Raspberry Pi trojan going wild!!!

2 months 4 weeks ago
Kaczorek
Moderator
Topic Author
Raspberry Pi trojan going wild!!! #59284
Make sure that the default password for the pi account (raspberry) is changed on your Astroberry! The Raspberry Pi trojan is going wild these days!
If you connect your system to the Internet, exposing the SSH service on the default port 22, change your default pi password as soon as possible.
You can do it by running:
sudo passwd pi

Changing the default password for the astroberry user is also recommended.

You can tell if your system has been compromised by running:
cat /etc/hosts

If you see entries for bins.deutschland-zahlung.eu, as in the image below, your system is infected!

--
Radek Kaczorek
Astroberry Server | NEQ6 | Atik 460EX | Atik EFW2 | ASI 120MM

2 months 4 weeks ago
Kaczorek
Moderator
Topic Author
Raspberry Pi trojan going wild!!! #59285
Details on the trojan can be found here: www.tobsan.se/update/2017/11/06/rpi-trojan.html

--
Radek Kaczorek
Astroberry Server | NEQ6 | Atik 460EX | Atik EFW2 | ASI 120MM


2 months 4 weeks ago
Megiddo
Gold Boarder
Raspberry Pi trojan going wild!!! #59286
If you are referring to the default PW that comes with SM? Can we change the length to something as short as the default? I have to type it in so many times, the required length is just nuts.


2 months 4 weeks ago
Kaczorek
Moderator
Topic Author
Raspberry Pi trojan going wild!!! #59289
I'm referring to any Raspberry Pi system with an active pi account, specifically to Astroberry.
The default pi account has always been blocked on Astroberry (for security reasons) and only recently (starting from version 2.0.3) was it unlocked to address users' requests.
All warnings related to the default pi password have been left to users' attention. Now the old trojan gets its harvest. Shall I keep listening to users or make it my way? ;-)

--
Radek Kaczorek
Astroberry Server | NEQ6 | Atik 460EX | Atik EFW2 | ASI 120MM


2 months 4 weeks ago
Kaczorek
Moderator
Topic Author
Raspberry Pi trojan going wild!!! #59290
You can lock and disable the default pi account by running:
sudo usermod -L pi && sudo usermod -s /sbin/nologin pi

--
Radek Kaczorek
Astroberry Server | NEQ6 | Atik 460EX | Atik EFW2 | ASI 120MM
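
A read-only check covering the advice in the posts above (the /etc/hosts entry, and whether the pi account is locked or has its shell disabled), as an added example that is not part of the thread. The function names, the FINDING messages and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read-only audit of the checks discussed here.
# File paths are arguments, so it also works on a mounted copy of the microSD card.
# On a live system, as root: audit_pi /etc/hosts /etc/shadow /etc/passwd
IOC_DOMAIN="bins.deutschland-zahlung.eu"    # domain named in the first post

hosts_has_ioc() {       # $1 = hosts file; exit 0 if an active line names the domain
    grep -v '^[[:space:]]*#' "$1" | grep -qiF "$IOC_DOMAIN"
}

pw_state() {            # $1 = user, $2 = shadow file -> locked | empty | set | absent
    awk -F: -v u="$1" '
        $1 == u { found = 1
                  if ($2 == "")          print "empty"
                  else if ($2 ~ /^[!*]/) print "locked"
                  else                   print "set" }
        END     { if (!found) print "absent" }' "$2"
}

login_shell() {         # $1 = user, $2 = passwd file -> seventh field (login shell)
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

audit_pi() {            # $1 = hosts, $2 = shadow, $3 = passwd; exit 0 only if no finding
    findings=0
    if hosts_has_ioc "$1"; then
        echo "FINDING: $IOC_DOMAIN listed in $1"; findings=$((findings + 1))
    fi
    case "$(pw_state pi "$2")" in
        locked|absent) ;;
        *) echo "FINDING: pi has a usable password; lock it or confirm it is not the default"
           findings=$((findings + 1)) ;;
    esac
    case "$(login_shell pi "$3")" in
        */nologin|*/false|"") ;;
        *) echo "FINDING: pi still has an interactive login shell"; findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

make_sample() {         # $1 = directory; writes CONSTRUCTED sample files for a dry run
    printf '127.0.0.1 localhost\n127.0.0.1 bins.deutschland-zahlung.eu\n' > "$1/hosts"
    printf 'pi:$6$constructedsalt$constructedhash:18500:0:99999:7:::\n' > "$1/shadow"
    printf 'pi:x:1000:1000:,,,:/home/pi:/bin/bash\n' > "$1/passwd"
}
```

The password check only reads the lock marker in the shadow file; it cannot tell whether an unlocked password is still the default one.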


2 months 4 weeks ago
wvreeven
Supernova Explorer
Raspberry Pi trojan going wild!!! #59297
Thanks for the warning. Is there any info on how one actually can get the trojan? There is no info on that in the Swedish blog post that you linked to. Like you say yourself, for most of us our raspberry pi's will be running inside a private network and they will not be accessible via ssh from outside so no ill posed hacker will be able to get in and hack the raspberry pi. Forgive me for writing this, but it seems like a storm in a glass of water (meaning a lot of noise over a small thing for those not familiar with Dutch expressions) to me.

Having said that, it is ALWAYS a good idea to change the password of a user if the default password is used, even if it is not accessible from outside. Is it possible to change the installation instructions or the first time boot script for Astroberry such that it requires a user to change the password of the astroberry user? That could be accompanied with a text explaining the risk of choosing a simple password plus a disclaimer that you take no responsibility whatsoever if the system gets hacked.

Please note that I do understand the responsibility you are taking by making available a complete installable OS which typically gets used by people who don't know much (if anything at all) of Linux. Your work is much appreciated and it really helps to popularize astro photography so please don't take this as an attack and keep up the good work!


Wouter

Wouter van Reeven

ASI6200 and 7 slot 2" filter wheel with a SkyWatcher Esprit 80 ED on a SkyWatcher HEQ5-Pro
ASI1600MM-Pro Cooled and 5 slot 1.25" filter wheel with an 8" TS Ritchey-Chrétien on a SkyWatcher EQ6-R


2 months 4 weeks ago (last edit: 2 months 4 weeks ago by Kaczorek)
Kaczorek
Moderator
Topic Author
Raspberry Pi trojan going wild!!! #59303
The trojan is populated via SSH, so it is not really an infection, but rather unauthorized remote access. This applies only to Raspberries exposing the SSH service to the public, either assigned a public IP directly or using port forwarding from your ISP router.
The Raspbian system (now called Raspberry OS) is provided with a default user account and default password. It also warns a user of a security threat if SSH is enabled and the pi account password is unchanged by the user. It leaves it up to the user to decide what to do about it, and Astroberry doesn't change this configuration. Well, it used to... up to version 2.0.2, as it disabled the pi account by default for security reasons. Based on users' requests I reverted it to the default Raspbian behaviour in version 2.0.3, so now the pi account is enabled.
Just to clarify on this issue, it is not a vulnerability specific to Astroberry, but to any Linux operating system running on Raspberry Pi with default passwords, specifically Raspbian using pi/raspberry as default credentials.
... and last but not least, it is not a big deal, but it is not a storm in a glass of water either ;-) The trojan renders Astroberry inaccessible and makes critical localhost services unavailable. So changing the default password or locking the pi account can save some time for reflashing the microSD card after the system stops working.

--
Radek Kaczorek
Astroberry Server | NEQ6 | Atik 460EX | Atik EFW2 | ASI 120MM
The following user(s) said Thank You wvreeven, AradoSKYindi, starman345, Spartacus


2 months 3 weeks ago
AradoSKYindi
Gold Boarder
Raspberry Pi trojan going wild!!! #59395
Hello,

Given the reluctant ABS users who do want to flatten and start over, this would be disastrous if caught unawares. Losing access to all the configs, fixed, updates, rules, videos, and FITS files would be disastrous.

I think I used pi once under ABS. No loss for right now.
