Malware on RPi
#1
Seems that there is some malware on the loose, called Linux.MulDrop.14, that infects Linux-based systems with a default user called pi, presumably on Raspbmc OS.
This malware then changes the password to "$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1", searches for other RPis on your network and also starts to mine bitcoin.

I suspect it wouldn't be out of the question for the malware to be modded to check for, and thus infect, other distributions like LibreELEC, OpenELEC, OSMC, etc.

Guess this just goes to show how bad it is for a distribution not to allow the user to change the default user and password during the install process.
This behaviour is up there with the poor security focus often seen in those developing PoE security cameras that are oh so hackable.

Here is another link discussing Linux.MulDrop.14 which also links to SMB vulnerability discussion...

Does Team Kodi have any opinions on such matters, and do you guys have any sway in pushing for better security standards within distributions like LibreELEC, OpenELEC, XBian, Raspbmc, OSMC, etc. that contain Kodi?

Is it worth having a security forum?
#2
For OpenELEC: there is no "pi" user, and the default password can't be changed even by third-party programs or malware.
You are also free to disable SSH password login and use a key-based login, which is more secure, if you need to have SSH enabled all the time.
greetings, Stephan

#3
How many people put a Pi open to the internet and leave SSH active with the default password?
#4
I never turn on SSH, but Samba is on 24/7. Will this be OK, or do I need to change the password? Thanks
#5
Defaults are always best to change, especially passwords.
#6
(2017-06-09, 14:12)GreySkies Wrote: How many people put a Pi open to the internet and leave SSH active with the default password?

You'd be surprised...
#7
(2017-06-10, 14:14)noggin Wrote: You'd be surprised...

At which point, the responsibility for security belongs to the user alone.
#8
We found a case of malware on a Pi running OSMC in the past [1]

General recommendations are:

* Don't port forward 22 unless necessary
* Use a static IP or static reservation to prevent accidental forwarding
* Change the default password for the osmc user or better yet, use SSH keys if you want to expose SSH to the Internet
* Do not expose Kodi's web server to the Internet

We continue to review ways we can improve the security of OSMC. In this month's update we hardened the default SSH configuration significantly, and we continue to work on reducing the attack surface in OSMC and mitigating the damage that can be done in the event that the device is compromised.

We also keep on top of CVEs: the 17.x patch and Samba CVE were patched within a couple of days of public disclosure.

For every instance where a device has been compromised, it turned out to be the case that the user had accidentally port forwarded their device with default credentials.

[1] https://discourse.osmc.tv/t/rpi-1-privnu...cess/23254
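The advice in #2 (disable SSH password login and use keys) and in #8 (the hardened default SSH configuration and the recommendation to use SSH keys rather than the default password) can be checked mechanically. The script below is an added example written for this page, not code from the thread, from OSMC or from OpenELEC: a POSIX shell audit of an sshd_config for the password-versus-key settings those posts describe. The two sample configs are constructed for demonstration, and the OpenSSH defaults assumed for absent keywords (PasswordAuthentication yes, keyboard-interactive yes, PermitRootLogin prohibit-password, PubkeyAuthentication yes) are stated in the code.

```shell
#!/bin/sh
# Added example (not from the thread, OSMC or OpenELEC): audit an sshd_config
# for the "keys only, no password login, no root login" settings recommended
# in the posts above. Config text is read from stdin; the samples at the
# bottom are constructed for demonstration.

# Effective value of one sshd_config keyword. sshd honours the first
# occurrence of a keyword, so stop at the first non-comment match; $2 is the
# OpenSSH default assumed when the keyword is absent.
sshd_opt() {
    v=$(awk -v k="$1" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }')
    printf '%s\n' "${v:-$2}"
}

# Print one finding per weak setting; return 0 if hardened, 1 otherwise.
audit_sshd() {
    cfg=$(cat)
    rc=0
    pw=$(printf '%s\n' "$cfg" | sshd_opt PasswordAuthentication yes)
    kbd=$(printf '%s\n' "$cfg" | sshd_opt KbdInteractiveAuthentication yes)
    chal=$(printf '%s\n' "$cfg" | sshd_opt ChallengeResponseAuthentication yes)
    root=$(printf '%s\n' "$cfg" | sshd_opt PermitRootLogin prohibit-password)
    pub=$(printf '%s\n' "$cfg" | sshd_opt PubkeyAuthentication yes)

    [ "$pw" = no ] || { echo "WEAK: PasswordAuthentication $pw (set to no, use keys)"; rc=1; }
    # Keyboard-interactive auth through PAM still prompts for the account
    # password even with PasswordAuthentication off, so it must be off too
    # (ChallengeResponseAuthentication is the older name for the same knob).
    if [ "$kbd" != no ] && [ "$chal" != no ]; then
        echo "WEAK: keyboard-interactive auth enabled (KbdInteractiveAuthentication $kbd, ChallengeResponseAuthentication $chal)"
        rc=1
    fi
    [ "$root" = no ] || { echo "WEAK: PermitRootLogin $root (set to no)"; rc=1; }
    [ "$pub" = yes ] || { echo "WEAK: PubkeyAuthentication $pub (keys cannot be used)"; rc=1; }
    return $rc
}

# Constructed sample: a stock-looking config with password login left on.
DEFAULT_CFG='Port 22
#PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes'

# Constructed sample: the hardened form the posts describe.
HARDENED_CFG='Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
UsePAM yes'

# On a real device: audit_sshd < /etc/ssh/sshd_config
printf '%s\n' "$DEFAULT_CFG" | audit_sshd || echo "default config: NOT hardened"
printf '%s\n' "$HARDENED_CFG" | audit_sshd && echo "hardened config: OK"
```

Run it against the device's own file with `audit_sshd < /etc/ssh/sshd_config`, then `sshd -t` after editing to make sure the daemon still parses the result. The keyboard-interactive check is the caveat most people miss: turning off PasswordAuthentication alone leaves PAM's password prompt reachable. None of this helps a box whose default password is still in use by another exposed service, which is the point raised in #4 about Samba.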
#9
(2017-06-10, 15:03)ActionA Wrote:
(2017-06-10, 14:14)noggin Wrote: You'd be surprised...

At which point, the responsibility for security belongs to the user alone.

Thanks for that non-helpful comment. All users are learning. The point of this forum is to help. If you want to be helpful, I suggest you limit your comments to facts!
#10
Well, what ActionA wrote IS a fact, so what is the point of your post? No help in it that I can see...
#11
(2017-06-15, 18:38)Sholander Wrote: Well, what ActionA wrote IS a fact, so what is the point of your post? No help in it that I can see...

I refer you to my previous quote!
#12
@KungFu please pull your head in, your comments are bordering on unacceptable.
#13
Quote (the exchange so far in this thread):
OP Wrote: Linux.MulDrop.14, that infects Linux-based systems with a default user called pi, presumably on Raspbmc OS.
GreySkies Wrote: How many people put a Pi open to the internet and leave SSH active with the default password?
noggin Wrote: You'd be surprised...
ActionA Wrote: At which point, the responsibility for security belongs to the user alone.
KungFu Wrote: Thanks for that non-helpful comment. All users are learning. The point of this forum is to help. If you want to be helpful, I suggest you limit your comments to facts!

The whole premise of the post is malware "that infects linux based systems with a default user"! Facts be known, Raspbmc has been deprecated for years, and to my knowledge none of the other mentioned distros use the default pi:raspberry as user:pass. I have simply stated the obvious in the context of the thread as a whole. Anyone reading this thread, if they didn't already know better as you propose, now sees that it is up to them to protect themselves if they expose a media center Pi distro to the open web! OSMC (I'm not familiar with how other distros handle it) prompts the user to change the default password, or even disable SSH completely, in the first welcome sequence upon install. Speaking of Linux in general, RTFM is a thing for those who wish to learn.

It is not the responsibility of the engine builder to warn the driver that there could be dire consequences if he operates his automobile without due care or otherwise re-configures it without a bit of knowledge or forethought!

Do you have any facts more helpful to offer here @KungFu?