Dear all
I would like to inform you about an attack against my openHAB infrastructure. The hacker found a way into my system through some kind of open, i.e. exposed, ports and placed some kind of malware on my server.
As a result, my system then tried to hack other systems over outgoing SSH connections. I was informed about this issue by my internet provider, as they had received reports from security providers.
The details from the provider came as follows (IP addresses and username anonymized):
description: This host has most likely been performing brute-force attacks against third parties.
feeder: shadowserver
destination ip: 216.X.Y.Z
destination port: 22
source ip: 80.A.B.C
source port: 60540
protocol: ssh
source: GCA-IoT
start time: 2019-06-29T02:20:29.036033UTC+0
end time: 2019-06-29T02:20:29.323124UTC+0

description: This host has most likely been performing brute-force attacks against third parties.
feeder: shadowserver
destination ip: 195.X.Y.Z
destination port: 22
source ip: 80.A.B.C
source port: 46892
protocol: ssh
source: GCA-IoT
username: ****
password: ****
start time: 2019-06-29T03:26:44.557520UTC+0
end time: 2019-06-29T03:26:46.919524UTC+0
At first I closed all exposed ports, but the bad guy was still sitting in my system and continued its attacks against other systems. Therefore I updated my firewall rules to block all outgoing connections completely, resulting in some OH processes such as homeconnect malfunctioning.
Meanwhile I have not received any further reports from my provider, but I still haven’t found the root cause.
Yesterday I tried to track down what’s going on; I can see outgoing connection requests. The same target IP is used not only on port 22 but also on port 80 (using a JSON request); the occurrences are random, with no regular timing.
I hope I will find the damn nasty bit, but it doesn’t look good. I assume the only way is a fresh install.
Platform information:
- Hardware: MacMini /intel x64/16MB/130GB
- OS: Debian 9
- Java Runtime Environment: Oracle Java 1.8
- openHAB version: 2.5 M1
No cloud services involved.
Formerly open ports:
- SSH
- OH webUI
via port forwarding (i.e. the public port was different)
This post is not meant to blame openHAB. It should rather be seen as a reminder of how important security is and how careful one needs to be.
Cheers
Stefan
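The post describes seeing outgoing connection requests to the same target on ports 22 and 80 without yet knowing which process issues them. The following script is an added example (not from the post or the openHAB project) of how a defender would narrow that down on a Debian host: it parses the socket table as printed by `ss -tnp` (the `users:((...))` column requires root to show other users' processes) and groups outbound connections to watched ports by the owning process, then reports any process not on an allowlist of expected ones. The sample `ss` output, the process name `unknownproc`, the PIDs, the TEST-NET peer addresses and the allowlist are all constructed for the example; it assumes the Linux default ephemeral port range (32768 and above) to tell outbound from inbound sockets.

```python
"""Group outbound connections by owning process from `ss -tnp` output.

Added example, not code from the original post. Run it as-is to see the
constructed sample, or feed it real output:
    ss -tnp | python3 this_script.py
"""
import re
import sys
from collections import defaultdict

# Assumption: Linux default net.ipv4.ip_local_port_range starts at 32768,
# so a socket whose *local* port is in that range was opened by us (outbound).
EPHEMERAL_MIN = 32768

# Matches the first process in ss's "users:((\"name\",pid=N,fd=M))" column.
USERS_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')

# Constructed sample resembling the poster's situation (hypothetical names/PIDs,
# TEST-NET peer addresses). Not real captured data.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB     0      0      192.168.1.20:8080    192.168.1.5:51234   users:(("java",pid=912,fd=77))
SYN-SENT  0      1      192.168.1.20:60540   203.0.113.10:22     users:(("unknownproc",pid=4481,fd=3))
ESTAB     0      0      192.168.1.20:46892   198.51.100.7:22     users:(("unknownproc",pid=4481,fd=5))
ESTAB     0      0      192.168.1.20:41000   198.51.100.7:80     users:(("unknownproc",pid=4481,fd=6))
ESTAB     0      0      192.168.1.20:22      192.168.1.5:50022   users:(("sshd",pid=611,fd=4))
ESTAB     0      0      192.168.1.20:52210   203.0.113.9:80      users:(("java",pid=912,fd=80))
"""


def split_addr(addr):
    """Split 'host:port' (also '[v6]:port') into (host, int port)."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def parse_ss(text):
    """Parse `ss -tnp` output into a list of connection dicts."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("State"):
            continue  # skip blank lines and the header
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        state, _recvq, _sendq, local, peer = parts[:5]
        proc_col = parts[5] if len(parts) == 6 else ""
        m = USERS_RE.search(proc_col)
        conns.append({
            "state": state,
            "local": split_addr(local),
            "peer": split_addr(peer),
            "process": m.group("name") if m else None,  # None: no -p or no permission
            "pid": int(m.group("pid")) if m else None,
        })
    return conns


def outbound_to(conns, watch_ports=(22, 80)):
    """Map (process, pid) -> [(peer_ip, peer_port, state)] for outbound sockets
    whose destination port is one we are watching."""
    by_proc = defaultdict(list)
    for c in conns:
        local_port = c["local"][1]
        peer_ip, peer_port = c["peer"]
        if local_port >= EPHEMERAL_MIN and peer_port in watch_ports:
            by_proc[(c["process"], c["pid"])].append((peer_ip, peer_port, c["state"]))
    return dict(by_proc)


def unexpected(by_proc, allow=("java", "ssh")):
    """Keep only processes that are not expected to open such connections.
    The allowlist is an assumption: on this host openHAB runs as 'java' and an
    admin may legitimately run the 'ssh' client."""
    return {k: v for k, v in by_proc.items() if k[0] not in allow}


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for (name, pid), peers in unexpected(outbound_to(parse_ss(text))).items():
        print(f"suspect process {name} (pid {pid}) has {len(peers)} outbound connection(s):")
        for ip, port, state in peers:
            print(f"  -> {ip}:{port}  [{state}]")
```

A PID reported here can be followed up with `ls -l /proc/<pid>/exe` and `/proc/<pid>/cmdline` to locate the binary behind the outgoing requests; because the post notes the connections appear at irregular times, running the script in a loop (or from cron) and appending its output to a log catches short-lived SYN-SENT attempts that a single run would miss.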