My Pi is connecting to sites remote to me


#1

I have received complaints from my ISP that my IP address is trying to connect to a remote site and is not good.
Here is the reported problem:
Mar 28 18:25:27 m2 sshd[6057]: Invalid user pi from (my IP removed from view)
Mar 28 18:25:27 m2 sshd[6055]: Invalid user pi from (my IP removed from view)
Mar 28 18:25:29 m2 sshd[6055]: Failed password for invalid user pi from (my IP removed from view) port 42516 ssh2
Mar 28 18:25:29 m2 sshd[6057]: Failed password for invalid user pi from (my IP removed from view) port 42518 ssh2
I have a fairly new update from OctoPrint on my Pi (like about 4 weeks ago).

I have removed power from the Pi until I can correct this problem.
Any help?


#2

If you were notified of something connecting out, this is most likely a compromised computer. It could be your desktop, laptop, or OctoPrint instance.
If you have a Raspberry Pi, and you opened it up for remote access, I am guessing you set it in the DMZ or opened up port 22 (SSH).
I am also guessing you never changed the SSH password, so anyone could have gotten in, and is now connecting out.

The things I would start with:

  • Did you open up any ports, or set up any computer in the DMZ?
  • If not, then you probably have an infected computer with malware or a virus. Run an antivirus and malware scanner on ALL computers.
  • If you did open up ports or the DMZ, I would strongly suggest closing them until you figure out what is going on.
  • This may not be directly related to OctoPrint, even though your ISP is saying it is connecting as the user pi.
  • If this is your Raspberry Pi, I would strongly suggest copying any settings, and setting up a newly installed instance. And do not forget to change your SSH password.

#3

In any case do not use passwords for SSH on a publicly reachable machine (be it desktop or RPI). Use keyfiles instead. Disable the use of passwords over SSH.
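
The key-only setup recommended in #3 can be checked mechanically. The following is an added example, not part of the thread: a Python audit of the global section of an `sshd_config`, assuming OpenSSH's rule that the first value given for a keyword wins and its upstream defaults. It does not follow `Include` files or evaluate `Match` blocks (`sshd -T` prints the effective settings on a live system), and the sample configs are constructed.

```python
import re

# Values needed for key-only logins, and OpenSSH's defaults when a keyword is absent.
REQUIRED = {"passwordauthentication": "no",
            "kbdinteractiveauthentication": "no",
            "pubkeyauthentication": "yes"}
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Deprecated keyword that older configs (including many Pi images) still use.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_global(config_text):
    """Return the effective global value of each audited keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()                   # keywords are case-insensitive
        if key == "match":                       # conditional blocks: not evaluated here
            break
        key = ALIASES.get(key, key)
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)              # first occurrence wins
    return {k: seen.get(k, DEFAULTS[k]) for k in REQUIRED}

def audit(config_text):
    """List every setting that still permits password-style logins."""
    eff = effective_global(config_text)
    return [f"{k} is '{eff[k]}', want '{v}'"
            for k, v in REQUIRED.items() if eff[k] != v]

# Constructed samples.
STOCK = "#PasswordAuthentication yes\nUsePAM yes\n"
# Looks hardened, but the later 'no' is ignored because the first value wins.
APPENDED = ("PasswordAuthentication yes\n"
            "PasswordAuthentication no\n"
            "KbdInteractiveAuthentication no\n")
KEY_ONLY = ("PasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\n"
            "PubkeyAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in [("stock", STOCK), ("appended", APPENDED), ("key-only", KEY_ONLY)]:
        print(name, audit(cfg) or "OK")
```

Confirm that a key-based login works in a second session before restarting sshd with passwords disabled.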