[beagleboard] Re: Beaglebone hacked

Wed, 05 Mar 2014 12:42:07 -0800

you replied to me only and not the group, please include the group always in replies. 

On 03/05/2014 09:26 PM, Michael Carr wrote:

Hi Vladimir

The first highlighted TCP entry is the IP address to the  site from
where I was hacked.


>     */tcp        0      0 beaglebone.home:43017
>     senator.holtmann.net:http CLOSE_WAIT
unlikely, it is registered to Marcel Holtmann in Germany and he is one of the project maintainers of connman, the connection manager that angstrom uses: 

https://connman.net/about
having a possible rootkit on your PC does not mean your beaglebone was infected. 





So my concern is about how to find/remove any rootkits and affected
processes.

I'm new to Linux security. From what I've read iptables is the firewall.
I looked at the config file and all lines are commented out.

I also ran netstat -tap to find which processes own which ports and I
got an error message back that -p is not an option. When I ps -aux I
don't see anything out of the ordinary. However, in /home I have a user
called xuser. the directories are empty.

I also noted that if I disconnect from the LAN and use the usb
connection through my PC (the 192.168.7.1 & 2 pair) the highlighted
entries go away so I suspect that the hack is looking for a direct lan
connection.

I thank you for your help,

Mike



------------------------------------------------------------------------
Date: Wed, 5 Mar 2014 08:20:47 -0800
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: Beaglebone hacked

clean what up?

On Wednesday, March 5, 2014 5:35:23 AM UTC+1, [email protected] wrote:

    Ok...I'm awake now!

    I got a phone call from an overseas gentleman about my computer
    needing service. It sounded like a crank call but I was having
    problems so I contacted Microsoft. They found a rootkit and fixed
    everything.

    This evening I brought up my Beaglebone but had troubles reaching it
    over my local net. So I plugged in my USB cable and started looking
    at what could be wrong. This is what I found when I did a netstat.

