1

I'm running a raspberry PI and I've accidentally left the 22 port open to it from a public IP for about 24 hours. Raspberries' raspbian distro comes by default with a "pi" user and "raspberry" password so I fear that it could have been compromised.

I've just changed the password to it. What's the recommended way now to verify that there was no intruder access which would have removed its fingerprints (i.e. removing entries from /var/log/auth.log, etc)? How can I check if he's not created a user which was not already there by default in the system? Is there a way to secure the server again without the need of re-installing the OS?

knocte
  • 161
  • 7
  • If it was really using the default password, can I presume it did not see too much configuration yet? In this particular case, as the Pi has an easily removable storage, it might be easy to do some forensics - just mount the card with `-o noexec` (to prevent executing any funny script an attacker may have left around), and compare the files/md5sums from the image you installed it from. But there's still the possibility of the filesystem tweaked to have an inconsistency that triggers an exploit on your host (not that I can imagine one right away). – chexum Dec 27 '15 at 17:40

2 Answers2

4

It is impossible to prove that an attacker has not compromised your server. It is always possible that an attacker accessed and installed malware that would be left behind.

The safest thing to do is to reinstall the OS. This is the only way you can truly know that it is an uncompromised OS. The password for the account should be changed so with public access an attacker could not login.

From looking at my system logs, my server gets about 1000 bad logins per day with most using the username root, but some using pi.

Eric Johnson
  • 715
  • 1
  • 6
  • 11
2

Is there a way to secure the server again without the need of re-installing the OS?

If the device really was compromised the answer is: no

And of cause there is no way you can be a 100% sure that nobody accessed your system in this 24 hours but being sure is just the highest possible kind of probability and we can talk about probability.

When we asume that your potential opponent was quit an intellegent person you won't be able to prove that he did access your system even when he did. He might have altered every logfile, the bash history, the filesystem attributes and dates that might point out that something happened,... but these guys are pretty rare and often people forget to ask one of the most important questions: Am I a intersting Victim? If you have to answer this with no you will unlikely be a victim of this type of attacker.

Most attacks that happen on a technical level aren't carried out by highly skilled hackers. They are automaticly carried out by botnets or by scriptkiddies that scan millions of hosts every day and are lucky to get away with a handfull of compromised hosts. These opponents aren't that hard to detect and they also don't try hard to hide their activities because they want quantity not quality.

You might ask your Service Provider if any ssh connection has been established in the past 24 hours. If it's a proffesional provider they might be able to tell you. You can also monitor the processes executed and the traffic generated when you don't use the device the actively. But always keep the effort on an appropriate level.

davidb
  • 4,285
  • 3
  • 19
  • 31