Have you installed SSH? Change the passwords!

Discussion in 'Jailbreaks and iOS Hacks' started by Moi un Mouton, Nov 23, 2009.

  1. Moi un Mouton macrumors 68000

    Joined:
    Mar 18, 2008
    Location:
    Bracknell UK
    #1
    A malicious worm attack on JB phones. I guess we'll see a lot now.

    http://news.bbc.co.uk/1/hi/technology/8373739.stm

    This is how to change the password:

    1. Download Mobile Terminal through Cydia.

    2. Launch Terminal, type in: 'su root', it'll prompt you for your current password next, so type in 'alpine'. (Don't use quotations obviously).

    Doing the above logs you in as 'root', because by default if you launch terminal and just use the 'passwd' command, it doesn't actually change it per se as you are logged in as 'mobile', which doesn't have sufficient permissions to change the password.

    3. Type in 'passwd', and it should prompt you to enter a new password and then ask you to verify it again.

    4. Type in 'passwd mobile' (this is to set a new one for user "mobile" as well). Once again, enter a new password twice.
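
An added example, not part of any post in this thread: a shell check that the two accounts from steps 3 and 4 (root and mobile) no longer carry the factory password hash. It assumes a BSD master.passwd-style file (colon-separated, hash in the second field) and takes the factory hash as an argument; the function names, account lines and hash values are constructed placeholders.

```shell
#!/bin/sh
# Added example; every account line and hash below is constructed sample data.

# audit_defaults FILE FACTORY_HASH ACCOUNT...
# Prints "<account> <status>" per account, where status is one of
# default | changed | locked | empty | missing.
audit_defaults() {
    file=$1; factory=$2; shift 2
    for acct in "$@"; do
        awk -F: -v a="$acct" -v f="$factory" '
            $1 == a {
                found = 1
                if ($2 == f)            s = "default"   # factory password still set
                else if ($2 == "")      s = "empty"     # no password at all
                else if ($2 ~ /^[*!]/)  s = "locked"    # password login disabled
                else                    s = "changed"
                print a, s
                exit
            }
            END { if (!found) print a, "missing" }
        ' "$file"
    done
}

# still_exposed FILE FACTORY_HASH: succeeds if root or mobile needs a new password.
still_exposed() {
    audit_defaults "$1" "$2" root mobile | grep -Eq ' (default|empty)$'
}

# Constructed sample: root was changed but mobile was forgotten.
make_sample() {
    cat > "$1" <<'EOF'
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:CONSTRUCTEDnew0:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:FACTORYHASH00:501:501::0:0:Mobile User:/var/mobile:/bin/sh
EOF
}

sample=$(mktemp)
make_sample "$sample"
audit_defaults "$sample" FACTORYHASH00 root mobile
still_exposed "$sample" FACTORYHASH00 && echo "change the remaining default password(s)"
rm -f "$sample"
```

Running the same check again after a restore and re-jailbreak shows whether the accounts have reverted to the factory hash.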
     
  2. pixelated macrumors 6502a


    Joined:
    Oct 21, 2008
    #2
    Very concise. This topic keeps coming up so can we sticky this very nice guide?
     
  3. stlsot macrumors newbie


    Joined:
    Dec 20, 2007
    Location:
    St Louis
    #3
    I've SSH'd a new password, then the JB iPhone had to be restored and re-jailbroken. Is the SSH'd new password now back to alpine? Or is my new password still there? I imagine I could just SSH back into it to find out. :confused:
     
  4. pixelated macrumors 6502a


    Joined:
    Oct 21, 2008
    #4
    It will be back to alpine.
     
  5. stlsot macrumors newbie


    Joined:
    Dec 20, 2007
    Location:
    St Louis
    #5
    Yes! thank you, it sure did! Appreciate your quick reply!
     
  6. TWHH macrumors regular

    Joined:
    Jul 12, 2008
    #6
    Apologies, this is perhaps a dim question, but how do I know if I have SSH installed?

    Is it downloaded and installed as part of the Jailbreak process or is it something which you have to specifically/manually download from Cydia post Jailbreak?

    If all I've done is jailbroken my phone with the latest Pwnage Tool and then unlocked with Ultrasnow, am I vulnerable to one of these attacks or not?

    Thanks,
     
  7. stlsot macrumors newbie


    Joined:
    Dec 20, 2007
    Location:
    St Louis
    #7
    I had to install via Cydia... search system-cmds, install, then you can open it from its icon and perform root change :)
     
  8. klex macrumors regular

    Joined:
    Jun 28, 2007
    #8
    If I've uninstalled SSH from Cydia sources, am I in the clear?
     
  9. foob macrumors 6502


    Joined:
    Feb 17, 2009
    #9
    Bad directions. You have to change mobile's password too. The front page of Cydia has the directions.
     
  10. Moi un Mouton thread starter macrumors 68000

    Joined:
    Mar 18, 2008
    Location:
    Bracknell UK
    #10
    Ooops, sorry, edited now.
     
  11. pixelated macrumors 6502a


    Joined:
    Oct 21, 2008
    #11
    OpenSSH? then yes.
    But honestly, why would you want to? Being able to access the directory system is the best thing about jailbreaking!
     
  12. klex macrumors regular

    Joined:
    Jun 28, 2007
    #12
    Thanks so much. You may be right, but I never used any of the stuff. I just needed to be able to use the phone on another carrier.

    Thanks again.
     
  13. ViViDboarder macrumors 68040


    Joined:
    Jun 25, 2008
    Location:
    USA
    #13
    If you need filesystem access you can always use iFile. It gives you access to the whole filesystem from only the device itself. Then if you get Safari Download Plugin you can download any file straight from Safari and then run it (if it's an installer), read it (if it's a text or PDF file), view/listen to it (if it's a pic, video, audio file) or even make any mods to your themes/files right from the device.

    That said... I wouldn't recommend removing SSH. Just change your default password and you're good. It's not that hard and you never know when you may need it. I leave mine enabled at all times just in case. I have Wifi off unless I'm at home so I'm not even at risk. Even if I was on public wifi I wouldn't be worried! My home computers all have SSH running.

    I think people here are scared of SSH... The issue with these Worms is not that OpenSSH is unsafe... It's that using the default password on ANY DEVICE (that means your home router or your briefcase) you are opening yourself up to a world of pain.
     
  14. Night Spring macrumors G5


    Joined:
    Jul 17, 2008
    #14
    Personally, I prefer to use file browsing programs like ifunbox, iphone explorer, etc, that run from my computer and access the iPhone file system over USB. Is there any functionality that SSH provides that these don't? Since I don't have any use for SSH other than accessing iPhone/iPod touch, setting it up seemed more pain than it's worth.
     
  15. Moi un Mouton thread starter macrumors 68000

    Joined:
    Mar 18, 2008
    Location:
    Bracknell UK
    #15
    I'm not promoting SSH over anything else in this thread, I'm just saying what the title says - if you've got it, don't leave it on default password!! Or you leave yourself open to these new hacks.
     
  16. ViViDboarder macrumors 68040


    Joined:
    Jun 25, 2008
    Location:
    USA
    #16
    With SSH you can run commands from the command line as well as set various file permissions. I'm not sure if these can be done with iFunbox, but I doubt it. iFile can though, but that doesn't help you if you can't get your Springboard to boot.

    I leave SSH on and advise against just removing it because if you are having issues with Springboard constantly cycling you can SSH in and fix them rather than being forced to restore your phone.

    Also, the directions at the top of this thread are dead simple. They have been posted many times and I've even written several guides here on exactly what to do. I swear it takes longer to remove SSH than it does to just change your password.
     
  17. Night Spring macrumors G5


    Joined:
    Jul 17, 2008
    #17
    That's true enough, but I never installed SSH in the first place! You are talking as if SSH is preloaded with a jailbreak. Are you recommending that everyone install SSH, just in case we get into this springboard cycling state you mention?
     
  18. ViViDboarder macrumors 68040


    Joined:
    Jun 25, 2008
    Location:
    USA
    #18
    Well, this thread is warning about security risks due to default passwords left unchanged, so I assumed that SSH was installed or people wouldn't even be contemplating this.

    If you really don't want to install SSH, you don't have to, but I would recommend having it installed (that means I would recommend you install it in case you need to fix your springboard).

    The only issue is that if my phone gets stuck in a springboard boot cycle then I have to just hope I left Wifi enabled :D If so I can turn off my phone using the Home + Sleep button combo and wait until I'm at my computer. Then I can find a fix online, boot it up, SSH in and try and fix it. Usually this would consist of removing any package that I recently installed. (This is why I also have Aptitude installed. It's a command line package manager like Cydia is. I can use this over SSH to remove packages that could be causing my problem).

    But that's just me :D I like to play it safe.
     
  19. Night Spring macrumors G5


    Joined:
    Jul 17, 2008
    #19
    Well, I've seen plenty of people posting asking whether or not SSH is automatically installed with a jailbreak, so I thought it better to be clear on that point.

    And with ifunbox, I can plug my phone in to the USB port, and get into the file system and fix the problem. I don't even have to worry about whether or not I've left wifi on! Or am I missing something?
     
  20. ViViDboarder macrumors 68040


    Joined:
    Jun 25, 2008
    Location:
    USA
    #20
    Do you have command line access? You can't run commands on the phone with iFunbox. You can only cut, copy and move files.
     
  21. thelatinist macrumors 603


    Joined:
    Aug 15, 2009
    Location:
    Connecticut, USA
    #21
    You had to install what? SSH? If you didn't have it installed then there was no need to worry!
     
  22. ViViDboarder macrumors 68040


    Joined:
    Jun 25, 2008
    Location:
    USA
    #22
    Not only that... There is no icon to click to "open ssh" :D You have to access your command line either with MobileTerminal or from another computer and you SSH into your phone.
     
  23. Night Spring macrumors G5


    Joined:
    Jul 17, 2008
    #23
    No command line, but so far I haven't come across a problem that needed command line access in order to fix. You yourself said that the most common solution was to remove the offending files/applications. iFunbox can do that just fine.
     
  24. ViViDboarder macrumors 68040


    Joined:
    Jun 25, 2008
    Location:
    USA
    #24
    If you know where they all are. It'll probably work just fine but I use Aptitude so it fully removes the entire package.
     
  25. Night Spring macrumors G5


    Joined:
    Jul 17, 2008
    #25
    That does sound convenient! But personally, not enough to go out of my way to install and set up SSH -- not such a hassle if you have a Mac, I suppose, but it's terribly confusing and complex if you are on a Windows system!
     
