How secure is webserver?

grey · 18 May 2015 07:58

if say someone has login/password - can he/she just browse media and click buttons or can upload a malicious software/download all files remotely?

regards

sam_nazarko · 18 May 2015 14:40

It has a known 0 day exploit in it…

S

grey · 18 May 2015 14:54

damn… that’s a problem, i guess i’ve been hacked.
still, hope no vital data was leaked…

will re-install from scratch and reconfigure the network

DBMandrake · 18 May 2015 15:09

What makes you think you’ve been hacked ?

grey · 18 May 2015 15:24

my brother was experimenting with network configurations of a new router and put the RPi in DMZ zone, with a webserver enabled with no password.
later on he called me to say that the RPi is strangely active and the external HDD with data is making some noises (as when someone is copying smth). when he said the RPi is in DMZ zone i told him to disable this immediately, and as soon as he did this the activity stopped. so i guess, someone was browsing data (at least) or maybe was transferring it (i hope not).

well, lesson learnt. never give access to new toys to someone else without a prior instructing lesson)

sam_nazarko · 18 May 2015 15:25

OSMC should never be front-facing. It’s not designed for that.

See https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150113-2_Kodi_XBMC_Cross_Site_Request_Forgery_v10.txt

grey · 18 May 2015 16:01

now i wonder all that i have is just format the SD card, reinstall and configure or i have to search on external hdd for malicious software?

sam_nazarko · 18 May 2015 16:06

Just reinstall.

I doubt you were severely compromised: most people just compromise boxes and set up root access on them nowadays

S

grey · 18 May 2015 16:18

thx, reinstalling. should i check for updates within the OSMC menu?

sam_nazarko · 18 May 2015 16:20

After a fresh install of RC2, yes.

grey · 18 May 2015 16:39

okay, got 2 errors OSMC couldn’t update, then an offer to close OSMC and to update. just FYI

sam_nazarko · 18 May 2015 17:19

We need a log to work out what’s up

S

grey · 18 May 2015 17:41

unfortunately, not available at the moment, but i see i’ve updated to RC3.

sam_nazarko · 18 May 2015 18:51

You’re not on RC3 if you haven’t got all the updates yet

S

grey · 21 May 2015 09:41

just to be sure, this is a normal sd card content?

Filesystem      Size  Used Avail Use% Mounted on    
/dev/root       7.0G 1012M  5.6G  16% /
devtmpfs        364M     0  364M   0% /dev
tmpfs           368M     0  368M   0% /dev/shm
tmpfs           368M  5.0M  363M   2% /run
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           368M     0  368M   0% /sys/fs/cgroup
/dev/mmcblk0p1  240M   24M  216M  10% /boot
tmpfs            74M     0   74M   0% /run/user/1000

ReBoot · 21 May 2015 09:45

If someone has login/password, then the security is through the chimney. It’s like “If someone is in my house, can he steal stuff?”

grey · 21 May 2015 09:56

not from the ssh, but from webinterface. these are 2 different passwords, fyi.

denbertuz · 21 May 2015 10:20

my brother was experimenting with network configurations of a new router and put the RPi in DMZ zone, with a webserver enabled with no password.

Never use the DMZ function - If you want access to e.g. web og ssh server - use portforwarding on router - for SSH you might consider to use another port than 22 - eg. forward port 2222 to 22 - And off course change default osmc password BEFORE opening anything on router