RPi used as trojan?


Martin Dunschen

Aug 13, 2021, 5:46:22 AM8/13/21
to <Unnamed>
Has anybody here ever had this?

I have set up an RPi Zero to be publicly available for ssh on port 22, and I did change the password from 'raspberry'. I had it offline and not powered for a few days, but now when I try to log in I realize I forgot my new password (for user pi) and go through the process of resetting this by editing cmdline.txt...

Now, when I boot with a monitor attached it never gets to a login prompt, but instead seemingly tries to connect to other computers with ssh or scp, rattling line after line of random connection attempts over the console, failing with "Permission denied." It never ends until I disconnect power, of course.

I can't believe that it was infected in the short time (5 minutes maybe?) the standard pi password might not have been changed; I am very puzzled.

Has anybody else ever seen this?

Looks like I have to wipe the sd card and start again from scratch to set it up.


Martin


Alex J Lennon

Aug 13, 2021, 6:18:09 AM8/13/21
to does-li...@googlegroups.com


The received wisdom is that there are lots of automated bots constantly scanning the internet for insecure devices.

Port 22/SSH is very standard and if there was any kind of exploit of the server on the Pi I can well believe it was exploited.

Hard to believe that all happened in 5 minutes though.

If it is making connections out via SSH from a vanilla installation then I would have to assume it has been exploited.

Is it possible that the original installation was exploited? (This does happen too.)

All sounds very worrying. I'd wipe it. I would also be looking at anything else on your network it might have infected.

Cheers,

Alex

--
You received this message because you are subscribed to the Google Groups "DoES Liverpool" group.
To unsubscribe from this group and stop receiving emails from it, send an email to does-liverpoo...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/does-liverpool/CAK55gbDt%2BSFgkp8HsNbXMb2%2BVhLGsZpj1ZWL-8RmFXK%3DbTQP6g%40mail.gmail.com.

sean.van.der.smythe

Aug 13, 2021, 7:39:12 AM8/13/21
to does-liverpool
Follow an online guide to securing the Pi and do as much as possible offline before connecting to the network. Probably also use a non-standard port number for the ssh.

Arthur Rowland

Aug 13, 2021, 7:47:14 AM8/13/21
to 'Sean Jarman' via DoES Liverpool
Here are my notes on setting up secure clean Raspbian - written for my own use so might not be totally clear, but hope it can be a useful reference. It covers setting up ssh keys and fail2ban firewall to try and prevent the system being compromised.