
    help: Malware and/or backdoors in Retropie??

    Help and Support
    Tags: malware, retropie, backdoor, updating
    11 Posts 6 Posters 2.2k Views
      RikFlorence (last edited by RikFlorence)

      Hi everybody, I'm Rik from Florence. Yesterday, while I was updating experimental emulators through the RetroPie console, after some hours I saw some screenshots on my arcade cabinet where there were lots of connections to some departments of the U.S. Government. Here below are some screenshots.
      Can I know what happened? Has nobody had the same problems?
      Thanks guys and .... sorry for my English :)
      Rik

      PS. Pi 3, with RetroPie 4.3 (img from the official website)

      [three screenshots attached to the original post; images not reproduced here]

        dankcushions, Global Moderator

        please fill out https://retropie.org.uk/forum/topic/3/read-this-first

          jonnykesh @RikFlorence

          @rikflorence This is nothing to do with "malware" or "backdoors" in RetroPie. Your system has been compromised because you exposed it to the internet and probably didn't change the default log-in credentials, i.e. user: pi, password: raspberry.
          The best advice is to completely wipe your install and start again, this time changing the default password as soon as possible.
          I would also advise you to change your network password, as this information is stored as plain text on the Pi and may have been accessed. Also, it wouldn't hurt to run a few AV / malware scans on any other devices on the network.
          These things unfortunately happen when you stick to the very well known default credentials used by all Raspbian installs.

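          As an added example (not code from the thread or the RetroPie project), this is the kind of check a responder would run on a Pi like Rik's before wiping it: scan the SSH entries in /var/log/auth.log for logins that were accepted from outside the LAN, which is what an exposed port 22 plus default credentials produces. The log lines are constructed; 203.0.113.x and 198.51.100.x are documentation addresses standing in for internet sources.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format Raspbian's /var/log/auth.log uses.
SAMPLE_AUTH_LOG = """\
Oct 12 03:14:07 retropie sshd[1187]: Failed password for pi from 203.0.113.7 port 51022 ssh2
Oct 12 03:14:09 retropie sshd[1187]: Failed password for pi from 203.0.113.7 port 51022 ssh2
Oct 12 03:14:12 retropie sshd[1187]: Accepted password for pi from 203.0.113.7 port 51022 ssh2
Oct 12 03:14:12 retropie sshd[1187]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Oct 12 09:30:01 retropie sshd[1320]: Accepted password for pi from 192.168.1.20 port 40110 ssh2
Oct 12 09:31:44 retropie sshd[1350]: Invalid user admin from 198.51.100.23 port 60322
Oct 12 09:31:46 retropie sshd[1350]: Failed password for invalid user admin from 198.51.100.23 port 60322 ssh2
"""

# Matches both "Accepted password for pi from ..." and
# "Failed password for invalid user admin from ...".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port (\d+)"
)

# Address ranges that belong to a home LAN or the host itself. Listed
# explicitly rather than via ipaddress.is_private, because that flag also
# covers the documentation ranges used in the sample above.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_external(ip: str) -> bool:
    """True if the address is not on the LAN, i.e. the login came over the internet."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LAN_NETS)


def triage(log_text: str):
    """Return (external_accepts, failures_by_source).

    external_accepts: (user, auth method, source IP) for every login sshd
    accepted from a non-LAN address. On a Pi behind a home router any entry
    here means port 22 was reachable from the internet and the credentials
    for that user must be treated as known to the attacker."""
    accepts, failures = [], Counter()
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue
        result, method, user, ip, _port = m.groups()
        if result == "Failed":
            failures[ip] += 1          # brute-force noise, counted per source
        elif is_external(ip):
            accepts.append((user, method, ip))
    return accepts, failures
```

          On a real Pi, feed it the contents of /var/log/auth.log (and any rotated auth.log.N files) instead of the sample text.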
            cyperghost @jonnykesh (last edited by cyperghost)

            @jonnykesh Very good explanation!

              Clyde @jonnykesh (last edited by Clyde)

              Post deleted, because Firefox didn't want me to see the screenshots. Chromium showed them to me, making my post obsolete. :)

                BillyH @jonnykesh

                @jonnykesh said in help: Malware and/or backdoors in Retropie??:

                I would also advise you to change your network password as this information is stored as plain text on the Pi and may have been accessed.

                Only if you use wifi to connect, right, not if you connect through an ethernet cable?

                I connected my Pi to my modem today to use the scraper, didn't know about security risks like this.

                • First Pi: Pi 3 in a PSone case
                • Second Pi: Pi 0 in a Retroflag GPi Case
                • Third Pi: Pi 4 as a desktop computer
                • Some time in 2020: Picade
                  cyperghost @BillyH

                  @billyh No, if port 22 for SSH is open, the world outside gives a **** how you are connected ;) Therefore use a router with a firewall - this keeps ports open for internal access (INTRANET) and closes them for the outside world (INTERNET).

                    Clyde @BillyH (last edited by Clyde)

                    @billyh said in help: Malware and/or backdoors in Retropie??:

                    @jonnykesh said in help: Malware and/or backdoors in Retropie??:

                    I would also advise you to change your network password as this information is stored as plain text on the Pi and may have been accessed.

                    Only if you use wifi to connect, right, not if you connect through an ethernet cable?

                    It has little to do with the connection type. If you use wifi with wpa2 encryption and a strong wifi password, it is almost as secure as a cable connection. Likewise, if you connect to the internet via a router with a firewall that is regularly updated by its vendor, your Pi credentials aren't as important as if your Pi connects directly to the internet. If an attacker gets into your (W)LAN by any means, however, the login credentials of the devices connected to your local network are the only thing between the attacker and your systems. Thus, it's always advisable to change the defaults.

                    edit: @cyperghost beat me to it while I was writing this. :)

                      BillyH @cyperghost
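                    The point made by jonnykesh and Clyde above, that the Wi-Fi passphrase sits in clear text on the Pi, can be checked and fixed on the SD card itself. This is an added example, not code from the thread: it finds quoted psk="..." entries in wpa_supplicant.conf and replaces them with the derived 256-bit PSK, computed the same way the wpa_passphrase tool does (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds). The config text is constructed; "IEEE"/"password" is the IEEE 802.11i test vector, so the derived hex value can be verified independently.

```python
import hashlib
import re

# Constructed sample of /etc/wpa_supplicant/wpa_supplicant.conf on a
# Raspbian Pi, with the passphrase stored in clear text.
SAMPLE_CONF = """ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=IT

network={
    ssid="IEEE"
    psk="password"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.DOTALL)
SSID_RE = re.compile(r'^\s*ssid="([^"]*)"', re.MULTILINE)
PSK_RE = re.compile(r'^(\s*)psk="([^"]*)"', re.MULTILINE)   # quoted = clear text


def wpa2_psk(ssid: str, passphrase: str) -> str:
    """Derive the WPA2 PSK from SSID and passphrase, as wpa_passphrase does."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def find_plaintext_psks(conf: str) -> list:
    """Return the SSIDs whose network block stores the passphrase in clear text."""
    exposed = []
    for body in BLOCK_RE.findall(conf):
        ssid, psk = SSID_RE.search(body), PSK_RE.search(body)
        if ssid and psk:
            exposed.append(ssid.group(1))
    return exposed


def harden_conf(conf: str) -> str:
    """Rewrite every quoted psk="..." as the 64-hex-digit derived PSK.

    wpa_supplicant accepts the hex form directly, and PBKDF2 cannot be
    reversed, so a copied config no longer reveals the Wi-Fi passphrase
    (it can still join that one network, so rotate it after a compromise)."""
    def fix_block(m):
        body = m.group(1)
        ssid, psk = SSID_RE.search(body), PSK_RE.search(body)
        if not (ssid and psk):
            return m.group(0)
        hexpsk = wpa2_psk(ssid.group(1), psk.group(2))
        body = body[:psk.start()] + psk.group(1) + "psk=" + hexpsk + body[psk.end():]
        return "network={" + body + "}"
    return BLOCK_RE.sub(fix_block, conf)
```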

                      It's probably me but to me it looks like @Clyde and @cyperghost are saying two different things?

                      Anyway I never gave my Pi my wifi password, so I meant to ask it can't have the password stored if I only connected through a cable (I'm not sure myself if this also gives the Pi a password to use). I've got a WPA2 encrypted password, yes, and I've made it pretty long and varied. I'm not sure how often exactly the firewall on the router gets updated but it's supposed to be pretty decent protection.

                      ... So, in the end, I guess, the main problem with the OP was that the Pi with unchanged credentials was connected to a compromised internet connection? The way I read it at first was that the unchanged credentials were exactly what made the connection an unsafe one, but it seems now that there must've been a step or two before that that went awry.

                      Anyway @Clyde thanks for the long explanation, made it a lot clearer about what exactly the situation is.

                      • First Pi: Pi 3 in a PSone case
                      • Second Pi: Pi 0 in a Retroflag GPi Case
                      • Third Pi: Pi 4 as a desktop computer
                      • Some time in 2020: Picade
                        cyperghost @Clyde (last edited by cyperghost)

                        @clyde said in help: Malware and/or backdoors in Retropie??:

                        edit: @cyperghost beat me to it while I was writing this. :)

                        Not at all.
                        A strong wifi password is also recommended. An attacker can manipulate the router and open ports, also. Did you not notice the pizza delivery van in front of your house?

                        Did not remember this one :)

                          Clyde @BillyH (last edited by Clyde)

                          @billyh said in help: Malware and/or backdoors in Retropie??:

                          It's probably me but to me it looks like @Clyde and @cyperghost are saying two different things?

                          Not really, we more or less complemented each other. @cyperghost's comment about open ports in the router's firewall is valid, though they should be closed in the router's initial factory setup. It doesn't hurt to check a router's setup for open ports, though, especially if multiple people have admin access to it, or the device was bought pre-owned.

                          It also doesn't hurt to read the tech news about vulnerabilities in common routers, or to do an occasional web search for one's own router model in that regard.

                          Finally, the advice to set strong passwords also applies to one's router, of course, lest it be manipulated like @cyperghost said. ]:}

                          ... So, in the end, I guess, the main problem with the OP was that the Pi with unchanged credentials was connected to a compromised internet connection? The way I read it at first was that the unchanged credentials were exactly what made the connection an unsafe one, but it seems now that there must've been a step or two before that that went awry.

                          Supposedly yes, but without more details from @RikFlorence, we can only suspect that much.
