
RaspberryPi got hacked, collected the malicious binaries. Please report this - lucapinello
https://mega.nz/#F!tUIXiA7B!HYVgQFM9yitJasg-0XOnGw
======
lucapinello
Take a look at the perl scripts (for example go.pl)

The images .gif are in reality php scripts (food.gif and food2.gif)

The scripts modify also the crontab and add:

#* * * * * /home/pi/udevd > /dev/null 2>&1 &
#* * * * * /tmp/romerito > /dev/null 2>&1 &
#* * * * * /home/pi/kblockd > /dev/null 2>&1 &
#* * * * * /var/tmp/tfti > /dev/null 2>&1 &

I was running raspbmc on the raspberry pi.

It seems the scripts were there before and got activated just today.
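An added triage example (not code from the thread or from any of the posters) for the two indicators described in this post: crontab entries that launch binaries from /tmp, /var/tmp or a home directory every minute with output discarded, and image files whose contents are PHP. The sample crontab below is constructed from the four lines quoted above plus two benign entries.

```python
from pathlib import Path

# Constructed sample: the four entries quoted in the post (commented out, as
# they appeared in the crontab) plus two benign lines for contrast.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
#* * * * * /home/pi/udevd > /dev/null 2>&1 &
#* * * * * /tmp/romerito > /dev/null 2>&1 &
#* * * * * /home/pi/kblockd > /dev/null 2>&1 &
#* * * * * /var/tmp/tfti > /dev/null 2>&1 &
"""

# Directories from which a scheduled job should rarely, if ever, be launched.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
EVERY_MINUTE = "* * * * *"


def suspicious_cron_entries(text):
    """Return (line, reasons) for lines matching the persistence pattern in the
    post: every-minute schedule, command in a writable/user directory, output
    sent to /dev/null, backgrounded. Commented-out lines are inspected too,
    because the post shows the entries that way."""
    hits = []
    for raw in text.splitlines():
        line = raw.lstrip("#").strip()
        parts = line.split(None, 5)
        if len(parts) < 6:          # blank line or no command field
            continue
        schedule, command = " ".join(parts[:5]), parts[5]
        reasons = []
        if schedule == EVERY_MINUTE:
            reasons.append("runs every minute")
        if command.startswith(SUSPECT_DIRS):
            reasons.append("command lives in a tmp/home directory")
        if "/dev/null 2>&1" in command:
            reasons.append("output discarded")
        if command.rstrip().endswith("&"):
            reasons.append("backgrounded")
        if len(reasons) >= 3:       # require several traits to limit noise
            hits.append((raw, reasons))
    return hits


def is_php_masquerading_as_gif(head):
    """True when the first bytes of a '.gif' lack the GIF magic but carry a PHP
    open tag, as with food.gif / food2.gif in the post."""
    return not head.startswith(b"GIF8") and b"<?php" in head


def scan_gif_files(directory):
    """Paths of *.gif files under directory that are really PHP scripts."""
    return [p for p in Path(directory).rglob("*.gif")
            if is_php_masquerading_as_gif(p.read_bytes()[:64])]
```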

~~~
patapon
Only one of the binaries is for ARM (tfti). Others are for x86 and MIPS. All
symbols are stripped off the binaries. I only see two quick clues: an IRC
server URL, and two Japanese strings that also appear in this article:
[http://www.edison-newworld.com/2017/09/linuxtsunami-malware-...](http://www.edison-newworld.com/2017/09/linuxtsunami-malware-captured-from.html)

Perl scripts join an IRC chan, wait for commands and google for vulnerable
sites to exploit and/or exploit them. They also contain a nice list of
proxies.

Do you know how you got hacked?

~~~
lucapinello
Thanks for looking into this! Yes, I had port 22 open and my password was
not safe enough, I guess. Or alternatively this hack was due to a web app I was
running in Flask with some vulnerabilities. Stranger thing: the hack happened
back in March 2017 but got activated exactly on Jan 1 2018.

