I’d suggest rolling back any changes you’ve made, one by one, to see if the problem still persists.
I turned off cameras and changed passwords. Today is ok. So I dont know what it was.
Will se if it get back.
One thing that I found was that one of my cameras were connecting and disconnecting from mqtt server after every state change.
So there was lag on mosquitto and maybe mosquitto malfunction? I dont know. after turning camera off for now it stopped doing crazy stuff:)
I trashed some generic clone IP cameras, because I found they all had backdoors and where communicating to IP’s located in china, despite all cloud settings being disabled. They would also randomly spike and transmit several hundred megs. they all went in trash.
4 Likes
Could someone have gained access to your wifi network? I.e a pesky neighbor?
If this happens again, you may want to check your router for new device connections.
Also, if you’re router supports it, you may find it more secure to setup a openVpn connection to access your network remotely when you are not home.
This keeps you form exposing ports to the outside which is constantly being scanned for open ports and services that can be compromised.
I think general cyber security is really lacking for the general home user.
I think as general advice, if you ever think any system on your network is hacked or compromised in any way is to minimise the impact it may have, if indeed it is hacked.
In this case, I would recommend:
- Turn off all open ports to the Internet - for all devices, not just OpenHAB. If your router supports uPNP, turn that off too (as it allows devices to open ports for themselves).
- Any devices without passwords should be switched off, or else have a password added (see below about cameras specifically though)
- Add additional controls to anything being misused. If lights are going on and off, then maybe tighten the ways lights can be controlled (eg. if you’ve got a wifi switch to control them, temporarily disable that and just use buttons on the OpenHAB UI to control it)
By now the lights should have stopped flashing, and things should be roughly back to normal (bear in mind that you’re still “hacked” in so much as your systems may have malware installed on them, but the attackers can’t get to the malware right now because you’ve disconnected it from the Internet).
Now you can start to investigate, by looking at logs and trying to work out what was hacked, what the route into it was and what you can do to clean it up. If you can’t be certain that you know how to clean up, then you should probably assume everything is hacked and re-install all your systems from scratch. Switch it all off, and then go around one-by-one, keeping it off the network until it’s re-installed.
Since you mentioned cameras with no passwords, if they were accessible from the Internet (which it sounds like they were), you should probably consider them entirely compromised. They may have had their firmware changed, and so there’s now no way to recover (replacing the firmware may look like it’s worked, but may still have left malware on the camera). Same goes for adding a password - it may look like it’s worked, but there may still be another password that lets the hackers in. Sadly, cameras such as this are notorious for this, and unless you really know what you’re doing, you should now throw them away (perhaps also do the world a favour and smash them up with a hammer so no one finding them might think “oh, I could recycle that”).
In a way, if you have been hacked, the hackers just did you a favour. They may have been able to watch/hear you (via the cameras), log on to your systems and download your files for years. By messing with your lights they notified you of their presence, so now you know to fix things up.
1 Like
You can’t be certain.
1 Like
openhabian/openhabian is part of public known user password combinations
so not surprised bots will try that combination.
1 Like
I am receiving the same error in my logs today. Just starting investigating
any results?
Hi,
I’ve been getting the same errors in the openhab log today, [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token naturally I was a bit worried too. I upgraded from v2 to v3 two days ago, I’ve checked the following logs: sudo cat /var/log/auth.log, sudo cat /var/log/mosquitto/mosquitto.log aswell as others and done a netstat and nothing looks funky… In the logs there was one ssh connection from my user over 24 hour period which matches up with my usage…
I’ve been having influx errors but that’s another issue, I just need to drop the measurements and series in Influx…
I’ve not any commands firing off that shouldn’t be though… looking into my events.log
UFW is enabled and tied down quite heavily: sudo ufw status numbered
I’ve got one outgoing connection to Openhab cloud, looks right. sudo netstat -tun
ClamAV hasnt picked up anything over the last week and I’ve not got any rogue applications using the CPU, checked this using: sudo top -d 1
I’ve checked the running processes for all users on the system:
sudo pgrep -au root
sudo pgrep -au myusername
sudo pgrep -au openhab
Nothing un-towards there either…
I’ve checked the system a bit more using: sudo ps -axZ
Nothing weird here either.
I’ve checked the sudo cat /etc/passwd and there isn’t any users created or that shouldn’t be there… There was a user called Tango, pointing to a /var/lib/tango but I’m pretty sure this was an artifact from an old installation/experiment with my zoneminder server.
I’ve also ran: sudo rkhunter -c (you will need a config file first.), no rootkits have been found.
I’ll update if anything else comes through. I run a enterprise level firewall on my network, I will also check the connections incoming to openhab from that side.
But if I’m honest I’m thinking for my side this is just a connection error with something… maybe to do with frontail or something else. The webgui was being wierd when this error occured kind of hanging…
I’ll have to see if i can replicate it again.
Good Luck, I hope your system hasn’t been hacked.
Take Care, B
(Thanks @rlkoshak)
Update:
I noticed after reviewing my openhab settings the password for openhab-cli was reset to the default password. 
I presume this was after the upgrade from v2 to v3. I hadn’t done much work with the cli tool so i didnt notice… Now updated this to a stronger password for openhab-cli, Thx @Kamil_Matuszczak for the reply.
````
code goes here
```
Or for inline
Some text `code` some more text
1 Like
Please be clear, what errors? What is happening for you?
You know this because … you’ve inspected the events.log perhaps?