      netstat
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address
    State
    tcp        0    372 beaglebone.local:ssh 192.168.7.1:51659
    <http://192.168.7.1:51659>       ESTABLISHED
    */tcp        0      0 beaglebone.home:43017
    senator.holtmann.net:http CLOSE_WAIT
    udp        0      0 beaglebone.home:46957
    Wireless_Broadband_Router.home:domain ESTABLISHED
    udp        0      0 beaglebone.home:52599
    Wireless_Broadband_Router.home:domain ESTABLISHED
    udp        0      0 beaglebone.home:44667
    Wireless_Broadband_Router.home:domain ESTABLISHED
    udp        0      0 beaglebone.home:38089
    Wireless_Broadband_Router.home:domain ESTABLISHED/*
    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags       Type       State         I-Node Path
    unix  2      [ ]         DGRAM                       944
    @/org/freedesktop/systemd1/notify
    unix  2      [ ]         DGRAM                       963
    /run/systemd/shutdownd
    unix  5      [ ]         DGRAM                       978
    /run/systemd/journal/socket
    unix  10     [ ]         DGRAM                       980 /dev/log
    unix  3      [ ]         STREAM     CONNECTED       3917
    @/tmp/.X11-unix/X0
    unix  3      [ ]         STREAM     CONNECTED       3689
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       4933
    unix  3      [ ]         STREAM     CONNECTED       2272
    unix  3      [ ]         STREAM     CONNECTED       4720
    @/tmp/.X11-unix/X0
    unix  3      [ ]         STREAM     CONNECTED       4695
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       3490
    /run/systemd/journal/stdout
    unix  3      [ ]         STREAM     CONNECTED       2156
    unix  2      [ ]         DGRAM                      3608
    unix  3      [ ]         STREAM     CONNECTED       3548
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       4723
    unix  3      [ ]         STREAM     CONNECTED       4934
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       4979
    unix  3      [ ]         STREAM     CONNECTED       4936
    unix  3      [ ]         STREAM     CONNECTED       4408
    unix  2      [ ]         DGRAM                      5096
    unix  3      [ ]         STREAM     CONNECTED       4902
    @/tmp/.X11-unix/X0
    unix  2      [ ]         DGRAM                      3371
    unix  2      [ ]         DGRAM                      1400
    unix  3      [ ]         STREAM     CONNECTED       2678
    unix  3      [ ]         STREAM     CONNECTED       4255
    unix  3      [ ]         STREAM     CONNECTED       2803
    unix  3      [ ]         STREAM     CONNECTED       4041
    unix  3      [ ]         STREAM     CONNECTED       3425
    unix  3      [ ]         STREAM     CONNECTED       4943
    @/tmp/dbus-xZDw0oinFq
    unix  3      [ ]         STREAM     CONNECTED       4679
    unix  3      [ ]         STREAM     CONNECTED       3435
    unix  3      [ ]         STREAM     CONNECTED       4930
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       3916
    unix  3      [ ]         STREAM     CONNECTED       4740
    @/tmp/dbus-xZDw0oinFq
    unix  3      [ ]         STREAM     CONNECTED       3482
    /run/systemd/journal/stdout
    unix  3      [ ]         STREAM     CONNECTED       4937
    @/tmp/gdm-session-EVyXHMgT
    unix  3      [ ]         DGRAM                      1436
    unix  3      [ ]         STREAM     CONNECTED       4683
    @/tmp/dbus-xZDw0oinFq
    unix  3      [ ]         STREAM     CONNECTED       4691
    @/tmp/dbus-xZDw0oinFq
    unix  3      [ ]         STREAM     CONNECTED       2445
    unix  3      [ ]         STREAM     CONNECTED       3688
    unix  3      [ ]         STREAM     CONNECTED       3680
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       3796
    /run/systemd/journal/stdout
    unix  3      [ ]         STREAM     CONNECTED       4734
    @/tmp/dbus-xZDw0oinFq
    unix  3      [ ]         STREAM     CONNECTED       3670
    unix  3      [ ]         STREAM     CONNECTED       4976
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       4896
    unix  3      [ ]         STREAM     CONNECTED       3493
    /run/systemd/journal/stdout
    unix  3      [ ]         STREAM     CONNECTED       4042
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       3436
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       3380
    unix  3      [ ]         STREAM     CONNECTED       5123
    unix  2      [ ]         DGRAM                      2928
    unix  3      [ ]         STREAM     CONNECTED       4044
    unix  3      [ ]         STREAM     CONNECTED       3439
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       4906
    unix  3      [ ]         STREAM     CONNECTED       4038
    unix  3      [ ]         STREAM     CONNECTED       4931
    unix  3      [ ]         STREAM     CONNECTED       4946
    unix  3      [ ]         STREAM     CONNECTED       4254
    unix  3      [ ]         STREAM     CONNECTED       3496
    /run/systemd/journal/stdout
    unix  3      [ ]         STREAM     CONNECTED       4739
    unix  3      [ ]         STREAM     CONNECTED       5124
    @/tmp/dbus-xZDw0oinFq
    unix  3      [ ]         STREAM     CONNECTED       2212
    unix  3      [ ]         STREAM     CONNECTED       3491
    /run/systemd/journal/stdout
    unix  3      [ ]         STREAM     CONNECTED       4682
    unix  3      [ ]         STREAM     CONNECTED       4889
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         DGRAM                      1437
    unix  2      [ ]         DGRAM                      5262
    unix  3      [ ]         STREAM     CONNECTED       4733
    unix  3      [ ]         STREAM     CONNECTED       3437
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       4690
    unix  3      [ ]         STREAM     CONNECTED       4726
    unix  3      [ ]         STREAM     CONNECTED       2677
    unix  3      [ ]         STREAM     CONNECTED       3497
    /run/systemd/journal/stdout
    unix  3      [ ]         STREAM     CONNECTED       5091
    unix  3      [ ]         STREAM     CONNECTED       4311
    @/tmp/.X11-unix/X0
    unix  3      [ ]         STREAM     CONNECTED       3386
    unix  3      [ ]         STREAM     CONNECTED       4897
    @/tmp/.X11-unix/X0
    unix  3      [ ]         STREAM     CONNECTED       4907
    @/tmp/gdm-greeter-HVyBFWMp
    unix  3      [ ]         STREAM     CONNECTED       4045
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       4060
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       3547
    unix  3      [ ]         STREAM     CONNECTED       4932
    @/tmp/dbus-xZDw0oinFq
    unix  3      [ ]         STREAM     CONNECTED       2934
    unix  3      [ ]         STREAM     CONNECTED       3979
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       3434
    unix  3      [ ]         STREAM     CONNECTED       4947
    @/tmp/dbus-xZDw0oinFq
    unix  3      [ ]         STREAM     CONNECTED       3483
    /run/systemd/journal/stdout
    unix  3      [ ]         STREAM     CONNECTED       4719
    unix  3      [ ]         STREAM     CONNECTED       2619
    unix  2      [ ]         DGRAM                      1426
    unix  3      [ ]         STREAM     CONNECTED       2502
    unix  2      [ ]         DGRAM                      3714
    unix  3      [ ]         STREAM     CONNECTED       4888
    unix  3      [ ]         STREAM     CONNECTED       3481
    /run/systemd/journal/stdout
    unix  3      [ ]         STREAM     CONNECTED       4694
    unix  2      [ ]         DGRAM                      2862
    unix  3      [ ]         STREAM     CONNECTED       4727
    @/tmp/dbus-xZDw0oinFq
    unix  2      [ ]         DGRAM                      4872
    unix  3      [ ]         STREAM     CONNECTED       3679
    unix  3      [ ]         STREAM     CONNECTED       4724
    @/tmp/dbus-xZDw0oinFq
    unix  3      [ ]         STREAM     CONNECTED       4409
    @/tmp/dbus-xZDw0oinFq
    unix  3      [ ]         STREAM     CONNECTED       3978
    unix  3      [ ]         STREAM     CONNECTED       3379
    unix  3      [ ]         STREAM     CONNECTED       4901
    unix  3      [ ]         STREAM     CONNECTED       5092
    @/tmp/dbus-xZDw0oinFq
    unix  3      [ ]         STREAM     CONNECTED       4310
    unix  3      [ ]         STREAM     CONNECTED       3494
    /run/systemd/journal/stdout
    unix  3      [ ]         STREAM     CONNECTED       4929
    unix  3      [ ]         STREAM     CONNECTED       4980
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       3438
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       4942
    unix  3      [ ]         STREAM     CONNECTED       4058
    unix  3      [ ]         STREAM     CONNECTED       4680
    /var/run/dbus/system_bus_socket
    unix  3      [ ]         STREAM     CONNECTED       2914
    unix  3      [ ]         STREAM     CONNECTED       4975
    unix  3      [ ]         STREAM     CONNECTED       4039
    /run/systemd/journal/stdout
    unix  2      [ ]         DGRAM                      3457

    My current version of Angstrom is;

    [beaglebone ~ 502]# uname -a
    Linux beaglebone 3.8.13 #1 SMP Thu Sep 12 10:27:06 CEST 2013 armv7l
    GNU/Linux

    God, I have a lot of effort invested in this. Does anybody have some
    advice to clean things up without a fresh install? Any tools?
    Logfiles I should look at?




--
For more options, visit http://beagleboard.org/discuss
--- You received this message because you are subscribed to the Google Groups "BeagleBoard" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to