Pull the WAN from it now, and start checking your systems over.
Can the router be flashed with custom Firmware do you know?
Whilst unlikely, but still possible, it could have been flashed with a compromised firmware build, to aid in the activity, so even if you reset it, the firmware may still be compromised, and allowing a 'back door'
Also, do you have anything else running on that network?
You will need to change the router and wi-fi passwords but as Marcus says, ideally you would push a known good firmware onto the router if that is an option before doing anything else.
Its the most recent vodafone router. Would a factory reset suffice?
Also can anyone tell me why I have all that bash not found stuff in the terminal window. This is from a known good backup imaged sd card.
thanks
Probably. Do the reset offline and change the passwords before connecting to the Internet. Leave other devices off your network until you are happy with the router.
I can't see any obvious issues with Vodafone routers in particular. One had a very weak default password but you are changing that anyway. Of course, choose a strong passcode for your router and wi-fi passcodes and don't forget to save them in a password manager so you don't lose them.
I never do full-system backups because by the time you ever need to restore, the world has moved on a long way and things change.
So my recommendation is to start from scratch. Download a fresh copy of the latest Rasbian. Then install your dependencies: Node.js - via nodesource/distributions: NodeSource Node.js Binary Distributions (github.com) preferably though you could use Dave's script if you prefer. Mosquitto. And anything else you need.
Take notes as you go along so that should you ever need to start again, you've left yourself some clues.
Finally, copy what specific things like your userDir folder from your backup and maybe your Mosquitto config if you can't remember how you set it.
Talk to Vodafone support, tell them you were hacked and your router password changed back to the default. Ask them if a factory reset is safe.
When you start a terminal window the commands in .bashrc and /etc/rc.local (I think) are run.
If you open a terminal and run source ./.bashrc, do you see the same errors again? and source /etc/rc.local?
If so, can you post the contents of .bashrc?
note:
/etc/rc.local is run when the system boots up, not when you open a terminal. Worth checking if it has been modified though.
6 solid hours now today. I did a factory reset and now it wont connect to internet saying "no ip4 address"
Vodafone support guy asked me 4 times about lights on unit and each time I told him that there were none. Anyway still no internet. Definitely been hacked! There is this horrible feeling like being burgled, as in what else have they taken.
It is a lot more than that. Best to look it up, I can never remember the full list but the profile is also run I think. And I can't remember if both the /etc version and the ~/ versions are run.
I plan to do a completely fresh install. There is a lot of stuff. Is it foolish to open a port for PIVPN?
That way I could get access to dashboard etc.
Personally I don't like full VPN connections due to the risks of a remote device being compromised and getting access to your network. The risk level depends on where you travel to though I suppose.
My preferred approach is to use Cloudflare Zero Trust which has an excellent free-tier. Using that, you can have login secured access to your Node-RED install without needing any holes in the firewall. You can also get a browser SSH terminal, again without having to expose your SSH via your router.
It is a web service so you access everything from your browser.
I have a couple of things set up:
A link to Node-RED (covers Editor, Dashboard, uibuilder, etc) - you use this as you would use Node-RED at home. But it has a different URL and is protected by Cloudflare's excellent security complete with up to 50 users for free.
A browser SSH terminal page.
Because it is clouldflare, you get their excellent security so you can restrict to certain countries, certain types of login and more. Login's can be specific user id's or can be linked to external logins such as GitHub, LinkedIn, etc. (OAuth).
So yes, all accessible from a mobile.
The only possible downside is that you need a domain name and you need to let Cloudflare manage it. They also offer cheaper domain name registration by the way as they do not add overheads to the basic cost so grabbing a .uk, .com or whatever is as cheap as it can be and you get an excellent DNS management portal too and DNS security. You can leave your existing domains with your current registrar if you want to and just let Cloudflare manage it but they are so good, I've moved all of mine.
That curl item plus about 6 others were on the infected PI. The backup sd card seems clean.
Vodafone folk said they had never heard of their routers being hacked.
This all happened at our holiday cottage where use PI to control heating, monitor oil etc. When we arrived and before discovering the hack I connected to our home via vpn to do some stuff. At home I have 2 PIs and a 24/7 PC. I don't know how viruses work but......
Anything connected to the Internet is fair game to hackers and bots. It takes less than 30seconds for a newly connected IP address to start being scanned.
And you've found the problem with VPN's. They create an extension from one network to another so compromises in one potentially extend to the other.
This is why I generally don't recommend them unless you know what you are doing.