Malware after installation Openhabianpi on RaspberryPi

Hello,
I wanted to start my Smarthome environment using a newly bought Raspberry Pi 3+. I followed the steps written here: https://www.openhab.org/download/ No problems until Step 5 (installation completed). Using Safari (works only with all extensions off) on my Mac to reach http://openhabianpi:8080, a website opens which is simply malware (phishing/Trojan). At the first try of installation Kaspersky blocked the site. On the 2nd try (openHABian newly loaded), following all steps anew led to the same result (this time a new phishing website).

I downloaded Etcher from their website.
My question is: Where is the mistake? Etcher? Openhabian? SD-Card? Or even the raspberry?

Are the sizes right:
Openhabian…img.gz = 254,8MB
Flashed SD-Card: Capacity = 43,1MB, Used = 23,1MB, Available = 251,3 MB

  • Platform information:
    • Hardware: iMac with Mac OS 10.14, RaspberryPi 3 B+
    • Java Runtime Environment: which java platform is used and what version
    • openHAB version: 2.3 - Openhabian 1.4.1

Hope there is a solution…

This sounds more like there is malware installed on your Mac as opposed to the RPi. For one, I’ve never heard of such a thing happening on the RPi, but I have seen this sort of behavior when a desktop machine gets pwnd with malware. Or it might be your gateway that has been compromised.

You can run some tests to verify some of this though.

From the terminal of a machine, preferably some other machine (or using an app on your phone) run

ping openhabianpi

Does the returned IP address make sense? Is it on your local network? When you ssh to the RPi it tells you the IP address of the machine; does that IP address match what was returned by ping? Can you even ssh to the RPi? If not, plug it into a monitor and keyboard, log in that way and see what it says.

If you bring up the OH webpage using the IP address in place of openhabianpi does it work or does it still send you to the phishing site? http://<confirmed ip address of the RPi>:8080.

If the IP address of the RPi doesn’t match what gets returned by ping then for sure you have malware but it isn’t on the RPi. It’s on your Mac or on your gateway. Something has compromised your hosts file or your DNS.
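The three checks in the reply above (does the name resolve, is the result on the local network, does it match the address the Pi itself reports) can be scripted. The following is an added example and not code from the thread or from the openHABian project; the hostname, the addresses and the hosts-file contents used in it are constructed, and the address you pass as the Pi's "real" IP is assumed to come from the ssh banner or the Pi's console.

```shell
#!/bin/sh
# Added example (not from the openHAB thread): sanity-check where a hostname
# resolves before trusting what a browser shows for it.

# Return 0 if a dotted-quad IPv4 address is in an RFC 1918 private range
# (10/8, 172.16/12, 192.168/16) or link-local 169.254/16; 1 otherwise.
is_private_ip() {
  case "$1" in
    10.*|192.168.*|169.254.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve a hostname with whatever resolver tool the machine has (Linux
# getent, macOS dscacheutil, else host) and print the first IPv4 address,
# or nothing if the name does not resolve.
resolve_host() {
  name="$1"
  if command -v getent >/dev/null 2>&1; then
    getent ahostsv4 "$name" 2>/dev/null | awk 'NR == 1 { print $1 }'
  elif command -v dscacheutil >/dev/null 2>&1; then
    dscacheutil -q host -a name "$name" | awk '/^ip_address:/ { print $2; exit }'
  else
    host "$name" 2>/dev/null | awk '/has address/ { print $4; exit }'
  fi
}

# Print the address a hosts file maps NAME to (first match, comments ignored).
# Arguments: path to the hosts file, hostname.
find_hosts_entry() {
  awk -v n="$2" '
    /^[[:space:]]*#/ { next }
    { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
  ' "$1"
}

# Classify a resolution result. Arguments: hostname, resolved address (may be
# empty), address the Pi itself reports. Prints a verdict and returns:
#   0 = resolves to the Pi
#   1 = no local resolution (a browser may fall back to a search or a .com name)
#   2 = resolves to another LAN address (check the router's DHCP/DNS)
#   3 = resolves to a public address (check the hosts file and the DNS server)
classify() {
  name="$1"; got="$2"; expected="$3"
  if [ -z "$got" ]; then
    echo "$name: no local resolution; use http://$expected:8080 or $name.local"
    return 1
  fi
  if [ "$got" = "$expected" ]; then
    echo "$name -> $got (matches the Pi)"
    return 0
  fi
  if is_private_ip "$got"; then
    echo "$name -> $got is on the LAN but is not the Pi ($expected)"
    return 2
  fi
  echo "$name -> $got is a public address: check /etc/hosts and the DNS server"
  return 3
}

# Usage: sh check_name.sh openhabianpi 192.168.1.50
# (second argument: the address the Pi reports on its console or ssh banner;
# 192.168.1.50 is a constructed value)
if [ "$#" -ge 2 ]; then
  hosts_ip=$(find_hosts_entry /etc/hosts "$1")
  [ -n "$hosts_ip" ] && echo "/etc/hosts pins $1 to $hosts_ip"
  classify "$1" "$(resolve_host "$1")" "$2"
fi
```

Run it from the Mac and, separately, from another device on the same network: if the two disagree, or the Mac's /etc/hosts pins the name to something other than the Pi, the problem is on the Mac rather than on the Pi. Return code 1 is the case the thread later settles on: the name simply does not resolve locally, so the browser is free to try something else.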

Is it right that the filesystem of the SD-Card is “MS-DOS FAT 32”?

Thank you. Tried some things and it did not help.

Since my system is updated and also Kaspersky is on I think there is no problem here. Also it is only a fake website which wants to phish…

Only a small portion of the SD card is FAT32. That is the /boot folder and it should look something like

All of the steps above are to identify WHERE the malware is on your network. They won’t fix it. You can’t fix it until you know where the infection resides.

You know for certain you have malware somewhere. Kaspersky can only identify malware that it knows about (i.e. it can’t identify malware it has never seen before) and malware that doesn’t know how to get around it. Having an updated system with anti-virus is no guarantee that you are not infected.

No, it’s not only a fake website. It is unknown software running on your network. What you do know is that it is malicious. And just because the parts you can see are “just a phishing site” doesn’t mean it isn’t also stealing your account information, transferring all your files, adding your machines to a botnet, or otherwise using your machines to attack someone else.

This is a REALLY BIG DEAL. Don’t be blasé about it. You really do need to make the effort to find the source of the problem.

One more test you can make to verify whether it is actually the RPi or not. Unplug it and open http://openhabianpi:8080 in a browser. If you still get the phishing site you know the malware is not on the RPi and running somewhere else on your network.

You also might want to install and run MalwareBytes. It catches a lot of malware that anti-virus does not.

But, unless the unlikely has happened and the malware did come from openHABian, this is going to be a problem for some other forum.


Thanks for your heads-up and advice.

I tested this last night and it is like you wrote: I get the site only with the RPi on. So IMHO the problem is on the RPi or the SD card image.

I am going to test it with the environment of a friend of mine (SD flashing).

Where did you buy your SD-Card?
Maybe there is a hidden partition on it or something like that…

Very interesting.

Can you describe the process you followed to set up this SD card? You can’t provide enough detail on this. I want to know every step you took, from the URLs you went to to download, forward.

If it is on the RPi, which seems to be the case, then we need to know how it got there so we can prevent this from happening to others.

Can you post a screenshot of the phishing site you see? That may help identify what the malware is.

I would have assumed that Etcher would have wiped out any hidden partition on the SD card. Maybe not?

Okay. With a new SD card I tried the whole setup again. After long waiting I can provide the following information:

1. openHABian is installed on the RPi. Background: using Terminal.app I got onto the RPi by ssh. I have the login screen and already changed the password.

2. I can not reach http://openhabianpi:8080 in Safari/Firefox to get to the openHAB dashboard. Mistakenly using only http://openhabian gets me to a malicious site (see virustotal.com).

So I have a new problem. But I am one step further.

Another topic shows the solution: using http://ip-address-of-pi:8080 shows the dashboard. Seems to be an issue with DNS…

I think the Problem is solved.

This doesn’t seem to add up then…
You had this name resolution redirection to the phishing site only when the rPi was on or also when it was off?

what do you mean? how? :slight_smile:
this is important to know if there is something that could affect the openHABian (doubt it but you never know)

which is your DNS server?
to which ip does the hostname openhabian resolve to?

The problem is solved for me, because the RPi runs openHABian and I can use it via Finder/Safari. I only have to use the IP address.

The problem is also in this topic: "http://openhabianpi:8080/" stopped working; IP address still works

I would say you still have DNS issues then. But it’s not related to the RPi.


That thread describes a failure in name resolution of the hostname openhabianpi.
You reported that you were being redirected to a phishing website when trying to access http://openhabianpi:8080 and/or http://openhabianpi from your PC (and only when the rPi was on).

Are you still getting the Kaspersky warning about the phishing website when you try to use the hostname in the URL?

If yes: there is some kind of malware somewhere

edit: Most likely: http://www.myantispyware.com/2018/03/19/how-to-remove-onclickbright-com-redirect-chrome-firefox-ie-edge/

For Safari, see: https://www.pcrisk.com/removal-guides/12846-onclickbright-com-pop-up-redirect#safari


Looks like somebody registered “openhabianpi.com” and redirects it to phishing/malware sites. In case you just enter “openhabianpi:8080” in the browser and a local host with that name cannot be found, many browsers automatically try openhabianpi.com instead.

So in case anything goes wrong with the installation, or the user tries to open the URL too early, before the web server is started, he will be redirected. Although it is not exactly openHABian’s fault, it sheds a bad light on the project; I would recommend changing the installation documentation to avoid this problem.
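The fallback described above leaves a recognisable trace on the resolver: a client queries the bare single-label name, gets no answer, and a moment later queries the same label under a public TLD. The following is an added example, not code from the thread or the openHABian project, that flags that pattern in a dnsmasq-style query log so a home router or Pi-hole operator can spot it. The log lines, timestamps, client addresses and the upstream server address are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the openHAB thread): detect "bare name, then name.<tld>"
# lookups in a dnsmasq-style query log. Every address and line below is constructed.

# Constructed log lines in dnsmasq's "query[TYPE] name from client" form.
SAMPLE_LOG='Jan 10 21:02:11 dnsmasq[812]: query[A] openhabianpi from 192.168.1.20
Jan 10 21:02:11 dnsmasq[812]: config openhabianpi is NXDOMAIN
Jan 10 21:02:12 dnsmasq[812]: query[A] openhabianpi.com from 192.168.1.20
Jan 10 21:02:12 dnsmasq[812]: forwarded openhabianpi.com to 203.0.113.53
Jan 10 21:05:40 dnsmasq[812]: query[A] openhabianpi.local from 192.168.1.31
Jan 10 21:06:02 dnsmasq[812]: query[A] printer from 192.168.1.31
Jan 10 21:06:02 dnsmasq[812]: reply printer is 192.168.1.9'

# Read a query log on stdin and print "client label fallback-name" for every
# client that queried a bare single-label name and, within WINDOW seconds
# (argument 1, default 10), the same label under a public TLD. Names ending
# in .local are mDNS-style and are not treated as a fallback.
find_fallbacks() {
  awk -v win="${1:-10}" '
    function epoch(h,   a) { split(h, a, ":"); return a[1] * 3600 + a[2] * 60 + a[3] }
    $5 ~ /^query/ {
      t = epoch($3); name = $6; client = $8
      if (name !~ /\./) {          # bare label: remember when this client asked for it
        last[client "|" name] = t
        next
      }
      n = split(name, p, ".")
      key = client "|" p[1]
      if (n == 2 && p[2] != "local" && (key in last) && t - last[key] <= win)
        print client, p[1], name
    }
  '
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | find_fallbacks 10
# Expected: 192.168.1.20 openhabianpi openhabianpi.com
if [ -t 1 ]; then
  printf '%s\n' "$SAMPLE_LOG" | find_fallbacks 10
fi
```

On a real router, feed it `journalctl -u dnsmasq` or the Pi-hole query log instead of the constructed sample; a hit means a device on the LAN typed a local name that did not resolve and the browser or OS appended a suffix. The fix is on the client side of the thread's advice: open the dashboard by IP address, or by a name that carries a suffix the local resolver actually answers (openhabianpi.local, or the router's own domain), so there is nothing for the browser to "complete".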


If you have a recommendation for what to change in the install docs to avoid this problem there is a link at the bottom of the page that will take you straight to that file in GitHub where you can edit it and submit a PR.

Happened to me too. No spyware installed, but I got redirected

I would say, in most cases this is normal behavior, as the browsers take your input as something to be searched and “fix” the ending of your entry happily.
In this case (if I understand correctly) openhabianpi.com is opened automatically.

In local networks, unless the router provides a suffix, hostname.local should be used.
In other cases the suffix can be configured but usually defaults to what is provided by the vendor (e.g. for Fritz!Box it is hostname.fritz).

In this thread openhabianpi is mentioned, but I have openhab as hostname for my rpi with the standard OH SD image.
Perhaps it is changed to that in the SD image in the meanwhile.