HELP! Someone Hacked my system? Lights and other turning on and off randomly. OH3 Snapshot

This may not be relevant to your particular situation, but at one point I added a Zwave Steinel outdoor floodlight to my system and it caused all manner of “weird” behaviour with my OpenHab setup (other devices turning on, not responding to commands, etc). Once I removed it, everything else returned to normal. So, is it possible you added some new device that could be messing the rest up?

hmmm
I didnt add anything new, but one of my sonoff switch is reseting once in few days. maybe this time something else went wrong?
But strange is that whole day nothing happens. Only after dark.

I have one rule to turn on 3 lights after dark, ant turn off all lights after 1:00am. but newer had problems with it. And even if this is the problem that doesnt explain what is happening with other items.

but this is only one open port for separate IP from outside to one IP stictly for camera inside my net, not for IP where OPENHAB is.

I’d suggest rolling back any changes you’ve made, one by one, to see if the problem still persists.

I turned off cameras and changed passwords. Today is ok. So I dont know what it was.
Will se if it get back.

One thing that I found was that one of my cameras were connecting and disconnecting from mqtt server after every state change.
So there was lag on mosquitto and maybe mosquitto malfunction? I dont know. after turning camera off for now it stopped doing crazy stuff:)

I trashed some generic clone IP cameras, because I found they all had backdoors and where communicating to IP’s located in china, despite all cloud settings being disabled. They would also randomly spike and transmit several hundred megs. they all went in trash.

3 Likes

Could someone have gained access to your wifi network? I.e a pesky neighbor?

If this happens again, you may want to check your router for new device connections.

Also, if you’re router supports it, you may find it more secure to setup a openVpn connection to access your network remotely when you are not home.

This keeps you form exposing ports to the outside which is constantly being scanned for open ports and services that can be compromised.

I think general cyber security is really lacking for the general home user.

I think as general advice, if you ever think any system on your network is hacked or compromised in any way is to minimise the impact it may have, if indeed it is hacked.

In this case, I would recommend:

  1. Turn off all open ports to the Internet - for all devices, not just OpenHAB. If your router supports uPNP, turn that off too (as it allows devices to open ports for themselves).
  2. Any devices without passwords should be switched off, or else have a password added (see below about cameras specifically though)
  3. Add additional controls to anything being misused. If lights are going on and off, then maybe tighten the ways lights can be controlled (eg. if you’ve got a wifi switch to control them, temporarily disable that and just use buttons on the OpenHAB UI to control it)

By now the lights should have stopped flashing, and things should be roughly back to normal (bear in mind that you’re still “hacked” in so much as your systems may have malware installed on them, but the attackers can’t get to the malware right now because you’ve disconnected it from the Internet).

Now you can start to investigate, by looking at logs and trying to work out what was hacked, what the route into it was and what you can do to clean it up. If you can’t be certain that you know how to clean up, then you should probably assume everything is hacked and re-install all your systems from scratch. Switch it all off, and then go around one-by-one, keeping it off the network until it’s re-installed.

Since you mentioned cameras with no passwords, if they were accessible from the Internet (which it sounds like they were), you should probably consider them entirely compromised. They may have had their firmware changed, and so there’s now no way to recover (replacing the firmware may look like it’s worked, but may still have left malware on the camera). Same goes for adding a password - it may look like it’s worked, but there may still be another password that lets the hackers in. Sadly, cameras such as this are notorious for this, and unless you really know what you’re doing, you should now throw them away (perhaps also do the world a favour and smash them up with a hammer so no one finding them might think “oh, I could recycle that”).

In a way, if you have been hacked, the hackers just did you a favour. They may have been able to watch/hear you (via the cameras), log on to your systems and download your files for years. By messing with your lights they notified you of their presence, so now you know to fix things up.

1 Like

You can’t be certain.

1 Like

openhabian/openhabian is part of public known user password combinations
so not surprised bots will try that combination.

see: https://github.com/danielmiessler/SecLists/blob/master/Passwords/Default-Credentials/windows-betterdefaultpasslist.txt

1 Like

I am receiving the same error in my logs today. Just starting investigating

any results?

Hi,

I’ve been getting the same errors in the openhab log today, [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token naturally I was a bit worried too. I upgraded from v2 to v3 two days ago, I’ve checked the following logs: sudo cat /var/log/auth.log, sudo cat /var/log/mosquitto/mosquitto.log aswell as others and done a netstat and nothing looks funky… In the logs there was one ssh connection from my user over 24 hour period which matches up with my usage…

I’ve been having influx errors but that’s another issue, I just need to drop the measurements and series in Influx…

I’ve not any commands firing off that shouldn’t be though… looking into my events.log

UFW is enabled and tied down quite heavily: sudo ufw status numbered

I’ve got one outgoing connection to Openhab cloud, looks right. sudo netstat -tun

ClamAV hasnt picked up anything over the last week and I’ve not got any rogue applications using the CPU, checked this using: sudo top -d 1

I’ve checked the running processes for all users on the system:
sudo pgrep -au root
sudo pgrep -au myusername
sudo pgrep -au openhab

Nothing un-towards there either…

I’ve checked the system a bit more using: sudo ps -axZ

Nothing weird here either.

I’ve checked the sudo cat /etc/passwd and there isn’t any users created or that shouldn’t be there… There was a user called Tango, pointing to a /var/lib/tango but I’m pretty sure this was an artifact from an old installation/experiment with my zoneminder server.

I’ve also ran: sudo rkhunter -c (you will need a config file first.), no rootkits have been found.

I’ll update if anything else comes through. I run a enterprise level firewall on my network, I will also check the connections incoming to openhab from that side.

But if I’m honest I’m thinking for my side this is just a connection error with something… maybe to do with frontail or something else. The webgui was being wierd when this error occured kind of hanging…

I’ll have to see if i can replicate it again.

Good Luck, I hope your system hasn’t been hacked.

Take Care, B

(Thanks @rlkoshak)

Update:

I noticed after reviewing my openhab settings the password for openhab-cli was reset to the default password. :expressionless:

I presume this was after the upgrade from v2 to v3. I hadn’t done much work with the cli tool so i didnt notice… Now updated this to a stronger password for openhab-cli, Thx @Kamil_Matuszczak for the reply.

````
code goes here
```

Or for inline

Some text `code` some more text
1 Like

Please be clear, what errors? What is happening for you?

You know this because … you’ve inspected the events.log perhaps?

The [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token error and Yes I checked the /var/log/openhab/events.log, I have now updated my first post accordingly, Thanks.

2 Likes

When I had this strange behaviour my password was weak.
Now when I have everything secured I se this error once in a time. This means that someone is trying to get into my system, but has no access.

Thanks Kamil, I noticed after reviewing my openhab settings the password for openhab-cli was the default password.

I presume this was after the upgrade from v2 to v3. I have now updated this to a stronger password these are the only logs recorded since the upgrade.


2021-02-17 18:17:45.461 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:51.509 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:51.527 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:51.644 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:53.988 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:54.002 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:58.439 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:58.451 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:58.506 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:00.466 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:00.467 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:06.695 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:06.724 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:06.775 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:06.848 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:08.338 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:08.342 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token````

Just because I found this accidently:
It’s probably related:

I had the same error/warn message:

2021-07-11 21:30:59.389 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token

And it was gone after I closed my mainUI (which was still open after a reboot)