TIFU by exposing my Pi to the outside world with default user:password

Post by /RaspberryPi »

I'm sure this has been mentioned over and over again, but it cannot be reiterated enough: Don't use the default user:password combination (pi:raspberry), especially if you are going to expose any device on your network to the outside world.
Here's why:
I recently bought a used Pi Zero W (at well above MSRP, mind you) which I intended to use mainly to wake my PC up (WOL) or put it to sleep, as well as run an FTP server on it. I was going for a headless setup since I didn't need a GUI for my purposes. I grabbed the latest version of Raspberry Pi OS Lite, enabled SSH, and set up the Wi-Fi connection. I did all of that manually, not using the official image installer.
When I tried to SSH into it, the default user:password combination was not working. After googling I stumbled upon this fairly recent SO post: Raspberry Pi SSH Access Denied - Stack Overflow
The top/chosen answer states that the default user setup was changed in newer images and that the default user "pi" does not exist anymore. It also explains how to (manually) set up users. The first comment on that answer makes things even easier and gives the user:hashed-password for "pi:raspberry".
Laziness got the better of me and I ignored the nagging voice in the back of my head and just used the default user anyway and then forwarded the ports on my router to SSH into my Pi from the outside. "What's the worst that could happen? No one cares about my tiny, insignificant personal network, right?"
WRONG!
On the same day, barely 6 hours later, I started noticing that it was taking a long time to establish an SSH session. At first it was 6-8 seconds and I didn't mind that much. I thought the Pi Zero was just slower than what I had expected it to be. Gradually it got worse and it would take almost half a minute for an SSH session to be established. That's when I decided I had to investigate the issue.
I called htop and sure enough, CPU was at 100% all the time with over 150 tasks running on average and new tasks constantly being spawned. The top processes (in terms of CPU utilization) were all ZMap instances. Except... I never installed ZMap!
A quick Google search confirmed that my Pi was compromised and was most likely infected with Linux.Muldrop.14, which not only turns the Pi into a cryptocurrency mining machine, but also (unsurprisingly) constantly searches for other devices and attempts to infect them. I even got a warning (Edit: from my ISP) two days later, dated the day that I started having issues, telling me that suspicious "hacking" activity was detected from my network.
I immediately took my Pi offline and erased the SD card. Then I was scrambling to verify the integrity of every device in my network. On top of that, I had given a new neighbor my Wi-Fi password (he won't have personal internet access for at least 2 weeks) and I had to tell him to get all of his devices checked as well.
TL;DR: Laziness got the better of me and I used the old default user:password combo for my Pi, which I then exposed to the outside world and it got infected by crypto-mining malware.

submitted by /u/Birosso
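The post's two observable traces of what went wrong are a password login that followed guessing attempts against the "pi" account, and unexpected high-CPU processes (ZMap) in htop. The script below, added here as an example and not part of the original post or of any tool the author used, turns those two traces into checks a Pi owner can run over sshd log lines and a `ps` snapshot. All input data is constructed (RFC 5737 documentation addresses, made-up PIDs); the process allowlist and the 20% CPU threshold are assumptions chosen for the example, not values from the post.

```python
"""Triage helpers for a headless Pi suspected of the compromise pattern the post
describes: SSH password guessing against a default account, then a scanner/miner
workload. Both sample inputs below are constructed for this example; replace them
with real `journalctl -u ssh` / `/var/log/auth.log` text and the output of
`ps -eo pid,pcpu,comm --no-headers` to use the checks on a live machine.
"""
import re
from collections import Counter

# Constructed sshd lines in the syslog format Raspberry Pi OS writes. The
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Jun  5 01:29:01 raspberrypi sshd[812]: Failed password for pi from 203.0.113.7 port 51022 ssh2
Jun  5 01:29:03 raspberrypi sshd[812]: Failed password for pi from 203.0.113.7 port 51022 ssh2
Jun  5 01:29:05 raspberrypi sshd[815]: Invalid user admin from 198.51.100.23 port 40110
Jun  5 01:29:06 raspberrypi sshd[815]: Failed password for invalid user admin from 198.51.100.23 port 40110 ssh2
Jun  5 01:29:09 raspberrypi sshd[819]: Accepted password for pi from 203.0.113.7 port 51030 ssh2
Jun  5 01:30:00 raspberrypi sshd[830]: Accepted publickey for alice from 192.0.2.10 port 33012 ssh2
"""

# Constructed `ps -eo pid,pcpu,comm --no-headers` snapshot. The zmap entries mirror
# what the post saw in htop; the other rows are ordinary Pi background processes.
SAMPLE_PS = """\
    1  0.1 systemd
  412  0.3 sshd
  601 48.7 zmap
  602 49.1 zmap
  603  0.0 bash
  655  0.5 wpa_supplicant
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<ip>\S+)"
)


def failed_logins_by_source(log_text):
    """Count failed SSH password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def password_logins_after_failures(log_text):
    """Return (user, ip) pairs where a *password* login succeeded from an address
    that had already failed at least once earlier in the log. That sequence is what
    a guessed default credential leaves behind; a publickey login is not flagged."""
    failed_from = set()
    hits = []
    for line in log_text.splitlines():
        f = FAILED_RE.search(line)
        if f:
            failed_from.add(f.group("ip"))
            continue
        a = ACCEPTED_RE.search(line)
        if a and a.group("method") == "password" and a.group("ip") in failed_from:
            hits.append((a.group("user"), a.group("ip")))
    return hits


def suspicious_processes(ps_text, cpu_threshold=20.0,
                         allowlist=("systemd", "sshd", "bash", "wpa_supplicant")):
    """Return (pid, cpu, comm) for processes above the CPU threshold whose command
    name is not on the owner's allowlist, highest CPU first. Threshold and
    allowlist are example assumptions; tune them to the machine's normal load."""
    flagged = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip blank or malformed rows
        pid, cpu, comm = int(parts[0]), float(parts[1]), parts[2].strip()
        if comm not in allowlist and cpu >= cpu_threshold:
            flagged.append((pid, cpu, comm))
    return sorted(flagged, key=lambda p: p[1], reverse=True)


if __name__ == "__main__":
    print("failed SSH attempts by source:", dict(failed_logins_by_source(SAMPLE_AUTH_LOG)))
    print("password logins after failures:", password_logins_after_failures(SAMPLE_AUTH_LOG))
    print("unexpected high-CPU processes:", suspicious_processes(SAMPLE_PS))
```

On the constructed data the checks report two failures then a successful password login for "pi" from the same address, and two unlisted processes named zmap each near 50% CPU, which is the picture the post describes. The login check deliberately ignores publickey logins: moving the Pi to key-only authentication (and not forwarding the SSH port at all) is what removes the guessing path the post fell victim to.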