Discovered an unusual application on your friend's Raspberry Pi.

Kavenoke
Member
242
03-19-2023, 09:10 AM
#1
He mentioned his Pi couldn't … a password was updated. I linked it to a monitor and saw a script in /opt/etc/rc.local running. The file attached was the one that got executed. I have some programming skills and can explain what it does. Here’s the link: https://pastebin.com/bmzhZAS3

tiggore
Member
50
03-19-2023, 12:53 PM
#2
The changes will delete the file. Updated on January 5, 2021 by TVwazhere He's correct you understand

Ozwego
Member
191
03-19-2023, 01:24 PM
#3
You're noticing CPUminer and SSH password details in the script. It seems like scripts might be downloading or using credentials from the internet without your explicit knowledge. The SSH password mentioned could relate to accessing a device like a Raspberry Pi.

MrsGalaxyPvP
Junior Member
17
03-19-2023, 09:59 PM
#4
I’d destroy this Pi and any others in the network. I’m not sure exactly what it’s aiming for, but here are three odd behaviors: it adds an SSH key to the authorized keys file, it runs what looks like an IRC bot, and it tries to connect to other Raspberry Pis using the default login. A reminder: update the default password on Raspberry Pis, particularly if they’re exposed online.
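An added triage script for anyone checking their own Pis after reading this thread (it is not code from the thread, from the pastebin, or from Raspberry Pi OS). It looks for the signs mentioned in #1, #3 and #4: commands launched from /etc/rc.local or /opt/etc/rc.local, keys added to authorized_keys, and on a live system a miner process or a connection to an IRC port. The process names (cpuminer, minerd) and IRC ports (6667, 6697) are assumptions; pass a mounted SD-card image's mount point as the argument to inspect the suspect card without booting it.

```shell
#!/bin/sh
# Added triage helper; not code from the thread or from Raspberry Pi OS.
# Checks for the signs the posters describe: commands launched from
# rc.local, keys added to authorized_keys and, on a live system only,
# a miner process or an IRC connection (names/ports are assumptions).

# Lines of an rc.local that actually run something; a stock file has none
# (only comments and 'exit 0').
rc_local_commands() {
    grep -Ev '^[[:space:]]*(#|exit 0|$)' "$1" 2>/dev/null || true
}

# Number of public keys in an authorized_keys file (one key per line).
authorized_key_count() {
    grep -cE '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' "$1" 2>/dev/null || true
}

# Scan ROOT (default /). Prints each finding; returns the number found,
# so an exit status of 0 means nothing suspicious was seen.
triage_pi() {
    root="${1:-/}"; found=0
    for f in "$root/etc/rc.local" "$root/opt/etc/rc.local"; do
        [ -f "$f" ] || continue
        cmds=$(rc_local_commands "$f")
        if [ -n "$cmds" ]; then
            printf '[rc.local] %s launches at boot:\n%s\n' "$f" "$cmds"
            found=$((found + 1))
        fi
    done
    for k in "$root/root/.ssh/authorized_keys" "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$k" ] || continue
        n=$(authorized_key_count "$k")
        if [ "${n:-0}" -gt 0 ]; then
            printf '[ssh] %s holds %s key(s); confirm who owns each\n' "$k" "$n"
            found=$((found + 1))
        fi
    done
    if [ "$root" = "/" ]; then
        if ps -eo pid,args 2>/dev/null | grep -Ei 'cpuminer|minerd' | grep -qv grep; then
            echo '[proc] a miner-like process is running'; found=$((found + 1))
        fi
        if ss -tn 2>/dev/null | grep -Eq ':(6667|6697)( |$)'; then
            echo '[net] a connection to an IRC port is open'; found=$((found + 1))
        fi
    fi
    return "$found"
}

if [ $# -gt 0 ]; then triage_pi "$1"; fi
```

Run it as `sh triage.sh /` on the live Pi or `sh triage.sh /mnt/suspect-card` on a card mounted from a clean machine; a key in authorized_keys that nobody in the household added, or any command in rc.local, is reason enough to reflash as #5 and #7 suggest.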

Ireo
Member
150
03-23-2023, 09:42 AM
#5
Be cautious—there’s something off. Suggest replacing the OS on a fresh card and avoiding this one. Or better yet, let a professional handle it.

TeaSparrow
Junior Member
37
03-23-2023, 06:41 PM
#6
It only uses the SD card it comes with. Works for all RPi devices on the network.

Mihaa
Junior Member
47
03-23-2023, 08:49 PM
#7
It's a fragment of the cryptomining malware that began focusing on Pi around 2019. It depends on the user setting the default Pi security options. The safest choice is to reinstall the system.

Keleg
Member
149
03-23-2023, 10:03 PM
#8
That's what you intended.

mamaland56
Junior Member
48
03-25-2023, 02:01 AM
#9
From what I understand, no installation or download was necessary for the infection. The malware spread via SSH to various hosts, relying on default user account configurations.