Make sure that default password to pi account (raspberry) is changed on your Astroberry! Raspberry Pi trojan is going wild these days!
If you connect your system to the Internet exposing SSH service on default port 22, change your default pi password as soon as possible.
You can do it by running:
sudo passwd pi
Changing default password for astroberry user is also recommended.
You can tell if your system has been compromised by running:
If you see entries bins.deutschland-zahlung.eu as in the image below, your system is infected!
I'm referring to any Raspberry Pi system with active pi account, specifically to Astroberry.
Default pi account has been always blocked on Astroberry (for security reasons) and only recently (starting from version 2.0.3) it was unlocked to address users' requests.
All warnings related to default pi password have been left to users attention. Now, the old trojan gets its harvest. Shall I keep listening to users or make it my way?
Thanks for the warning. Is there any info on how one actually can get the trojan? There is no info on that in the Swedish blog post that you liniked to. Like you say yourself, for most of us our raspberry pi's will be running inside a private network and they will not be accessible via ssh from outside so no ill posed hacker will be able to get in and hack the raspberry pi. Forgive me for writing this, but it seems like a storm in a glass of water (meaning a lot of noise over a small thing for those not familiar with Dutch expressions) to me.
Having said that, it is ALWAYS a good idea to change the password of a user if the default password is used, even if it is not accessible from outside. Is it possible to change the installation instructions or the first time boot script for Astroberry such that it requires a user to change the password of the astroberry user? That could be accompanied with a text explaining the risk of choosing a simple password plus a disclaimer that you take no responsibility whatsoever if the system gets hacked.
Please note that I do understand the responsibility you are taking by making available a complete installable OS which typically gets used by people who don't know much (if anything at all) of Linux. Your work is much appreciated and it really helps to popularize astro photography so please don't take this as an attack and keep up the good work!
ASI6200 and filter wheel with a SkyWatcher Esprit 80 ED on a SkyWatcher HEQ5-Pro
ASI1600MM-Pro Cooled and filter wheel with an 8" TS Ritchey-Chrétien on a SkyWatcher EQ6-R
The trojan is populated via SSH, so it is not really an infection, but rather unauthorized remote access. This applies only to raspberries exposing SSH service to the public, either assigned public IP directly of using port forwarding from your ISP router.
Raspbian system (now called Raspberry OS) is provided with default user account and default password. It also warns a user of a security threat if SSH is enabled and pi account password is unchanged by a user. It leaves up to user decision what to do about it and Astroberry doesn't change this configuration. Well, it used to... up to version 2.0.2 as it disabled pi account by default for security reasons. Based on users' request I reverted it to default Raspbian behaviour in version 2.0.3, so now the pi account is enabled.
Just to clarify on this issue, it is not a vulnerability specific to Astroberry, but any linux operating system running on Raspberry Pi with default passwords, specifically Raspbian using pi/raspberry as default credentials.
... and last but not least, it is not a big deal, but it is storm in a glass of water neither The trojan renders Astroberry inaccessible and makes critical localhost services unavailable. So changing default password or locking pi account can save some time for reflashing microSD card after system stops working.
Given the reluctant ABS users who do want to flatten and start over, this would be disastrous if caught unawares. Loosing access to all the configs, fixed, updates, rules, videos, and FITS files would be disastrous.
I think I used pi once under ABS. No loss for right now.