So a week ago I came across a strange Reddit post (https://www.reddit.com/r/pihole/comments/160d8rp/help_hello_guys_my_friend_insists_on_installing/). The post was removed by the mods, but the content was more or less this:
“A friend of a friend asked me to connect this Raspberry Pi 400 to my router. He gives me 50 USD per month if I do so and says it’s for some sort of Google advertising. What is the worst thing that can happen when I do it?”
The story is very strange, because a Pi 400 is not the first choice if you want to put a server or anything else into a network.
Some users (rightly) pointed out that it could be a Tor endpoint or a VPN server, which could get him into serious trouble. That’s why he didn’t connect the Pi.
Upon request and with a little guidance, he even provided me with the image of the Pi so that I could take a look at it. Without wasting much time, here are the (unspectacular) results:
First I checked the date and the default user’s groups:
Name of the user and “current” time
So the last time this Pi was turned on was 17 April (the locale is Polish), and the default user “pc-16” has an interesting group assigned: “lsadmin”, which belongs to CUPS (the Common Unix Printing System) and, as far as I know, is not present by default on any Linux distribution.
Next I took a look at the bash_history, because it gives tons of information about what happened on the Pi:
Bash_History of the “PC-16” user
So what happened here is simple: someone tried to install GumCP (a web control panel for Raspberry Pis) via its installation script. I say tried because the web control panel wasn’t installed successfully (the “wiringPi” repo is down). Afterwards someone tried to install Google Chrome, which he didn’t manage to do, so in the end he installed Chromium via apt.
Next I wanted to know why a web browser was needed, so I started Chromium and looked at the history:
The browser history
The history confused me more than anything I had seen until then, and I won’t comment on it any further.
Next I took a look at the existing users on the Pi:
Existing users
As we can see, a cups user exists, as well as snap users (but no interesting snaps are installed). Apart from this there is not really anything special to see here. Strangely, a “cockpit-ws” user exists, but the software wasn’t installed on the Pi. (Cockpit-ws is another tool to administer a Pi via a web interface.)
Next I looked at the running services on the Pi:
Running services
Interesting: TeamViewer is running, but apart from that, nothing. Let’s look at TeamViewer:
Teamviewer logs
There actually were two users, “anil” and “elvin”, who connected to the Pi multiple times.
Next I wanted to look at the bash_history of the root user, because maybe there was more information there, but I didn’t know the pc-16 password or the root password. Luckily the kernel version was <= 6.2.0, and therefore I could apply CVE-2023-2640 to simply change the root password:
Getting root access
And what did I find in the root bash_history? Nothing! Really disappointing.
Conclusion:
Someone tried to install at least two web control panels (GumCP and Cockpit-ws), but neither of them is running. Instead TeamViewer is running and working. CUPS is also running, but no printer is set up (I checked the web interface; no screenshot of this). Apart from this, nothing could be found on the Pi. No Tor endpoint, no VPN server, nothing.
So what I believe is that someone wanted to set up more stuff later on via TeamViewer. But in its current state, no malicious activity could be found on it.
I hope you enjoyed my little investigation, and although I didn’t find anything spectacular, I did have a little fun along the way.