RPi Node Potentially Breached by Chinese Hackers #1498
Comments
UPDATE: The Firewalla developers are reviewing the logs of my Firewalla Blue box.
Hello, which node version are you running? If your RPI node ports were scanned as you say, that means you were running this RPI not behind the router, that is, with a public IP. Since you did not change the default password, anyone could have connected to your RPI on the public IP and compromised it. I suggest rewriting the RPI image to be 100% sure. As for local network compromise, if your RPI was on a public IP then you should be fine. If your RPI was on the LAN with a local IP, then I am not sure what you mean by RPI ports scanned. Antanas
The screenshot says that "Device Mysterium Node scanned ports of 110.245.46.143". This means that IP 110.245.46.143 was scanned by the Mysterium Node. Not vice versa.
I think this may be a typo/error in the Firewalla’s notification. The Firewalla devs seem to think the ports of the Mysterium node were scanned.
I was running a Buster Mysterium image. The node was behind my router. No ports were specifically forwarded. UPnP was turned on, however. It’s now turned off.
I put my node up again. The Mysterium developers have not responded (still need to check Discord) but I believe it figured it out. I believe that despite my settings being set to whitelisted traffic only, somehow my node started allowing ALL traffic. This allowed someone using my node to run a port scan of a Chinese IP. That was the first odd thing. Then I started seeing computers I don’t own in my Windows network locations. That was odd thing number two. I now believe that this is actually normal, albeit alarming, behavior. Today I saw a printer and phone I don’t own in my network locations. I would like an explanation for why all traffic was suddenly allowed on my node with no change from me. Looking at my Firewalla logs, users on my node were hitting porn sites and many other sites that fall outside the scope of the whitelisted destinations. I think Mysterium needs to get its act together and communicate better about what users should expect. But I don’t think I was breached.
Hi, can you submit feedback through the web UI (http://raspberrypi.local:4449/) so we could analyze node logs? And write us your provider ID. The behaviour you are describing should not be possible in normal operation. Also, did you happen to check logs for RPI access via ssh? If the RPI was compromised, syslog should show ssh access not initiated by yourself. The system can show no traces of compromise but still may be affected. Then a more in-depth look at the RPI itself would be needed. Ideally we would need to be able to reproduce the case in order to fix it.
It looks like either a resolved issue or a non-reproducible one. @rollingonchrome if you still have such issues, please reopen with additional info.
At 1:27 am PT this morning, my Firewalla Blue firewall/IPS/IDS reported that my Raspberry Pi Mysterium Node had been port scanned by a computer at IP address 110.245.46.143 in mainland China.
Later this morning, I noted two new computers in my network locations. Both computers had a "Dokan1" prefix with a Chinese "D" letter and were prefixed or suffixed by Chinese characters. Example "\\{Chinese Character}Dokan1\{Chinese Characters}"
I unplugged my Mysterium Node and both of the Dokan1 computers disappeared from my network.
Here are two screenshots from my Firewalla Blue. Unfortunately, I did not take screenshots of my network locations before pulling the plug on the Mysterium Node.
My Mysterium Node was configured with a default password. I understand there is now a warning to change the password. It is disappointing that this warning was not sent to Mysterium users via email.
Questions: