Announcement

Collapse
No announcement yet.

Zee Trojan is nasty if you open port 22 to the internet to SSH

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Zee Trojan is nasty if you open port 22 to the internet to SSH

    I had a nasty time recently trying to upgrade my 2 Zees to the latest HS3 pi software and kept getting a trojan that took over my machine.

    Here is the description the trojan: https://www.tobsan.se/update/2017/11/06/rpi-trojan.html

    So here is what I found out. The current RPI image does not change the default user/password from pi/raspberry. As soon as you open port 22 on your router and point it to the Zee, you will be infected very quickly. In my case, before I figured out what was going on, I re-imaged my SD cards about 4 times, booted them up on a network with port 22 forwarded to the pi and was infected every time within 4 hours. This trojan sets your Zee up to become and IrC bot and the remote hacker has complete control.

    Solution: Don't open port 22 on your router to remote SSH to the Zee OR change the default user pi password before you do.

    Hope this helps someone.

    PS. To see if you already may be affected, SSH to your machine, navigate to /opt and issue a dir command. If you see a funny 8 character script you are infected. In my case, I only see two files: HomeSeer and vc.


    This weekend, me and my girlfriend visited her parents, and at the same time, I got to do the usual IT admin work on the Raspberry Pi 3 I set up for her father. Interestingly, there was a pi-specific trojan installed on his system. I’ll walk you through it!

    #2
    Why on god's good green earth would you open those ports to the Internet?

    Comment


      #3
      Drhtmal, I need to manage my system remotely and have other apps besides HS3 running on it. Do you have another recommendation to managing the ZEE remotely besides a properly secured SSH connection?

      Comment


        #4
        I do not know what router you are using but most support some sort of VPN connection.

        Comment


          #5
          Originally posted by luvatlast View Post
          Drhtmal, I need to manage my system remotely and have other apps besides HS3 running on it. Do you have another recommendation to managing the ZEE remotely besides a properly secured SSH connection?
          Highly recommend you vpn to your router (or do
          site to site vpn if the two locations are fixed) this way none of those ports need to be directly on internet.

          Comment


            #6
            Good suggestions. I actually have 2 systems at 2 different locations. One has an Asus router that supports a VPN, the other site has Verizon Fios router that I am pretty sure does not. Luckily, most of my SSH need is ‘to’ the site with the Asus router. Thanks for the help.

            Comment


              #7
              Been using VPN a long time here for my home network.

              I do remote manage a few peers here using SSH. It is sort of a poor man's VPN connection and can be utilized for all sorts of things and is much easier to set up remotely then a VPN tunnel (here utilize IPSec rather than OpenVPN).

              IE: here use a reverse proxy to see the HS3 web gui. Use x windows with single remote x windows applications. (not recommended)

              There are ways to harden the SSH connection. First time you open SSH to the internet you will see robots hitting it within seconds. It's been like this for a while.



              First have a read over here ==> hxxps://linux-audit.com/audit-and-harden-your-ssh-configuration/

              and then edit /etc/ssh/sshd_config


              - Pete

              Auto mator
              Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb- Mono 6.12.X - HSTouch on Intel tabletop tablets
              Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro - Mono 6.12.X
              HS4 Pro - V4.1.10.0 - Ubuntu 18.04/VB W7e 64 bit Intel Kaby Lake CPU - 32Gb - Mono 6.12.x
              HS4 Lite -

              X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Smartthings hub, Hubitat Hub, and Home Assistant

              Comment


                #8
                Originally posted by luvatlast View Post
                Luckily, most of my SSH need is ‘to’ the site with the Asus router.
                If you continue down the SSH route via the internet vs a VPN, I strongly recommend disabling passwords and forcing ssh keys for authentication. You will need to generate a ssh key and transfer it to your ssh server before you remove password authentication. There is a sub-url in the url Pete posted on how to set this up.

                PubkeyAuthentication yes
                PasswordAuthentication no

                Comment


                  #9
                  BTW this is not a specific "Zee Trojan" rather it is an SSH bot that sets up house on your RPi to replicate throughout the internet.

                  It is a "back door" trojan. There are many. Here is one description of Ebury:

                  Background

                  In February 2013, CERT-Bund started analyzing Ebury in depth and was able to identify thousands of systems around the world infected with the malware. Subsequently, an international Working group was formed. In a joint research effort with ESET, the Swedish National Infrastructure for Computing and the European Organization for Nuclear Research (CERN), and with kind support from CERTs and hosting providers in several countries, many thousand additional systems infected with Ebury could be identified.

                  Since February 2013, hosting providers and national CERTs in more than 60 countries have been notified of infected machines hosted on networks within their responsibility.

                  About one-third of the systems that were found to be infected are hosted in the US, another ten percent in Germany. Other countries with large numbers of infections include France, Italy, Great Britain, Netherlands, Russian Federation, Ukraine, Mexico and Canada.

                  What is Ebury?

                  Ebury is a SSH rootkit/backdoor trojan for Linux and Unix-style operating systems (like FreeBSD or Solaris). It is installed by attackers on root-level compromised hosts by either replacing SSH related binaries (ssh, sshd, ssh-add, etc.) or modifying a shared library used by SSH (libkeyutils).

                  On infected hosts, Ebury steals SSH login credentials (username/password) from incoming and outgoing SSH connections. The harvested credentials are sent to dropzone servers controlled by the attackers using specially crafted DNS-like packets. Additionally, SSH private keys stored on the compromised system for use with outgoing SSH connections are stolen by the attackers.

                  Ebury provides a backdoor the attackers can use to get a remote root shell on infected hosts even if passwords for user accounts are changed on a regular basis.

                  Why do you think my system is infected with Ebury?

                  Login credentials harvested by Ebury from SSH connections from/to your system were seen being sent to a dropzone server for the malware. Corresponding timestamps have been included in our reports to ISPs, hosting providers and national CERTs.

                  What do the attackers use compromised systems like mine for?

                  The compromised systems are used for various criminal activities, such as sending massive amounts of spam, redirecting visitors of compromised websites to drive-by-exploits or running nameservers for malicious domains. See for details.

                  Equipped with root-level privileges, the attackers can take full control of your machine and are able to access, delete or alter any kind of data processed or stored on the system. For example, if the compromised system is running a web shop the attackers might gain access to sensitive information like personal customer data or credit card numbers.



                  - Pete

                  Auto mator
                  Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb- Mono 6.12.X - HSTouch on Intel tabletop tablets
                  Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro - Mono 6.12.X
                  HS4 Pro - V4.1.10.0 - Ubuntu 18.04/VB W7e 64 bit Intel Kaby Lake CPU - 32Gb - Mono 6.12.x
                  HS4 Lite -

                  X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Smartthings hub, Hubitat Hub, and Home Assistant

                  Comment

                  Working...
                  X