My Pogo got hacked!! Need to scrub and re-install -HELP

This forum is for all other ARMv5 devices

My Pogo got hacked!! Need to scrub and re-install -HELP

Postby rag1998 » Tue Jan 17, 2012 6:44 pm

My Pogoplug has been running Arch Linux for a while now, acting as a media server with Twonky. Yesterday I decided to open the SSH port on the machine so that I could SSH in from my work computer.

Today I logged in and found a bunch of scripts being downloaded (the history didn't get deleted) and that I have lost privs to run ls, ps, netstat, top and a bunch of other commands. All owned by UNKNOWN. Also found a udp.pl script acting as a UDP flooder. Was able to get hold of the script used by the hacker to do a bunch of stuff and noticed that the service will start on restart and backdoors have been created to get back into the box.

Took the server down with the shutdown command. Can't delete any of the files that have been downloaded, so my only option is to re-install.

Now I would like to scrub the whole thing and re-install Arch Linux. I am not a techie in Linux, so any info on how to scrub (basically wipe everything on the plug) is appreciated; not even sure if it's possible or not.

Appreciate any help
Last edited by WarheadsSE on Tue Jan 17, 2012 7:29 pm, edited 1 time in total.
Reason: de-sensitizing post ~ owner's got hacked.
rag1998
 
Posts: 6
Joined: Thu Aug 25, 2011 7:43 pm
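A read-only triage pass for the symptoms in this post, added here as an example; it is not code from the thread or from Arch Linux ARM. It assumes the suspect root filesystem is mounted from a clean machine (the `/mnt/suspect` path, and the rc.conf/rc.local layout of a 2012 Arch install, are assumptions). The immutable-attribute check covers one common reason `rm` fails even as root, not a claim about what was done to this particular box.

```shell
#!/bin/sh
# Added example, not code from the thread. Read-only triage helpers for the
# symptoms rag1998 describes. Run them against the suspect filesystem
# mounted from a clean system (e.g. the USB root plugged into a laptop);
# on the compromised box itself, find/lsattr/awk may already be replaced.

# Files under $1 whose owner or group no longer resolves (ls shows UNKNOWN
# or a bare number). -xdev keeps the walk on one filesystem.
find_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
    return 0
}

# Files under $1 carrying the immutable (i) or append-only (a) attribute.
# A file with +i cannot be deleted, renamed or written even by root until
# `chattr -i` is run; that is an assumption about why rm failed here, the
# thread does not say. lsattr prints "<flags> <path>", e.g. "----i---e-- /bin/ls".
find_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 0
    find "$1" -xdev -type f -exec lsattr -d {} + 2>/dev/null \
        | awk 'index($1, "i") > 0 || index($1, "a") > 0 { print $2 }'
    return 0
}

# Boot-time hooks on a 2012-era Arch install (assumed layout: initscripts
# with DAEMONS in rc.conf, plus rc.local and cron). $1 is the mounted root.
list_boot_hooks() {
    root=${1:-/}
    if [ -f "$root/etc/rc.conf" ]; then
        grep -n '^DAEMONS=' "$root/etc/rc.conf" || :
    fi
    if [ -f "$root/etc/rc.local" ]; then
        # every non-comment line is something that runs as root at boot
        grep -n '^[^#]' "$root/etc/rc.local" || :
    fi
    for f in "$root"/var/spool/cron/* "$root"/etc/cron.d/*; do
        if [ -f "$f" ]; then echo "== $f"; cat "$f"; fi
    done
    return 0
}

# Usage, with the suspect root mounted read-only at /mnt/suspect:
#   find_unowned /mnt/suspect; find_immutable /mnt/suspect; list_boot_hooks /mnt/suspect
```

None of this cleans anything; it only tells you what to expect before the wipe and whether the USB root alone explains the persistence. Anything the pass turns up in the DAEMONS array or rc.local is a good reason not to try to "repair" in place.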

Re: Pogo got hacked!! Need to scrub and re-install -HELP

Postby WarheadsSE » Tue Jan 17, 2012 7:28 pm

Sure.

http://archlinuxarm.org/platforms/armv6 ... s-ui-tabs2

Scroll to the bottom, and follow the instructions.

Essentially wipe, format, re-start.

And make a strong password.
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: My Pogo got hacked!! Need to scrub and re-install -HELP

Postby rag1998 » Tue Jan 17, 2012 8:16 pm

Thanks for the reply. I looked at those instructions but wasn't sure if formatting the boot drive will clear everything off the Pogo.

Thanks, will do that and post back the results.

Yes, this time a better password, and I will add some additional security!! :oops:
rag1998
 
Posts: 6
Joined: Thu Aug 25, 2011 7:43 pm

Re: My Pogo got hacked!! Need to scrub and re-install -HELP

Postby WarheadsSE » Tue Jan 17, 2012 8:34 pm

I suggest a very strong password and a public-key SSH login.
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: My Pogo got hacked!! Need to scrub and re-install -HELP

Postby rag1998 » Tue Jan 17, 2012 11:01 pm

WarheadsSE, I followed the instructions and did steps 7 & 8, after which I did a dir (can't ls) on the / dir and all the files are still there. These dirs are corrupted and I assume are on the Pogoplug itself but not on the USB drive. How can I format the Pogo internal drive?

[root@alarm /]# dir
bin oxnas-rootfs.tar.gz
boot proc
dev root
etc run
home sbin
kernel26-oxnas-nopci-2.6.31.6_SMP_820.3-1.1-arm.pkg.tar.xz srv
kernel26-oxnas-pci-2.6.31.6_SMP_820.3-1.1-arm.pkg.tar.xz swapfile
ledcontrol.tgz sys
lib tmp
lost+found twonkymedia
media usb
mnt usr
opt var
rag1998
 
Posts: 6
Joined: Thu Aug 25, 2011 7:43 pm

Re: My Pogo got hacked!! Need to scrub and re-install -HELP

Postby WarheadsSE » Tue Jan 17, 2012 11:53 pm

I doubt this person had the presence of mind to install anything to the NAND.
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: My Pogo got hacked!! Need to scrub and re-install -HELP

Postby rag1998 » Thu Jan 19, 2012 2:45 pm

Worked like a charm, and back in business with Twonky...

Now I need to learn a bit about iptables; for some reason I am having a hard time initializing them. Will have to work it out.

Does this security sound ok:

1. Good root password
2. Change ssh port number
3. iptables
4. fail2ban
rag1998
 
Posts: 6
Joined: Thu Aug 25, 2011 7:43 pm
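For item 3 on that list, a minimal host firewall written in iptables-restore format, added here as an example; it is not from the thread or from the Arch iptables package. It assumes the only inbound service is SSH, that the `recent` match is available in the kernel, and that the file path in the usage comment is the one the Arch iptables service loads at boot.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits a default-deny INPUT chain
# that admits only loopback, replies to our own traffic, ping, and a
# rate-limited SSH port, in the format `iptables-restore` loads atomically.
# Have console/serial access before loading: a typo here locks you out.

# gen_ruleset [SSH_PORT]  -> ruleset on stdout (port defaults to 22)
gen_ruleset() {
    ssh_port=${1:-22}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-established traffic
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# drop mis-sequenced/forged packets before they reach any rule below
-A INPUT -m state --state INVALID -j DROP
# SSH: a source gets at most 4 new connections in any 60 s window; the 5th is dropped
-A INPUT -p tcp --dport $ssh_port -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $ssh_port -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
-A INPUT -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
# keep the box pingable
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# check_ruleset FILE [SSH_PORT] -> 0 if the policy is DROP and SSH is still let in
check_ruleset() {
    file=$1
    ssh_port=${2:-22}
    grep -q '^:INPUT DROP' "$file" \
        || { echo "INPUT policy is not DROP"; return 1; }
    grep -q -- "--dport $ssh_port .*-j ACCEPT" "$file" \
        || { echo "no ACCEPT rule for TCP port $ssh_port"; return 1; }
    echo "ruleset ok"
    return 0
}

# Usage (as root):
#   gen_ruleset 22 > /etc/iptables/iptables.rules
#   check_ruleset /etc/iptables/iptables.rules 22 && iptables-restore < /etc/iptables/iptables.rules
#   iptables -L INPUT -n -v     # confirm the rules actually loaded on this kernel
```

The last line of the usage comment is the one that matters on this hardware: WarheadsSE notes in the next post that the 2.6.31 oxnas kernel has iptables issues, so confirm with `iptables -L -n -v` that the rules and the `recent` match were accepted rather than assuming a silent load succeeded.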

Re: My Pogo got hacked!! Need to scrub and re-install -HELP

Postby WarheadsSE » Thu Jan 19, 2012 2:59 pm

The 2.6.31 oxnas kernel actually has some issues with iptables.

I suggest setting a ridiculously strong password and using RSA keys, thus never having an issue. I'd have to look into what fail2ban is. If people are scanning your ports, it won't much matter if it is on 99999 or 22; it'll just be less "dude, there it is" and more "oh hey, look, they moved the port". If you are going to change the port, just do a port translation at your firewall.

http://strongpasswordgenerator.com/
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6807
Joined: Mon Oct 18, 2010 2:12 pm

Re: My Pogo got hacked!! Need to scrub and re-install -HELP

Postby elazar » Thu Jan 19, 2012 5:37 pm

Changing the port will help a bit; most likely your Plug was owned by a bot, not necessarily a live person. Changing the port on my VPS cut scanning attempts by about 75-80%.

fail2ban looks for failed authentication attempts and will shun/drop connection requests from the offending IP for a pre-configured amount of time after a threshold is hit. The site is here: http://www.fail2ban.org/wiki/index.php/Main_Page, and Arch-specific details are here: https://wiki.archlinux.org/index.php/Fail2ban

elazar
elazar
 
Posts: 15
Joined: Mon Jan 16, 2012 7:07 pm
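The counting logic elazar describes, reduced to an awk pass over sshd log lines, added here as an example; it is not fail2ban's code and not from the thread. The log lines are constructed for the example in the format sshd writes through syslog (no year in the timestamp, as in 2012); the IP addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not fail2ban's code. An IP is reported ("banned") once it has
# MAXRETRY failed logins inside any FINDTIME-second sliding window, which is
# the core of what fail2ban does before it inserts an iptables rule.

# offenders LOGFILE MAXRETRY FINDTIME -> one banned IP per line, in ban order
offenders() {
    awk -v maxretry="$2" -v findtime="$3" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i in m) mon[m[i]] = i
    }
    # Only real authentication failures count, not connection noise.
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, hms, ":")
        # seconds since 1 Jan; a 31-day month approximation is fine for a window
        t = ((mon[$1] - 1) * 31 + $2) * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip in banned) next
        # drop failures that have aged out of the window, then add this one
        n = split(hist[ip], h, " "); keep = ""
        for (i = 1; i <= n; i++) if (h[i] > t - findtime) keep = keep " " h[i]
        hist[ip] = keep " " t
        if (split(hist[ip], h, " ") >= maxretry) { banned[ip] = 1; print ip }
    }' "$1"
    return 0
}

# Constructed sample log: 203.0.113.7 hammers the box within seconds,
# 198.51.100.9 mistypes once and then logs in with a key, and 192.0.2.44
# spreads three failures about eleven minutes apart.
sample_log() {
    cat <<'EOF'
Jan 19 17:30:01 alarm sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 19 17:30:03 alarm sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 19 17:30:04 alarm sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 19 17:30:09 alarm sshd[1205]: Failed password for rag1998 from 198.51.100.9 port 40210 ssh2
Jan 19 17:30:12 alarm sshd[1205]: Accepted publickey for rag1998 from 198.51.100.9 port 40210 ssh2
Jan 19 17:41:00 alarm sshd[1210]: Failed password for root from 192.0.2.44 port 60000 ssh2
Jan 19 17:52:30 alarm sshd[1211]: Failed password for root from 192.0.2.44 port 60001 ssh2
Jan 19 18:04:00 alarm sshd[1212]: Failed password for root from 192.0.2.44 port 60002 ssh2
EOF
}

# Usage: sample_log > /tmp/auth.log; offenders /tmp/auth.log 3 600
# With maxretry=3 and findtime=600 only 203.0.113.7 is banned; widen the
# window to 3600 and the slow attacker 192.0.2.44 is caught as well.
```

The three knobs are the same ones fail2ban exposes in its jail configuration (`maxretry`, `findtime`, `bantime`). Two practical caveats: the slow-attacker case above shows why `findtime` needs to be generous for a box that is only probed occasionally, and fail2ban's default action enforces the ban with iptables, so WarheadsSE's warning about iptables on the 2.6.31 oxnas kernel applies to it too.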

Re: My Pogo got hacked!! Need to scrub and re-install -HELP

Postby Kurlon » Thu Jan 19, 2012 5:51 pm

Personally, I prefer denyhosts. It can use a centralized DB to proactively block IPs that have been spotted scanning other systems before they try to pop yours.

Also, disable PermitRootLogin in your sshd config. I dunno why that is enabled out of the gate on so many distros these days...
Kurlon
 
Posts: 132
Joined: Fri Jan 06, 2012 10:05 pm
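The sshd_config settings behind the advice in this thread (key-only login from WarheadsSE's posts, no root login from Kurlon's), with a checker to run against a config file before restarting sshd. This is an added example, not code from the thread or from OpenSSH; the user name in the hardened fragment is a placeholder, and the defaults the checker assumes are those of OpenSSH at the time of the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. The checker reads
# the last explicit value of each keyword (how sshd resolves plain duplicates)
# and otherwise uses the OpenSSH default of the era: PermitRootLogin,
# PasswordAuthentication and ChallengeResponseAuthentication default to yes.
# It ignores Match blocks, so `sshd -T` remains the final word.

# Hardened fragment: key-only logins, no root over SSH, one named account.
# "youruser" is a placeholder for the account you actually log in with.
hardened_sshd_config() {
    cat <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
AllowUsers youruser
EOF
}

# What exposing a stock config to the Internet amounts to: root, by password.
weak_sshd_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
}

# effective FILE KEYWORD DEFAULT -> last explicit value in FILE, else DEFAULT
effective() {
    awk -v k="$2" -v d="$3" '
        BEGIN { v = d }
        tolower($1) == tolower(k) { v = $2 }
        END { print v }' "$1"
}

# audit_sshd_config FILE -> one line per failed check; returns 1 if any failed
audit_sshd_config() {
    rc=0
    [ "$(effective "$1" PermitRootLogin yes)" = "no" ] \
        || { echo "PermitRootLogin should be no"; rc=1; }
    [ "$(effective "$1" PasswordAuthentication yes)" = "no" ] \
        || { echo "PasswordAuthentication should be no (keys only)"; rc=1; }
    # keyboard-interactive via PAM is a second password path; close it too
    [ "$(effective "$1" ChallengeResponseAuthentication yes)" = "no" ] \
        || { echo "ChallengeResponseAuthentication should be no"; rc=1; }
    [ "$(effective "$1" PermitEmptyPasswords no)" = "no" ] \
        || { echo "PermitEmptyPasswords should be no"; rc=1; }
    [ "$(effective "$1" PubkeyAuthentication yes)" = "yes" ] \
        || { echo "PubkeyAuthentication must stay yes"; rc=1; }
    return $rc
}

# Usage: audit_sshd_config /etc/ssh/sshd_config || echo "fix before restarting sshd"
```

Order of operations matters: generate a key pair on the client (`ssh-keygen -t rsa -b 4096`), put the public key in `~/.ssh/authorized_keys` on the plug (directory mode 700, file mode 600), confirm a key login works in a second session, and only then set `PasswordAuthentication no` and restart sshd. On current OpenSSH the keyboard-interactive keyword is `KbdInteractiveAuthentication` and `PermitRootLogin` defaults to `prohibit-password`; the defaults baked into the checker above are the 2012 ones.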