The [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token error and Yes I checked the /var/log/openhab/events.log, I have now updated my first post accordingly, Thanks.
2 Likes
When I had this strange behaviour my password was weak.
Now when I have everything secured I se this error once in a time. This means that someone is trying to get into my system, but has no access.
Thanks Kamil, I noticed after reviewing my openhab settings the password for openhab-cli was the default password.
I presume this was after the upgrade from v2 to v3. I have now updated this to a stronger password these are the only logs recorded since the upgrade.
2021-02-17 18:17:45.461 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:51.509 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:51.527 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:51.644 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:53.988 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:54.002 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:58.439 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:58.451 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:17:58.506 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:00.466 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:00.467 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:06.695 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:06.724 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:06.775 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:06.848 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:08.338 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
2021-02-17 18:18:08.342 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token````Just because I found this accidently:
It’s probably related:
I had the same error/warn message:
2021-07-11 21:30:59.389 [WARN ] [ore.io.rest.auth.internal.AuthFilter] - Unauthorized API request: Error while processing JWT token
And it was gone after I closed my mainUI (which was still open after a reboot)
I am reopening this old thread as apparently this MQTT issue seems to be the culprit of random lights and Sonos speaker going on at 100 % at random times, at least in our installation.
I’m not using MQTT explicitly, but the Niko Home Control binding is.
I think my Niko Home Control hobby API token expired, resulting in MQTT disconnect events. A couple seconds later almost all Items get 100% commands: lights, blinds and a Sonos speaker.
I did a fresh reinstall on a new microSD card. I also updated some passwords, just to be sure.
And yet, out of the blue, the Ikea/Sonos Symfonisk speaker starts to blast at night at full power.
Here’s an extract of events.log where this happens:
2023-03-07 22:30:57.323 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Volume' received command 100
2023-03-07 22:30:57.329 [INFO ] [penhab.event.ItemStatePredictedEvent] - Item 'SYMFONISK_Bookshelf_Kitchen_Volume' predicted to become 100
2023-03-07 22:30:57.357 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Volume' changed from 32 to 100
2023-03-07 22:30:59.597 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command PLAY
2023-03-07 22:30:59.600 [INFO ] [penhab.event.ItemStatePredictedEvent] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' predicted to become PLAY
2023-03-07 22:30:59.617 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' changed from PAUSE to PLAY
2023-03-07 22:30:59.718 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo to VRT Klara Continuo - ZPSTR_CONNECTING
2023-03-07 22:30:59.917 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo - ZPSTR_CONNECTING to VRT Klara Continuo - ZPSTR_BUFFERING
2023-03-07 22:31:02.203 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo - ZPSTR_BUFFERING to VRT Klara Continuo
2023-03-07 22:31:03.191 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo to VRT Klara Continuo - Maria Joao Pires (piano)
2023-03-07 22:31:18.238 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo - Maria Joao Pires (piano) to VRT Klara Continuo - Robert Schumann
2023-03-07 22:31:38.171 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo - Robert Schumann to VRT Klara Continuo - Waldszenen op.82: 7.Vogel als Prophet-8.Jagdlied-9.Abschied
2023-03-07 22:31:58.234 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo - Waldszenen op.82: 7.Vogel als Prophet-8.Jagdlied-9.Abschied to VRT Klara Continuo - Maria Joao Pires (piano)
2023-03-07 22:32:18.224 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo - Maria Joao Pires (piano) to VRT Klara Continuo - Robert Schumann
2023-03-07 22:32:22.600 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command NEXT
2023-03-07 22:32:24.319 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command NEXT
2023-03-07 22:32:25.845 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command NEXT
2023-03-07 22:32:26.754 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command NEXT
2023-03-07 22:32:27.759 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command NEXT
2023-03-07 22:32:28.792 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command PREVIOUS
2023-03-07 22:32:29.616 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command PREVIOUS
2023-03-07 22:32:29.825 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command PREVIOUS
2023-03-07 22:32:30.013 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command PREVIOUS
2023-03-07 22:32:30.182 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command PREVIOUS
2023-03-07 22:32:30.375 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command PREVIOUS
2023-03-07 22:32:30.545 [INFO ] [openhab.event.ItemCommandEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Media_Control' received command PREVIOUS
2023-03-07 22:32:39.196 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo - Robert Schumann to VRT Klara Continuo - Waldszenen op.82: 7.Vogel als Prophet-8.Jagdlied-9.Abschied
2023-03-07 22:32:59.229 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo - Waldszenen op.82: 7.Vogel als Prophet-8.Jagdlied-9.Abschied to VRT Klara Continuo - 6 Consolations
2023-03-07 22:33:19.253 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo - 6 Consolations to VRT Klara Continuo - Nelson Freire (piano)
2023-03-07 22:33:39.239 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo - Nelson Freire (piano) to VRT Klara Continuo - Franz Liszt
2023-03-07 22:33:59.242 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo - Franz Liszt to VRT Klara Continuo - 6 Consolations
2023-03-07 22:34:19.206 [INFO ] [openhab.event.ItemStateChangedEvent ] - Item 'SYMFONISK_Bookshelf_Kitchen_Current_Track' changed from VRT Klara Continuo - 6 Consolations to VRT Klara Continuo - Nelson Freire (piano)
Unfortunately openhab.logreports nothing at the time this happens.
Do you have any ports forwarded on your router? First thing would be to close these and see if it still happens.
How did you do the fresh install? Copy the SD? Or install OH again and just copy over the configuration?