Yesterday a Raspberry Pi I set up for my mom was not working right. Upon logging in to it, everything was segfaulting, and I noticed the last login was from a foreign IP. Clearly it was compromised.
The only thing remotely sensitive on it was the ~/.ssh/authorized_keys file.
Here is a snip from my auth.log file.
It appears the attacker did this multiple times.
Code:
Nov 2 06:34:48 radio sshd[3301]: Accepted password for pi from 190.211.254.116 port 53766 ssh2
Nov 2 06:34:48 radio sshd[3301]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Nov 2 06:34:49 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/grep -E ^pi: /etc/shadow
Nov 2 06:34:49 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:34:49 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:35:39 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/id -g
Nov 2 06:35:39 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:35:39 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:35:39 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/whoami
Nov 2 06:35:39 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:35:39 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:35:49 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/mount -o remount,rw /
Nov 2 06:35:49 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:35:49 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:35:59 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/sh -c sed '#/lib/libxml.so#' /etc/ld.so.preload > /etc/ld.so.preload
Nov 2 06:35:59 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:35:59 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:36:09 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/killall -9 libxml_CP
Nov 2 06:36:09 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:36:09 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:36:09 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/rm /lib/libxml.so
Nov 2 06:36:09 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:36:09 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:36:19 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/rm -R /var/libxml_CP
Nov 2 06:36:19 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:36:19 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:36:29 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/mkdir /var/libxml_CP
Nov 2 06:36:29 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:36:29 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:36:39 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/chmod 777 -R /var/libxml_CP
Nov 2 06:36:39 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:36:39 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:37:50 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/sbin/iptables -I INPUT -p tcp --dport 40018 -j ACCEPT
Nov 2 06:37:50 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:37:50 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:38:05 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/sbin/iptables-save
Nov 2 06:38:05 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:38:05 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:38:20 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/sbin/iptables -S
Nov 2 06:38:20 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:38:20 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:39:25 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/ss -tulpn
Nov 2 06:39:25 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:39:25 radio sudo: pam_unix(sudo:session): session closed for user root
Nov 2 06:40:06 radio sshd[3301]: pam_unix(sshd:session): session closed for user pi
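The sudo lines above are a good illustration of how much a default auth.log records: every command, its timestamp and the invoking user. Below is an added example (not the poster's code) that parses sudo entries from auth.log text and flags the persistence and firewall-tampering patterns visible in this log; the sample lines are constructed from the post, and the rule names are my own.

```python
import re

# Constructed sample modelled on the sudo entries in the post above (abbreviated),
# plus one pam_unix line to show that non-command entries are ignored.
SAMPLE_AUTH_LOG = """\
Nov 2 06:34:49 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/grep -E ^pi: /etc/shadow
Nov 2 06:34:49 radio sudo: pam_unix(sudo:session): session opened for user root by pi(uid=0)
Nov 2 06:35:39 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/whoami
Nov 2 06:35:49 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/mount -o remount,rw /
Nov 2 06:35:59 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/sh -c sed '#/lib/libxml.so#' /etc/ld.so.preload > /etc/ld.so.preload
Nov 2 06:36:39 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/chmod 777 -R /var/libxml_CP
Nov 2 06:37:50 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/sbin/iptables -I INPUT -p tcp --dport 40018 -j ACCEPT
Nov 2 06:38:20 radio sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/sbin/iptables -S
"""

# Matches only the "user : TTY=... ; USER=... ; COMMAND=..." form that sudo logs per command.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Detection rules (hypothetical names): predicate on the command string.
# Read-only commands such as whoami or iptables -S match none of them.
RULES = [
    ("ld.so.preload modified", lambda c: "/etc/ld.so.preload" in c),  # library preload persistence
    ("root fs remounted read-write", lambda c: c.startswith("/bin/mount") and "remount,rw" in c),
    ("firewall opened for inbound port", lambda c: "iptables -I INPUT" in c and "-j ACCEPT" in c),
    ("world-writable recursive chmod", lambda c: "chmod 777 -R" in c),
    ("shadow file read", lambda c: "/etc/shadow" in c),
]


def parse_sudo_lines(log_text):
    """Return one dict (ts, user, target, cmd) per sudo command entry."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious(log_text):
    """Run every rule over every sudo command and return the matches in log order."""
    findings = []
    for ev in parse_sudo_lines(log_text):
        for name, pred in RULES:
            if pred(ev["cmd"]):
                findings.append({"ts": ev["ts"], "user": ev["user"], "rule": name, "cmd": ev["cmd"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_AUTH_LOG):
        print(f"{f['ts']} {f['user']} {f['rule']}: {f['cmd']}")
```

On a real system the same functions can be fed the contents of /var/log/auth.log; the session-open/close pam lines are skipped because they carry no COMMAND field.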