RPi Node Potentially Breached by Chinese Hackers #1498

Closed
rollingonchrome opened this issue Jan 13, 2020 · 10 comments

Comments

@rollingonchrome

rollingonchrome commented Jan 13, 2020

At 1:27 am PT this morning, my Firewalla Blue firewall/IPS/IDS reported that my Raspberry Pi Mysterium Node had been port scanned by a computer at IP address 110.245.46.143 in mainland China.

Later this morning, I noted two new computers in my network locations. Both computers had a "Dokan1" prefix with a Chinese "D" letter and were prefixed or suffixed by Chinese characters. Example "\\{Chinese Character}Dokan1\{Chinese Characters}"

I unplugged my Mysterium Node and both of the Dokan1 computers disappeared from my network.

Here are two screenshots from my Firewalla Blue. Unfortunately, I did not take screenshots of my network locations before pulling the plug on the Mysterium Node.

[screenshot IMG_1032]
[screenshot IMG_1033]

My Mysterium Node was configured with a default password. I understand there is now a warning to change the password. It is disappointing that this warning was not sent to Mysterium users via email.

Questions:

  1. What are some general recommendations to assess the extent of this possible network breach?
  2. If the Mysterium node was breached, how can I be sure that if I change my Mysterium default password that this type of breach does not happen again?
  3. If the Mysterium node was breached, why were the hackers able to SSH into my Mysterium node from the VPN subnet and access my LAN subnet?
@rollingonchrome
Author

UPDATE: The Firewalla developers are reviewing the logs of my Firewalla Blue box.

@chompomonim chompomonim added this to To do in Engineering via automation Jan 13, 2020
@soffokl
Member

soffokl commented Jan 13, 2020

There are 2 options for what kind of traffic you are going to serve as a Mysterium Node:
[image]

You are sharing your internet connection via Mysterium Raspberry Pi node, so any user connected to your node can use your node Internet.

If any consumer did port scanning aimed at any server, it would use your internet connection.

This doesn't mean that your node was hacked by anyone.

Please make sure that you have selected Mysterium verified partner traffic if you want to serve only the allowed list of verified traffic.

@zolia
Contributor

zolia commented Jan 13, 2020

Hello,

which node version are you running?

If your RPI node ports were scanned as you say, that means you were running this RPI not behind the router, that is, with a public IP. Since you did not change the default password, anyone could have connected to your RPI on the public IP and compromised it.

I suggest rewriting the RPI image to be 100% sure.

As for local network compromise, if your RPI was on a public IP then you should be fine.

If your RPI was on the LAN with a local IP, then I am not sure what you mean by RPI ports scanned.
If you exposed all ports to the RPI on your router, such as https, then yes, your RPI could have been connected to.

Antanas

@soffokl
Member

soffokl commented Jan 13, 2020

The screenshot says that "Device Mysterium Node scanned ports of 110.245.46.143". This means that IP 110.245.46.143 was scanned by the Mysterium Node. Not vice versa.

@rollingonchrome
Author

rollingonchrome commented Jan 14, 2020

> There are 2 options for what kind of traffic you are going to serve as a Mysterium Node:
> [image]
>
> You are sharing your internet connection via Mysterium Raspberry Pi node, so any user connected to your node can use your node Internet.
>
> If any consumer did port scanning aimed at any server, it would use your internet connection.
>
> This doesn't mean that your node was hacked by anyone.
>
> Please make sure that you have selected Mysterium verified partner traffic if you want to serve only the allowed list of verified traffic.

I am only allowing verified traffic.

Interesting, so you’re saying that someone using my node through a VPN might have run the port scan on the Chinese IP/computer.

@rollingonchrome
Author

> The screenshot says that "Device Mysterium Node scanned ports of 110.245.46.143". This means that IP 110.245.46.143 was scanned by the Mysterium Node. Not vice versa.

I think this may be a typo/error in the Firewalla’s notification. The Firewalla devs seem to think the ports of the Mysterium node were scanned.

@rollingonchrome
Author

> Hello,
>
> which node version are you running?
>
> If your RPI node ports were scanned as you say, that means you were running this RPI not behind the router, that is, with a public IP. Since you did not change the default password, anyone could have connected to your RPI on the public IP and compromised it.
>
> I suggest rewriting the RPI image to be 100% sure.
>
> As for local network compromise, if your RPI was on a public IP then you should be fine.
>
> If your RPI was on the LAN with a local IP, then I am not sure what you mean by RPI ports scanned.
> If you exposed all ports to the RPI on your router, such as https, then yes, your RPI could have been connected to.
>
> Antanas

I was running a Buster Mysterium image. The node was behind my router.

No ports were specifically forwarded. UPnP was turned on, however. It’s now turned off.

@rollingonchrome
Author

I put my node up again.

The Mysterium developers have not responded (still need to check Discord) but I believe I figured it out.

I believe that despite my settings being set to whitelisted traffic only, somehow my node started allowing ALL traffic. This allowed someone using my node to run a port scan of a Chinese IP.

That was the first odd thing.

Then I started seeing computers I don’t own in my Windows network locations. That was odd thing number two.

I now believe that this is actually normal — albeit alarming — behavior. Today I saw a printer and phone I don’t own in my network locations.

I would like an explanation for why all traffic was suddenly allowed on my node with no change from me. Looking at my Firewalla logs, users on my node were hitting porn sites and many other sites that fall outside the scope of the whitelisted destinations.

I think Mysterium needs to get its act together and communicate better about what users should expect. But I don’t think I was breached.

@chompomonim chompomonim moved this from Icebox to Todo in Engineering Jan 15, 2020
@zolia
Contributor

zolia commented Jan 16, 2020

Hi,

can you submit feedback through webui (http://raspberrypi.local:4449/) so we could analyze node logs? And write us your provider ID.

The behaviour you are describing should not be possible in normal operation.

Also, did you happen to check the logs for RPI access via ssh? If the RPI was compromised, syslog should show ssh access not initiated by yourself.

The system can show no traces of compromise but still be affected. Then a more in-depth look at the RPI itself would be needed.

Ideally we would need to be able to reproduce the case in order to fix it.
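The log check suggested above (and the reporter's question about SSH reaching the Pi from the VPN subnet), as an added example that is not part of this thread or the Mysterium project: it scans OpenSSH "Accepted" lines from auth.log and reports successful logins whose source is outside the networks the owner actually logs in from. The log lines are constructed, the regex assumes the stock Raspbian/OpenSSH syslog format, and 192.168.1.0/24 as the home LAN and 10.8.0.0/24 as the VPN tunnel subnet are assumptions.

```python
import ipaddress
import re

# OpenSSH "Accepted" lines as written to /var/log/auth.log on Raspbian Buster.
# Assumed format; adjust the pattern if your syslog prefix differs.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\w+)\sfor\s(?P<user>\S+)\sfrom\s(?P<ip>[\d.a-fA-F:]+)"
)

# Constructed sample log lines; not taken from the reporter's device.
SAMPLE_AUTH_LOG = """\
Jan 13 00:58:12 raspberrypi sshd[1201]: Accepted password for pi from 192.168.1.20 port 50212 ssh2
Jan 13 01:19:44 raspberrypi sshd[1388]: Failed password for root from 10.8.0.14 port 41090 ssh2
Jan 13 01:20:01 raspberrypi sshd[1390]: Accepted password for pi from 10.8.0.14 port 41102 ssh2
Jan 13 07:42:09 raspberrypi sshd[2045]: Accepted publickey for pi from 192.168.1.20 port 50530 ssh2
"""


def suspicious_ssh_logins(log_text, trusted_networks):
    """Return successful sshd logins whose source IP lies outside trusted_networks.

    trusted_networks: CIDR strings the owner really logs in from (assumed to be
    the home LAN only; the VPN consumer subnet is deliberately left untrusted).
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed attempts and unrelated lines are skipped here
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in nets):
            continue
        findings.append(
            {"time": m["ts"], "user": m["user"], "method": m["method"], "ip": m["ip"]}
        )
    return findings


if __name__ == "__main__":
    # Only the password login from the VPN subnet is reported for the sample above.
    for f in suspicious_ssh_logins(SAMPLE_AUTH_LOG, ["192.168.1.0/24"]):
        print(f"{f['time']}: {f['method']} login as {f['user']} from {f['ip']}")
```

Run it against the real file with `open("/var/log/auth.log").read()` in place of the sample; a hit from the tunnel subnet with the default `pi` password is exactly the trace the comment above says to look for.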

@chompomonim
Contributor

It looks like either a resolved issue or a non-reproducible one. @rollingonchrome, if you still have such issues, please reopen with additional info.

Engineering automation moved this from Todo to Done Jan 31, 2020
@chompomonim chompomonim moved this from Done to Archive in Engineering Feb 4, 2020