md5sum .system/*
file .system/ls
ldd .system/ls
strings .system/ls | less
or better...

Code:

# check if busybox has been compromised.
ls -l /bin/busybox
md5sum /bin/busybox
# compare output with the files in .system.

strings .system/ls > fake.txt
strings /bin/busybox > real.txt
diff real.txt fake.txt

joukohan
Posts: 7
Joined: Tue Jan 15, 2013 2:03 pm

Re: File in home dir doesn't show up on "ls -al"

Fri Jan 04, 2019 5:42 pm

The files are identical.
Attachment: scrcap3.png
So it gives an empty line without any info.

'ls --help' gives the same output as '/bin/ls --help'

Other files in the system that have been modified at the same time are:
~/.bashrc (which includes the PATH-modification for .system) and /var/spool/cron/crontabs/pi

crontab -l gives:

Code:

* * * * * nohup /tmp/.koworker 100 > /dev/null 2>&1 &
Do you have any ideas how these changes could have possibly been made?

EDIT: no BusyBox present in the system, so I can't compare :)

joukohan
Posts: 7
Joined: Tue Jan 15, 2013 2:03 pm

Re: File in home dir doesn't show up on "ls -al"

Fri Jan 04, 2019 6:04 pm

Results of some tools:

file:

Code:

./ls: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, stripped

strace:

Code:

execve("./ls", ["./ls"], [/* 20 vars */]) = 0
getpid()                                = 3235
sched_getaffinity(0, 8192, [0])         = 4
mmap2(0x200000, 807411712, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x200000
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6f99000
clock_gettime(CLOCK_MONOTONIC, {tv_sec=12322, tv_nsec=712675372}) = 0
mmap2(0x10400000, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x10400000
mmap2(0xf3b0000, 17104896, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xf3b0000
mmap2(0x200000, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000
mmap2(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6f89000
clock_gettime(CLOCK_MONOTONIC, {tv_sec=12322, tv_nsec=726161376}) = 0
mmap2(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6f79000
rt_sigprocmask(SIG_SETMASK, NULL, [], 8) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=12322, tv_nsec=735348379}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=12322, tv_nsec=736965380}) = 0
sigaltstack(NULL, {ss_sp=NULL, ss_flags=SS_DISABLE, ss_size=0}) = 0
sigaltstack({ss_sp=0x10402000, ss_flags=0, ss_size=32720}, NULL) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
gettid()                                = 3235
rt_sigaction(SIGHUP, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGHUP, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGINT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGINT, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGQUIT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGILL, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGILL, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGTRAP, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTRAP, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGABRT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGABRT, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGBUS, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGFPE, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGFPE, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGUSR1, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGUSR1, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGSEGV, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGUSR2, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGUSR2, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGPIPE, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGALRM, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGALRM, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGTERM, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGTERM, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGSTKFLT, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGSTKFLT, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGCHLD, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGCHLD, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGURG, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGURG, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGXCPU, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGXCPU, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGXFSZ, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGXFSZ, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGVTALRM, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGVTALRM, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGPROF, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGPROF, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGWINCH, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGWINCH, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGIO, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGIO, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGPWR, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGPWR, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGSYS, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGSYS, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRTMIN, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_1, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_2, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_2, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_3, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_3, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_4, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_4, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_5, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_5, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_6, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_6, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_7, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_7, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_8, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_8, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_9, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_9, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_10, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_10, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_11, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_11, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_12, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_12, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_13, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_13, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_14, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_14, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_15, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_15, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_16, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_16, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_17, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_17, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_18, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_18, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_19, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_19, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_20, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_20, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_21, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_21, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_22, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_22, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_23, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_23, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_24, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_24, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_25, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_25, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_26, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_26, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_27, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_27, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_28, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_28, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_29, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_29, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_30, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_30, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_31, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_31, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
rt_sigaction(SIGRT_32, NULL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGRT_32, {sa_handler=0x647b8, sa_mask=~[], sa_flags=SA_STACK|SA_RESTART|SA_SIGINFO}, NULL, 8) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=12322, tv_nsec=941835442}) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=12322, tv_nsec=943726443}) = 0
rt_sigprocmask(SIG_SETMASK, ~[], [], 8) = 0
clone(child_stack=0x1042fff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD) = 3236
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
clock_gettime(CLOCK_MONOTONIC, {tv_sec=12322, tv_nsec=953267446}) = 0
rt_sigprocmask(SIG_SETMASK, ~[], [], 8) = 0
clone(child_stack=0x1042bff0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD) = 3237
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
futex(0x13f0fc, FUTEX_WAIT, 0, NULL)    = -1 EAGAIN (Resource temporarily unavailable)
futex(0x1042032c, FUTEX_WAKE, 1)        = 1
readlinkat(AT_FDCWD, "/proc/self/exe", "/home/pi/.system/ls", 128) = 19
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6f39000
futex(0x1042032c, FUTEX_WAKE, 1)        = 1
stat64("/usr/bin/ls", 0x10456024)       = -1 ENOENT (No such file or directory)
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
stat64("/bin/ls", {st_mode=S_IFREG|0755, st_size=108804, ...}) = 0
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
openat(AT_FDCWD, "/dev/null", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
pipe2([4, 5], O_CLOEXEC)                = 0
pipe2([6, 7], O_CLOEXEC)                = 0
pipe2([8, 9], O_CLOEXEC)                = 0
getpid()                                = 3235
clone(child_stack=NULL, flags=SIGCHLD)  = 3238
close(9)                                = 0
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
read(8, "", 4)                          = 0
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
close(8)                                = 0
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
close(3)                                = 0
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
close(5)                                = 0
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
close(7)                                = 0
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
waitid(P_PID, 3238, {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3238, si_uid=1000, si_status=0, si_utime=0, si_stime=0}, WEXITED|WNOWAIT, NULL) = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3238, si_uid=1000, si_status=0, si_utime=7, si_stime=6} ---
rt_sigreturn()                          = 0
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
wait4(3238, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, {ru_utime={tv_sec=0, tv_usec=61589}, ru_stime={tv_sec=0, tv_usec=52791}, ...}) = 3238
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
write(1, "file.txt\n", 9file.txt
)               = 9
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
write(1, "ls\n", 3ls
)                     = 3
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
write(1, "lsof\n", 5lsof
)                   = 5
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
write(1, "ls.txt\n", 7ls.txt
)                 = 7
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
write(1, "netstat\n", 8netstat
)                = 8
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
write(1, "ps\n", 3ps
)                     = 3
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
write(1, "pstree\n", 7pstree
)                 = 7
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
write(1, "ss\n", 3ss
)                     = 3
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
write(1, "strace.txt\n", 11strace.txt
)            = 11
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
write(1, "strings.txt\n", 12strings.txt
)           = 12
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
write(1, "top\n", 4top
)                    = 4
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
write(1, "\n", 1
)                       = 1
futex(0x13ee34, FUTEX_WAKE, 1)          = 1
futex(0x13edc0, FUTEX_WAKE, 1)          = 1
exit_group(0)                           = ?
+++ exited with 0 +++
EDIT: strings output is ridiculously long. What should I be looking for in there?

topguy
Posts: 5967
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: File in home dir doesn't show up on "ls -al"

Fri Jan 04, 2019 9:49 pm

joukohan wrote:
EDIT: strings output is ridiculously long. What should I be looking for in there?
Yeah, I realised that, so that's why I suggested piping it to files and only looking at the differences.
Of course, transferring the files to another computer and using Windiff, for example, is better.
joukohan wrote:
EDIT: no BusyBox present in the system, so I can't compare :)
Ahh, ok..

But you can do "strings .system/ls | grep koworker" to verify that this process/file is one of the "hidden" ones.
The same with "bridge-start" which was the file you noticed it on.

You can search with "less" if you type a '/' and then "bridge", then it might jump to a section with lots of filenames. ( press 'n' for next match, 'p' for previous. )

joukohan
Posts: 7
Joined: Tue Jan 15, 2013 2:03 pm

Re: File in home dir doesn't show up on "ls -al"

Sat Jan 05, 2019 1:02 pm

I'm closing this investigation, as I've found the starting point for this "security breach". As usual, it was between the chair and the keyboard. Because I'm still a newbie in RasPi-world, I didn't know where to look.

Apparently I didn't change the default password for user "pi" right away like I always do. I had to restart the project so many times due to messing up the network settings completely that at one point I forgot to change the password after rewriting the sd-card. During those few hours there were numerous logins from different IPs through SSH.

Examining /var/log/auth.log and forming the timeline by comparing sudo-commands from .bash_history shows this painfully clearly.

What did I learn here?
- change passwd before going online
- change ssh port away from the default
- deny the user "pi" from logging in through SSH, or add another user with sudo privileges and remove "pi" completely

Helpful sources (apart from this forum, ofc!):
https://wiki.ubuntu.com/BasicSecurity/DidIJustGetOwned
https://www.raspberrypi.org/documentati ... ecurity.md

So, apologies for taking up your valuable time and a big thank you for the help. Learned quite a lot through this. :)

Now, if you'll excuse me, I have an SD-card to burn and hands to sanitize! Brrrh!

---
Epilogue:
Of course, I had to check the "sent away" pi's auth.log too. The login attempts started a few minutes after connecting it to the router. When it doesn't allow "pi", the bots seem to try a lot of other usernames, starting from root/admin/mail etc. One screen of examples:

Code:

Jan  2 18:11:29 raspberrypi_vpn sshd[2291]: Failed password for invalid user cl from 218.94.156.130 port 26904 ssh2
Jan  2 18:12:11 raspberrypi_vpn sshd[2298]: Failed password for invalid user pay from 129.158.74.141 port 59630 ssh2
Jan  2 18:12:28 raspberrypi_vpn sshd[2307]: Failed password for invalid user csczserver from 112.196.54.35 port 59140 ssh2
Jan  2 18:12:39 raspberrypi_vpn sshd[2314]: Failed password for invalid user caleb from 159.65.195.167 port 46176 ssh2
Jan  2 18:12:45 raspberrypi_vpn sshd[2321]: Failed password for invalid user caleb from 151.80.144.255 port 46578 ssh2
Jan  2 18:13:09 raspberrypi_vpn sshd[2328]: Failed password for invalid user gaetan from 210.99.13.245 port 49768 ssh2
Jan  2 18:14:32 raspberrypi_vpn sshd[2335]: Failed password for invalid user caleb from 218.94.156.130 port 43073 ssh2
Jan  2 18:14:53 raspberrypi_vpn sshd[2342]: Failed password for invalid user jenkins from 129.158.74.141 port 41108 ssh2
Jan  2 18:15:09 raspberrypi_vpn sshd[2349]: Failed password for invalid user bots from 159.65.195.167 port 37336 ssh2
Jan  2 18:15:17 raspberrypi_vpn sshd[2360]: Failed password for invalid user bots from 151.80.144.255 port 56257 ssh2
Jan  2 18:16:07 raspberrypi_vpn sshd[2371]: Failed password for invalid user marko from 210.99.13.245 port 41096 ssh2
Jan  2 18:17:21 raspberrypi_vpn sshd[2393]: Failed password for invalid user bots from 218.94.156.130 port 52145 ssh2
Jan  2 18:17:22 raspberrypi_vpn sshd[2397]: Failed password for invalid user sshuser from 129.158.74.141 port 50826 ssh2
Jan  2 18:18:52 raspberrypi_vpn sshd[2420]: Failed password for invalid user python from 210.99.13.245 port 60644 ssh2
Jan  2 18:19:50 raspberrypi_vpn sshd[2431]: Failed password for invalid user db2fenc1 from 99.242.103.135 port 47951 ssh2
Jan  2 18:41:20 raspberrypi_vpn sshd[2482]: Failed password for invalid user test from 185.50.154.199 port 47043 ssh2
Jan  2 18:45:17 raspberrypi_vpn sshd[2490]: Failed password for invalid user aman from 185.50.154.199 port 36775 ssh2
Jan  2 18:48:00 raspberrypi_vpn sshd[2498]: Failed password for invalid user lynda from 185.50.154.199 port 46808 ssh2
Jan  2 18:50:34 raspberrypi_vpn sshd[2505]: Failed password for invalid user web from 185.50.154.199 port 56842 ssh2
Jan  2 19:02:52 raspberrypi_vpn sshd[2518]: Failed password for invalid user mcserver from 190.217.17.52 port 26313 ssh2
Jan  2 19:06:45 raspberrypi_vpn sshd[2531]: Failed password for invalid user admin from 88.214.26.49 port 46972 ssh2
Jan  2 19:06:58 raspberrypi_vpn sshd[2538]: Failed password for invalid user user from 190.217.17.52 port 43148 ssh2
Jan  2 19:08:53 raspberrypi_vpn sshd[2546]: Failed password for invalid user nexus from 119.29.251.152 port 35592 ssh2
Jan  2 19:09:18 raspberrypi_vpn sshd[2553]: Failed password for invalid user nexus from 114.22.10.215 port 44432 ssh2
Jan  2 19:09:44 raspberrypi_vpn sshd[2560]: Failed password for invalid user fg from 190.217.17.52 port 40842 ssh2
Jan  2 19:12:45 raspberrypi_vpn sshd[2567]: Failed password for invalid user cc from 73.141.47.152 port 37888 ssh2
Jan  2 19:13:17 raspberrypi_vpn sshd[2575]: Failed password for invalid user cc from 95.224.112.213 port 51128 ssh2
Jan  2 19:16:01 raspberrypi_vpn sshd[2582]: Failed password for invalid user test1 from 114.22.10.215 port 50208 ssh2
Jan  2 19:21:31 raspberrypi_vpn sshd[2604]: Failed password for invalid user teamspeak3 from 194.182.65.248 port 59006 ssh2
Jan  2 19:21:58 raspberrypi_vpn sshd[2611]: Failed password for invalid user nexus from 186.2.196.91 port 39172 ssh2
Jan  2 19:22:15 raspberrypi_vpn sshd[2618]: Failed password for invalid user spark from 123.206.61.19 port 60142 ssh2
Jan  2 19:22:54 raspberrypi_vpn sshd[2625]: Failed password for invalid user oracle from 210.18.139.230 port 26344 ssh2
Jan  2 19:23:35 raspberrypi_vpn sshd[2633]: Failed password for invalid user ashok from 167.114.153.77 port 36334 ssh2
Jan  2 19:23:35 raspberrypi_vpn sshd[2637]: Failed password for invalid user upload from 159.65.230.251 port 35074 ssh2
Jan  2 19:24:36 raspberrypi_vpn sshd[2648]: Failed password for invalid user tempo from 119.29.147.254 port 60966 ssh2
Jan  2 19:26:28 raspberrypi_vpn sshd[2665]: Failed password for invalid user rrashid from 73.217.57.207 port 43934 ssh2
Jan  2 19:26:52 raspberrypi_vpn sshd[2672]: Failed password for invalid user helpdesk from 192.144.155.63 port 53716 ssh2
Jan  2 19:27:03 raspberrypi_vpn sshd[2681]: Failed password for invalid user mu from 96.114.71.146 port 60332 ssh2
Jan  2 19:27:32 raspberrypi_vpn sshd[2688]: Failed password for lp from 159.65.230.251 port 52965 ssh2
Jan  2 19:30:06 raspberrypi_vpn sshd[2694]: Failed password for invalid user g from 119.29.147.254 port 40460 ssh2
Jan  2 19:30:29 raspberrypi_vpn sshd[2701]: Failed password for invalid user jake from 96.114.71.146 port 41598 ssh2

After changing the port and network-name for the raspi, the login-attempts seem to have stopped. The new name doesn't contain "raspberry" or "pi".
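The triage described in the post above (reading /var/log/auth.log for failed and accepted SSH logins, then asking which IPs and usernames were involved) can be scripted. This is an added example, not code from the thread; it parses the sshd line format shown in the post and uses a constructed sample with documentation-range IPs. It also handles the edge case visible in the excerpt: an existing account such as "lp" is logged without the "invalid user" marker.

```python
import re
from collections import Counter

# Regex for the sshd password lines seen in the post. "invalid user" is optional:
# existing accounts (e.g. "lp") are logged without it, so we capture that as a flag.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# Constructed sample (documentation-range IPs), shaped like the thread's auth.log excerpt.
SAMPLE_LOG = [
    "Jan  2 18:11:29 raspberrypi_vpn sshd[2291]: Failed password for invalid user cl from 198.51.100.10 port 26904 ssh2",
    "Jan  2 18:12:11 raspberrypi_vpn sshd[2298]: Failed password for invalid user pay from 198.51.100.10 port 59630 ssh2",
    "Jan  2 18:13:02 raspberrypi_vpn sshd[2303]: Connection closed by 198.51.100.10 port 59631 [preauth]",
    "Jan  2 18:14:32 raspberrypi_vpn sshd[2335]: Failed password for invalid user caleb from 198.51.100.10 port 43073 ssh2",
    "Jan  2 19:27:32 raspberrypi_vpn sshd[2688]: Failed password for lp from 203.0.113.7 port 52965 ssh2",
    "Jan  2 19:30:05 raspberrypi_vpn sshd[2690]: Accepted password for pi from 203.0.113.7 port 52970 ssh2",
]

def parse_sshd(lines):
    """Return one dict per recognised sshd auth line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            e = m.groupdict()
            e["invalid"] = e["invalid"] is not None  # True when sshd said "invalid user"
            events.append(e)
    return events

def summarize(events):
    """The counts a defender wants first: who is hammering, which names, and any success."""
    failed = [e for e in events if e["result"] == "Failed"]
    return {
        "failed_by_ip": Counter(e["ip"] for e in failed),
        "usernames_tried": Counter(e["user"] for e in failed),
        "real_accounts_targeted": sorted({e["user"] for e in failed if not e["invalid"]}),
        "accepted": [(e["ts"], e["user"], e["ip"]) for e in events if e["result"] == "Accepted"],
    }

if __name__ == "__main__":
    s = summarize(parse_sshd(SAMPLE_LOG))
    for ip, n in s["failed_by_ip"].most_common():
        print(f"{n:4d} failed logins from {ip}")
    print("existing accounts that were tried:", s["real_accounts_targeted"])
    for ts, user, ip in s["accepted"]:
        print(f"ACCEPTED {user}@{ip} at {ts}  <- confirm this was you")
```

To run it on a real box, feed it the lines of /var/log/auth.log (root access needed) instead of SAMPLE_LOG; every "Accepted" entry you cannot account for is the starting point for the timeline against .bash_history that the post describes.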
