Raspberry Pi trojan going wild!!!

Make sure that the default password for the pi account (raspberry) is changed on your Astroberry! A Raspberry Pi trojan is going wild these days!
If you connect your system to the Internet, exposing the SSH service on the default port 22, change your default pi password as soon as possible.
You can do it by running:
sudo passwd pi

Changing the default password for the astroberry user is also recommended.

You can tell if your system has been compromised by running:
cat /etc/hosts

If you see entries for bins.deutschland-zahlung.eu, as in the image below, your system is infected!
3 years 6 months ago #59284

Details on the trojan can be found here: www.tobsan.se/update/2017/11/06/rpi-trojan.html
3 years 6 months ago #59285

If you are referring to the default PW that comes with SM? Can we change the length to something as short as the default? I have to type it in so many times, the required length is just nuts.
3 years 6 months ago #59286

I'm referring to any Raspberry Pi system with an active pi account, specifically to Astroberry.
The default pi account had always been blocked on Astroberry (for security reasons), and only recently (starting from version 2.0.3) was it unlocked to address users' requests.
All warnings related to the default pi password have been left to users' attention. Now the old trojan gets its harvest. Shall I keep listening to users or make it my way? ;-)
3 years 6 months ago #59289

You can lock and disable the default pi account by running:
sudo usermod -L pi && sudo usermod -s /sbin/nologin pi
3 years 6 months ago #59290
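
An added example, not part of the original posts: a shell audit that combines the /etc/hosts check from the first post with a check that the pi account is locked and has a non-login shell, as in the post above. The function names and the constructed sample files are assumptions made for illustration; the domain is the one named in the thread.

```shell
#!/bin/sh
# Added example: checks for the two conditions discussed in this thread.
# Files are arguments so copies (e.g. from a mounted SD card) can be audited.
IOC_DOMAIN='bins.deutschland-zahlung.eu'   # hosts entry named in the first post

# hosts_infected FILE: succeeds if a non-comment line mentions the domain
hosts_infected() {
    grep -v '^[[:space:]]*#' "$1" | grep -qiF "$IOC_DOMAIN"
}

# account_state SHADOW USER: prints locked | unlocked | missing
# ('!' or '*' at the start of the hash field means password login is disabled)
account_state() {
    awk -F: -v u="$2" '
        $1 == u { found = 1; if ($2 ~ /^[!*]/) print "locked"; else print "unlocked" }
        END     { if (!found) print "missing" }' "$1"
}

# login_shell PASSWD USER: prints field 7 of the user's passwd entry
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# pi_hardened SHADOW PASSWD: succeeds if pi is absent, or locked with a non-login shell
pi_hardened() {
    state=$(account_state "$1" pi)
    [ "$state" = missing ] && return 0
    [ "$state" = locked ] || return 1
    case "$(login_shell "$2" pi)" in */nologin|*/false) return 0 ;; *) return 1 ;; esac
}

# audit HOSTS SHADOW PASSWD: prints findings; exit status is the number of findings
audit() {
    n=0
    hosts_infected "$1" && { echo "FAIL: $1 contains $IOC_DOMAIN"; n=$((n + 1)); }
    pi_hardened "$2" "$3" || {
        echo "WARN: pi is not locked; make sure its password is not the default"
        n=$((n + 1)); }
    [ "$n" -eq 0 ] && echo "OK: no findings"
    return "$n"
}

# Demo on constructed files (not real system data). On a live system, as root:
#   audit /etc/hosts /etc/shadow /etc/passwd
d=$(mktemp -d)
printf '127.0.0.1 localhost\n127.0.0.1 bins.deutschland-zahlung.eu\n' > "$d/hosts"
printf 'pi:$6$constructed$hash:18000:0:99999:7:::\n' > "$d/shadow"
printf 'pi:x:1000:1000::/home/pi:/bin/bash\n' > "$d/passwd"
audit "$d/hosts" "$d/shadow" "$d/passwd" || true
rm -rf "$d"
```

A clean /etc/hosts only shows that this particular marker is absent; it does not prove the system was never accessed.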

Thanks for the warning. Is there any info on how one actually can get the trojan? There is no info on that in the Swedish blog post that you linked to. Like you say yourself, for most of us our raspberry pi's will be running inside a private network and they will not be accessible via ssh from outside so no ill posed hacker will be able to get in and hack the raspberry pi. Forgive me for writing this, but it seems like a storm in a glass of water (meaning a lot of noise over a small thing for those not familiar with Dutch expressions) to me.

Having said that, it is ALWAYS a good idea to change the password of a user if the default password is used, even if it is not accessible from outside. Is it possible to change the installation instructions or the first time boot script for Astroberry such that it requires a user to change the password of the astroberry user? That could be accompanied with a text explaining the risk of choosing a simple password plus a disclaimer that you take no responsibility whatsoever if the system gets hacked.

Please note that I do understand the responsibility you are taking by making available a complete installable OS which typically gets used by people who don't know much (if anything at all) of Linux. Your work is much appreciated and it really helps to popularize astro photography so please don't take this as an attack and keep up the good work!


Wouter
3 years 6 months ago #59297

The trojan is populated via SSH, so it is not really an infection, but rather unauthorized remote access. This applies only to raspberries exposing the SSH service to the public, either assigned a public IP directly or using port forwarding from your ISP router.
Raspbian system (now called Raspberry OS) is provided with a default user account and default password. It also warns the user of a security threat if SSH is enabled and the pi account password has not been changed by the user. It leaves the decision about what to do up to the user, and Astroberry doesn't change this configuration. Well, it used to... up to version 2.0.2, as it disabled the pi account by default for security reasons. Based on users' requests I reverted it to the default Raspbian behaviour in version 2.0.3, so now the pi account is enabled.
Just to clarify on this issue, it is not a vulnerability specific to Astroberry, but to any Linux operating system running on Raspberry Pi with default passwords, specifically Raspbian using pi/raspberry as default credentials.
... and last but not least, it is not a big deal, but it is not a storm in a glass of water either ;-) The trojan renders Astroberry inaccessible and makes critical localhost services unavailable. So changing the default password or locking the pi account can save some time for reflashing the microSD card after the system stops working.
The following user(s) said Thank You: Wouter van Reeven, John Robison, Brian, Spartacus
Last edit: 3 years 6 months ago by Radek Kaczorek.
3 years 6 months ago #59303

Hello,

Given the reluctant ABS users who do want to flatten and start over, this would be disastrous if caught unawares. Losing access to all the configs, fixes, updates, rules, videos, and FITS files would be disastrous.

I think I used pi once under ABS. No loss for right now.
3 years 6 months ago #59395


Moderators: Radek Kaczorek