Why is my last thread removed????
It was a serious question about a strange file at my RPI???
Re: Thread removed???
Probably because of the unnecessary use of a swear word.
Re: Thread removed???
Okay, but that was the name of the file???
How to mention it then?
There was already a dialog and I'm now missing it!!
This is no fun.
Re: Thread removed???
Canedje wrote:
Okay, but that was the name of the file???
How to mention it then?
There was already a dialog and I'm now missing it!!

I'm afraid that is your own fault. You had no need to use the word in the thread title or mention it in the post.
Re: Thread removed???
I disagree.
It was not mentioned to be crude but I only name the exact situation to be clear about the situation
What is your suggestion to discuss it over here then?
How can I explain the situation then?
I'm not amused
Re: Thread removed???
Writing the exact spelling of the f word gave a strong clue to the presence of malware, so could be excused in the body of the original post in my opinion. If the moderators objected, then they could have edited the post. It's a shame that all Dougie's useful security tips in a reply were deleted
Re: Thread removed???
Canedje wrote:
I disagree.
It was not mentioned to be crude but I only name the exact situation to be clear about the situation

Does the situation being clear require the use of words you aren't supposed to use here? I felt like I was watching Joe Pesci on HBO 2.

Canedje wrote:
What is your suggestion to discuss it over here then?
How can I explain the situation then?
I'm not amused

Rather than worrying about the exact word that the file was named, which could be anything, why not run a virus checker on your system, specifically on that file, that looks for matches for x86 threats?
Then if it turns something up, you could go on about that. Of course it doesn't really matter because it isn't news that there are threats out there and if you didn't put the file there, well, it got there somehow. The somehow is the real issue.
Re: Thread removed???
NickT wrote:
Writing the exact spelling of the f word gave a strong clue to the presence of malware, so could be excused in the body of the original post in my opinion. If the moderators objected, then they could have edited the post. It's a shame that all Dougie's useful security tips in a reply were deleted

Thanks.
I agree.
I now still don't know what to do. Because I didn't read the reaction of Dougie, and still have a problem possible.
Again, I was not meant to be rude!
- DougieLawson
- Posts: 40481
- Joined: Sun Jun 16, 2013 11:19 pm
- Location: A small cave in deepest darkest Basingstoke, UK
- Contact: Website Twitter
Re: Thread removed???
The annoyance is that my carefully crafted and sanitised answer has gone with it.
Your system has had a rogue ELF X86 executable file planted in the root directory. Your system is compromised, go and clean it up and next time change your "f-bomb" into "****" to protect the innocent and keep this place as a family friendly forum. It doesn't matter what the rogue file is called, you could have renamed it to foobar or fubar and your thread wouldn't have been removed.
Any language using left-hand whitespace for syntax is ridiculous
Any DMs sent on Twitter will be answered next month.
Fake doctors - are all on my foes list.
Any requirement to use a crystal ball or mind reading will result in me ignoring your question.
Re: Thread removed???
stderr wrote:
Canedje wrote:
I disagree.
It was not mentioned to be crude but I only name the exact situation to be clear about the situation

Does the situation being clear require the use of words you aren't supposed to use here? I felt like I was watching Joe Pesci on HBO 2.

Canedje wrote:
What is your suggestion to discuss it over here then?
How can I explain the situation then?
I'm not amused

Rather than worrying about the exact word that the file was named, which could be anything, why not run a virus checker on your system, specifically on that file, that looks for matches for x86 threats?
Then if it turns something up, you could go on about that. Of course it doesn't really matter because it isn't news that there are threats out there and if you didn't put the file there, well, it got there somehow. The somehow is the real issue.

I agree for a part.
But okay, it is done. If the moderator didn't agree, why not remove the word and save the thread?
Removing the total thread is rude and not necessary.
Going on the issue:
I'm not familiar with using virus checkers in a Unix-like surrounding.
How to use a virus checker?
Re: Thread removed???
DougieLawson wrote:
The annoyance is that my carefully crafted and sanitised answer has gone with it.
Your system has had a rogue ELF X86 executable file planted in the root directory. Your system is compromised, go and clean it up and next time change your "f-bomb" into "****" to protect the innocent and keep this place as a family friendly forum. It doesn't matter what the rogue file is called, you could have renamed it to foobar or fubar and your thread wouldn't have been removed.

Thanks Dougie.
I agree,
I just didn't realize this was causing trouble.
What does "rogue ELF X86 executable" mean?
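What "ELF X86 executable" refers to can be read from a file's first 20 bytes: the ELF magic, then a machine field naming the CPU the code was built for. The script below is an added example, not written by anyone in this thread; the host-to-architecture table and the two sample headers are constructed assumptions.

```python
import platform
import struct
import sys

# e_machine values from the ELF specification (subset).
EM_NAMES = {3: "x86 (i386)", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# Assumed mapping from platform.machine() to e_machine values native to that host.
# Hosts missing from this table treat every ELF file as foreign.
HOST_NATIVE = {"armv6l": {40}, "armv7l": {40}, "aarch64": {183, 40}, "x86_64": {62, 3}}


def parse_elf_header(data):
    """Return (bits, e_type, e_machine) from the first 20 bytes, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # malformed identification bytes
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return (32 if ei_class == 1 else 64, e_type, e_machine)


def classify(data, host_machine):
    """Label a file header as not-elf, native, or foreign-arch for this host."""
    header = parse_elf_header(data)
    if header is None:
        return "not-elf"
    native = HOST_NATIVE.get(host_machine, set())
    return "native" if header[2] in native else "foreign-arch"


def make_header(ei_class, e_machine):
    """Build a constructed 20-byte little-endian ELF header for the demo."""
    ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + b"\0" * 8
    return ident + struct.pack("<HH", 2, e_machine)


SAMPLE_X86 = make_header(1, 3)    # constructed: 32-bit x86 executable
SAMPLE_ARM = make_header(1, 40)   # constructed: 32-bit ARM executable

if __name__ == "__main__":
    host = platform.machine()
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(20)
        hdr = parse_elf_header(head)
        arch = EM_NAMES.get(hdr[2], "e_machine=%d" % hdr[2]) if hdr else "-"
        print(path, classify(head, host), arch)
```

On a Raspberry Pi (ARM), an x86 file is reported as `foreign-arch`: it was built for a different processor family than the board it was found on.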
- DougieLawson
Re: Thread removed???
You don't need a virus checker, you need to pull the ethernet cable and/or wifi dongles out of that RPi. You need to do that NOW!
Then start running virus checkers on all of your Windows, X86/X86_64 Linux AND Apple systems.
YOU HAVE A LINUX VIRUS OR ROOTKIT INSTALLED ON YOUR RASPBERRY PI.
Re: Thread removed???
DougieLawson wrote:
You don't need a virus checker, you need to pull the ethernet cable and/or wifi dongles out of that RPi. You need to do that NOW!
Then start running virus checkers on all of your Windows, X86/X86_64 Linux AND Apple systems.
YOU HAVE A LINUX VIRUS OR ROOTKIT INSTALLED ON YOUR RASPBERRY PI.

Oops!!
That is clear, thanks.
I did already do this an hour ago.
No viruses detected.
Is the RPI reusable again by removing these files?
Re: Thread removed???
Canedje wrote:
I did already do this an hour ago.
No viruses detected.

That file doesn't come up as something?

Canedje wrote:
Is the RPI reusable again by removing these files?

No, this isn't 1997, this is 2016. If your system is compromised, even if you just think it is, it needs to be completely redone from nothing by using known good media.
- DougieLawson
Re: Thread removed???
You should also analyse how they gained access (probably userid=pi, password=raspberry, pi still has sudo and sudo still doesn't need a password).
You should also assume, until you've checked, that EVERY device on your LAN is also compromised.
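One of the conditions named in the post above, sudo that does not ask for a password, can be checked on a rebuilt card or on other machines by reading the sudoers files. This is an added example, not code from the thread; the sample text is constructed, and files pulled in through include directives have to be passed to it separately.

```python
import glob
import re


def logical_lines(text):
    """Join backslash continuations, then drop comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        # "#1000 ..." is a uid-based user spec in sudoers, not a comment.
        if not line or (line.startswith("#") and not re.match(r"#\d", line)):
            continue
        yield line


def nopasswd_rules(text):
    """Return [(who, rule)] for user specs that carry the NOPASSWD tag."""
    findings = []
    for line in logical_lines(text):
        first = line.split()[0]
        if first.startswith(("Defaults", "@include")) or first.endswith("_Alias"):
            continue  # settings, includes and alias definitions are not user specs
        if re.search(r"\bNOPASSWD\s*:", line):
            findings.append((first, line))
    return findings


# Constructed sample in the style of a sudoers file.
SAMPLE = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
pi ALL=(ALL) \\
    NOPASSWD: ALL
# alice ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    # Standard locations; reading them normally requires root.
    for path in ["/etc/sudoers"] + sorted(glob.glob("/etc/sudoers.d/*")):
        try:
            with open(path) as fh:
                for who, rule in nopasswd_rules(fh.read()):
                    print("%s: %s -> %s" % (path, who, rule))
        except OSError as exc:
            print("%s: %s" % (path, exc))
```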
Re: Thread removed???
DougieLawson wrote:
You should also analyse how they gained access (probably userid=pi, password=raspberry, pi still has sudo and sudo still doesn't need a password).
You should also assume, until you've checked, that EVERY device on your LAN is also compromised.

I agree.
I did change the password of pi in the past.
Now I just removed it.
Just today I found the strange file.
But about a month ago I was hacked (around the make date of the strange file).
At that time I upgraded my firewall of the router and my total equipment/devices.
I did also all types of virus checks on all my devices and there were some viruses on some of them at that time.
These viruses were not really harmful, but creating data traffic from my devices.
These viruses were removed at that time.
I did still use my RPI from that time until now. Until today there was no strange behaviour.
Now an hour ago, after finding this strange file, I removed the file, disconnected the RPI and did all kinds of virus checks.
No viruses detected.
- DougieLawson
Re: Thread removed???
Now trash that SDcard and create a fresh one with a fresh download of NOOBS or Raspbian Jessie. You can't trust that card, so it needs to be wiped clean.
First thing to install is ufw (user-friendly fire wall) so you can block every port except the ones that need to be open to the world.